28 Abuse Prevention and Mitigation

Prototypical answer:

28. Abuse Prevention and Mitigation

As mentioned in response to Question 18 (b) above, Pictet is a well-known financial institution operating around the world. Pictet has an extensive experience and expertise in managing complex information technology infrastructures in connection to its business relying on in-house and external resources.

Pictet doesnʹt aim to manage a domain name registry system. Pictet has chosen to rely on Verisign for the back-end registry operation of the applied-for ʺ.pictetʺ registry in accordance with the specific technical requirements imposed upon new gTLD registries. The response to this question describes the registry services for the ʺ.pictetʺ TLD as provided by Verisign.

28.1 Comprehensive abuse policies, which include clear definitions of what constitutes abuse in the TLD, and procedures that will effectively minimize potential for abuse in the TLD

The Applicant has identified Verisign as a trusted partner based on its stable organization with strong financial stability and the resources to ensure responsible backend operator services. Verisign has proven to the Applicant that it is the high-value and low-risk vendor of choice to meet the gTLD program needs. The Applicant will rely on Verisign to provide all the technical support linked to the new gTLD program and to enforce all ICANN mandatory procedures to minimize all potential abuse in the TLD.

As per the vision & mission statement stated in response to question 18 of this application, most if not all of the domain names registered therein will be under the control of the Registry Operator. Given this character that the applied-for TLD shall initially have and the control of the Registry Operator in operating the applied-for TLD, the risks that the TLD or domain names registered therein will be used in an abusive manner is already limited in itself.

Pictet is of the opinion that the operation of the ʺ.pictetʺ TLD will not be facing the challenges in mitigating abuses that most true ʺgenericʺ top-level domain names are and will continue to be coping with. Nevertheless, the Applicant is factoring in mechanisms to prevent and mitigate possible abuses.

28.1.1 ʺ.pictetʺ Abuse Prevention and Mitigation Implementation Plan

The Applicant monitors all possible abuses of the ʺ.pictetʺ TLD and also relies on Verisign as its technical backend operator due to its longstanding legacy in the industry and its capabilities to support Pictet in mitigating all above mentioned abuse.

As mentioned above, the Applicant expects few risks of abuses as it intents initially to use the ʺ.pictetʺ as a single registrant TLD. Furthermore, as abuses of the TLD will be detrimental to the reputation of the Applicantʹs key brand, the Applicant aims to strictly control the use of its TLD and to have clear policies in place that grant the Applicant the right to cancel, suspend, or even revoke domain names registered in the TLD.

Eligibility

Eligibility is the central requirement to apply to and be awarded the use of a ʺ.pictetʺ domain name. It is therefore necessary that a registrant understand the eligibility requirements for registration of a ʺ.pictetʺ domain name, and maintain its eligibility throughout the term of the authoriyation to use.

Are eligible to a ʺ.pictetʺ domain name the following:
- Pictet & Cie and its subsidiary for commercial usages.
- Members of the Pictet family bearing this last name for private or commercial usages
- Business partners of Pictet & Cie and its subsidiary – while domain names will have to be managed by a Pictet entity

28.1.2 Policies for Handling Complaints Regarding Abuse

The selection of Verisign was based on the technical expertise of Verisign and its experience in running different large registries and managing right protection mechanisms. Verisign has demonstrated its ability to provide high levels of service that are scalable while still flexible enough to provide appropriate right protections measures.

The Applicant has a domain name and legal department, which protects and enforces the intellectual property rights of the Applicant in various ways. For the ʺ.pictetʺ TLD, the Applicant relies on various internal and external resources in order to ensure that the organization is able to plan for right protection matters that may occur.

Furthermore, this department is responsible for registering and monitoring domain names in existing TLDs. Following award of the ʺ.pictetʺ TLD to the Applicant, this department will also be controlling registrations and⁄or registration volumes, as well as potential abuses of domain names within this extension.

The Applicantʹs back-end registry service provider will also monitor the on-going technical abuses processes.

