gTDL Applications (Comparison)

Back

28 Abuse Prevention and Mitigation

gTLD	Full Legal Name	E-mail suffix	Detail
.top	Jiangsu Bangning Science & Technology Co.,Ltd.	55hl.com	View

28 Abuse Prevention and Mitigation

The Applicant will not tolerate any abuse of the domain names under its management. Described below are the proposed policies and procedures to prevent abusive registrations and minimize other activities that have a negative impact on registrants and Internet users.
28.1 Implementation Plan

28.1.1 Abuse Analysis

With reference to the final Report of the Registration Abuse Policy Working Group (RAPWG), the domain name abuse is an action that:

a) causes actual and substantial harm, or is a material predicate of such harm, and
b) is illegal or illegitimate, or is otherwise considered contrary to the intention and design of a stated legitimate purpose, if such purpose is disclosed.

The RAPWG defines two types of domain name abuses:

Registration abuses are related to the core domain name-related activities performed by registrars and registries. These generally include (but are not limited–to) the allocation of registered names; the maintenance of and access to registration (WHOIS) information; the transfer, deletion, and reallocation of domain names.

Domain name use abuses concern what a registrant does with his or her domain name after the domain is created—the purpose the registrant puts the domain to, and⁄or the services that the registrant operates on it. These abuses are often independent of or do not involve any registration issues.

The Applicant understands that there are differences between registration and use abuses and hence requires different process to minimize these abuses.

28.1.2 Anti-abuse Policies

The Applicant states in its registration policies that it reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on suspension, takedown or similar status, that it deems necessary, in its discretion to prevent and mitigate domain name abuses. The Applicant also reserves the right to place registry suspension, takedown or similar status on a domain name during resolution of a dispute. Abusive uses, as defined above, undertaken with respect to “.STRING” domain names shall give rise to the right of the Applicant to take such actions.

The Applicant will stipulate in the prospective Registry-Registrar Agreement that the Accredited Registrar shall “acknowledge and agree that the Registry reserves the right to immediately deny, cancel, terminate, suspend, lock, or transfer any Reservation Request or Registration Request and any resulting Reservations or Registrations that it deems necessary, in its discretion:

1) to enforce Registry Policies and ICANN Requirements, as amended from time to time;

2) to protect the integrity and stability of the Registry, its operations, and the TLD;

3) to comply with any applicable law, regulation, holding, order, or decision issued by a court, administrative authority, or dispute resolution service provider with jurisdiction over the Registry or you;

4) to establish, assert, or defend the legal rights of the Registry or a third party, or to avoid any liability, civil or criminal, on the part of the Registry as well as its affiliates, subsidiaries, owners, officers, directors, representatives, employees, contractors, and stockholders;

5) to correct mistakes made by the Registry or any Registrar in connection with a Registration or Reservation; or as otherwise provided herein.”

The prospective Registration Agreement will also require the registrant to “represent, warrant, and agree that the registrant hold the necessary rights t or permit to use any item, word, or term submitted through the DNR Services, and that such use shall not in any way to the best of your knowledge and belief:

(i) violate or potentially violate any right of any third party, including infringement or misappropriation of any copyright, patent, trademark, trade secret, or other proprietary right;
(ii) constitute or potentially constitute violations, such as, without limitation, false advertisement, unfair competition, defamation, invasion of privacy, invasion of rights, and discrimination;
(iii) cause or potentially cause a business dispute, personal dispute, or any other dispute;
(iv) be or potentially be unlawful, harmful, fraudulent, libelous, slanderous, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful, or otherwise offensive;
(v) be or potentially be racially, ethnically, or ethically objectionable; or
(vi) constitute a criminal offense, give rise to civil liability, or otherwise violate any applicable law, including local, provincial, state, national, international, or other laws. ”

With these two contractual instruments, the Applicant will be well positioned to prevent and mitigate domain name abuses.

28.1.3 Point of Contact for Anti-abuse

The anti-abuse policies will be published on the website of the Applicant. The Applicant will establish an abuse point of contact for filing and handling of domain name abuse complaints. The contact information will include at least fixed telephone number, fax number and email address.

The single point of contact will be composed of at least a primary contact person who will be responsible for addressing matters requiring expedited attention and providing a timely response to abuse complaints concerning all names registered in the TLD through all registrars of record, including those involving a reseller.

The Applicant will form a team to work along with the primary contact person to take steps to investigate and respond to any reports of malicious conduct from law enforcement agencies, governmental and quasi-governmental agencies. Below sections will elaborate on the processes to address the abuses of varying nature. Resourcing plan in the below section will describe in detail the members of the anti-abuse team and their respective roles.

