28 Abuse Prevention and Mitigation

gTLD: .网络
Full Legal Name: Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center)
E-mail suffix: cnnic.cn

28 Domain Name Abuse Prevention and Mitigation

For the purpose of minimizing abusive registration and other activities that have a negative impact on Internet users, CNNIC has thoroughly measured different types of potential acts of domain name abuse, and correspondingly formulated a series of policies on preventing domain name abuse and mitigation, including registrars enforcement procedure, registration reviewing procedure and complaints handling procedure.

In order to implement the above policies, CNNIC will adopt measures such as establishing a comprehensive contact point for filing complaints on domain name abuse, a whole life-cycle domain abuse monitoring and handling platform, and an information sharing mechanism with industry partners to prevent domain name abuse. Based on these measures, CNNIC will make sure that problems of domain name abuse are detected and resolved efficiently, while Whois accuracy and completeness are concurrently improved. To implement the above policies and measures, CNNIC has allocated resources in terms of manpower, equipment and finance, and worked out an implementation plan on a startup and on-going basis.

28.1 Policies of Domain Name Abuse Prevention and Mitigation

28.1.1 The Definition of Malicious or Abusive Behavior

Based on the standards for domain name abuse formulated by the Registration Abuse Policy Working Group (RAPWG) of SSAC (Security and Stability Advisory Committee) (February 2009, available at http://gnso.icann.org/issues/rap/rap-wg-final-report-29may10-en.pdf), CNNIC defines acts of domain name abuse as those that:

(1) cause actual and substantial harm, or are a material predicate of such harm, and

(2) are illegal or illegitimate, or are otherwise considered contrary to the intention and design of a stated legitimate purpose, if such purpose is disclosed.

28.1.2 Scope of Malicious or Abusive Behavior

Based on the definition by RAPWG and by reference to the report by the Fast-Flux working group (03 September 2009, available at http://gnso.icann.org/meetings/minutes-03sep09.htm), CNNIC currently defines 10 types of domain name abuse that may be mitigated at the registry level, categorized as registration abuse and use abuse as follows:

28.1.2.1 Registration abuse includes:

(1) Cybersquatting

(2) Front running

(3) Pornographic or offensive domain names

(4) Fake renewal notice

(5) Domain spinning

(6) Domain tasting

28.1.2.2 Malicious use of domain names includes:

(1) Conduct phishing to steal users' information or commit fraud;

(2) Take advantage of the domain name to spread viruses or install malware for botnet command-and-control;

(3) Send out spam;

(4) Disseminate malicious information (concerning child pornography, race discrimination, sex discrimination, etc.) that goes against international ethics and morality or interferes with public order.

28.1.3 Domain Name Abuse Prevention and Mitigation Implementation plan

Please refer to Q28_attachment_table attached for details of the description of policies defining malicious and abusive behaviors of each category above. CNNIC provides the capture metrics and solution to deal with those abusive behaviors respectively in the stages of registrar management, active monitoring and suspension as well as complaint handling.

28.1.4 Proposed Policies and Procedures for Prevention of Domain Name Abuse

28.1.4.1 Provisions on Registrars for Domain Name Abuse Prevention

Any registrar seeking to register domain names in the proposed gTLD will be required to execute a Registry-Registrar Agreement ("RRA"), which will govern the relationship between the registrar and CNNIC. The agreement will specify the services (i) that CNNIC will provide for the registrars, such as domain name registration services, registry hosting and operation, and full-database Whois functionality; and (ii) for which registrars will be responsible, such as providing all customer support functions for domain name registrants.

CNNIC will, based on the Registrar Accreditation Agreement (RAA) requirements formulated by ICANN, establish a code of conduct for registrars of the ".网络" domain to control domain name abuse by registrars, and cooperate with the registrars to mitigate and prevent domain name abuse. The following policies are included in the RRA of CNNIC for prevention of domain name abuse.

28.1.4.1.1 Registrar Qualification Requirement

To prevent and mitigate domain name abuse, CNNIC requires that registrars shall:

(1) be accredited by ICANN, i.e., having been validly accredited by ICANN pursuant to the RAA;

(2) set up a domain name registration service system within China with technical and customer service staff specializing in domain name services;

(3) have the credibility or capability of providing clients with long-term services;

(4) develop business development plans and related technical schemes;

(5) take effective network and information security safeguard measures;

(6) establish a sound domain name registration exit mechanism;

(7) comply with other relevant national rules and regulations.

28.1.4.1.2 Prohibited Terms

In the process of providing domain name registration services, domain name registration service providers are not allowed:

(1) To provide domain name registration services in a disguised name of governments, or other enterprises, public institutions or social organizations;

(2) To occupy domain name resources in a disguised form by registering domain names based on false information;

(3) To provide domain name registration services by using such unfair competition means as misleading and threatening users;

(4) To induce users to register domain names that are confusingly similar to those that are already registered;

(5) To force users to extend the term of domain name registration or sell bundled services;

(6) To fail to submit registration information to CNNIC in accordance with the actual registration years of domain name users;

(7) To reject without any justified reason applications filed by domain name holders for the password for domain name transfer, or charge the same for such application;

(8) To use the Whois database to send unsolicited e-mail to registrants, to solicit registrants by telephone or to use the database for other commercial purposes;

(9) To purchase domain names for any purpose except instances where the registrar has a bona fide intent to use that domain name on its own behalf;

(10) To conduct other behaviors which are in violation of laws and regulations or infringe upon the interests of domain name users.

28.1.4.1.3 Cooperation between CNNIC and Registrars for Prevention of Domain Name Abuse

The RRA lays down the registrars' obligations for cooperation with CNNIC in terms of domain name abuse mitigation and prevention. Specifically, registrars shall:

(1) establish a sound network and security emergency response system and intensify the domain name registration review to ensure the authenticity of the information provided by the registrants;
Note: CNNIC will provide regular monitoring of registration data for accuracy and completeness, employing telephone call back methods to investigate the Whois accuracy level.

(2) set up a help desk to receive complaints filed by the users on domain name abuse and disputes, to serve as the first level complaints contact point;
Note: CNNIC will serve as the second level complaints contact point for the customer.

(3) implement, based on the Uniform Domain Name Dispute Resolution Policy, the decisions, judgments or verdicts of the domain name dispute resolution provider or courts to rapidly take down or suspend the relevant domain names, and provide the registrants with corresponding notices and explanations;

(4) establish expedited channels and contact information for law enforcement and community partners and drive towards response times for domain name take down requests in the 1-3 hours range;

(5) provide user ID and password at the time of registration, and provide registration data update, domain name transfer and cancellation services upon password verification and identification documents authentication. The domain name may be changed and put into use only upon obtaining the approval of the registrars within three working days after the registrars receive the application form for domain name registration data update, domain name transfer and cancellation.

28.1.4.1.4 Billing and Collection Provisions

In order to combat free domain tasting, which may cause cybersquatting, and in accordance with the current ICANN policy of the RAA, CNNIC will include provisions in the RRA requiring registrars to receive a reasonable assurance of payment from any potential domain name registrant prior to submitting any registration request on behalf of that registrant.

In accordance with current ICANN policy, CNNIC recognizes that registrars may occasionally submit registrations to CNNIC in error. In such cases, the RRA will provide that registrars may receive refunds if they notify CNNIC of the error within five business days of the submission. CNNIC believes that this five day term enhances registrar monitoring of inadvertent registrations.

Finally, the RRA will specify that if a registrar does not receive payment for a domain name registration within forty five days after the payment becomes due, then the registrar will be obligated to cancel the registration and return the domain name to the general registry pool of available names. This policy will prevent registrars from being able to trade or sell domain names for their own accounts in a secondary market environment.

28.1.4.1.5 Agreement Termination

The RRA will enable CNNIC to reject registration requests from a registrar that is not in compliance with the RAA or any ".网络" registration policy. CNNIC will continue to reject such requests until the registrar ceases its non-compliance. In the event that such non-compliance continues, CNNIC will have the right to terminate the RRA. When the RRA is terminated by CNNIC for any reason, ".网络" domain name registrations managed by that registrar will be reallocated to other registrars in accordance with any applicable ICANN policy.

Any disputes between CNNIC and a registrar regarding the RRA will be submitted to binding arbitration for resolution. If a registrar materially breaches the RRA, CNNIC may, on thirty days notice and an opportunity to cure such breach, terminate the RRA and prohibit such registrar from registering domain names in the proposed gTLD. By incorporating its policies into the RRA, CNNIC will be in a position to enforce its policies against the individual registrars, without the intervention of ICANN.

28.1.4.2 Policies on Name Reservation

28.1.4.2.1 Reserved Names

CNNIC will initially reserve the following types of names from registration to ensure that domain names will not be used for such abuse activities as fraud and phishing:

(1) Names required to be reserved as stipulated in the agreement executed between CNNIC and ICANN:

* ICANN reserved names in the Top Level Reserved List in the Application Guide Book and their translation in multiple languages

* Single & Two Character Names including the use of symbols

* Tagged names

* Nic, Whois, www

(2) Geographical names (see Question 22 for details);

(3) Names or abbreviations of the local government authorities and international inter-governmental organizations (ASCII and Chinese Translation); Note: The list will be formulated before or during the start-up period based on the final decision made by GAC, ICANN and local government authorities;

(4) Other controversial names that may conflict with public interests according to the domain name regulation in China.

28.1.4.2.2 Release of Reserved Names

After obtaining a permit from the respective local authorities, a legitimate registrant will be allowed to submit an application to a registrar accredited by CNNIC for registration of the domain name. The application material shall include the following documentation:

* Domain name registration application form with an organizational stamp;

* Proof of establishment of the organizational registrant;

* Proof of personal identification of the registration contact person;

* Other documentation issued by relevant parties for release of reserved domain names.

Then the registrar forwards the above material to CNNIC. After the verification process, CNNIC will release the domain name to the database of the registrar. If the registration application is not approved, CNNIC will notify the registrar of the reason for the refusal. The process of verification shall be finished within 3 days after CNNIC receives the application material from the registrar.

28.1.4.3 Policies on Domain Name Registration Review

28.1.4.3.1 Registrant Eligibility Requirements

".网络" registrants can be divided into two categories: Organizational Registrant and Natural Person Registrant.

Organizational registrants, which represent an enterprise, shall be organizations registered under the laws of the country or region where the applicant is located and capable of undertaking civil liabilities.

Natural person registrants shall be individual human beings registered with their real identity.

28.1.4.3.2 Information Authentication

In order to apply for a ".网络" domain name, the registrant needs to complete an application form collecting all information required for Whois. In addition, organizational registrants shall submit authentic, complete and accurate organizational proof of establishment to the registrars. Acceptable documentation includes the business ID, tax ID, VAT registration certificate or equivalent of the applicant issued by the local administrative authority. Natural person registrants shall submit personal identification materials issued by a recognized authority, which can be a personal ID, passport or equivalent. The registration contact person shall also submit personal identification materials, which can be a personal ID, passport or equivalent. This additional documentation is used only for registration record authentication and will not be released to the public.

Based on authentication conducted by registrars, an application for domain name registration shall be rejected or cancelled in the following circumstances:

(1) The applicant submits an incomplete application form with necessary information missing;

(2) The applicant provides invalid or fake supporting identity authentication material;

(3) The contact information is inaccessible;

(4) The applicant provides information in the application form that is inconsistent with its identity proof.

28.1.4.3.3 Review of Prohibited Names

For the purpose of protecting the legitimate rights and interests of the general public and preventing domain name abuse, in addition to name reservation and applicant information authentication, CNNIC shall review and determine whether the domain names applied for and the registration information violate the provisions of the "China Internet Domain Name Regulations" (please refer to http://www1.cnnic.cn/html/Dir/2005/03/24/2861.htm). CNNIC may carry out review of the domain name registration information manually. In case of any domain name violating the provisions of Article 27 of the Regulations or with false, inaccurate or incomplete registration information, CNNIC shall inform the registrars of such cases for cancellation. Specific review policies cover domain names that:

(1) instigate hostility or discrimination among different ethnic groups, or disrupt national solidarity;

(2) spread rumors, disturb public order or disrupt social stability;

(3) spread obscenity, pornography, violence, homicide or terror or instigate crimes;

(4) insult or libel others, thus infringing other people's legitimate rights and interests;

(5) contain other contents prohibited by laws and administrative regulations.

28.1.4.4 Policies on Active Monitoring and Handling of Domain Name Abuse

CNNIC will actively monitor Whois accuracy, information security and orphan glue records in order to mitigate and prevent domain name abuse.

28.1.4.4.1 Policies on Whois Accuracy Control

CNNIC requires Whois accuracy to be maintained to ensure timely handling of domain name abuse. Specifically, CNNIC will:

(1) require applicants to submit domain name application forms along with identity certificates of registration contact person or proof of establishment of the registration organization, and conduct identity verification;

(2) require registrars to decline applications for domain name registration by registrants who have provided fake registration information;

(3) require the domain name holder to apply to the registrars for registration information change;
Note: When applying for a registration information change, the applicant shall submit relevant application documents for domain name changes in the same way as applying for the domain name registration. The domain name shall be changed and put into use only upon obtaining the approval of the registrars, and the registrars shall submit the changed registration information to CNNIC. The registrars shall not make changes to any client's registration information without the consent of the domain name holder.

(4) monitor the registration records of registered users by random telephone revisits. Where any information in the Whois is found to be inaccurate, CNNIC will notify the registrar and require the registration contact person to make corrections, and will suspend domain names with false information that are involved in abuse;

(5) conduct a Whois accuracy audit of every registrar on a yearly basis; registrars whose weak enforcement of the registration review policy results in a higher rate of unreachable Whois data will receive a penalty of reduced registrar rebate.

28.1.4.4.2 Policies on Information Security Control

Applicants for domain name registration shall submit authentic, accurate and complete domain name registration information, so as to intensify protection of users' information and avoid leakage and misuse.

CNNIC, as a trusted neutral third-party registry, must maintain the trust of the registrars and the consumers. Therefore, CNNIC will not market, in any way, the registrant information obtained from registrars for purposes of running the registry, nor will it share that data with any unrelated third parties. The registry operator will only have access to such data as is necessary for operation of the registry itself and will use that data only for registry operation.

CNNIC will provide registrars with a mechanism for accessing and correcting personal data and will take reasonable steps to protect personal data from loss, misuse, unauthorized disclosure, alteration or destruction. To further secure registrant data, each registrant will have a secure password for his or her registry records. Only through use of this password will data be changed, registrars transferred, domain name servers be updated, etc. Registrars will develop, in consultation with the registry, secure password verification and authentication mechanisms. Moreover all registrars will be required to abide by all applicable international, national, and local laws.

In addition, CNNIC has formulated a plan for protecting registrants' information, which includes: protecting the security of the information submitted by users during the entire lifecycle of the ".网络" domain name registration, balancing the relationship between the publicly accessible database (Whois) and registrant information protection, inspecting on a regular basis the status of information security management, and controlling staff security.

28.1.4.4.3 Requirements for In-house Employees in Terms of Information Security Management

CNNIC will attach special importance to security management with respect to staff in charge of domain name user information, and take the following measures to avoid the occurrence of deliberate information leakage:

(1) designate special managerial staff to conduct centralized collection and custody of domain name user information, and domain name registries shall keep such identity information of their managerial staff and submit the same to registries for filing;

(2) execute a special confidentiality agreement with the managerial staff in charge of domain name user information, which shall expressly provide that any leakage of domain name user information will be subject to legal liabilities;

(3) set standards for the operation process of managerial staff, reinforce audit of staff operation, and conduct audits and issue audit reports regularly;

(4) conduct security training and education for managerial staff on a regular basis.

28.1.4.4.4 Policies on Orphan Glue Records

To prevent the orphan glue records in the root domain from causing problems of domain name abuse, CNNIC will not allow the existence of orphan glue records, namely, glue records are required to be removed before the delegation point NS record is removed.

28.1.4.5 Policies of Complaints Handling

To handle domain name abuse promptly and mitigate its negative influence on registrars and internet users, CNNIC has formulated policies on handling of complaints on domain name abuse as follows:

28.1.4.5.1 Contact Points for filing complaints

Users may file complaints on domain name registration abuse or abusive use of a domain through the following channels:

(1) the complaint contact points (web, fax, email, SMS) published on the official website of CNNIC;

(2) the complaint channels published on the website of the registrar;

(3) the complaint channels provided by CNCERT, which shall in turn report the complaints to CNNIC for handling;

(4) the complaint channels provided by the Anti-Phishing Alliance of China;

(5) the complaint channel of 12321 Internet Spam Information Reporting and Resolution Center, which shall forward to CNNIC for handling.

28.1.4.5.2 Complaint Acceptance

CNNIC is responsible for accepting and investigating complaints. Assessment shall be conducted by anti-abuse complaint handling personnel pursuant to relevant measurement criteria (please refer to the attached Q28_attachment_table: Implementation Plan of Domain Name Abuse Prevention and Mitigation), and if necessary, a special investigation team shall be formed to conduct research, analysis and judgment. Feedback shall be provided to the complainants promptly upon the completion of assessment. All investigations shall be completed within 5 business days.

28.1.4.5.3 Response to and Handling of Complaints

(1) Handling of complaints shall be made within 5 business days upon acceptance of complaint from each channel. Afterwards, the result of handling complaints will be forwarded, via telephone call or email, to the complainant, the person against whom the complaint is filed, and other parties involved.

(2) Where CNNIC is found upon investigation of complaints to have committed violations of laws, or to have failed to effectively respond to a complaint filed according to the Trademark Post-Delegation Dispute Resolution Procedure (PDDRP) or Registry Restriction Dispute Resolution Procedure (RRDRP), we will take remedies according to the relevant provisions of ICANN.

(3) Where any registrar is found upon investigation of complaints to have committed violations of laws or Registry-Registrar Agreement terms, it shall be ordered to make corrections and make relevant compensations. In the case of severe breach of the RRA without any correction upon notification, CNNIC is entitled to cancel the agreement and conduct further registrar transition afterwards.

(4) Where any registrant is found upon investigation of complaints to have committed violations of relevant regulations, the registrant shall be ordered to make corrections. In the case of such domain name abuse as phishing and dissemination of illegal information, the existence of which will continue to cause greater losses to the users, the domain name shall be suspended within 2 hours after verification of the misconduct.

(5) Where the complaint involves a domain name dispute, the complainant shall be told to resort to a domain name dispute resolution provider or the court based on the Uniform Domain Name Dispute Resolution Policy (UDRP) or relevant judicial procedures, then the registrar will be asked to lock the domain to prevent transfer or update until the dispute is resolved. CNNIC will further notify the registrar to unlock the domain name or make a transfer based on the dispute resolution decision.

(6) Where any information provided by the complainant is found to be inaccurate or there is no evidence to prove domain name abuse, CNNIC will reject the complaint and give corresponding explanations, and the complainant may, if not satisfied, provide further evidence to file an appeal.

28.2 Abuse Prevention and Mitigation Measures

Based on the abuse prevention and mitigation policies above, CNNIC has developed 3 measures, including an abuse monitoring and handling platform, a comprehensive contact point and customer support center for filing complaints on domain name abuse, and an information sharing outreach mechanism with industry partners.

28.2.1 Abuse Monitoring and Handling Platform

CNNIC will build an abuse monitoring and handling platform in order to monitor policy compliance of registrars, domain name applications, and post-registration domain name abuse.

28.2.1.1 Compliance Review of Registrars

CNNIC will, with reference to this plan, improve its agreement with and service standards for domain name registrars, and define their responsibility for protecting domain name users' information and the domain name abuse prevention measures they shall take.

CNNIC will also reinforce management of domain name registrars, and conduct investigation over the registrars on a regular (yearly) basis pursuant to this plan. The investigation may take the form of a spot check, and domain name registrars that are found to be disqualified shall be required to make rectifications. The investigation will mainly involve document review, staff interviews, on-site inspection, etc. The objects to be investigated include documents on system design/acceptance, relevant service and application management process and system management, records on equipment management and configuration and daily operations, systems and relevant equipment, etc. The party to be investigated shall actively cooperate with the party conducting the investigation in providing corresponding materials, and make rectifications, if necessary, based on the result of the investigation.

Specifically, CNNIC requires that:

(1) The registrar shall be capable of providing normal services due to major business problem;

(2) Registrars' service records and data backups shall illustrate the registrar's compliance with relevant policy.

(3) Result from registrant satisfaction survey shall meet an average standard.

(4) There should be no report of identified violations of RRA committed by registrars.

28.2.1.2 Review of Domain Name Applications

CNNIC will adopt the procedures of applicant identity review and rights and interests review to mitigate and prevent abuse of domain names.

28.2.1.2.1 Data Collection

The ".网络" registrars shall collect and store as many of the technical details of the registration as possible. This information has multiple uses, including registration scoring, validation, takedown resolution, investigation, etc. The registrant data to be collected includes:

(1) Registrant Name
(2) E-mail Address
(3) Registrant Personal Identification Material
(4) Company Name
(5) Proof of Company Establishment
(6) Address
(7) City
(8) Country
(9) State
(10) Zip
(11) Phone Number
(12) Additional Phone
(13) Fax
(14) Alternative Contact Name
(15) Alternative Contact E-mail
(16) Alternative Contact Phone

The registrar shall use this information for the account, not for the WHOIS information. In addition the registrar shall have a separate form for the WHOIS information that is pre-populated with this information. The registrars shall take the responsibility to explain that this WHOIS information will be used by external parties to contact that person in event of malicious activity or other issues with the domain.

28.2.1.2.2 Registration Information Authentication

From CNNIC's past experience of managing ".cn", the registration information authentication procedure can effectively prevent fake Whois data and enhance the accessibility of the contact information. Therefore, CNNIC will continue to apply these procedures in ".网络":

(1) ".网络" registrars shall strictly review the identity certificate submitted by registration applicants, and decline applications with inconsistent information on the application form, so as to ensure the authenticity and accuracy of registration records in the Whois. Where any user who has been declined is not satisfied with the review of ".网络" registrars, he or she may file a complaint to CNNIC for reconsideration, with respect to which CNNIC's determination shall be final and binding.

(2) The original documentation verified by registrars will be recorded as photocopies and forwarded to CNNIC for further review of the registration record. CNNIC will provide monitoring of registration data for accuracy and completeness of Whois data. CNNIC will also employ telephone call back methods to ensure reachable Whois contact information. Any false registration information provided by the registrants will directly result in cancellation of the application.

28.2.1.2.3 Rights and Interests Review

In the sunrise period, all applications for registration are required to be validated by ICANN's Trademark Clearinghouse to examine potential infringement of known trademarks. Only validated trademark owners are allowed to register with priority in the sunrise period. In order to validate the trademark status, the registrant shall provide proof of trademark registration and trademark usage to evidence its trademark rights to the string. Detailed requirements for such proof and the validation process will be established upon the implementation of the Trademark Clearing House.

During the first 60 days after launching general availability, CNNIC will continue to review applications to see if the domain names applied for match any trademark included in the Trademark Clearing House. Applicants who intend to apply for such domain names will be advised that a third party or parties have claimed intellectual property rights over that domain name, and will be directed to a notice that refers to the intellectual property status of the domain name. The applicant is not prevented from completing the registration. Once the application has been completed, all parties who have their trademarks for that exact domain name included in the Trademark Clearing House are advised by email that a party has registered that domain name. Included in the email will be further information on the UDRP and an explanation of steps to take for further dispute action.

In the following process of general operation, in addition, CNNIC shall review and determine whether the domain names applied for and the registration information violate the provisions of the "China Internet Domain Name Regulations". CNNIC may carry out verification of the domain name registration information manually. In case of any domain name violating the provisions of Article 27 of the Regulations or with false, inaccurate or incomplete registration information, CNNIC shall inform the registrars of such cases for cancellation.

In order to fight against phishing websites, CNNIC will also screen⁄score all registrations for ʺunusualʺ domain name registration practices, such as registering hundreds of domains at a time, or registering domains which are unusually long or complex or which include an obvious series of numbers tied to a random word (baddomain01, baddomain02, baddomain03).

CNNIC, in cooperation with APAC, will also screen⁄score all registrations for patterns known to be associated with phishing (government, bank, secure etc). CNNIC will also review all domain names proposed for registration against known sites that are often the subject of phishing type attacks to ensure ʺ.网络ʺ does not inadvertently aid in the provisioning of illegitimate content in online scams.
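The screening described in the two paragraphs above could be sketched as follows. This is an added example, not CNNICʹs own code: the numeric thresholds, the reason labels, the function names and the sample batch under the reserved `.example` TLD are assumptions, and only the three keywords the text names are used.

```python
import re
from collections import defaultdict

# Keywords the page names as phishing-associated; a production list would be longer.
PHISHING_KEYWORDS = ("government", "bank", "secure")
# Assumed thresholds: the page gives no numeric cut-offs.
BULK_THRESHOLD = 100        # registrations by one registrant in one batch
LONG_LABEL_THRESHOLD = 30   # characters in the second-level label
SERIES_MIN_RUN = 3          # baddomain01, baddomain02, baddomain03

SERIES_RE = re.compile(r"^(.*\D)(\d+)$")   # word stem followed by a trailing number


def label_of(domain):
    """Second-level label of a domain name, lower-cased."""
    return domain.lower().rstrip(".").split(".")[0]


def numbered_series(labels, min_run=SERIES_MIN_RUN):
    """Return the stems that occur with at least min_run consecutive numbers."""
    numbers = defaultdict(set)
    for label in labels:
        m = SERIES_RE.match(label)
        if m:
            numbers[m.group(1)].add(int(m.group(2)))
    stems = set()
    for stem, nums in numbers.items():
        run, prev = 0, None
        for n in sorted(nums):
            run = run + 1 if prev is not None and n == prev + 1 else 1
            prev = n
            if run >= min_run:
                stems.add(stem)
                break
    return stems


def screen_batch(batch):
    """Screen one batch of (registrant_id, domain) requests.

    Returns {domain: [reason, ...]}; an empty list means nothing unusual.
    """
    by_registrant = defaultdict(list)
    for registrant, domain in batch:
        by_registrant[registrant].append(domain)

    results = {}
    for domains in by_registrant.values():
        bulk = len(domains) >= BULK_THRESHOLD
        series = numbered_series(label_of(d) for d in domains)
        for domain in domains:
            label = label_of(domain)
            reasons = []
            if bulk:
                reasons.append("bulk")
            if len(label) >= LONG_LABEL_THRESHOLD:
                reasons.append("long")
            m = SERIES_RE.match(label)
            if m and m.group(1) in series:
                reasons.append("series")
            hits = [k for k in PHISHING_KEYWORDS if k in label]
            if hits:
                reasons.append("keyword:" + ",".join(hits))
            results[domain] = reasons
    return results


# Constructed sample batch (registrant ids and names are made up).
SAMPLE_BATCH = [
    ("r-1001", "baddomain01.example"),
    ("r-1001", "baddomain02.example"),
    ("r-1001", "baddomain03.example"),
    ("r-1001", "mybank-secure-login.example"),
    ("r-2002", "flowers.example"),
    ("r-2002", "shop7.example"),
]

if __name__ == "__main__":
    for name, why in screen_batch(SAMPLE_BATCH).items():
        print(name, why or "ok")
```

A single numbered name such as shop7 is not flagged; the series rule only fires when one registrant requests consecutive numbers on the same stem.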

28.2.1.3 Measures of Monitoring and Handling Domain Name Abuse

28.2.1.3.1 Measure for Examining Whois Accuracy

CNNIC will be continuously committed to enhancing Whois accuracy to ensure enforceability of the determinations regarding domain name abuse by taking the following measures:

(1) During the reviews, the registrars will make telephone checks in order to ensure the accuracy and accessibility of the contact information provided by registrants.

(2) In case of any change to the contact information on points of contact, registrars will be required to provide strong passwords for verification so as to prevent any third party from impairing the accessibility of the Whois information by making changes to such information;

(3) To further enhance the accuracy of Whois data, CNNIC will conduct further examination on fake or inaccurate information based on the application material submitted by the registrar. CNNIC will also conduct annual reviews on registrars in terms of Whois accuracy level;

(4) In case of any identified inaccessible Whois information concerning a domain name registration, the registrar will be advised to get in touch with the point of contact for correction of such false information. If the domain name has been involved in any abusive behavior, the domain name shall be suspended by the registrar.

28.2.1.3.2 Measures for Removing Orphan Glue Records

CNNIC will take actions to remove orphan glue records with the following procedures:

At the time a domain name is registered, or a domain name or host is updated, the host must have an IP address in order to prevent orphan NS records.

Before a domain name is deleted, if the domain name already has a host, the host must be deleted first. If the host is being used by another domain name as a name server, the domain name shall not be deleted unless the name server or the host name is changed. This procedure also applies to the host deletion process in order to prevent orphan A records.

In the circumstance that the domain name uses the host of another domain in this zone as its name server, if the domain name does not use its own host as a name server at the same time, the NS record cannot be generated.

However, CNNIC recognizes that there are two circumstances which may result in the existence of orphan glue records:

(1) If abusive behavior has been spotted on the domain name and it has thereafter been turned to ʺserverHoldʺ status, all the domains that use such domain nameʹs host as domain name server will be unable to resolve, hence will generate orphan glue records.

(2) If the domain name has been turned to clientHold status due to the registrantsʹ cause, all the domains that use such domain nameʹs host as domain name server will be unable to resolve, hence will generate orphan glue records.

In response to the above occasions, CNNIC has already adopted a DNS operation monitoring system which will spot the generated NS record in a timely manner. Once an orphan glue record has been generated, CNNIC will notify the registrar to contact registrants to change the NS server and thereafter remove the orphan glue record in the zone file.
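The check such a monitoring system performs, together with the pre-deletion rule above, could look like the following. This is an added example, not CNNICʹs system: the data model (domains with EPP statuses and NS lists, glue hosts with addresses), the function names and the sample records under the reserved `.example` TLD are assumptions.

```python
HOLD_STATUSES = {"serverHold", "clientHold"}   # EPP statuses that withdraw a delegation


def registered_parent(host, tld):
    """Registered (second-level) domain a host name sits under, or None if out of zone."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return None
    return ".".join(labels[-2:])


def is_published(name, domains):
    """True if the domain's delegation (its NS set) is emitted into the zone."""
    d = domains.get(name)
    return bool(d and d["ns"] and not (HOLD_STATUSES & set(d["status"])))


def find_orphan_glue(domains, glue, tld):
    """List glue hosts whose parent domain is no longer delegated.

    Each finding names the published domains that still depend on the host,
    i.e. the registrants who must be asked to change name servers before
    the glue record is removed from the zone file.
    """
    findings = []
    for host in sorted(glue):
        parent = registered_parent(host, tld)
        if parent is None or is_published(parent, domains):
            continue
        p = domains.get(parent)
        if p is None:
            reason = "parent not registered"
        else:
            reason = ",".join(sorted(HOLD_STATUSES & set(p["status"]))) or "parent has no NS"
        dependents = sorted(
            name for name, d in domains.items()
            if name != parent and host in d["ns"] and is_published(name, domains)
        )
        findings.append({"host": host, "parent": parent,
                         "reason": reason, "dependents": dependents})
    return findings


def blocking_dependents(name, domains, tld):
    """Other domains using a host under `name` as name server.

    Deletion of `name` is refused while this list is non-empty.
    """
    return sorted(
        other for other, d in domains.items()
        if other != name and any(registered_parent(h, tld) == name for h in d["ns"])
    )


# Constructed sample registry state (names and addresses are made up).
TLD = "example"
DOMAINS = {
    "bad.example":    {"status": ["serverHold"], "ns": ["ns1.bad.example"]},
    "victim.example": {"status": ["ok"], "ns": ["ns1.bad.example", "ns1.good.example"]},
    "good.example":   {"status": ["ok"], "ns": ["ns1.good.example"]},
    "parked.example": {"status": ["clientHold"], "ns": ["ns1.parked.example"]},
    "shop.example":   {"status": ["ok"], "ns": ["ns1.parked.example"]},
    "late.example":   {"status": ["ok"], "ns": ["ns1.gone.example"]},
}
GLUE = {
    "ns1.bad.example": ["192.0.2.10"],
    "ns1.good.example": ["192.0.2.20"],
    "ns1.parked.example": ["192.0.2.30"],
    "ns1.gone.example": ["192.0.2.40"],
}

if __name__ == "__main__":
    for f in find_orphan_glue(DOMAINS, GLUE, TLD):
        print(f["host"], f["reason"], "->", ", ".join(f["dependents"]))
```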

28.2.1.3.3 Limit of Fast-Flux Domains

In addition, CNNIC recognizes that fast‐flux domains, that is, domains for which either the base IP address (A record) or nameserver address (NS record), or both (known as double‐flux), are changed numerous times during the day, are now increasingly being used by criminal phishing, spam, and botnet gangs to ensure the resiliency of their sites and make it increasingly difficult for takedown authorities to remove or restrict access to illegitimate sites. This problem can be addressed partially by preventing or making it much more difficult to frequently change the NS record of a domain registration. There is very little, if any, legitimate need to change the NS record for a domain more than a few times a month and any such action should trigger immediate red flags and possible investigation of the domain for illegal activity.

CNNIC will limit the ability of registrants to repeatedly change their name servers via a programmatic interface to reduce or eliminate automated name server hopping. With domains that change name servers more than twice a week (except by agreement), scrutiny and even the suspension of the domain will be conducted until a suitable explanation is provided by the registrant.
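The ʺmore than twice a weekʺ rule above can be applied to an audit log of name server updates as follows. This is an added example, not CNNICʹs implementation: the log format, the rolling 7-day window, the function name and the sample events are assumptions, and the exempt set stands for domains covered ʺby agreementʺ.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)
MAX_CHANGES = 2   # more than two changes inside one window triggers scrutiny


def flag_ns_hopping(events, exempt=frozenset()):
    """Find domains whose NS set changed more than MAX_CHANGES times in a week.

    events: iterable of (iso_timestamp, domain, ns_list) update records.
    The first record seen for a domain is its baseline, not a change, and
    updates that leave the NS set unchanged (for example a reorder) are ignored.
    Returns {domain: (timestamp_of_breaching_change, changes_in_window)}.
    """
    parsed = sorted(
        ((datetime.fromisoformat(ts), dom.lower(), frozenset(h.lower() for h in ns))
         for ts, dom, ns in events),
        key=lambda e: e[0],
    )
    current = {}                  # domain -> NS set currently on record
    recent = defaultdict(deque)   # domain -> times of changes inside the window
    flagged = {}
    for when, domain, ns in parsed:
        if domain not in current:
            current[domain] = ns
            continue
        if ns == current[domain]:
            continue
        current[domain] = ns
        window = recent[domain]
        window.append(when)
        while when - window[0] >= WINDOW:   # drop changes older than one week
            window.popleft()
        if len(window) > MAX_CHANGES and domain not in exempt and domain not in flagged:
            flagged[domain] = (when.isoformat(), len(window))
    return flagged


# Constructed audit log (domains, hosts and dates are made up).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "hop.example", ["ns1.a.example", "ns2.a.example"]),
    ("2024-03-02T09:00:00", "hop.example", ["ns1.b.example", "ns2.b.example"]),
    ("2024-03-03T09:00:00", "hop.example", ["ns1.c.example", "ns2.c.example"]),
    ("2024-03-05T09:00:00", "hop.example", ["ns1.d.example", "ns2.d.example"]),
    ("2024-03-01T10:00:00", "calm.example", ["ns1.a.example", "ns2.a.example"]),
    ("2024-03-02T10:00:00", "calm.example", ["ns1.b.example", "ns2.b.example"]),
    ("2024-03-04T10:00:00", "calm.example", ["ns2.b.example", "ns1.b.example"]),
    ("2024-03-12T10:00:00", "calm.example", ["ns1.c.example", "ns2.c.example"]),
    ("2024-03-13T10:00:00", "calm.example", ["ns1.d.example", "ns2.d.example"]),
    ("2024-03-01T11:00:00", "cdn.example", ["ns1.a.example"]),
    ("2024-03-02T11:00:00", "cdn.example", ["ns1.b.example"]),
    ("2024-03-03T11:00:00", "cdn.example", ["ns1.c.example"]),
    ("2024-03-04T11:00:00", "cdn.example", ["ns1.d.example"]),
]

if __name__ == "__main__":
    print(flag_ns_hopping(SAMPLE_EVENTS, exempt={"cdn.example"}))
```

calm.example changes three times in total but never more than twice within any seven days, so it is not flagged.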

28.2.2 Measures for Protecting the Domain Name User Information throughout Lifecycle

In view of the lifecycle of ʺ.网络ʺ domain name user information, there are four steps to be considered in the formulation of protection measures: information submission from the user to the domain name registrar, custody and use of the information by the domain name registrar, information transmission from the domain name registrar to the domain name registry, and custody and use of the information by the registry.

28.2.2.1 Information Submission from the User to the Registrar

28.2.2.1.1 Obtaining Consent to the Personal Data Processing

CNNIC will notify each ICANN-accredited registrar that is a party to the registry-registrar agreement for the TLD of the purposes for which data about any identified or identifiable natural person (ʺPersonal Dataʺ) submitted to CNNIC by such registrar is collected and used, and require such registrar to obtain the consent of each registrant in the TLD for such collection and use of personal data.

Registrar shall agree that it will not process the Personal Data collected from the Registered Name Holder in a way incompatible with the purposes and other limitations about which it has provided notice to the registered name holder in accordance with the RRA.

Registrars shall send a notice to each holder of newly registered domain names or that of renewed domain names stating:

*The purposes for which any Personal Data collected from the applicant are intended;

*The intended recipients or categories of recipients of the data (including CNNIC and others who will receive the data from Registry Operator);

*Which data are obligatory and which data, if any, are voluntary;

*How the Registered Name Holder or data subject can access and, if necessary, rectify the data held about them.


28.2.2.1.2 Data Access Control for Security

Registrars shall conduct regular system-level vulnerability scanning of the online system through which users submit information, so that security vulnerabilities are detected promptly and the system is reinforced; system accounts⁄passwords shall be kept with encryption.

28.2.2.1.3 Non-online Data Processing

As to domain name registration materials submitted by means of email, fax or post, domain name registrars shall designate dedicated staff to receive and handle them. Electronic data shall be deleted promptly after being transferred to magnetic tape⁄CD⁄portable hard drive for offline storage.

28.2.2.2 Custody and Use of Information by Domain Name Registrars

Registrar shall agree that it will take reasonable precautions to protect Personal Data from loss, misuse, unauthorized access or disclosure, alteration, or destruction. Specifically, domain name registrars shall take the following measures to reinforce protection of usersʹ information:

28.2.2.2.1 Secure Storage of Personal Data

(1) The backstage business operation system and the front-end service systems (Whois system, online submission system, etc.) shall not share the same server and storage system;

(2) Access control shall be conducted with respect to the backstage business system and front-end public service system.

(3) User information under protection (including certificate of incorporation, personal certificates, telephones, family address, etc.) shall be encrypted before being written into the database. Sensitive information may not be read directly from the database.

(4) Identity verification materials which are in picture format shall be encrypted before being stored online or, if stored offline, be transferred to such media as magnetic tape⁄CD⁄portable hard drive for proper storage.

(5) Materials may be stored in the online system for up to 90 days.

28.2.2.2.2 Control of Information Access

(1) Encrypted domain name user information shall be made available for search and use only after being decrypted with special application systems.

(2) Access to domain name user information by application systems shall be controlled by allowing access only by designated personnel or systems. A combination of such access control functions as IP restriction, username⁄password, etc. will be used.

28.2.2.2.3 Proper Storage of Offline Data

(1) Paper materials and electronic media shall be kept by designated personnel and stored under lock in normal times, and an access password shall be set for data stored in electronic media.

(2) Reviews shall be conducted with respect to the use of paper materials and electronic media, and records shall be made in respect thereof, including the object to be used, time of use, purpose, and signatures of the custodian and the user.

28.2.2.2.4 Data Removal

In the absence of extenuating circumstances, any personal data must be deleted within 45 days of either the registrar or the registrant terminating a registration agreement. Extenuating circumstances are defined as:

(1) UDRP action

(2) valid court order

(3) failure of a Registrarʹs renewal process (which does not include failure of a registrant to respond)

(4) the domain name is used by a name server that provides DNS service to third-parties (additional time may be required to migrate the records managed by the name server)

(5) the registrant is subject to bankruptcy proceedings, payment dispute (where a registrant claims to have paid for a renewal, or a discrepancy in the amount paid)

(6) billing dispute (where a registrant disputes the amount on a bill)

(7) domain name subject to litigation in a court of competent jurisdiction, or other circumstance as approved specifically by ICANN.

28.2.2.3 Information Transmission from the Domain Name Registrar to the Domain Name Registry

CNNIC is responsible for the security of the transmission of information from the registrar to itself.

28.2.2.3.1 Network Transmission Encryption

Specific measures may include: HTTPS encryption for WEB services, SSL encryption for EPP registration services, and FTPS or SFTP encryption for FTP services.

28.2.2.3.2 System Reinforcement and Access Control

To detect security vulnerabilities promptly, CNNIC will conduct vulnerability scanning at the system level on a regular basis with respect to the online system through which registrars submit information. System accounts⁄passwords will be kept with encryption.

28.2.2.3.3 Non-online Data Receiving and Handling

As to domain name registration materials submitted by means of email, fax or post, domain name registrars shall designate dedicated staff to receive and handle them. Electronic data shall be deleted promptly after being transferred to magnetic tape⁄CD⁄portable hard drive for offline storage.

28.2.2.4 Custody and Use of Information by Domain Name Registry

CNNIC will take reasonable steps to protect Personal Data collected from loss, misuse, unauthorized disclosure, alteration or destruction. CNNIC will not use or authorize the use of Personal Data in a way that is incompatible with the notice provided to registrars in the RAA. Upon receiving domain name user information, CNNIC will take the following measures to reinforce protection of usersʹ information.

28.2.2.4.1 Secure Storage of Personal Data

(1) The backstage business operation system and the front-end service systems (Whois system, online submission system, etc.) shall not share the same server and storage system;

(2) User information under protection (including personal certificates, telephones, family address, etc.) shall be encrypted before being written into the database. Sensitive information may not be read directly from the database.

(3) The backstage storage system shall be separated physically from and may not share the same server with the front-end user information transmission system.

(4) Access control shall be conducted with respect to the storage system via software or hardware firewall.

28.2.2.4.2 Control of Information Access

(1) Encrypted domain name user information shall be made available for search and use only after being decrypted with special application systems.

(2) Access to domain name user information by application systems shall be controlled by allowing access only by designated personnel or systems. A combination of such access control functions as IP restriction, username⁄password, etc. will be used.

28.2.2.4.3 Proper Storage of Offline Personal Data

(1) Paper materials and electronic media shall be kept by designated personnel and stored under lock in normal times, and an access password shall be set for data stored in electronic media.

(2) Reviews shall be conducted with respect to the use of paper materials and electronic media, and records shall be made in respect thereof, including the object to be used, time of use, purpose, and signatures of the custodian and the user.

28.2.2.4.4 Data Removal

In the absence of extenuating circumstances, any personal data must be deleted within 45 days of either the registrar or the registrant terminating a registration agreement. Extenuating circumstances are defined as:

(1) UDRP action

(2) valid court order

(3) failure of a Registrarʹs renewal process (which does not include failure of a registrant to respond)

(4) the domain name is used by a name server that provides DNS service to third-parties (additional time may be required to migrate the records managed by the name server)

(5) the registrant is subject to bankruptcy proceedings, payment dispute (where a registrant claims to have paid for a renewal, or a discrepancy in the amount paid)

(6) billing dispute (where a registrant disputes the amount on a bill)

(7) domain name subject to litigation in a court of competent jurisdiction, or other circumstance as approved specifically by ICANN.

28.2.3 Comprehensive Contact Point for Filing Complaints

28.2.3.1 Contact Channel

For the purpose of receiving reports on domain name abuse, CNNIC has published at the homepage of its official website (www.cnnic.cn) the following contact information for abuse complaints:

*Complaints Hotline: +86-10-58813000

*Email: supervise@cnnic.cn

*Fax: +86-10-58812666

*SMS: 12302 (applicable to complaints filed within China mainland)

*Online complaint form available at: jubao.cnnic.cn

The contact point is accessible 24 hours a day, 7 days a week. The channels listed above accept abuse complaints of all kinds and guarantee replies within five working days. Complainants should describe the domain names they are complaining about, the abusive behaviors and the consequences, and provide their contact information including phone numbers, email addresses, etc. so that the results of complaint handling by CNNIC can be received in time.

28.2.3.2 Measures for Abuse Complaints Handling

28.2.3.2.1 Identification of Abusive Behaviors

A dedicated review team of domain name abuse will be employed by CNNIC to verify the domain name abuse complaint. CNNIC will remain updated on the policies concerning domain name abuse made by ICANNʹs Registration Abuse Policies Working Group (RAPWG), and thereby identify different kinds of abusive behaviors and inform related domain name holders of the results of such identification.

28.2.3.2.2 Approaches to Abuse Complaints Handling

Approaches to abuse complaints handling include general procedures and rapid suspension procedures:

(1) The general procedures are applicable mainly to those abusive behaviors where the persistent existence of domain names will not lead to further losses of Internet users, such as domain name registration abuse. The specific enforcement procedures are as follows:

*Once an abuse complaint is received, CNNIC will forthwith change the EPP status of the domain name concerned to ʺserverTransferProhibitedʺ, and inform the holder of the domain name concerned. The abuse examiner will verify related abusive behaviors within 5 working days;

*In the case of a cyber-squatting complaint where the Uniform Domain-Name Dispute-Resolution Policy (UDRP) is applicable, the complainant will be advised to submit the dispute to the domain name dispute resolution provider or court for resolution. The domain name registrar is required to lock the domain name from further transfer or update once the dispute has been confirmed by the dispute resolution provider. Thereafter, upon receipt of the domain name dispute resolution decision or law enforcement request, the relevant registrar shall proceed with the domain name unlock, transfer or suspension within 3 working days.

*In the case of complaint on registrarʹs violation of RRA or CNNICʹs misconduct, CNNIC will verify the complaint within 5 working days and notify the relevant registrar or personnel to make correction of their illicit behavior or terminate the agreement if applicable;

(2) The rapid suspension procedures are applicable to abusive behaviors regarding the use of domain names such as phishing or spreading of illegal contents, which may cause further losses to internet users. This procedure will most likely be the result of a complaint filed via APAC or the 12321 Center. The specific enforcement procedures are as follows:

*Once an abuse complaint is received, the relevant registrar will be required to directly lock the domain to prevent further transfer and update, while a dedicated group is assigned to communicate with the relevant complainant to authenticate the complaint manually within 1-3 hours.

*After verification, the relevant registrar will be required to directly suspend the domain name in the SRS system and the EPP status will be changed to ʺserverHoldʺ, so that the domain name will not be able to resolve or be transferred until it is ʺrestoredʺ. The domain name holder and the registrar concerned will be informed at the same time to make corrections. After the registrant has stopped the abusive behavior and made adequate correction, which needs to be confirmed by the registry, the registrar will restore the domain name to the status before suspension.

*Once the complaint is determined to be tenable and no further appeal or correction has been confirmed by the registry within 60 days, the registry will take down the domain name and delete the registration record, which means the domain name becomes generally available.

*CNNIC will ensure that glue records using an invalid domain are removed when that domain is found to be invalid, even if those glue records are in use in conjunction with other domains.

*The registrar concerned shall inform the domain name holder three times: when the domain name has been locked, suspended, and canceled.

28.2.3.2.3 Support Escalation

CNNIC will operate with an escalation device. Normally support calls or other forms of communication shall start with the lowest level of support, and be escalated should the first level of support be insufficient. In cases where higher levels of support are immediately apparent (all levels of support staff will be trained in identifying these) the escalation chain may be jumped. Also, should the time limit expire with no notice, the support level may be escalated. The escalation levels and response requirements are as follows:

Level 1: Entry level support, basic complaints of operations or inquiries of registrar information, provided on an immediate 24⁄7 level.

Level 2: Technical based question, usually unique to the registrar, that may require support from a registry systems operator or engineer.

Level 3: Systems outage involving non-critical operations to the registry affecting one or more registrars only, but not the entire system.

Level 4: Catastrophic outage, or disaster recovery involving critical operations to the registry overall.

All customer service functions should make the fullest use of customer management resource (CMR) systems, computer telephony integration (CTI) and databases to retain a reliable record of registry performance. While the introduction of such systems may be gradual, the goal should be to provide automated systems as far as possible in order to increase efficiency and scale of operations.

28.2.4 Measures for Cooperation on Abuse Prevention

CNNIC will establish an information sharing mechanism jointly with the Anti-Phishing Alliance of China (APAC), the Anti-Phishing Working Group (APWG), the National Computer Network Emergency Response Technical Team ⁄ Coordination Center of China (CNCERT⁄CC) and the 12321 Internet Spam Information Reporting and Resolution Center. CNNIC will be committed to sharing information on domain name abuse prevention and mitigation with those industry partners. Data to consider sharing include:

(1) IPs associated with fraudulent domain registrations with respectable blacklists;

(2) Full fraud reports with industry and law enforcement;

(3) Best practices regarding accepting and managing domain registrations.

28.2.4.1 Cooperation with APAC

CNNIC is an initiator and key member of the APAC, and the place where the Secretariat and the Secretary General of APAC are located. CNNIC has published at the homepage of its official website the complaint channels provided by APAC.

28.2.4.1.1 Reports on phishing websites may be submitted to APAC through the following channels:

(1) Email: jubao@apac.cn

(2) Telephone: 010-58813000

28.2.4.1.2 The cooperation between CNNIC and APAC with regard to phishing websites will be carried out under the following procedures:

(1) Upon receiving complaints on phishing websites involving APAC members, the Secretariat of APAC will submit the complaints to third party technology authentication institutions for webpage analysis; the Secretariat should make determinations within one working day; in case of any difficulties or complicated circumstances, the Secretariat will ask for advice from the expertsʹ committee before making determinations;

(2) If any phishing website is identified, a notice will be sent to the registrar by mail. The registrar should suspend the domain name resolution within two hours upon receipt of the notice, and resolve the name to the information page of the phishing website.

(3) If the registrar fails to suspend the domain name resolution within two hours, CNNIC, as a registry, will suspend the resolution directly and resolve the domain name to the information page of the phishing website.

(4) Any opposition held by the registrant may be filed with the Secretariat of APAC;

(5) The Secretariat of APAC will inform its members and the complainant concerned of the results of such procedures.

28.2.4.1.3 Cross Reference of Phishing Websites URLs

The APAC can provide a daily feed to the registry listing all of the phishing URLs identified by the APAC community for cross reference. CNNIC would check against this information at DNS set-up or modification time; and meanwhile, conduct periodic scanning for suspicious phishing websites.

28.2.4.2 Cooperation With Anti-phishing Working Group (APWG)

The APWG can also provide a daily feed to the registry listing all of the phishing URLs identified by the APWG community for cross reference. CNNIC would check against this information at DNS set-up or modification time; and meanwhile, conduct periodic scanning for suspicious phishing websites.

Specifically, CNNIC shall:

(1) assist APWG in carrying out online phishing investigation and publish in a timely manner the trend of the distribution of phishing websites in our country;

(2) regularly follow up the reports published by APWG on phishing websites and establish a contact interface for receiving phishing URLs updates submitted by APWG;

(3) verify within one working day upon receipt of any complaint of the phishing domain in light of request by APWG, notify the registrar to handle the complaint, and after verification, resolve the domain name to the IP address which contains the notice of the phishing website.

28.2.4.3 Cooperation with National Computer Network Emergency Response Technical Team⁄Coordination Center of China (CNCERT⁄CC)

CNNIC will cooperate with CNCERT⁄CC in dealing with network virus transmission and system attack via domain names. CNCERT⁄CC, an emergency response team responsible for coordinating security events of computer networks in China, provides the national public internet, major national network information systems and key departments with such services as security monitoring for computer networks, early warning, emergency response and precaution as well as technical support, and collects, verifies, gathers and publishes in a timely manner authoritative information on internet security. It has currently become an official member of the international authoritative organization, Forum of Incident Response and Security Teams (FIRST).

The interaction between CNNIC and CNCERT is mainly reflected in the following aspects:

(1) CNNIC will follow up on a regular basis on vulnerabilities and early warnings on viruses related to the DNS system published by CNCERT, and CNCERT will provide assistance in inspecting whether any ʺ.网络ʺ domain name is involved in virus transmission;

(2) CNNIC will promptly deal with vulnerabilities in the domain name system in view of opinions of CNCERT on handling abuse events, and establish service levels against network attacks;

(3) CNNIC will assist CNCERT in carrying out research on unexpected network events and gathering statistics on and monitoring the trend of distribution of botnet and malware in our country.

28.2.4.4 Cooperation with the 12321 Internet Spam Information Reporting and Resolution Center

The 12321 Internet Spam Information Reporting and Resolution Center (hereinafter referred to as the ʺ12321 Centerʺ), a complaint acceptance agency established by the Internet Society of China under the entrustment of the Ministry of Industry and Information Technology (formerly known as the Ministry of Information Industry), is responsible for assisting the Ministry of Industry and Information Technology in undertaking such work as complaint acceptance, investigation, analysis and imposition of punishment with regard to illicit information (including unsolicited information sent to end users) transmitted via information communication networks such as the internet, mobile phone network, telephone network or other telecommunication services.

CNNICʹs cooperation with the 12321 Center is mainly reflected in the following aspects:

(1) receive complaints on domain names which contain illicit information reported by the 12321 Center, and promptly search the Whois for the registration contact persons of the domain names which involve such information for further law enforcement;

(2) notify relevant registrars to rapidly suspend domains spreading illicit information against which complaints are filed;

(3) provide assistance in gathering statistics on and tracking the results of illicit information handling.


28.3 Resource Planning

28.3.1 Staffing

With proven capabilities for scaling its staff to meet the needs at peak level demands for complaint handling and customer service, CNNIC will benefit from its current staffʹs expertise to support the execution of domain name abuse prevention. Meanwhile, CNNIC also benefits from its unique position in close relation with the Chinese Academy of Sciences in terms of talent recruiting. Many staff came directly from this top education institution in China with long term determination to contribute.

28.3.1.1 Initial Staffing

We expect that the above measures of domain name abuse mitigation for the new gTLD will be executed by the same staff shared with existing TLDs ʺ.cnʺ and ʺ.中国ʺ and the prospective new gTLD ʺ.公司ʺ which CNNIC has applied for. In order to provide higher standard services with a lower rate of domain name abuse, in addition to its current staff, CNNIC will also recruit additional staff in the start-up period for the first 3 years of operation for maintaining the functionality described above.

28.3.1.1.1 Management Positions (Please see the attached document Q28_attachment_CV of key managerial personnel for reference)

(1) CNNIC assigns its Director of Business Operation responsibility for ensuring high-quality domain name application review, customer support and complaint handling for registrars and end-users and for refining and developing additional policy in conjunction with ICANN. CNNIC expects this role to be critical during the Sunrise and Land Rush Period, during which time domain name registrations rise significantly.

(2) CNNIC will also assign its experienced legal manager to handle any registry misconduct lawsuit and intellectual property dispute, and to serve as an ombudsman, assisting registrants and registrars in dispute resolutions related to ʺ.网络ʺ and responding to Registry Restriction Disputes according to the Registry Restriction Dispute Resolution Procedure.

(3) CNNIC will guarantee neutrality for all the TLDs under CNNICʹs management. By assigning a different product manager to each TLD, who will keep checking the overall service performance of that TLD by means of registrar or registrant surveys, a balance between different TLDsʹ services and higher resource efficiency will be achieved.

28.3.1.1.2 Customer Support Staff

CNNIC has set up a customer support centre providing 7×24 hoursʹ service to handle inquiries and complaints from registrants. Upon ICANNʹs delegation of ʺ.网络ʺ and ʺ.公司ʺ, the volume of end-usersʹ inquiries and complaints is expected to rise accordingly and more staff members will be hired to enhance the service capacities. Based on the original staffing basis of 31 employees, 5 additional employees will be recruited to support the new operation. The staff members are divided into 3 subgroups:

*Registrant Service group providing telephone inquiries and complaints handling services;

*Registrant Caring group responsible for registrant visiting and renewal reminding;

*Service Supporting group performing back-office support and performance supervision for the customer support centre.

28.3.1.1.3 Registrar Supporting Staff

The Registrar Supporting Group provides 7×24 hoursʹ telephone or on-site support to the registrars. This support will be dedicated primarily to operational registrars, along with responding to inquiries from potential registrars. Overall, the registrar supporting group shall attempt to provide round the clock, real time professional support ranging from basic inquiries to high level operations critical technical support. Registrar contractual compliance review and performance evaluation shall also be supported by this group periodically. Registrars shall receive equal levels of support regardless of their location of operations. Based on our current staffing of 9 employees, we expect that 1 more staff member will be hired to improve our service offerings for the new gTLD.

28.3.1.1.4 Review and Monitoring Staff

CNNIC currently has 20 members to review domain name applications and monitor Whois accuracy on a 5×8 hoursʹ basis. As all required staff members are expected to be on duty starting from the start-up period, additional recruitment must meet the needs of the peak registration season. 1 more staff member responsible for supervision of review work and monitoring of registration status should be hired to support the new gTLD, forming a team of 21 persons.

28.3.1.1.5 Outreach Cooperation Liaison Team

CNNIC has already established a long-term cooperation mechanism to cooperate with the Anti-phishing Alliance of China, the International Anti-phishing Working Group and the 12321 Network Negative Information Complaint Center. 2 members have been assigned as regular contacts for the above functions, and they will also take charge of liaison with the Trademark Clearinghouse and the Uniform Rapid Suspension System Provider as well as any other body designated by ICANN. Therefore, we see no need for further staffing expansion.

28.3.1.1.6 Security Specialist

In order to monitor and handle domain name abuse caused by system vulnerabilities or human error, CNNIC will assign technical personnel to serve as security specialists who actively monitor and prevent domain name abuse. The security specialists will operate with an escalation mechanism supporting customer complaints. Specifically, their tasks include monitoring for generated orphan glue records or phishing websites and communicating with the relevant registrar for further solutions. As discussed in Question 31, CNNIC has already allocated 6 persons to serve this function, including 2 additional staff already recruited for the expanded operation of the new gTLDs.

28.3.1.2 Staffing on Ongoing Basis

CNNIC has been structured to operate with an initial human capital investment to staff and manage the infrastructure required for sustaining the domain name abuse policies during the first 3 years of operations. The current staffing model also allows for back-up staffing, which provides a better overall understanding of our systems security. CNNIC foresees little expansion required for domain name abuse prevention and mitigation. However, CNNIC will expand its staff if necessary on an ongoing basis. Staffing allocations may also need to be adjusted as demand for our services increases. Adjustments could include overall staff size or refinements to required technical skills. Cross-training will be used in all positions to promote job interest. Specific factors which could affect staffing levels include:

(1) Increase in the number of registrars;

(2) Higher than anticipated domain name registration or transfer requests;

(3) Higher than anticipated complaint volume;

(4) Higher than anticipated domain name disputes;

(5) Increase in the complexity of our services.

Additional staff requirements will be met through a rigorous recruitment process following the employment requirements. To meet registration demand and the cumulative growth of new registrars, CNNIC may hire 5 additional staff members for the functions described above in the fourth and fifth years of ".网络" operations, as necessary.

28.3.1.3 Requirements for Employees

CNNIC is structured to meet the needs of its customers: registrars, registrants, the Internet community at large, and ICANN. CNNIC staff will meet or exceed the stated requirements in skills, competence, and experience. The staff will be augmented during the initial 3 years and thereafter, as necessary, by subject-matter experts. Our requirements for employees are as follows:

(1) All key management and technical positions will be staffed with employees who have demonstrated successful previous experience.

(2) Our customer service and complaint handling staff will embody the customer sensitivity and efficiency that are essential to achieving a positive client reception of the registry services.

(3) Standard background investigations will be applied to all permanent and temporary positions. We will verify employment history and check references with prior employers, perform credit and criminal checks, and explore any employment gaps.

(4) Staff members will be required to sign non-disclosure agreements to protect proprietary information for CNNIC and its clients.

28.3.2 Equipment Planning

28.3.2.1 Major Systems

CNNIC has provided software and hardware for the domain name application review, customer self-service, customer support and abuse monitoring, including the following:

28.3.2.1.1 Electronic Registrant Review System

This system will collect the application information transmitted to CNNIC by registrars and display the information in a user-friendly format for CNNIC staff to review the application. Once the review process has finished, the system also connects with the shared registration system for further processing of the domain name registration status.

28.3.2.1.2 Customer Self-Service System

CNNIC will set up a multi-language customer self-service system on our official website. This webpage will contain the following functions:

* Web-based searchable Whois;

* Registrar information and contact;

* ".网络" Registration Policy Tutorial;

* Complaint and dispute challenge filing tutorial;

* Web-based complaint channel;

* ".网络" related frequently asked questions (FAQs).

28.3.2.1.3 Customer Support System

CNNIC has provided an interface on its website that allows a user to determine the appropriate customer support contact information based on the domain name. Access to our customer support will be through telephone, email and a web-based interface. CNNIC has integrated Customer Relationship Management (CRM), accounts, trouble ticketing and document tracking into its customer support system infrastructure. Computer telephony integration (CTI) and databases are also used to retain a reliable record of registry performance.

28.3.2.1.4 System Monitoring and Database Management Systems

The system monitoring applications developed by CNNIC create a detailed error alert if the application encounters a situation of domain name abuse, such as an orphan glue record having been generated or a suspected phishing website being spotted with a domain string confusingly similar to that of a specific renowned website. These application alerts are automatically sent to the security team, which generates an alert to the Operations staff 24/7.

28.3.2.2 Work Space and Administrative Resources

CNNIC's current work site is equipped to accommodate all required personnel listed above. Every staff member has been equipped with at least one desktop computer. All software required for work is pre-installed on their computers. Internet and telephone connections are also provided to every staff member by our office assistance team.

The current infrastructure will be sustainable for the projected 3 years of initial operation of ".网络". CNNIC will update the software and hardware in a timely manner on an ongoing basis, if necessary.

28.3.3 Funding

CNNIC is planning to invest enough funding to ensure the implementation of the policies and measures on domain name abuse. The funding will support our customer service, technical security maintenance and other administrative functions such as website design and equipment updates. Please see Question 47 for the detailed amount of funding for each section.

gTLD: .公司
Full Legal Name: Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center)
E-mail suffix: cnnic.cn

28 Domain Name Abuse Prevention and Mitigation

For the purpose of minimizing abusive registration and other activities that have a negative impact on Internet users, CNNIC has thoroughly measured different types of potential acts of domain name abuse, and correspondingly formulated a series of policies on preventing and mitigating domain name abuse, including registrar enforcement procedures, registration review procedures and complaint handling procedures.

In order to implement the above policies, CNNIC will adopt measures such as constructing a comprehensive contact point for filing complaints on domain name abuse, a whole life-cycle domain abuse monitoring and handling platform, and an information sharing mechanism with industry partners to prevent domain name abuse. Based on these measures, CNNIC will make sure that problems of domain name abuse are detected and resolved efficiently, while Whois accuracy and completeness are concurrently improved. To implement the above policies and measures, CNNIC has allocated resources in terms of manpower, equipment and finance, and worked out an implementation plan on a start-up and ongoing basis.

28.1 Policies of Domain Name Abuse Prevention and Mitigation

28.1.1 The Definition of Malicious or Abusive Behavior

Based on the standards for domain name abuse formulated by the Registration Abuse Policy Working Group (RAPWG) of SSAC (Security and Stability Advisory Committee) (February 2009, available at http://gnso.icann.org/issues/rap/rap-wg-final-report-29may10-en.pdf), CNNIC defines acts of domain name abuse as those that:

(1) cause actual and substantial harm, or are a material predicate of such harm, and

(2) are illegal or illegitimate, or are otherwise considered contrary to the intention and design of a stated legitimate purpose, if such purpose is disclosed.

28.1.2 Scope of Malicious or Abusive Behavior

Based on the definition by RAPWG and by reference to the report by the Fast-Flux working group (03 September 2009, available at http://gnso.icann.org/meetings/minutes-03sep09.htm), CNNIC currently defines 10 types of domain name abuse that may be mitigated at the registry level, categorized as registration abuse and use abuse as follows:

28.1.2.1 Registration abuse includes:

(1) Cybersquatting

(2) Front running

(3) Pornographic or offensive domain names

(4) Fake renewal notice

(5) Domain spinning

(6) Domain tasting

28.1.2.2 Malicious use of domain names includes:

(1) Conduct phishing to steal users' information or commit fraud;

(2) Take advantage of the domain name to spread viruses or install malware for botnet command-and-control;

(3) Send out spam;

(4) Disseminate malicious information (concerning child pornography, race discrimination, sex discrimination, etc.) that goes against international ethics and morality or interferes with public order.

28.1.3 Domain Name Abuse Prevention and Mitigation Implementation plan

Please refer to the attached Q28_attachment_table for a detailed description of the policies defining malicious and abusive behaviors in each category above. CNNIC provides the capture metrics and solutions to deal with those abusive behaviors in the stages of registrar management, active monitoring and suspension, and complaint handling, respectively.

28.1.4 Proposed Policies and Procedures for Prevention of Domain Name Abuse

28.1.4.1 Provisions on Registrars for Domain Name Abuse Prevention

Any registrar seeking to register domain names in the proposed gTLD will be required to execute a Registry-Registrar Agreement ("RRA"), which will govern the relationship between the registrar and CNNIC. The agreement will specify the services (i) that CNNIC will provide for the registrars, such as domain name registration services, registry hosting and operation, and full-database Whois functionality; and (ii) for which registrars will be responsible, such as providing all customer support functions for domain name registrants.

CNNIC will, based on the Registrar Accreditation Agreement (RAA) requirements formulated by ICANN, establish a code of conduct for registrars of the ".公司" domain to control domain name abuse by registrars, and cooperate with the registrars to mitigate and prevent domain name abuse. The following policies are included in the RRA of CNNIC for prevention of domain name abuse.

28.1.4.1.1 Registrar Qualification Requirement

To prevent and mitigate domain name abuse, CNNIC requires that registrars shall:

(1) be accredited by ICANN, i.e., have been validly accredited by ICANN pursuant to the RAA;

(2) set up a domain name registration service system within China with technical and customer service staff specializing in domain name services;

(3) have the credibility or capability of providing clients with long-term services;

(4) develop business development plans and related technical schemes;

(5) take effective network and information security safeguard measures;

(6) establish a sound domain name registration exit mechanism;

(7) comply with other relevant national rules and regulations.

28.1.4.1.2 Prohibited Terms

In the process of domain name registration service provision, the domain name registration service providers are not allowed:

(1) To provide domain name registration services in the disguised name of governments, or other enterprises, public institutions or social organizations;

(2) To occupy domain name resources in a disguised form by registering domain names based on false information;

(3) To provide domain name registration services by using such unfair competition means as misleading and threatening users;

(4) To induce users to register domain names that are confusingly similar to those that are already registered;

(5) To force users to extend the term of domain name registration or sell bundled services;

(6) To fail to submit registration information to CNNIC in accordance with the actual registration years of domain name users;

(7) To reject without any justified reason applications filed by domain name holders for the password for domain name transfer, or to charge them for such applications;

(8) To use the Whois database to send unsolicited e-mail to registrants, to solicit registrants by telephone or to use the database for other commercial purposes;

(9) To purchase domain names for any purpose except instances where the registrar has a bona fide intent to use that domain name on its own behalf;

(10) To conduct other behaviors which are in violation of laws and regulations or infringe upon the interests of domain name users.

28.1.4.1.3 Cooperation Between CNNIC and Registrars for Prevention of Domain Name Abuse

The RRA lays down the registrars' obligations for cooperation with CNNIC in terms of domain name abuse mitigation and prevention. Specifically, registrars shall:

(1) establish a sound network and security emergency response system and intensify the domain name registration review to ensure the authenticity of the information provided by the registrants;
Note: CNNIC will provide regular monitoring of registration data for accuracy and completeness, employing telephone call-back methods to investigate the Whois accuracy level.

(2) set up a help desk to receive complaints filed by the users on domain name abuse and disputes, to serve as the first-level complaint contact point;
Note: CNNIC will serve as the second-level complaint contact point for the customer.

(3) implement, based on the Uniform Domain Name Dispute Resolution Policy, the decisions, judgments or verdicts of domain name dispute resolution providers or courts to rapidly take down or suspend relevant domain names, and provide the registrants with corresponding notices and explanations;

(4) establish expedited channels and contact information for law enforcement and community partners and drive towards response times for domain name takedown requests in the 1-3 hour range;

(5) provide a user ID and password at the time of registration, and provide registration data update, domain name transfer and cancellation services upon password verification and identification document authentication. The domain name may be changed and put into use only upon obtaining the approval of the registrars within three working days after the registrars receive the application form for domain name registration data update, domain name transfer and cancellation.

28.1.4.1.4 Billing and Collection Provisions

In order to combat free domain tasting, which may lead to cybersquatting, and in accordance with current ICANN policy of the RAA, CNNIC will include provisions in the RRA requiring registrars to receive a reasonable assurance of payment from any potential domain name registrant prior to submitting any registration request on behalf of that registrant.

In accordance with current ICANN policy, CNNIC recognizes that registrars may occasionally submit registrations to CNNIC in error. In such cases, the RRA will provide that registrars may receive refunds if they notify CNNIC of the error within five business days of the submission. CNNIC believes that this five-day term enhances registrar monitoring of inadvertent registrations.

Finally, the RRA will specify that if a registrar does not receive payment for a domain name registration within forty five days after the payment becomes due, then the registrar will be obligated to cancel the registration and return the domain name to the general registry pool of available names. This policy will prevent registrars from being able to trade or sell domain names for their own accounts in a secondary market environment.

28.1.4.1.5 Agreement Termination

The RRA will enable CNNIC to reject registration requests from a registrar that is not in compliance with the RAA or any ".公司" registration policy. CNNIC will continue to reject such requests until the registrar ceases its non-compliance. In the event that such non-compliance continues, CNNIC will have the right to terminate the RRA. When the RRA is terminated by CNNIC for any reason, ".公司" domain name registrations managed by that registrar will be reallocated to other registrars in accordance with any applicable ICANN policy.

Any disputes between CNNIC and a registrar regarding the RRA will be submitted to binding arbitration for resolution. If a registrar materially breaches the RRA, CNNIC may, on thirty days' notice and an opportunity to cure such breach, terminate the RRA and prohibit such registrar from registering domain names in the proposed gTLD. By incorporating its policies into the RRA, CNNIC will be in a position to enforce its policies against the individual registrars, without the intervention of ICANN.

28.1.4.2 Policies on Name Reservation

28.1.4.2.1 Reserved Names

CNNIC will initially reserve the following types of names for registration to ensure that domain names will not be used for such abuse activities as fraud and phishing:

(1) Names required to be reserved as stipulated in the agreement executed between CNNIC and ICANN:

*ICANN reserved names in the Top Level Reserved List in the Applicant Guidebook and their translation in multiple languages

*Single & Two Character Names including the use of symbols

*Tagged names

*Nic, Whois, www

(2) Geographical names (see Question 22 for details);

(3) Names or abbreviations of the local government authorities and international inter-governmental organizations (ASCII and Chinese Translation); Note: The list will be formulated before or during the start-up period based on the final decision made by GAC, ICANN and local government authorities;

(4) Other controversial names that may conflict with public interests according to the domain name regulation in China.

28.1.4.2.2 Release of Reserved Names

After obtaining a permit from the respective local authorities, a legitimate registrant will be allowed to submit an application to a registrar accredited by CNNIC for registration of the domain name. The application material shall include the following documentation:

*Domain name registration application form with an organizational stamp;

*Proof of establishment of the organizational registrant;

*Proof of personal identification of the registration contact person;

*Other documentation issued by relevant parties for release of reserved domain names.

The registrar then forwards the above material to CNNIC. After the verification process, CNNIC will release the domain name to the database of the registrar. If the registration application is not approved, CNNIC will notify the registrar of the reason for the rejection. The verification process shall be finished within 3 days after CNNIC receives the application material from the registrar.

28.1.4.3 Policies on Domain Name Registration Review

28.1.4.3.1 Registrant Eligibility Requirements

".公司" registrants can be divided into two categories: Organizational Registrants and Natural Person Registrants.

Organizational registrants, which represent an enterprise, shall be organizations registered under the laws of the country or region where the applicant is located and capable of undertaking civil liabilities.

Natural person registrants shall be individual human beings registered with their real identity.

28.1.4.3.2 Information Authentication

In order to apply for a ".公司" domain name, a registrant needs to complete an application form collecting all information required for Whois. In addition, an organizational registrant shall submit authentic, complete and accurate organizational proof of establishment to the registrars. Acceptable documentation includes the business ID, tax ID, VAT registration certificate or equivalent of the applicant issued by the local administrative authority. Natural person registrants shall submit personal identification materials issued by a recognized authority, which can be a personal ID, passport or equivalent. The registration contact person shall also submit personal identification materials, which can be a personal ID, passport or equivalent. This additional documentation is used only for registration record authentication and will not be released to the public.

Based on authentication conducted by registrars, an application for domain name registration shall be rejected or cancelled in the following circumstances:

(1) The applicant submits an incomplete application form with necessary information missing;

(2) The applicant provides invalid or fake supporting identity authentication material;

(3) The contact information is inaccessible;

(4) The applicant provides information in the application form that is inconsistent with its identity proof.

28.1.4.3.3 Review of Prohibited Names

For the purpose of protecting the legitimate rights and interests of the general public and preventing domain name abuse, in addition to name reservation and applicant information authentication, CNNIC shall review and determine whether the domain names applied for and the registration information violate the provisions of the "China Internet Domain Name Regulations" (please refer to http://www1.cnnic.cn/html/Dir/2005/03/24/2861.htm). CNNIC may review the domain name registration information manually. In case of any domain name violating the provisions of Article 27 of the Regulations or with false, inaccurate or incomplete registration information, CNNIC shall inform the registrars of such cases for cancellation. Specific review policies cover domain names that:

(1) instigate hostility or discrimination among different ethnic groups, or disrupt national solidarity;

(2) spread rumors, disturb public order or disrupt social stability;

(3) spread obscenity, pornography, violence, homicide or terror or instigate crimes;

(4) insult or libel others and thus infringing other peopleʹs legitimate rights and interests;

(5) contain other contents prohibited by laws and administrative regulations.

28.1.4.4 Policies on Active Monitoring and Handling of Domain Name Abuse

CNNIC will actively monitor Whois accuracy, information security and orphan glue records to mitigate and prevent domain name abuse.

28.1.4.4.1 Policies on Whois Accuracy Control

CNNIC requires that Whois accuracy be maintained to ensure timely handling of domain name abuse. Specifically, CNNIC will:

(1) require applicants to submit domain name application forms along with identity certificates of the registration contact person or proof of establishment of the registration organization, and conduct identity verification;

(2) require registrars to decline applications for domain name registration by registrants who have provided fake registration information;

(3) require the domain name holder to apply to the registrars for registration information change;
Note: When applying for registration information change, the applicant shall submit relevant application documents for domain name changes in the same way as applying for the domain name registration. The domain name shall be changed and put into use only upon obtaining the approval of the registrars and the registrars shall submit the changed registration information to CNNIC. The registrars shall not make changes to any client's registration information without the consent of the domain name holder.

(4) monitor the registration records of registered users by random telephone call-backs. Where any information in the Whois is found to be inaccurate, CNNIC will notify the registrar, require the registration contact person to make corrections, and suspend domain names with false information that involve abuse;

(5) conduct a Whois accuracy audit of every registrar on a yearly basis, where registrars whose weak enforcement of the registration review policy results in a higher level of unreachable Whois data will receive a penalty of reduced registrar rebate.

28.1.4.4.2 Policies on Information Security Control

Applicants for domain name registration shall submit authentic, accurate and complete domain name registration information, so as to intensify protection of usersʹ information and avoid leakage and misuse.

CNNIC, as a trusted neutral third-party registry, must maintain the trust of the registrars and the consumers. Therefore, CNNIC will not market, in any way, the registrant information obtained from registrars for purposes of running the registry, nor will it share that data with any unrelated third parties. The registry operator will only have access to such data as is necessary for operation of the registry itself and will use that data only for registry operation.

CNNIC will provide registrars with a mechanism for accessing and correcting personal data and will take reasonable steps to protect personal data from loss, misuse, unauthorized disclosure, alteration or destruction. To further secure registrant data, each registrant will have a secure password for his or her registry records. Only through use of this password will data be changed, registrars transferred, domain name servers be updated, etc. Registrars will develop, in consultation with the registry, secure password verification and authentication mechanisms. Moreover all registrars will be required to abide by all applicable international, national, and local laws.

In addition, CNNIC has formulated a plan for protecting registrants' information, which includes: protecting the security of the information submitted by users during the entire lifecycle of the ".公司" domain name registration, balancing the relationship between the publicly accessible database (Whois) and registrant information protection, inspecting on a regular basis the status of information security management, and controlling staff security.

28.1.4.4.3 Requirements for In-house Employees in Terms of Information Security Management

CNNIC will attach special importance to security management with respect to staff in charge of domain name user information, and take the following measures to avoid the occurrence of deliberate information leakage:

(1) designate special managerial staff to conduct centralized collection and custody of domain name user information, and domain name registries shall keep such identity information of its managerial staff and submit the same to registries for filing;

(2) execute a special confidentiality agreement with the managerial staff in charge of domain name user information, which shall expressly provide that any leakage of domain name user information will be subject to legal liabilities;

(3) set standards for the operation process of managerial staff, reinforce audit of staff operation, and conduct audits and issue audit reports regularly;

(4) conduct security training and education for managerial staff on a regular basis.

28.1.4.4.4 Policies on Orphan Glue Records

To prevent orphan glue records in the root domain from causing domain name abuse, CNNIC will not allow orphan glue records to exist; that is, glue records are required to be removed before the delegation point NS record is removed.
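
The ordering rule above (glue removed before the delegation point NS record), shown as an added example that is not CNNIC's code: a Python check that flags orphan glue in a zone listing and refuses to drop a delegation while its glue remains. The TLD "test.", the sample records and all function names are constructed for illustration, and every in-zone address record is assumed to be glue.

```python
"""Orphan glue check for a TLD zone listing (added example, constructed data)."""
from collections import defaultdict

GLUE_TYPES = {"A", "AAAA"}

# Constructed sample for a hypothetical TLD "test." in "owner type rdata" form.
SAMPLE_ZONE = """\
shop.test.      NS    ns1.shop.test.
shop.test.      NS    ns2.shop.test.
ns1.shop.test.  A     192.0.2.10
ns2.shop.test.  A     192.0.2.11
blog.test.      NS    ns1.gone.test.   ; uses a host whose parent is gone
ns1.gone.test.  A     192.0.2.66       ; gone.test. has no NS any more
ns9.old.test.   AAAA  2001:db8::9      ; old.test. has no NS any more
mail.test.      NS    ns.outside.example.
"""


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples; names and data are lower-cased."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records


def enclosing_names(host, tld):
    """Yield host and each ancestor below the TLD apex, closest first."""
    labels = host.rstrip(".").split(".")
    tld_labels = len(tld.rstrip(".").split("."))
    for i in range(len(labels) - tld_labels):
        yield ".".join(labels[i:]) + "."


def find_orphan_glue(records, tld):
    """Report address records whose covering delegation no longer exists."""
    tld = tld.lower()
    delegations = defaultdict(set)   # delegation point -> name server hosts
    glue = defaultdict(set)          # host -> addresses
    for owner, rtype, rdata in records:
        if not owner.endswith("." + tld):
            continue                 # apex or out-of-zone owner: not glue
        if rtype == "NS":
            delegations[owner].add(rdata)
        elif rtype in GLUE_TYPES:
            glue[owner].add(rdata)
    used_by = defaultdict(set)       # host -> delegations still naming it
    for point, hosts in delegations.items():
        for host in hosts:
            used_by[host].add(point)
    orphans = []
    for host in sorted(glue):
        if any(name in delegations for name in enclosing_names(host, tld)):
            continue                 # parent delegation exists: ordinary glue
        orphans.append({
            "host": host,
            "addresses": sorted(glue[host]),
            "still_used_by": sorted(used_by.get(host, ())),
        })
    return orphans


def _under(owner, domain):
    return owner == domain or owner.endswith("." + domain)


def remove_glue(records, domain):
    """Step 1 of a deletion: drop every address record at or below domain."""
    domain = domain.lower()
    return [r for r in records
            if not (r[1] in GLUE_TYPES and _under(r[0], domain))]


def remove_delegation(records, domain):
    """Step 2: drop the NS set, refusing if glue under domain still exists."""
    domain = domain.lower()
    leftover = sorted({r[0] for r in records
                       if r[1] in GLUE_TYPES and _under(r[0], domain)})
    if leftover:
        raise ValueError("remove glue first: " + ", ".join(leftover))
    return [r for r in records if not (r[0] == domain and r[1] == "NS")]


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for item in find_orphan_glue(zone, "test."):
        print(item)
```

The `still_used_by` field matters for triage: an orphan that other delegations still name as their server is the case most worth escalating to the registrar.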

28.1.4.5 Policies of Complaints Handling

To handle domain name abuse in a timely manner and mitigate its negative influence on registrars and Internet users, CNNIC has formulated policies on handling complaints on domain name abuse as follows:

28.1.4.5.1 Contact Points for Filing Complaints

Users may file complaints on domain name registration abuse or abusive use of a domain through the following channels:

(1) the complaint contact points (web, fax, email, SMS) published on the official website of CNNIC;

(2) the complaint channels published on the website of the registrar;

(3) the complaint channels provided by CNCERT, which shall in turn report the complaints to CNNIC for handling;

(4) the complaint channels provided by the Anti-Phishing Alliance of China;

(5) the complaint channel of 12321 Internet Spam Information Reporting and Resolution Center, which shall forward to CNNIC for handling.

28.1.4.5.2 Complaint Acceptance

CNNIC is responsible for accepting and investigating complaints. Assessment shall be conducted by anti-abuse complaint handling personnel pursuant to relevant measurement criteria (please refer to the attached Q28_attachment_table: Implementation Plan of Domain Name Abuse Prevention and Mitigation), and if necessary, a special investigation team shall be formed to conduct research, analysis and judgment. Feedback shall be provided to the complainants promptly upon the completion of assessment. All investigations shall be completed within 5 business days.

28.1.4.5.3 Response to and Handling of Complaints

(1) Handling of complaints shall be made within 5 business days upon acceptance of complaint from each channel. Afterwards, the result of handling complaints will be forwarded, via telephone call or email, to the complainant, the person against whom the complaint is filed, and other parties involved.

(2) Where CNNIC is found upon investigation of complaints to have committed violations of laws, or to have failed to respond effectively to a complaint filed according to the Trademark Post-Delegation Dispute Resolution Procedure (PDDRP) or the Registry Restriction Dispute Resolution Procedure (RRDRP), we will take remedies according to the relevant provisions of ICANN.

(3) Where any registrar is found upon investigation of complaints to have committed violations of laws or Registry-Registrar Agreement terms, it shall be ordered to make corrections and make relevant compensations. In the case of a severe breach of the RRA without any correction upon notification, CNNIC is entitled to cancel the agreement and conduct further registrar transition afterwards.

(4) Where any registrant is found upon investigation of complaints to have committed violations of relevant regulations, the registrant shall be ordered to make corrections. In the case of such domain name abuse as phishing and dissemination of illegal information, the existence of which will continue to cause greater losses to the users, the domain name shall be suspended within 2 hours after verification of the misconduct.

(5) Where the complaint involves a domain name dispute, the complainant shall be told to resort to a domain name dispute resolution provider or the court based on the Uniform Domain Name Dispute Resolution Policy (UDRP) or relevant judicial procedures, then the registrar will be asked to lock the domain to prevent transfer or update until the dispute is resolved. CNNIC will further notify the registrar to unlock the domain name or make a transfer based on the dispute resolution decision.

(6) Where any information provided by the complainant is found to be inaccurate or there is no evidence to prove domain name abuse, CNNIC will reject the complaint and give corresponding explanations, and the complainant may, if not satisfied, provide further evidence to file an appeal.


28.2 Abuse Prevention and Mitigation Measures

Based on the abuse prevention and mitigation policies above, CNNIC has developed 3 measures, including an abuse monitoring and handling platform, a comprehensive contact point and customer support center for filing complaints on domain name abuse, and an information sharing outreach mechanism with industry partners.

28.2.1 Abuse monitoring and handling platform

CNNIC will build an abuse monitoring and handling platform in order to monitor policy compliance of registrars, domain name applications, and post-registration domain name abuse.

28.2.1.1 Compliance Review of Registrars

CNNIC will, with reference to this plan, improve its agreement with and service standards for domain name registrars, and define their responsibility for protecting domain name users' information and the domain name abuse prevention measures they shall take.

CNNIC will also reinforce management of domain name registrars, and conduct investigation of the registrars on a regular (yearly) basis pursuant to this plan. The investigation may take the form of a spot check, and domain name registrars that are found to be disqualified shall be required to make rectifications. The investigation will mainly involve document review, staff interviews, on-site inspection, etc. The objects to be investigated include documents on system design/acceptance, relevant service and application management processes and system management, records on equipment management and configuration and daily operations, systems and relevant equipment, etc. The party to be investigated shall actively cooperate with the party conducting the investigation in providing corresponding materials, and make rectifications, if necessary, based on the result of the investigation.

Specifically, CNNIC requires that:

(1) The registrar shall be capable of providing normal services due to major business problem;

(2) Registrars' service records and data backups shall illustrate the registrar's compliance with relevant policy.

(3) Results from the registrant satisfaction survey shall meet an average standard.

(4) There should be no report of identified violations of RRA committed by registrars.

28.2.1.2 Review of Domain Name Applications

CNNIC will adopt the procedures of applicant identity review and rights and interests review to mitigate and prevent abuse of domain names.

28.2.1.2.1 Data Collection

The ".公司" registrars shall collect and store as many of the technical details of the registration as possible. This information has multiple uses, including registration scoring, validation, takedown resolution, investigation, etc. The registrant data to be collected includes:

(1) Registrant Name
(2) E-mail Address
(3) Registrant Personal Identification Material
(4) Company Name
(5) Proof of Company Establishment
(6) Address
(7) City
(8) Country
(9) State
(10) Zip
(11) Phone Number
(12) Additional Phone
(13) Fax
(14) Alternative Contact Name
(15) Alternative Contact E-mail
(16) Alternative Contact Phone

The registrar shall use this information for the account, not for the WHOIS information. In addition, the registrar shall have a separate form for the WHOIS information that is pre-populated with this information. The registrars shall take the responsibility to explain that this WHOIS information will be used by external parties to contact that person in the event of malicious activity or other issues with the domain.

28.2.1.2.2 Registration Information Authentication

From CNNIC's past experience of managing ".cn", the registration information authentication procedure can effectively prevent fake Whois data and enhance the accessibility of the contact information. Therefore, CNNIC will continue to apply these procedures in ".公司":

(1) ".公司" registrars shall strictly review the identity certificate submitted by registration applicants, and decline applications with incoherent information on the application form, so as to ensure the authenticity and accuracy of registration records in the Whois. Where any user who has been declined is not satisfied with the review of ".公司" registrars, he or she may file a complaint to CNNIC for reconsideration, with respect to which CNNIC's determination shall be final and binding.

(2) The original documentation verified by registrars will be recorded as photocopies and forwarded to CNNIC for further review of registration record. CNNIC will provide pre-approval monitoring of registration data for accuracy and completeness of Whois data. CNNIC will also employ telephone call back methods to ensure reachable Whois contact information. Any false registration information provided by the registrants will directly result in cancellation of application.

28.2.1.2.3 Rights and Interests Review

In the sunrise period, all applications for registration are required to be validated by ICANN's Trademark Clearinghouse to examine potential infringement of known trademarks. Only validated trademark owners are allowed to register with priority in the sunrise period. In order to validate the trademark status, the registrant shall provide proof of trademark registration and trademark usage to evidence its trademark rights to the string. Detailed requirements for such proof and the validation process will be established upon the implementation of the Trademark Clearinghouse.

During the first 60 days after launching general availability, CNNIC will continue to review applications to see if the domain names applied for match any trademark included in the Trademark Clearinghouse. Applicants who intend to apply for such domain names will be advised that a third party or parties have claimed intellectual property rights over that domain name, and will be directed to a notice that refers to the intellectual property status of the domain name. The applicant is not prevented from completing the registration. Once the application has been completed, all parties who have their trademarks for that exact domain name included in the Trademark Clearinghouse are advised by email that a party has registered that domain name. Included in the email will be further information on the UDRP and an explanation of steps to take for further dispute action.

In the following process of general operation, in addition, CNNIC shall review and determine whether the domain names applied for and the registration information violate the provisions of the "China Internet Domain Name Regulations". CNNIC may carry out verification of the domain name registration information manually. In case of any domain name violating the provisions of Article 27 of the Regulations or with false, inaccurate or incomplete registration information, CNNIC shall inform the registrars of such cases for cancellation.

In order to fight against phishing websites, CNNIC will also screen/score all registrations for "unusual" domain name registration practices, such as registering hundreds of domains at a time, or registering domains which are unusually long or complex or which include an obvious series of numbers tied to a random word (baddomain01, baddomain02, baddomain03).

CNNIC, in cooperation with APAC, will also screen/score all registrations for patterns known to be associated with phishing (government, bank, secure, etc.). CNNIC will also review all domain names proposed for registration against known sites that are often the subject of phishing-type attacks to ensure ".公司" does not inadvertently aid in the provisioning of illegitimate content in online scams.
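The screening signals named above (bulk batches, unusually long labels, numbered series on a common stem, and phishing-associated keywords) can be expressed as a small scoring pass over one registrant's batch. This is an added illustration, not CNNIC's implementation; the thresholds, reason names and sample labels are assumptions, since the text names the signals but gives no numbers.

```python
import re
from collections import defaultdict

# Assumed thresholds: the page names the signals but not the cut-off values.
BULK_MIN = 100       # "hundreds of domains at a time"
LONG_LABEL = 30      # "unusually long" label length, in characters
SERIES_MIN = 3       # baddomain01, baddomain02, baddomain03
PHISH_WORDS = ("government", "bank", "secure")   # patterns listed on the page

# A label that ends in digits: stem "baddomain", counter "01".
SERIES_RE = re.compile(r"^(?P<stem>.*\D)(?P<num>\d+)$")

# Constructed sample batch (labels only, without the TLD).
SAMPLE_BATCH = [
    "baddomain01", "baddomain02", "baddomain03",
    "flowershop", "secure-bank-login", "shop24", "a" * 31,
]


def score_batch(labels):
    """Score the labels one account submitted in one batch.

    Returns {label: sorted list of reasons}; labels with no reason are omitted.
    """
    labels = [label.strip().lower() for label in labels]
    reasons = defaultdict(set)

    # Signal 1: the whole batch is suspicious when it is very large.
    if len(labels) >= BULK_MIN:
        for label in labels:
            reasons[label].add("bulk-batch")

    # Signal 2: several labels that share a stem and differ only in a counter.
    by_stem = defaultdict(set)
    for label in labels:
        match = SERIES_RE.match(label)
        if match:
            by_stem[match.group("stem")].add(label)
    for members in by_stem.values():
        if len(members) >= SERIES_MIN:
            for label in members:
                reasons[label].add("numeric-series")

    # Signals 3 and 4: per-label length and keyword checks.
    for label in labels:
        if len(label) > LONG_LABEL:
            reasons[label].add("long")
        for word in PHISH_WORDS:
            if word in label:
                reasons[label].add("keyword:" + word)

    return {label: sorted(found) for label, found in reasons.items()}


if __name__ == "__main__":
    for label, found in sorted(score_batch(SAMPLE_BATCH).items()):
        print(label, found)
```

A single numbered label such as shop24 is not flagged; the series signal needs at least SERIES_MIN labels on the same stem within the batch.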

28.2.1.3 Measures of Monitoring and Handling Domain Name Abuse

28.2.1.3.1 Measure for Examining Whois Accuracy

CNNIC will be continuously committed to enhancing Whois accuracy to ensure enforceability of the determinations regarding domain name abuse by taking the following measures:

(1) During the reviews, the registrars will make telephone checks in order to ensure the accuracy and accessibility of contact information provided by registrants.

(2) In case of any change to the contact information on points of contact, registrars will be required to provide strong passwords for verification so as to prevent any third party from impairing the accessibility of the Whois information by making changes to such information;

(3) To further enhance the accuracy of Whois data, CNNIC will conduct further examination of fake or inaccurate information based on the application material submitted by the registrar. CNNIC will also conduct annual reviews of registrars in terms of Whois accuracy level;

(4) In case of any identified inaccessible Whois information concerning a domain name registration, the registrar will be advised to get in touch with the point of contact for correction of such false information. If the domain name has been involved in any abusive behavior, the domain name shall be suspended by the registrar.

28.2.1.3.2 Measures for Removing Orphan Glue Records

CNNIC will take actions to remove orphan glue records with the following procedures:

At the time of registering a domain name, or updating a domain name or host, the host must have an IP address in order to prevent orphan NS records.

Before deleting a domain name, if the domain name already has a host, the host must be deleted first. If the host is being used by another domain name as a name server, the domain name shall not be deleted unless the name server or the host name is changed. This procedure also applies to the host deletion process in order to prevent orphan A records.

In the circumstance that the domain name uses the host of another domain in this zone as a name server, if the domain name does not use its own host as a domain name server at the same time, the NS record cannot be generated.

However, CNNIC recognizes that there are two circumstances which may result in the existence of orphan glue records:

(1) If abusive behavior has been spotted on the domain name and it has thereafter been turned to "serverHold" status, all the domains that use such domain name's host as a domain name server will be unable to resolve, which will generate orphan glue records.

(2) If the domain name has been turned to clientHold status due to the registrant's cause, all the domains that use such domain name's host as a domain name server will be unable to resolve, which will generate orphan glue records.

In response to the above occasions, CNNIC has already adopted a DNS operation monitoring system which will spot the generated NS record in a timely manner. Once an orphan glue record has been generated, CNNIC will notify the registrar to contact registrants to change the NS server and thereafter remove the orphan glue record from the zone file.
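The two checks described in this section, refusing deletion while another domain still delegates to a subordinate host, and spotting glue whose parent domain has left the zone through serverHold or clientHold, can be sketched as follows. This is an added example, not CNNIC's monitoring system; the data model, function names, the "example" TLD and all sample records are assumptions constructed for illustration.

```python
# EPP statuses that withdraw a domain's delegation from the published zone.
HOLD_STATUSES = {"serverHold", "clientHold"}

# Constructed registry snapshot for an assumed TLD "example".
TLD = "example"
DOMAINS = {
    "bad.example":    {"status": ["serverHold"], "ns": ["ns1.bad.example"]},
    "parked.example": {"status": ["clientHold"], "ns": ["ns1.parked.example"]},
    "good.example":   {"status": ["ok"], "ns": ["ns1.good.example"]},
    "shop.example":   {"status": ["ok"], "ns": ["ns1.bad.example", "ns1.good.example"]},
    "blog.example":   {"status": ["ok"], "ns": ["ns1.parked.example", "ns.outside.test"]},
}
HOSTS = {  # host object -> IP addresses (glue); out-of-zone hosts carry none
    "ns1.bad.example": ["192.0.2.10"],
    "ns1.parked.example": ["192.0.2.20"],
    "ns1.good.example": ["192.0.2.30"],
    "ns.outside.test": [],
}


def superordinate(host, tld):
    """Registered name under `tld` that a host belongs to, or None if out of zone."""
    labels = host.lower().rstrip(".").split(".")
    suffix = tld.lower().strip(".").split(".")
    if len(labels) <= len(suffix) or labels[-len(suffix):] != suffix:
        return None
    return ".".join(labels[-(len(suffix) + 1):])


def published(name, domains):
    """True when the domain exists and no hold status removes it from the zone."""
    record = domains.get(name)
    return record is not None and not (set(record["status"]) & HOLD_STATUSES)


def find_orphan_glue(domains, hosts, tld):
    """Glue whose parent is held or deleted but which live delegations still use.

    Returns {host: {"parent", "ips", "dependents"}}; the dependents are the
    domains whose registrants need to change name servers before removal.
    """
    orphans = {}
    for host, ips in hosts.items():
        parent = superordinate(host, tld)
        if parent is None or not ips or published(parent, domains):
            continue
        dependents = sorted(
            name for name, record in domains.items()
            if name != parent and host in record["ns"] and published(name, domains)
        )
        if dependents:  # glue is only in the zone when a delegation refers to it
            orphans[host] = {"parent": parent, "ips": list(ips), "dependents": dependents}
    return orphans


def delete_blockers(name, domains, hosts, tld):
    """(host, dependent domain) pairs that must be re-delegated before deletion."""
    return sorted(
        (host, dependent)
        for host in hosts
        if superordinate(host, tld) == name
        for dependent, record in domains.items()
        if dependent != name and host in record["ns"]
    )


if __name__ == "__main__":
    for host, info in sorted(find_orphan_glue(DOMAINS, HOSTS, TLD).items()):
        print(host, info)
    print(delete_blockers("good.example", DOMAINS, HOSTS, TLD))
```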

28.2.1.3.3 Limit of Fast-Flux Domains

In addition, CNNIC recognizes that fast-flux domains, that is, domains for which either the base IP address (A record) or the nameserver address (NS record), or both (known as double-flux), are changed numerous times during the day, are now increasingly being used by criminal phishing, spam, and botnet gangs to ensure the resiliency of their sites and make it increasingly difficult for takedown authorities to remove or restrict access to illegitimate sites. This problem can be addressed partially by preventing or making it much more difficult to frequently change the NS record of a domain registration. There is very little, if any, legitimate need to change the NS record for a domain more than a few times a month, and any such action should trigger immediate red flags and possible investigation of the domain for illegal activity.

CNNIC will limit the ability of registrants to repeatedly change their name servers via a programmatic interface to reduce or eliminate automated name server hopping. Domains that change name servers more than twice a week (except by agreement) will be subject to scrutiny and even suspension until a suitable explanation is provided by the registrant.
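The "more than twice a week (except by agreement)" rule can be checked with a sliding seven-day window over name server update events. This is an added example, not CNNIC's code; the event format, the exemption set and the sample updates are assumptions, and resubmitting an unchanged NS set is treated as no change.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)
MAX_CHANGES = 2   # the page's limit: more than twice a week triggers scrutiny

# Constructed sample: (timestamp, domain, NS set after the update).
SAMPLE_UPDATES = [
    ("2012-03-01T09:00:00", "hopper.example", ["ns1.a.test", "ns2.a.test"]),
    ("2012-03-02T09:00:00", "hopper.example", ["ns1.b.test", "ns2.b.test"]),
    ("2012-03-03T09:00:00", "hopper.example", ["ns1.c.test", "ns2.c.test"]),
    ("2012-03-05T09:00:00", "hopper.example", ["ns1.d.test", "ns2.d.test"]),
    ("2012-03-01T10:00:00", "steady.example", ["ns1.a.test"]),
    ("2012-03-02T10:00:00", "steady.example", ["ns1.b.test"]),
    ("2012-03-08T10:00:00", "steady.example", ["ns1.c.test"]),
    ("2012-03-09T10:00:00", "steady.example", ["ns1.d.test"]),
    ("2012-03-01T11:00:00", "noop.example", ["ns1.a.test", "ns2.a.test"]),
    ("2012-03-02T11:00:00", "noop.example", ["NS2.A.TEST.", "ns1.a.test"]),
    ("2012-03-03T11:00:00", "noop.example", ["ns1.a.test", "ns2.a.test"]),
    ("2012-03-04T11:00:00", "noop.example", ["ns2.a.test", "ns1.a.test"]),
    ("2012-03-01T12:00:00", "cdn.example", ["ns1.a.test"]),
    ("2012-03-02T12:00:00", "cdn.example", ["ns1.b.test"]),
    ("2012-03-03T12:00:00", "cdn.example", ["ns1.c.test"]),
    ("2012-03-04T12:00:00", "cdn.example", ["ns1.d.test"]),
]


def normalise(ns_list):
    """Compare NS sets case-insensitively and without trailing dots or ordering."""
    return frozenset(name.lower().rstrip(".") for name in ns_list)


def flag_ns_hopping(updates, exempt=frozenset()):
    """Return {domain: time the limit was first exceeded} for non-exempt domains."""
    last_ns = {}                      # domain -> most recent NS set
    recent = defaultdict(deque)       # domain -> change times inside the window
    flagged = {}
    for stamp, domain, ns_list in sorted(updates, key=lambda u: u[0]):
        when = datetime.fromisoformat(stamp)
        ns_set = normalise(ns_list)
        previous = last_ns.get(domain)
        last_ns[domain] = ns_set
        if previous is None or previous == ns_set:
            continue                  # initial delegation or a no-op update
        window = recent[domain]
        window.append(when)
        while when - window[0] >= WINDOW:
            window.popleft()          # drop changes that are a full week old
        if len(window) > MAX_CHANGES and domain not in exempt:
            flagged.setdefault(domain, when)
    return flagged


if __name__ == "__main__":
    for domain, when in flag_ns_hopping(SAMPLE_UPDATES, exempt={"cdn.example"}).items():
        print(domain, "exceeded the limit at", when.isoformat())
```

In the sample, steady.example makes three changes but never more than two inside any seven-day span, so only hopper.example is flagged once cdn.example is exempted by agreement.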

28.2.2 Measures for Protecting the Domain Name User Information throughout Lifecycle

In view of the lifecycle of ".公司" domain name user information, there are four steps to be considered in the formulation of protection measures: information submission from the user to the domain name registrar, custody and use of the information by the domain name registrar, information transmission from the domain name registrar to the domain name registry, and custody and use of the information by the registry.

28.2.2.1 Information Submission from the User to the Registrar

28.2.2.1.1 Obtaining Consent to the Personal Data Processing

CNNIC will notify each ICANN-accredited registrar that is a party to the registry-registrar agreement for the TLD of the purposes for which data about any identified or identifiable natural person ("Personal Data") submitted to CNNIC by such registrar is collected and used, and require such registrar to obtain the consent of each registrant in the TLD for such collection and use of personal data.

Registrar shall agree that it will not process the Personal Data collected from the Registered Name Holder in a way incompatible with the purposes and other limitations about which it has provided notice to the registered name holder in accordance with the RRA.

Registrars shall send a notice to each holder of newly registered domain names or that of renewed domain names stating:

* The purposes for which any Personal Data collected from the applicant are intended;

* The intended recipients or categories of recipients of the data (including CNNIC and others who will receive the data from Registry Operator);

* Which data are obligatory and which data, if any, are voluntary;

* How the Registered Name Holder or data subject can access and, if necessary, rectify the data held about them.

28.2.2.1.2 Data Access Control for Security

Registrars shall conduct vulnerability scanning at the system level on a regular basis on the online system through which users submit information, to detect security vulnerabilities in a timely manner and conduct reinforcement; system accounts/passwords shall be kept with encryption.

28.2.2.1.3 Non-online Data Processing

As to domain name registration materials submitted by means of email, fax or post, domain name registrars shall designate special staff to receive and handle them. Electronic data shall be deleted promptly after being transferred to magnetic tape/CD/portable hard drive for offline storage.

28.2.2.2 Custody and Use of Information by Domain Name Registrars

Registrar shall agree that it will take reasonable precautions to protect Personal Data from loss, misuse, unauthorized access or disclosure, alteration, or destruction. Specifically, domain name registrars shall take the following measures to reinforce protection of users' information:

28.2.2.2.1 Secure Storage of Personal Data

(1) Backstage business operation system and front-end service system (Whois system, online submission system, etc.) shall not share the same server and storage system;

(2) Access control shall be conducted with respect to the backstage business system and front-end public service system.

(3) User information under protection (including certificate of incorporation, personal certificates, telephones, family address, etc.) shall be encrypted before being written into the database. Sensitive information may not be read directly from the database.

(4) Identity verification materials which are in picture format shall be encrypted before being stored online or, if stored offline, be transferred to such media as magnetic tape/CD/portable hard drive for proper storage.

(5) Materials may be stored in the online system for up to 90 days.

28.2.2.2.2 Control of Information Access

(1) Encrypted domain name user information shall be made available for search and use only after being decrypted with special application systems.

(2) Access to domain name user information by application systems shall be controlled by allowing access only by special personnel or systems. A combination of such access control functions as IP restriction, username/password, etc. will be used.

28.2.2.2.3 Proper Storage of Offline Data

(1) Paper materials and electronic media shall be kept by special personnel and stored under lock in normal times, and an access password shall be set for data stored in electronic media.

(2) Reviews shall be conducted with respect to the use of paper materials and electronic media, and records shall be made in respect thereof, including the object to be used, time of use, purpose, and signature of the custodian and the user.

28.2.2.2.4 Data Removal

In the absence of extenuating circumstances, any personal data must be deleted within 45 days of either the registrar or the registrant terminating a registration agreement. Extenuating circumstances are defined as:

(1) UDRP action

(2) valid court order

(3) failure of a Registrar's renewal process (which does not include failure of a registrant to respond)

(4) the domain name is used by a name server that provides DNS service to third-parties (additional time may be required to migrate the records managed by the name server)

(5) the registrant is subject to bankruptcy proceedings, payment dispute (where a registrant claims to have paid for a renewal, or a discrepancy in the amount paid)

(6) billing dispute (where a registrant disputes the amount on a bill)

(7) domain name subject to litigation in a court of competent jurisdiction, or other circumstance as approved specifically by ICANN.

28.2.2.3 Information Transmission from the Domain Name Registrar to the Domain Name Registry

CNNIC is responsible for the security of the transmission of information from the registrar to itself.

28.2.2.3.1 Network Transmission Encryption

Specific measures may include: HTTPS encryption for WEB services, SSL encryption for EPP registration services, and FTPS or SFTP encryption for FTP services.

28.2.2.3.2 System Reinforcement and Access Control

To detect security vulnerabilities in a timely manner, CNNIC will conduct vulnerability scanning at the system level on a regular basis on the online system through which registrars submit information. System accounts/passwords will be kept with encryption.

28.2.2.3.3 Non-online Data Receiving and Handling

As to domain name registration materials submitted by means of email, fax or post, domain name registrars shall designate special staff to receive and handle them. Electronic data shall be deleted promptly after being transferred to magnetic tape/CD/portable hard drive for offline storage.

28.2.2.4 Custody and Use of Information by Domain Name Registry

CNNIC will take reasonable steps to protect Personal Data collected from loss, misuse, unauthorized disclosure, alteration or destruction. CNNIC will not use or authorize the use of Personal Data in a way that is incompatible with the notice provided to registrars in the RAA. CNNIC, upon receiving domain name user information, will take measures to reinforce protection of users' information.

28.2.2.4.1 Secure Storage of Personal Data

(1) Backstage business operation system and front-end service system (Whois system, online submission system, etc.) shall not share the same server and storage system;

(2) User information under protection (including personal certificates, telephones, family address, etc.) shall be encrypted before being written into the database. Sensitive information may not be read directly from the database.

(3) The backstage storage system shall be separated physically from and may not share the same server with the front-end user information transmission system.

(4) Access control shall be conducted with respect to the storage system via software or hardware firewall.

28.2.2.4.2 Control of Information Access

(1) Encrypted domain name user information shall be made available for search and use only after being decrypted with special application systems.

(2) Access to domain name user information by application systems shall be controlled by allowing access only by special personnel or systems. A combination of such access control functions as IP restriction, username/password, etc. will be used.

28.2.2.4.3 Proper Storage of Offline Personal Data

(1) Paper materials and electronic media shall be kept by special personnel and stored under lock in normal times, and an access password shall be set for data stored in electronic media.

(2) Reviews shall be conducted with respect to the use of paper materials and electronic media, and records shall be made in respect thereof, including the object to be used, time of use, purpose, and signature of the custodian and the user.

28.2.2.4.4 Data Removal

In the absence of extenuating circumstances, any personal data must be deleted within 45 days of either the registrar or the registrant terminating a registration agreement. Extenuating circumstances are defined as:

(1) UDRP action

(2) valid court order

(3) failure of a Registrar's renewal process (which does not include failure of a registrant to respond)

(4) the domain name is used by a name server that provides DNS service to third-parties (additional time may be required to migrate the records managed by the name server)

(5) the registrant is subject to bankruptcy proceedings, payment dispute (where a registrant claims to have paid for a renewal, or a discrepancy in the amount paid)

(6) billing dispute (where a registrant disputes the amount on a bill)

(7) domain name subject to litigation in a court of competent jurisdiction, or other circumstance as approved specifically by ICANN

28.2.3 Comprehensive Contact Point for Filing Complaints

28.2.3.1 Contact Channel

For the purpose of receiving reports on domain name abuse, CNNIC has published at the homepage of its official website (www.cnnic.cn) the following contact information for abuse complaints:

* Complaints Hotline: +86-10-58813000

* Email: supervise@cnnic.cn

* Fax: +86-10-58812666

* SMS: 12302 (applicable to complaints filed within China mainland)

* Online complaint form available at: jubao.cnnic.cn

The contact point is accessible 24 hours a day, 7 days a week. The channels listed above accept abuse complaints of all kinds and guarantee replies within five working days. Complainants should describe the domain names they are complaining about, the abusive behaviors and the consequences, and provide their contact information, including phone numbers, email addresses, etc., so that the results of complaint handling by CNNIC can be received in time.

28.2.3.2 Measures for Abuse Complaints Handling

28.2.3.2.1 Identification of Abusive Behaviors

A dedicated domain name abuse review team will be employed by CNNIC to verify domain name abuse complaints. CNNIC will remain updated on the policies concerning domain name abuse made by ICANN's Registration Abuse Policies Working Group (RAPWG), and thereby identify different kinds of abusive behaviors and inform related domain name holders of the results of such identification.

28.2.3.2.2 Approaches to Abuse Complaints Handling

Approaches to abuse complaints handling include general procedures and rapid suspension procedures:

(1) The general procedures are applicable mainly to those abusive behaviors where the persistent existence of domain names will not lead to further losses of Internet users, such as domain name registration abuse. The specific enforcement procedures are as follows:

* Once an abuse complaint is received, CNNIC will forthwith change the EPP status of the domain name concerned to "serverTransferProhibited", and inform the holder of the domain name concerned. The abuse examiner will verify related abusive behaviors within 5 working days;

* In the case of a cyber-squatting complaint where the Uniform Domain-Name Dispute-Resolution Policy (UDRP) is applicable, the complainant will be advised to submit the dispute to the domain name dispute resolution provider or court for resolution. The domain name registrar is required to lock the domain name from further transfer or update once the dispute has been confirmed by the dispute resolution provider. Thereafter, upon receipt of the domain name dispute resolution decision or law enforcement request, the relevant registrar is to proceed with the domain name unlock, transfer or suspension within 3 working days.

* In the case of a complaint on a registrar's violation of the RRA or CNNIC's misconduct, CNNIC will verify the complaint within 5 working days and notify the relevant registrar or personnel to correct their illicit behavior, or terminate the agreement if applicable;

(2) The rapid suspension procedures are applicable to abusive behaviors regarding the use of domain names such as phishing or spreading of illegal contents, which may cause further losses to internet users. This procedure will most likely be the result of a complaint filed via APAC or the 12321 Center. The specific enforcement procedures are as follows:

* Once an abuse complaint is received, the relevant registrar will be required to directly lock the domain to prevent further transfer and update, while a dedicated group is assigned to communicate with the relevant complainant to authenticate the complaint manually within 1-3 hours.

* After verification, the relevant registrar will be required to directly suspend the domain name in the SRS system and the EPP status will be changed to "serverHold", so that the domain name will not be able to resolve or be transferred until it is "restored". The domain name holder and the registrar concerned will be informed at the same time to make corrections. After the registrant has stopped the abusive behavior and made adequate correction, which needs to be confirmed by the registry, the registrar will restore the domain name to the status before suspension.

* Once the complaint is determined to be tenable and no further appeal or correction is confirmed by the registry within 60 days, the registry will take down the domain name and delete the registration record, which means the domain name comes to general availability.

* CNNIC will ensure that glue records using an invalid domain are removed when that domain is found to be invalid, even if those glue records are in use in conjunction with other domains.

* The registrar concerned shall inform the domain name holder three times: when the domain name has been locked, suspended, and canceled.

28.2.3.2.3 Support Escalation

CNNIC will operate with an escalation device. Normally support calls or other forms of communication shall start with the lowest level of support, and be escalated should the first level of support be insufficient. In cases where higher levels of support are immediately apparent (all levels of support staff will be trained in identifying these) the escalation chain may be jumped. Also, should the time limit expire with no notice, the support level may be escalated. The escalation levels and response requirements are as follows:

Level 1: Entry level support, basic complaints of operations or inquiries of registrar information, provided on an immediate 24/7 level.

Level 2: Technical based question, usually unique to the registrar, that may require support from a registry systems operator or engineer.

Level 3: Systems outage involving non-critical operations to the registry affecting one or more registrars only, but not the entire system.

Level 4: Catastrophic outage, or disaster recovery involving critical operations to the registry overall.

All customer service should make the fullest use of customer management resource (CMR) systems, computer telephony integration (CTI) and databases to retain a reliable record of registry performance. While institution of such systems may be gradual, the goal should be to provide automated systems as much as possible in order to increase efficiencies and scale of operations.

28.2.4 Measures For Information Sharing with Respect to Abuse Prevention

CNNIC will establish an information sharing mechanism jointly with the Anti-Phishing Alliance of China (APAC), the Anti-Phishing Working Group (APWG), the National Computer Network Emergency Response Technical Team / Coordination Center of China (CNCERT/CC) and the 12321 Internet Spam Information Reporting and Resolution Center. CNNIC will be committed to sharing information on domain name abuse prevention and mitigation with those industry partners. Data to consider sharing include:

(1) IPs associated with fraudulent domain registrations with respectable blacklists;

(2) Full fraud reports with industry and law enforcement;

(3) Best practices regarding accepting and managing domain registrations.

28.2.4.1 Cooperation with APAC

CNNIC is an initiator and key member of the APAC, and the place where the Secretariat and the Secretary General of APAC are located. CNNIC has published at the homepage of its official website the complaint channels provided by APAC.

28.2.4.1.1 Reports on phishing websites may be submitted to APAC through the following channels:

(1) Email: jubao@apac.cn

(2) Telephone: 010-58813000

28.2.4.1.2 The cooperation between CNNIC and APAC with regard to phishing websites will be carried out under the following procedures:

(1) Upon receiving complaints on phishing websites involving APAC members, the Secretariat of APAC will submit the complaints to third party technology authentication institutions for webpage analysis; the Secretariat should make determinations within one working day; in case of any difficulties or complicated circumstances, the Secretariat will ask for advice from the experts' committee before making determinations;

(2) If any phishing website is identified, a notice will be sent to the registrar by mail. The registrar should suspend the domain name resolution within two hours upon receipt of the notice, and resolve the name to the information page of the phishing website.

(3) If the registrar fails to suspend the domain name resolution within two hours, CNNIC, as a registry, will suspend the resolution directly and resolve the domain name to the information page of the phishing website.

(4) Any opposition held by the registrant may be filed with the Secretariat of APAC;

(5) The Secretariat of APAC will inform its members and the complainant concerned of the results of such procedures.

28.2.4.1.3 Cross Reference of Phishing Websites URLs

The APAC can provide a daily feed to the registry listing all of the phishing URLs identified by the APAC community for cross reference. CNNIC would check against this information at DNS set-up or modification time; and meanwhile, conduct periodic scanning for suspicious phishing websites.

28.2.4.2 Cooperation With Anti-phishing Working Group (APWG)

The APWG can also provide a daily feed to the registry listing all of the phishing URLs identified by the APWG community for cross reference. CNNIC would check against this information at DNS set-up or modification time; and meanwhile, conduct periodic scanning for suspicious phishing websites.

Specifically, CNNIC shall:

(1) assist APWG in carrying out online phishing investigation and publish in a timely manner the trend of the distribution of phishing websites in our country;

(2) regularly follow up the reports published by APWG on phishing websites and establish a contact interface for receiving phishing URLs updates submitted by APWG;

(3) verify within one working day upon receipt of any complaint of the phishing domain in light of request by APWG, notify the registrar to handle the complaint, and after verification, resolve the domain name to the IP address which contains the notice of the phishing website.

28.2.4.3 Cooperation with National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)

CNNIC will cooperate with CNCERT/CC in dealing with network virus transmission and system attacks via domain names. CNCERT/CC, an emergency response team responsible for coordinating security events of computer networks in China, provides the national public internet, major national network information systems and key departments with such services as security monitoring for computer networks, early warning, emergency response and precaution as well as technical support, and collects, verifies, gathers and publishes in a timely manner authoritative information on internet security. It has currently become an official member of the international authoritative organization, the Forum of Incident Response and Security Teams (FIRST).

The interaction between CNNIC and CNCERT is mainly reflected in the following aspects:

(1) CNNIC will follow up on a regular basis vulnerabilities and early warnings on virus related to the DNS system published by CNCERT, and CNCERT will provide assistance in inspecting whether any ".公司" domain name is involved in virus transmission;

(2) CNNIC will timely deal with vulnerabilities in the domain name system in view of opinions of CNCERT on handling abuse events, and establish service levels against network attacks;

(3) CNNIC will assist CNCERT in carrying out research on unexpected network events and gathering statistics on and monitoring the trend of distribution of botnet and malware in our country.

28.2.4.4 Cooperation with the 12321 Internet Spam Information Reporting and Resolution Center

The 12321 Internet Spam Information Reporting and Resolution Center (hereinafter referred to as the ʺ12321 Centerʺ), a complaint acceptance agency established by the Internet Society of China under the entrustment of the Ministry of Industry and Information Technology (formerly known as the Ministry of Information Industry), is responsible for assisting the Ministry of Industry and Information Technology in undertaking such work as complaint acceptance, investigation, analysis and imposition of punishment with regard to illicit information (including unsolicited information sent to end users) transmitted via information communication networks such as the internet, mobile phone network, telephone network or other telecommunication services.

CNNICʹs cooperation with the 12321 Center is mainly reflected in the following aspects:

(1) receive complaints about domain names which contain illicit information reported by the 12321 Center, and promptly search the Whois for the registration contact persons of the domain names which involve such information for further law enforcement;

(2) notify the relevant registrars to rapidly suspend domains spreading illicit information against which complaints are filed;

(3) provide assistance in gathering statistics on and tracking the results of illicit information handling.


28.3 Resource Planning

28.3.1 Staffing

With proven capabilities for scaling its staff to meet peak-level demand for complaint handling and customer service, CNNIC will benefit from its current staffʹs expertise to support the execution of domain name abuse prevention. Meanwhile, CNNIC also benefits in talent recruiting from its unique position in close relation with the Chinese Academy of Sciences. Many staff came directly from this top educational institution in China with a long-term determination to contribute.

28.3.1.1 Initial Staffing

We expect that the above measures of domain name abuse mitigation for the new gTLD will be executed by the same staff shared with the existing TLDs ʺ.cnʺ and ʺ.中国ʺ and the prospective new gTLD ʺ.网络ʺ which CNNIC has applied for. In order to provide higher-standard services with a lower rate of domain name abuse, CNNIC will, in addition to its current staff, recruit additional staff in the start-up period covering the first 3 years of operation to maintain the functionality described above.

28.3.1.1.1 Management Positions (please see the attached document Q28_attachment_CV of key managerial personnel for reference)

(1) CNNIC assigns its Director of Business Operation to be responsible for ensuring high-quality domain name application review, customer support and complaint handling for registrars and end-users, and for refining and developing additional policy in conjunction with ICANN. CNNIC expects this role to be critical during the Sunrise and Land Rush Period, during which time domain name registrations rise significantly.

(2) CNNIC will also assign its experienced legal manager to handle any registry misconduct lawsuit and intellectual property dispute, and to serve as an ombudsman, assisting registrants and registrars in dispute resolutions related to ʺ.公司ʺ and responding to Registry Restriction Disputes according to the Registry Restriction Dispute Resolution Procedure.

(3) CNNIC will guarantee neutrality for all the TLDs under CNNICʹs management. By assigning a different product manager to each TLD, who will keep checking the overall service performance of that TLD by means of registrar or registrant surveys, a balance between different TLDsʹ services and higher resource efficiency will be achieved.

28.3.1.1.2 Customer Support Staff

CNNIC has set up a Customer Support Center providing 7×24 hoursʹ service to handle inquiries and complaints from registrants. Upon ICANNʹs delegation of ʺ.公司ʺ and ʺ.网络ʺ, the volume of end-usersʹ inquiries and complaints is expected to rise accordingly and more staff members will be hired to enhance the service capacities. Based on the original staffing basis of 31 employees, 5 additional employees will be recruited to support the new operation. The staff members are divided into 3 subgroups:

(1) Registrant Service group providing telephone inquiries and complaints handling services;

(2) Registrant Caring group responsible for registrant visiting and renewal reminding;

(3) Service Supporting group performing back-office support and performance supervision for the Customer Support Center.

28.3.1.1.3 Registrar Supporting Staff

The Registrar Supporting Group provides 7×24 hoursʹ telephone or on-site support to the registrars. This support will be dedicated primarily to operational registrars, along with responding to inquiries from potential registrars. Overall, the Registrar Supporting Group shall attempt to provide round-the-clock, real-time professional support ranging from basic inquiries to high-level, operations-critical technical support. Registrar contractual compliance review and performance evaluation shall also be supported by this group periodically. Registrars shall receive equal levels of support regardless of their location of operations. Based on our current staffing of 9 employees, we expect that 1 more staff member will be hired to improve our service offerings for the new gTLD.

28.3.1.1.4 Review and Monitoring Staff

CNNIC currently has 20 members to review domain name applications and monitor Whois accuracy on a 5×8 hoursʹ basis. As all required staff members are expected to be on duty from the start-up period, additional recruitment must meet the needs of the peak registration season. 1 more staff member responsible for supervision of review work and monitoring of registration status should be hired to support the new gTLD, forming a team of 21 persons.

28.3.1.1.5 Outreach Cooperation Liaison Team

CNNIC has already established a long-term cooperation mechanism with the Anti-phishing Alliance of China, the International Anti-phishing Working Group and the 12321 Network Negative Information Complaint Center. 2 members have been assigned as regular contacts for the above functions, and they will also take charge of liaison with the Trademark Clearing House and the Uniform Rapid Suspension System Provider as well as any other body designated by ICANN. Therefore, we see no need for further staffing expansion.

28.3.1.1.6 Security Specialist

In order to monitor and handle domain name abuse caused by system vulnerabilities or human errors, CNNIC will assign technical personnel to serve as security specialists who actively monitor and prevent domain name abuse. The security specialists will operate with an escalation device supporting customer complaints. Specifically, their tasks include monitoring for generated orphan glue records or phishing websites and communicating with the relevant registrar for further solutions. As discussed in Question 31, CNNIC has already allocated 6 persons to serve this function, including 2 additional staff already recruited for the expanded operation of the new gTLDs.

28.3.1.2 Staffing on Ongoing Basis

CNNIC has been structured to operate with an initial human capital investment to staff and manage the infrastructure required for sustaining the domain name abuse policies during the first 3 years of operations. The current staffing model also allows for back-up staffing, which provides a better overall understanding of our systems security. CNNIC foresees little expansion required for domain name abuse prevention and mitigation. However, CNNIC will expand its staff if necessary on an ongoing basis. Staffing allocations may also need to be adjusted as demand for our services increases. Adjustments could include overall staff size or refinements to required technical skills. Cross-training will be used in all positions to promote job interest. Specific factors which could affect staffing levels include:

(1) Increase in the number of registrars;

(2) Higher than anticipated domain name registration or transfer requests;

(3) Higher than anticipated complaint volume;

(4) Higher than anticipated domain name disputes;

(5) Increase in the complexity of our services.

Additional staff requirements will be met through a rigorous recruitment process following the employment requirements. To meet registration demand and the cumulative growth of new registrars, CNNIC may hire an additional 5 staff for the functionalities described above in the fourth and fifth years of ʺ.公司ʺ operations, as necessary.

28.3.1.3 Requirements for Employees

CNNIC is structured to meet the needs of its customers: registrars, registrants, the Internet community at large, and ICANN. CNNIC staff will meet or exceed the stated requirements in skills, competence, and experience. The staff will be augmented during the initial 3 years and thereafter, as necessary, by subject-matter experts. Our requirements for employees are as follows:

(1) All key management and technical positions will be staffed with employees who have demonstrated successful previous experience.

(2) Our customer service and complaint handling staff will embody the customer sensitivity and efficiency that are essential to achieving a positive client reception of the registry services.

(3) Standard background investigations will be applied to all permanent and temporary positions. We will verify employment history and check references with prior employers, perform credit and criminal checks, and explore any employment gaps.

(4) Staff members will be required to sign non-disclosure agreements to protect proprietary information for CNNIC and its clients.

28.3.2 Equipment Planning

28.3.2.1 Major Systems

CNNIC has provided software and hardware for the domain name application review, customer self-service, customer support and abuse monitoring, including the following:

28.3.2.1.1 Electronic Registrant Review System

This system will collect the application information transmitted to CNNIC by registrars and display the information in a user-friendly format for CNNIC staff to review the application. Once the review process has finished, the system also connects with the shared registration system for further processing of the domain name registration status.

28.3.2.1.2 Customer Self-Service System

CNNIC will set up a multi-language customer self-service system on our official website. This webpage will contain the following functions:

* Web-based searchable Whois

* Registrar information and contact

* ʺ.公司ʺ Registration Policy Tutorial

* Complaint and dispute challenge filing tutorial

* Web-based complaint channel

* ʺ.公司ʺ related frequently asked questions (FAQs)

28.3.2.1.3 Customer Support System

CNNIC has provided an interface on its website that allows a user to determine the appropriate customer support contact information based on the domain name. Access to our customer support will be through telephone, email and a web-based interface. CNNIC has integrated Customer Relationship Management (CRM), accounts, trouble ticketing and document tracking into its customer support system infrastructure. Computer telephony integration (CTI) and databases are also used to retain a reliable record of registry performance.

28.3.2.1.4 System Monitoring and Database Management Systems

The system monitoring applications developed by CNNIC create a detailed error alert if the application encounters a situation of domain name abuse, such as an orphan glue record having been generated or a suspected phishing website being spotted with a domain string confusingly similar to that of specific renowned websites, etc. These application alerts are automatically sent to the security team, which generates an alert to the Operations staff 24⁄7.
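The two alert conditions named above can be sketched as follows. This is an added illustration, not CNNICʹs monitoring code: the registry snapshot, the ʺ.exampleʺ placeholder TLD, the watchlist and the use of edit distance as the similarity measure are all assumptions.

```python
from dataclasses import dataclass

# Constructed registry snapshot; ".example" stands in for the TLD.
ACTIVE_DOMAINS = {"bank.example", "bamk.example", "shop.example", "news.example"}
GLUE = {  # in-zone name server host -> address held by the registry
    "ns1.bank.example": "192.0.2.10",
    "ns1.gone.example": "192.0.2.66",  # parent domain was deleted
    "ns2.old.example": "192.0.2.67",   # parent domain was deleted
}
DELEGATIONS = {  # domain -> name servers it delegates to
    "bank.example": ["ns1.bank.example"],
    "news.example": ["ns1.bank.example"],
    "shop.example": ["ns1.gone.example"],
    "bamk.example": ["ns1.gone.example"],
}
WATCHLIST = {"bank"}  # assumed list of well-known labels to protect

@dataclass(frozen=True)
class Alert:
    kind: str
    subject: str
    detail: str

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def scan(active, glue, delegations, watchlist, max_dist=1):
    alerts = []
    for host in sorted(glue):
        parent = ".".join(host.split(".")[-2:])  # second-level names only
        if parent not in active:  # glue outlived the domain it belonged to
            users = sorted(d for d, ns in delegations.items() if host in ns)
            detail = "used by " + ",".join(users) if users else "unreferenced"
            alerts.append(Alert("orphan_glue", host, detail))
    for domain in sorted(active):
        label = domain.split(".")[0]
        for brand in sorted(watchlist):
            if label != brand and edit_distance(label, brand) <= max_dist:
                alerts.append(Alert("lookalike", domain, "resembles " + brand))
    return alerts
```

Orphan glue that is still referenced by other delegations is reported with the dependent domains, since removing it affects their resolution, while unreferenced glue can be cleaned up directly.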

28.3.2.2 Work Space and Administrative Resources

CNNICʹs current work site is equipped to accommodate all required personnel listed above. Every staff member has been equipped with at least one desktop computer. All software required for work is pre-installed on their computers. Internet and telephone connections are also provided to every working staff member by our office assistance team.

The current infrastructure will be sustainable for the projected 3 years of initial operation of ʺ.公司ʺ. CNNIC will undertake to update the software and hardware in a timely manner on an ongoing basis, if necessary.

28.3.3 Funding

CNNIC is planning to invest sufficient funding to ensure the implementation of the policies and measures on domain name abuse. The funding will support our customer service, technical security maintenance and other administrative functions such as website design and equipment updates. Please see Question 47 for the detailed amount of funding for each section.