Pictet will post an abuse point of contact on its website ʺabuse@registry.pictetʺ. This e-mail address will allow the GCC department to monitor abuse reports and work towards their resolution. Pictet will put in place a ticketing system for tracking those complaints.

Pictetʹs GCC department will assess complaints received via the abuse complaint decide what action is appropriate.

The GCC department in charge of the « .pictet » project aim to provide all its customers, internal or external, with a high level of service. However, if for any reason a user would not be satisfied with the service received an advisor will investigate and respond to complaints.  Pictet commits to respond within a maximum of seven (7) days to abuse complaints concerning all names registered in the TLD through the registrar.

Complaints should be made in writing and include the following information:
• Name and contact details and other information if appropriate
• The details of the initial complaint
• A clear description of the concern or complaint
• Proposed complaint resolution options

Primary advisor to contact:

Riccardo BONFERRONI
Senior web publisher⁄editor
Digital Communications
Group Corporate Communications
Pictet & Cie,
60 route des Acacias
CH-1211
Geneva, Switzerland
Tel. +41 (0)58 323 1491

If a party would want to appeal a decision, an appeal notice should be sent by mail to the GCC department. This notice should explain the reasons for appealing, but should not contain any new evidence or attachments.

Appeals are heard by the ʺ.pictetʺ evaluation committee as defined in question 18. They have 30 days to make their decision. In many ways, they act like a normal expert. An appeal decision is irrevocable.

Upon passing Pictetʹs acceptance of the appeal, these domain names will be allowed to resolve to active websites and email addresses by removal of server-hold status.

The version of these Rules in effect at the time of the submission of the complaint to the Provider shall apply to the administrative proceeding commenced thereby.

Law enforcement

Rights and obligations and all actions contemplated by the registrant agreement shall be governed by the laws of Switzerland. With regard to any action arising from the use of the registered name the registrant agrees to submit to the jurisdiction of the court of Geneva, Switzerland.

Pictet will be prepared to call upon relevant law enforcement bodies as needed and commits to respond to law enforcement within seven ⁄7) days of notification received at Pictetʹs headquarter in Geneva, Switzerland.

Take-down procedures

In the event of termination of a domain name registration service where the domain registration is current and no monies are owing registrants may transfer the domain name to another registrar within seven (7) days after which time Pictet may at our exclusive option delete the domain name or acquire without further consideration all rights to the domain name.

Where the service is terminated due to a break of the Pictet code of conduct, ethics and business activities (as detailed in section 18), Pictet has the exclusive option of erasing a domain name or, without further consideration, acquiring all rights to the domain name and Pictet may keep the domain name without compensation to the registrant. For this purpose the registrant irrevocably consent to Pictet authorizing a change of ownership, update of WHOIS data including change of contacts and registered name holder, registrar transfer or other action without having any obligation to notify the registrant either before the changes occur. Pictet however commits to inform the registrants of such action within seven (7) days after it happens.

If a domain name should be suspended for a financial, legal, or operational reason Pictet will take action via its technical providers to take the following steps gradually:
1. ʺDNS Suspendedʺ (DNS zone is deactivated, domains will no longer resolve)
2. ʺDomain Server Hold processʺ (domain is locked, domain cannot be modified).
Domains with the EPP status code ʺServerHoldʺ are not included in the zone files

28.1.3 Proposed Measures for Removal of Orphan Glue Records

Although orphan glue records often support correct and ordinary operation of the Domain Name System (DNS), registry operators will be required to remove orphan glue records (as defined at http:⁄⁄www.icann.org⁄en⁄committees⁄security⁄sac048.pdf) when provided with evidence in written form that such records are present in connection with malicious conduct. Pictetʹs selected backend registry services providerʹs (Verisignʹs) registration system is specifically designed to not allow orphan glue records. The registrar, Domainoo, required to delete⁄move all dependent DNS records before they are allowed to delete the parent domain.