Likewise, all the accredited registrars and resellers of the TLD will be required to set up a contact to liaise with the registry for abuse mitigation. A link to the abuse complaint page of the Registry (the Applicant) will be required to be shown on the website of the registrars.

The Applicant will publish any changes of the contact information on its website, and notify registrars and ICANN in a timely manner.

28.2 Abuse Prevention Mechanisms
Pursuant to the policies adopted in the section above, the Applicant will take necessary actions to prevent and mitigate abuses concerning the .STRING” TLD within the scope of its power.

28.2.1 Reserved lists

In order to ensure the stability and scalability of the domain name system and protect the public interest, pursuant to the Specification 5 of Registry Agreement, certain names will be reserved.

1. ICANN Reserved Names – names reserved based on the Registry Agreement with ICANN; they are:
-The label “example”;
-Two-character labels;
-Tagged domain names;
-Second-Level Reservations for Registry Operations;
-Country and Territory Names.

2. Geographic names (please refer to Q.22 for more information on the geographic names protection mechanism);

3. Government Reserved Names both in English and in Chinese, include but are not limited to the names of the ministries, the names of the national institutions and the names of the national defense;
4. Offensive words or words of hatred, both in English and in Chinese;
5. ICANN related names and IANA related names;

Release of reserved names

Most of the reserved names are prohibited from registration. However, some reserved names may be released to the extent that the registrant demonstrates its legal right on the name and intend to register the name under “.STRING” TLD. In this case,the procedures below will follow.

Release of reserved names for registry operation

Activations of reserved names will generally be provisioned via ICANN Accredited Registrars. The Reserved Names for registry operation will be directly procured from an accredited registrar and locked at the registry.

Release of geographic names

Please refer to the answer to Question 22 for details of the release operation. In summary, the prospective registrant will have to present a supporting letter from the applicable government office to be eligible for registration.

28.2.2 Startup Abuse Prevention Mechanism

Before the launch of the ”.STRING” TLD, the Applicant will mainly focus on Rights Protection Mechanism to safeguard that the pre-registered domain names will not infringe the rights of third parties.

The Applicant will launch a minimum 30 days Sunrise Preregistration Period pursuant to the requirement of the Applicant Guidebook.

After that, a minimum 60 days Landrush Pre-registration Period will be launched to protect the rights of premium domain names.

At the open registration period, the Applicant will also initiate a minimum 60 days Trademark Claims Service to protect trademarks on the startup of the ”.STRING”. For details of the protection mechanism please refer to the answer to Question 29.

28.2.3 WHOIS accuracy Requirement

The Applicant believes that the accuracy and genuineness of WHOIS information are essential to the proper uses of domain names and are vital in tackling the abuses of the domain names. The applicant hence requires the registrants to provide accurate and genuine WHOIS information when registering a domain name, and the Registry and registrars to perform necessary verification to ensure the WHOIS accuracy.

Compliance Requirement for the Registrants

When registering a “.STRING” domain name, the Registrant must consent to the clause on WHOIS requirement in the Registration Agreement, and ensure that the submitted registration information is authentic, accurate and complete. The registrant must also acknowledge that should there be any changes on the WHOIS information in the future, it will update the registration information within 30 days.

The registrants must also agree that they are responsible for the accuracy of the WHOIS information of the domain name. Failure to adhere to the accuracy requirement will cause suspension or termination of the registration.

Compliance Requirement for Registrars

Accreditation of the registrar requires it to be responsible for auditing and verifying the WHOIS information submitted by the “.STRING” domain name registrant.

In the proposed RRA agreement, the Registrar is required to take necessary measures to verify the authenticity, accuracy and completeness of the registrant information upon the domain names registration. First of all, the registrar has to check the completeness of the registration documentation before registration. Incomplete information will result in rejection. Complete registration documentation includes:

1) Complete WHOIS information of the registrant;

2) Verified Email Address of the registrant.

3) A signed copy of the registration agreement.

Additional identification material of the registrant, for example, electronic copy of the ID card or passport for individual or business certification or other legal documentation of the establishment for corporate is required for further verification if necessary.

After registration, pursuant to Registrar Accreditation Agreement, the registrar is required to verify the accuracy and authenticity of the WHOIS information of the domain name during 5 day Add Grace Period. The process for the WHOIS verification will be as follows:

1. The Registrar will send out emails to the administrative contact requesting for confirmation of the contact information;

2. The administrative contact will reply per the instructions to confirm within the five day Add Grace Period;

3. The registrar will suspend the domain name should there be no confirmation, and a notice of WHOIS update will be sent to the technical and billing contact in the WHOIS. It is expected that the WHOIS information will be updated within 5 days upon receipt of the notice;

4. Once the update is made, the domain name will be active again. If there is no update within five days, the domain name registration will be cancelled with no refund.

Compliance Requirement for the Registry Service Provider

The Applicant requires the Registry Service Provider to carry out random inspections on WHOIS information of the domain name registered on the SRS on a daily basis. KSRP is designed to send out email each email address of the registered domain name to ask for verification. The verification process is similar to that of the registrars. Any inaccurate WHOIS information will be reported to the Applicant.

The Applicant will request the registrar concerned to update the registrant information within 10 working days. Failure to do so may result in domain name suspension or takedown if the Applicant is unable to contact registrant.

Compliance Requirement by the Applicant

The Applicant will set up an annual evaluation process for the Registrars on their performance on the WHOIS verification. The Evaluation is based on the complaints received and results of the WHOIS inspection performed by the Registry Provider based on the RRA.

An accuracy ratio of 90% of the WHOIS is qualified and higher accuracy will be awarded and honored. The accuracy ratio lowers than 90% will lead to warning or financial penalty pursuant to RRA. Lower than 80% is deemed a breach of RRA .

With the WHOIS Verification Mechanism, a considerable portion of the domain name abuses could be effectively prevented in the registration stage.

28.2.4 Access Control

The Applicant will place a tiered access control mechanism for the registrant to prevent and mitigate potential domain name abuses.

The Applicant will require accredited registrars to set up an online platform for registrants to manage its portfolios of the domain names. The management functions include WHOIS data update and transfer, renewal or deletion of domain names. This platform will provide SSL-based services. Strong passwords of the registrants are mandatory to access the platform. And the password will be requested to change every three months. Each access to the platform will require CAPTCHA verification. In addition to that, each operation of the domain name, such as update of registrant information, setting of the NS record will require verification before activation.

In the event of domain name transfer, the Auth-code which is used to verify the domain name transfer between registrars will be sent to the email address of the administrative contact of the registrant by the losing registrar. Meanwhile, the losing registrar is required to send transfer notice to the administrative contact, technical contact and billing contact of the registrant before initiating transfer operation. Likewise, the gaining registrar is also required to notify the administrative contact, technical contact and billing contact of the registrant after the transfer operation.

In the event of the domain name deletion, the registrant will be required to verify the operation either via emails or via written notices. Meanwhile, the administrative contact, technical contact and billing contact of the registrant will all be informed of the operation.

28.2.5 Policy on Orphan Glue Records

By definition of SSAC, a glue record becomes an ʺorphanʺ when the delegation point NS record referencing it is removed without also removing the corresponding glue record. The Applicant will adopt the management policy of disallowing orphan records.

KSRP automatically marks the orphan glue records generated and the date of generation when suspending the resolution of a domain name or deleting a domain name. At the time that an orphan glue record is generated, the system will automatically send an email notice to the administrative contacts, technical contacts of the domain name and its sponsoring Registrars, informing that the orphan glue record should be deleted within a 30-day grace period.

Moreover, the registry system will carry out scanning and cleansing program on orphan glue records on a daily basis. The orphan glue records that are no longer used as well as those that exceed the 30-day grace period will be deleted.

When provided with evidence that the glue is indeed present to abet malicious conduct, the Applicant will take the following action:

Upon receipt of the complaint, the Applicant will give an immediate deletion order to the Back-End Service Provider to remove the orphan glue record in question;

The Back-End Service Provider will delete the record within 8 hours upon receipt of the order and feedback to the Applicant;

The Applicant shall inform the complainants on the results within 8 hours.

28.3 Abuse Mitigation Mechanism
The Applicant will set up anti-abuse mechanisms to act swiftly to mitigate any abuse and take down any infringing “.STRING” domain names. Based on the nature of the abuses mentioned above, the Applicant shall act in three levels to defend against potential registration abuses and domain use abuses:

28.3.1 Registration abuse mitigation mechanism

The Applicant will adopt such rules in the Registration Agreement to prevent infringement on the right of third parties or violation on applicable laws and regulations. The Registry-Registrar Agreement (RRA) also states that the Registrar is responsible for the WHOIS accuracy of the domain names. Any inaccurate WHOIS information could lead to domain name cancellation or rejection.