To prevent orphan glue records, Verisign performs the following checks before removing a domain or name server:

Checks during domain delete:
Parent domain delete is not allowed if any other domain in the zone refers to the child name server.
If the parent domain is the only domain using the child name server, then both the domain and the glue record are removed from the zone.

Check during explicit name server delete:
Verisign confirms that the current name server is not referenced by any domain name (in-zone) before deleting the name server.

Zone-file impact:
If the parent domain references the child name server AND if other domains in the zone also reference it AND if the parent domain name is assigned a serverHold status, then the parent domain goes out of the zone but the name server glue record does not.
If no domains reference a name server, then the zone file removes the glue record.

28.1.4 Resourcing Plans

As underlined in question 18, the Group Corporate Communication (GCC) department will manage the relationship with all third-party technical providers including the data escrow. Those costs have been accounted for in the project set-up and operational costs as detailed in question 47. Details related to resourcing plans for the initial implementation and ongoing maintenance of Pictetʹs abuse plan are provided in Section 2 of this response.

28.1.5 Measures to Promote Whois Accuracy

The Applicant supported by its backend operator will comply to all ICANN requirements such as Whois accuracy.

The Applicant believes that Whois accuracy will be fully under control, considering the fact that it is a single registrant TLD that is monitored and operated in-house. The Applicant performed in this preparatory stage a rather high-level analysis of the possible uses of the ʺ.pictetʺ TLD.

The registrar selected by Pictet, Domainoo, offers an online interactive WHOIS service. His website en.lenom.com offers name check and WHOIS search.  Domainoo also provides a WHOIS service using port 43 webservice which is updated on a daily based. The WHOIS interacts and requests on registrar name, registered domain name, primary name server and secondary name server, identity of registrar, original creation date of registration, expiration date of registration, name and address of domain name registered holder and administrative and technical contacts.

Domainoo, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, takes reasonable steps to investigate that claimed inaccuracy. In the event Agence Virtuelle informs Domainoo of an inaccurate contact information associated with a Registered Name sponsored, the registrar takes reasonable steps to correct that inaccuracy. In particular, Domainoo sends an email to the current Registered Name holder to up-date their record. The email contains the following language:

ʺThis message is a reminder to help you keep the contact data associated with your domain registration up-to-date. Our records include the following information:
Domain: ____________
Registrar Name: _________
Registrant:
Name: _____________
Address: ____________
City: ___________
State⁄Province: ________
Country: __________
Postal Code: ___________
Administrative Contact:
Name: ______________
Address: ____________
City: ___________
State⁄Province: ________
Country: __________
Postal Code: ___________
Phone: ______________
Fax: _________
Email: _______________
Technical Contact:
Name: ______________
Address: ____________
City: ___________
State⁄Province: ________
Country: __________
Postal Code: ___________
Phone: ______________
Fax: _________
Email: _______________
Original Creation Date: ___________
Expiration Date: ______________
Nameserver Information:
Nameserver: _______________
 
If any of the information above is inaccurate, you must correct it by visiting our website. (If your review indicates that all of the information above is accurate, you do not need to take any action.) Please remember that under the terms of your registration agreement, the provision of false Whois information can be grounds for cancellation of your domain name registration.ʺ

In general, Domainoo complies with the Whois Data Reminder Policy by sending the above email once a year to their customers. For auditing purposes, Pictet will request exports of all or part of the whois data.

28.1.6 Authentication of Registrant Information

During the registration process, Pictet collects identifiable information, including, but not limited to, name, company name, telephone numbers, postal and e-mail addresses relating to the registrant and any other identifiable information that Pictet may reasonably require in order to provide access to Pictetʹs applications and services to its Registrants.
Registrants are assigned user names and passwords, all of which are used to identify the Registrants when they are using the Pictet registration services.

28.1.7 Regular Monitoring of Registration Data for Accuracy and Completeness

Verisign, Pictetʹs selected backend registry services provider, has established policies and procedures to encourage registrar compliance with ICANNʹs Whois accuracy requirements. Verisign provides the following services to Pictet for incorporation into its full-service registry operations.

As part of internal auditing and risk mitigation, the Applicant will perform on a regular basis Whois data control process. As the Applicant is willing to provide selected stakeholders in Pictet & Cie, its subsidiary, business partners and Pictet family memebers with the opportunity to create a secure and safe Internet environment that is mainly or even fully under control of the Applicant and⁄or such stakeholders, the Applicant will regularly audit its domain name portfolio, as this is the case with its current intellectual property rights.

Pictet willl focus primarily on pre‐registration validation and spot checks. Above 80% of the ʺ.pictetʺ domain names will be used by Pictet and company for which, registrants will clearly be identified. Family members applying for a ʺ.pictetʺ TLD will go through a meticulous selection process as detailed in question 18.

Post-registration, Pictet will conduct random audits after registration and focus a great deal on compliance and policy enforcement. Pictet will do a monthly review of about 30 to 50 records which results in about 360 or 600 annual audits.

Pictet will also perform annual Whois database cleanups and a consistency check to help validate information. And then updates the Whois data whenever someone requests different resources.

Verisign, Pictetʹs selected backend registry services provider, has established policies and procedures to encourage registrar compliance with ICANNʹs Whois accuracy requirements. Verisign provides the following services to Pictet for incorporation into its full-service registry operations.

Verisign sends an email notification to the ICANN primary registrar contact, requesting that the contact go to a designated URL, log in with his⁄her Web ID and password, and complete and submit the online form. The contact must submit the form within 15 business days of receipt of the notification.

When the form is submitted, Verisign sends the registrar an automated email confirming that the form was successfully submitted.

Verisign reviews the submitted form to ensure the certifications are compliant.

Verisign sends the registrar an email notification if the registrar is found to be compliant in all areas.

If a review of the response indicates that the registrar is out of compliance or if Verisign has follow-up questions, the registrar has 10 days to respond to the inquiry.

If the registrar does not respond within 15 business days of receiving the original notification, or if it does not respond to the request for additional information, Verisign sends the registrar a Breach Notice and gives the registrar 30 days to cure the breach.

If the registrar does not cure the breach, Verisign terminates the Registry-Registrar Agreement (RRA).

28.1.8 Use of Registrars

To ensure full control of its registrar network, the Applicant has decided to operate the TLD on a very limited registrant TLD basis. All ICANN mandatory specifications will be included in the registry-registrar agreement and the Applicant will also rely on its registrar to report any potential abuses in the TLD.

28.1.9 Malicious or Abusive Behavior Definitions, Metrics, and Service Level Requirements for Resolution

As outlined in the answer to question 30B, the Pictet Group, as a Bank, has a strong security culture. Malicious or abusive behavior that could endanger any of the Pictet Groupʹs activities is scrupulously and continually monitored, from inside as well as from outside viewpoints.

Abusive use criteria

The following criteria will be used to determine whether use of a particular domain is considered abusive:
a. the domain name registered by the domain name registrant is identical or confusingly similar to a trademark or service mark in which the complainant (the person or entity bringing the complaint) has rights; and
b. the domain name registrant has no rights or legitimate interests in respect of the domain name in question; and
c. the domain name has been registered and is being used in bad faith

Is considered as abusive use of the ʺ.pictetʺ TLD the following:
- Spam: The use of electronic messaging systems to send unsolicited bulk messages. The term applies to email spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of websites and Internet forums. An example, for purposes of illustration, would be the use of email in denial-of-service attacks.
- Phishing: The use of counterfeit web pages that are designed to trick recipients into divulging sensitive data such as user names, passwords, or financial information.
- Willful distribution of malware: The dissemination of software designed to infiltrate or damage a computer system without the ownerʹs informed consent. Examples include, without limitation, computer viruses, worms, keyloggers, and trojan horses.
- Botnet command and control: Services that run on domain names that are used to control a collection of compromised computers or ʺzombies,ʺ or to direct distributed denial-of-service attacks (DDoS attacks).
- Distribution of child pornography