Upon receipt of complaints on domain registration abuses, the Applicant will follow the procedures described below:

The Applicant will first put the domain name in question on registry lock, then

The Applicant will determine the nature of the complaints, if it fits the description of registration abuses, the Applicant will take down the domain name pursuant to the RRA or the Registration Agreement immediately; a notice of breach will also be sent to the registrant and the sponsoring registrar.

Should the abuse be use related, the Applicant will follow the procedure that is described in the following section.

28.3.2 Use abuse mitigation mechanism

With regard to abusive uses of “.STRING” domain names, including phishing, pharming, malware downloading, etc., the Applicant will rely on the registrars, the interested parties or the Internet users to detect the abuse. It will tackle such abusive uses in collaboration with other third party security vendors or Law Enforcement Agencies.

A typical process to tackle the abusive uses is as such:

1) Any complaints to the domain names shall be sent to the abovementioned contact via telephone, fax or email;

2) Upon receipt of the complaints, the Applicant will put the domain name in question at “Registry lock” status and will identify the abuse incidents involving the domain names; If the abuse is filed by Law Enforcement Agencies (LEAs) and CERT⁄CC and the abuse is deemed that its existence will lead to further losses of Internet users, such as phishing and pharming, the Applicant will suspend the domain name in the SRS system and the EPP status will be changed into “serverHold”, so that the domain name will not be able to resolve or be transferred.

3) Once the abuse is identified with the help of third party security vendors or Law Enforcement Agencies (LEAs) if necessary, a notice of breach will be sent to the domain name registrant, registrar and any party concerned to request for immediate actions;

4) Should the Applicant receive no response from the registrant or the registrar within four hours, pursuant to the RRA, the Applicant will suspend or take down the domain name depending on the nature of the abuse; the Applicant shall also notify the administrative and technical contacts of the registrant and the sponsoring registrar;

5) After the abuses involved the domain name are cleansed and the evidences are presented to the Applicant, the domain name will be reactivated within 4 hours. A notice of reinstatement will also be sent to the administrative and technical contacts of the registrant and the sponsoring registrar.

Take down Procedure
Upon receipt of the takedown notice from the LEAs, CERT⁄CC , the Applicant will check whether the domain name meets the criteria for taking down action;

If so, the Applicant will instruct the sponsoring registrar to take down the domain name and send email notification to the registrant (administrative contact, technical contact or billing contact);

Should the registrant think the Applicant domain name is suspended by mistake, registrant can appeal to the Applicant with evidence.

The Applicant will direct the evidence to the LEAs or CERT⁄CC for review. If the evidence is approved valid, the Applicant will restore the domain name within 8 hours, a notice of restoration will be sent to the administrative and technical contacts of the registrant and the sponsoring registrar.

28.3.3 Domain names dispute resolution mechanism

Pursuant to the Specification 7 of the Registry Agreement, the Applicant will comply with the following domain names disputes resolution mechanisms that may be revised from time to time:

a. the Trademark Post-Delegation Dispute Resolution Procedure (Trademark PDDRP) and the Registry Restriction Dispute Resolution Procedure (RRDRP) adopted by ICANN.; and

b. the Uniform Rapid Suspension system (“URS”) adopted by ICANN, including the implementation of determinations issued by URS examiners.

c. the Uniform Domain Name Dispute Resolution Policy adopted by ICANN as Consensus Policies.

The Trademark PDDRP and RRDRP

In the Registry Agreement, the Applicant agrees to implement and adhere to any remedies ICANN imposes (which may include any reasonable remedy, including for the avoidance of doubt, the termination of the Registry Agreement pursuant to Section 4.3(e) of the Registry Agreement) following a determination by any PDDRP or RRDRP panel and to be bound by any such determination.

Details of the resolution mechanisms, please refer to the Trademark PDDRP and RRDRP, which is listed in the Applicant Guidebook.

The URS Procedure
The URS does not concern the Applicant as the gTLD Registry Operator. However, in the event of the Uniform Rapid Suspension dispute, the Applicant will fulfill the obligations as follows:

The Applicant will “lock” the domain name in question within 24 hours upon receipt of the “Notice of Complaint”, restricting all changes to the registration data, including transfer and deletion of the domain names, but the name will continue to be resolved.

After the “lock” operation, the Applicant will notify the URS Provider immediately (Notice of Lock).

Immediately upon receipt of the Determination order from the URS Provider, the Applicant shall suspend the domain name, which shall remain suspended for the rest of the registration period and would not resolve to the original web site. The name servers will also be redirected to an informational web page provided by the URS Provider about the URS. The Whois for the domain name shall continue to display all of the information of the original Registrant except for the redirection of the name servers. In addition, it shall be reflected on the Whois that the domain name will not be able to be transferred, deleted or modified for the life of the registration.

The successful Complainant may also be allowed by the Applicant to extend the registration period for one additional year at commercial rates.

Uniform Dispute Resolution Procedure

The UDRP requires all registrars to follow the Uniform Domain-Name Dispute-Resolution Policy (UDRP). Under the policy, most types of trademark-based domain-name disputes must be resolved by agreement, court action, or arbitration before a registrar cancels, suspends, or transfers a domain name. Disputes alleged to arise from abusive registrations of domain names (for example, cybersquatting) may be addressed by expedited administrative proceedings initiated by the owner of the trademark by filing a complaint with an approved dispute-resolution service provider.

To invoke the policy, a trademark owner should either:

(a) File a complaint in a court of proper jurisdiction against the domain-name holder (or where appropriate an in rem action concerning the domain name) or

(b) In cases of abusive registration, submit a complaint to an approved dispute-resolution service provider.

Details of the UDRP are available for review at http:⁄⁄www.icann.org⁄dndr⁄udrp⁄policy.htm. The Applicant recommends that Complaints under the UDRP be submitted to Asian Domain Name Dispute Resolution Center or any desired dispute-resolution service provider by the complaints. The listed providers can be visited at http:⁄⁄www.icann.org⁄dndr⁄udrp⁄approved-providers.htm.

The Applicant as the Registry Operator will also monitor the compliance of the registrars on the implementation of UDRP decisions.

28.3.4 Anti-abuse Collaboration with Partners
Externally, the Applicant will work with other parties to prevent and mitigate abuses on its domain names. The procedures or mechanisms of the cooperation will be described as follows:

With ICANN

With contractual relationship with ICANN, the Applicant must fulfill the legal obligations described on the Registry Agreement. The Applicant also consent to the Consensus policies and temporary policies specification described in the Specification 1 of the Registry Agreement. Details of the consensus policies can be found at: http:⁄⁄www.icann.org⁄en⁄general⁄consensus-policies.htm.

With regard to Temporary Policies, the Applicant shall comply with and implement all specifications or policies established by the ICANN Board on a temporary basis. The Applicant pledges that the Temporary Policies will be implemented within a month upon the notice of the policies. In the event of a conflict between Registry Services and Consensus Policies or any Temporary Policies, the Consensus Polices or Temporary Policy shall control.

With LEAs and other security providers

On one hand, the Applicant will establish a contact window with CERT⁄CC, LEAs and other security providers to take down domain name abuse incidents concerning “.STRING” domain names. On the other hand, the Applicant will rely on them to identify domain name abuse incidents. The collaboration mechanism is as follows:

1) Upon receipt of the takedown notice from the LEAs, CERT⁄CC , the Applicant will check whether the domain name meets the criteria for taking down action;

2) If so, the Applicant will instruct the sponsoring registrar to take down the domain name and send email notification to the registrant (administrative contact, technical contact or billing contact);

3) Should the registrant think the domain name is suspended mistakenly, it can appeal to the Applicant with evidence;

The Applicant will direct the evidence to the LEAs or CERT⁄CC for review. If the evidence is approved valid, the Applicant will restore the domain name within 8 hours, a notice of restoration will be sent to the administrative and technical contacts of the registrant and the sponsoring registrar.
28.4 Resourcing Plan
28.4.1 Human resource plan
Based on the estimated registration volume of “.STRING” TLD, two staffs will be furnished to carry out the duty. One will be tasked to be the anti-abuse contact of the Registry to handle complaints. The other will be in charge of the compliance of the registrars and WHOIS verification matters. A legal counsel will be tasked to take care of the anti-abuse activities and to determine the actions on domain name abuses.

Aside from that, registrar supporting executive and technical staff will also help with the execution of the anti-abuse activities.

On the Back-End Service Provider side, a team will be allocated to take swift and effective action to respond to the actions to address the abuses.

Review and Monitoring Staff
The Back-End Service Provider currently has 20 members to review the Whois accuracy. As all required staff members are expected to be on duty starting from the start-up period, additional recruitment must meet the needs of the peak registration season.

Emergency response team
The team will operate in accordance to the orders by the Registry Operator on a 24*7 basis. Currently, the Back-End service provider has employed 10 employees to fulfill the duty. In addition to that, a coordination specialist will be tasked to cooperate with third parties.

28.4.2 Funding plan
Details of the funding plan for the anti-abuse mechanisms please refer to the answer to question 47.

gTLD	Full Legal Name	E-mail suffix	Detail
.娱乐	Morden Media Limited	zodiac-corp.com	View