As explained, ʺ.pictet TLDʺ will be a private TLD. There will be no registrant except Pictet and Pictet family members. In the latter case, family members will only be a license to use, but those domain names will remain under Pictetʹs property and management at all times. In addition to Verisignʹs monitoring and fault escalation procedure, Pictet will be monitoring ʺ.pictetʺ TLD operations on a daily basis and will implement this control in its current online brand watch and domain names watch already in place for 3 years. Pictetʹs security service operates 24x7 and provides timely responses to malicious and abusive behaviors

Trademark

As per the vision ⁄ mission statement stated in response to Question 18 of this application, most if not all of the domain names registered therein will be completely or at least partially under the control of the Registry Operator and for internal usages. Most uses of the « .pictet » TLD will be for Pictet & Cie (founded in 1805) and its affiliates which are registered trademarks protected under Swiss law and international copyrights laws. Pictet will not authorize any trademarks infrigements based on this intellectual property during the transitional period and beyond.

Trademark or intellectual property owners can initiate a procedure to challenge a ʺ.pictetʺ domain name. In order to prevail, the complaining party must show:
i. that a trademark is owned (either registered or unregistered) that is the same or confusingly similar to the registered second level domain name;
ii. that the party that registered the domain name has no legitimate right or interest in the domain name; and
iii. that the domain name was registered and used in bad faith.

If the trademark owner successfully proves all three points in the administrative proceeding, then the domain name can either be cancelled or transferred to the prevailing trademark owner. If the trademark owner fails to prove one of these points, Pictet will not cancel the domain name. In no case does a domain name cancellation would automatically result in a transfer to the complaining party.

Registration limited to Pictet & Cie and its subsidiary or family members baring the Pictet last name.

28.1.10 Controls to Ensure Proper Access to Domain Functions

Verisign Inc. will provide back-end registry services for applied-for « .pictet » TLD.

As Pictet has no in-depth experience in managing a domain name registry, Pictet has decided to rely on professional providers for all the technical support linked to operating the new gTLD program and to enforce all ICANN mandatory procedures to minimize all potential abuse in the TLD.

Moreover, the registration policy for Pictetʹs dotBrand will be restricted to the brand owner and its affiliates to register domain names in order to create a ‘safe-zoneʹ for internet users. Family membersʹ domain names will also be controlled by the brand owner.

Pictet defines the registration policy so unwanted activity from domainers or cyber squatters could be prevented by creating a strict policy. All registrations will be handled directly so risks involving third parties will be mitigated. Pictetʹs registration policy will be set so domain names are never transferred to licensees that arenʹt validated.

Pictet doesnʹt aim promote the use of the ʺ.pictetʺ TLD to third parties such as distributors and business partners. Co-branding webpages could be created but remain under the sole property and operations of Pictet. Pictet will rely on the experience and knowledge of Domainoo as the unique authorized registrar. Pictet will outsource the technical set-up and operations including the necessary infrastructure and human resources to professionals to ensure strict control on the domain name.

Registering Pictetʹs own TLD will allow the firm to proactively register common mistyped URLʹs and direct them towards the correct website. Pictet will also track and trace domain names that were visited, but not registered yet.

28.1.11 Multi-Factor Authentication

To ensure proper access to domain functions, Pictet incorporates Verisignʹs Registry-Registrar Two-Factor Authentication Service into its full-service registry operations. The service is designed to improve domain name security and assist its registrar in protecting the accounts they manage by providing another level of assurance that only authorized personnel can communicate with the registry. As part of the service, dynamic one-time passwords (OTPs) augment the user names and passwords currently used to process update, transfer, and⁄or deletion requests. These one-time passwords enable transaction processing to be based on requests that are validated both by ʺwhat users knowʺ (i.e., their user name and password) and ʺwhat users haveʺ (i.e., a two-factor authentication credential with a one-time-password).

The registrar can use the one-time-password when communicating directly with Verisignʹs Customer Service department as well as when using the registrar portal to make manual updates, transfers, and⁄or deletion transactions. The Two-Factor Authentication Service is an optional service offered to registrars that execute the Registry-Registrar Two-Factor Authentication Service Agreement. As shown in Figure 28-1, the registrarsʹ authorized contacts use the OTP to enable strong authentication when they contact the registry. There is no charge for the Registry-Registrar Two-Factor Authentication Service. It is enabled only for registrars that wish to take advantage of the added security provided by the service.

28.1.12 Requiring Multiple, Unique Points of Contact

As per ICANN requirements, the Applicant will establish and publish on its website a single abuse point of contact responsible for addressing matters requiring advanced attention and providing a timely response, maximum seven (7) days, to abuse complaints concerning all names registered in the TLD through the registrar. The Applicant has planned adequate resources to implement and take care of any abuse matter. Moreover, the Applicant will also rely on various internal and external resources in order to ensure that the TLD remains secured and controlled, such as monitoring phishing mailing lists, etc.

28.2 Technical plan that is adequately resourced in the planned costs detailed in the financial section

28.2.1 Resource Planning

Customer support in relation to the operation of the ʺ.pictetʺ TLD will be part of the services provided by the Applicant, its registrar (Domainoo) and its backend operator, Verisign. However, As underlined in question 18, the Applicant took into account the cost of supervising this activity and also took into account that its general customer service will have employees available who can respond to concerns of third parties in relation to the operation of the TLD. The Group Corporate Communication (GCC) department will manage the relationship with all third-party technical providers including the data escrow. Those costs have been accounted for in the project set-up and operational costs as detailed in question 47.

28.2.2 Resource Planning Specific to Backend Registry Activities

Verisign, Pictetʹs selected backend registry services provider, is an experienced backend registry provider that has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLDʹs initial implementation and ongoing maintenance. Verisignʹs pricing for the backend registry services it provides to Pictet fully accounts for cost related to this infrastructure, which is provided as ʺTotal Critical Registry Function Cash Outflowsʺ (Template 1, Line IIb.G) within the Question 46 financial projections response.

Verisign employs more than 1,040 individuals of which more than 775 comprise its technical work force. (Current statistics are publicly available in Verisignʹs quarterly filings.) Drawing from this pool of on-hand and fully committed technical resources, Verisign has maintained DNS operational accuracy and stability 100 percent of the time for more than 13 years for .com, proving Verisignʹs ability to align personnel resource growth to the scale increases of Verisignʹs TLD service offerings.

Verisign projects it will use the following personnel roles, which are described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support abuse prevention and mitigation:
- Application Engineers: 19
- Business Continuity Personnel: 3
- Customer Affairs Organization: 9
- Customer Support Personnel: 36
- Information Security Engineers: 11
- Network Administrators: 11
- Network Architects: 4
- Network Operations Center (NOC) Engineers: 33
- Project Managers: 25
- Quality Assurance Engineers: 11
- Systems Architects: 9

To implement and manage the .pictet gTLD as described in this application, Verisign, Pictetʹs selected backend registry services provider, scales, as needed, the size of each technical area now supporting its portfolio of TLDs. Consistent with its resource modeling, Verisign periodically reviews the level of work to be performed and adjusts staff levels for each technical area.

When usage projections indicate a need for additional staff, Verisignʹs internal staffing group uses an in-place staffing process to identify qualified candidates. These candidates are then interviewed by the lead of the relevant technical area. By scaling one common team across all its TLDs instead of creating a new entity to manage only this proposed gTLD, Verisign realizes significant economies of scale and ensures its TLD best practices are followed consistently. This consistent application of best practices helps ensure the security and stability of both the Internet and this proposed gTLD, as Verisign holds all contributing staff members accountable to the same procedures that guide its execution of the Internetʹs largest TLDs (i.e., .com and .net). Moreover, by augmenting existing teams, Verisign affords new employees the opportunity to be mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps ensure that new staff members properly execute their duties.

28.3 Policies and procedures identify and address the abusive use of registered names at startup and on an ongoing basis

28.3.1 Start-Up Anti-Abuse Policies and Procedures

The operation of the ʺ.pictetʺ TLD will not face the challenges that most ʺgenericʺ top-level domain names faces. In Pictetʹs view, the applied for TLD will mainly be a platform for supporting its business activities; except few exceptional cases for family members.

Verisign, Pictetʹs selected backend registry services provider, provides the following domain name abuse prevention services, which Pictet incorporates into its full-service registry operations. These services are available at the time of domain name registration.

Specific Extensible Provisioning Protocol (EPP) status codes are set on the domain name to prevent malicious or inadvertent modifications, deletions, and transfers. Typically, these ‘serverʹ level status codes can only be updated by the registry. The registrar only has ‘clientʹ level codes and cannot alter ‘serverʹ level status codes. The registrant must provide a pass phrase to the registry before any updates are made to the domain name. However, with Registry Lock, provided via Verisign, Pictetʹs subcontractor, registrars can also take advantage of server status codes.

The following EPP server status codes are applicable for domain names: (i) serverUpdateProhibited, (ii) serverDeleteProhibited, and (iii) serverTransferProhibited. These statuses may be applied individually or in combination.

The EPP also enables setting host (i.e., name server) status codes to prevent deleting or renaming a host or modifying its IP addresses. Setting host status codes at the registry reduces the risk of inadvertent disruption of DNS resolution for domain names.

The Registry Lock Service is used in conjunction with a registrarʹs proprietary security measures to bring a greater level of security to registrantsʹ domain names and help mitigate potential for unintended deletions, transfers, and⁄or updates.

Two components comprise the Registry Lock Service:

Pictet and its registrar provides Verisign, Pictetʹs selected provider of backend registry services, with a list of the domain names to be placed on the server status codes. During the term of the service agreement, the registrar can add domain names to be placed on the server status codes and⁄or remove domain names currently placed on the server status codes. Verisign then manually authenticates that the registrar submitting the list of domain names is the registrar-of-record for such domain names.

If Pictet or its registrar requires changes (including updates, deletes, and transfers) to a domain name placed on a server status code, Verisign follows a secure, authenticated process to perform the change. This process includes a request from a Pictet-authorized representative for Verisign to remove the specific registry status code, validation of the authorized individual by Verisign, removal of the specified server status code, registrar completion of the desired change, and a request from the Pictet-authorized individual to reinstate the server status code on the domain name. This process is designed to complement automated transaction processing through the Shared Registration System (SRS) by using independent authentication by trusted registry experts.

Pictet intends to charge its registrar based on the market value of the Registry Lock Service. A tiered pricing model is expected, with each tier having an annual fee based on per domain name⁄host and the number of domain names and hosts to be placed on Registry Lock server status code(s).

28.3.2 Ongoing Anti-Abuse Policies and Procedures

Criminals constantly develop new methods of attacking Internet users. Pictet is conscious of its responsibility and determined to safeguarding its users. Pictet will leverage its existing web security procedures and rely on technical providers to which are experts in combatting potential abuses.

Suspension criteria

The Registrant Agreement contains terms permitting the Registry operator to revoke the use of a ʺ.pictetʺ domain name for the reasons outlined below:
1. The registrantʹs status changes and they cease to be a member of the eligible community defined by Pictet & Cie;
2. If any prescribed registration, transfer, renewal or other fee is not paid if applicable;
3. If a warranty made by the registrant;
4. If any information provided in the course of registration is incorrect;
5. If misleading, incomplete or incorrect information is supplied in the application for registration, transfer or renewal;
6. Failure to comply with any ʺ.pictetʺ policy that applies to the registrant at any time;
7. If a court of competent authority orders that the ʺ.pictetʺ domain name should not be licensed to the Registrant, be removed from the registry or be licensed to another person;
8. If the ʺ.pictetʺ domain name, or the use of the ʺ.pictetʺ domain name, is not in the best interests of the Pictet & Cie;
9. If instructed by the registrant or its authorized agent; and
10. If ʺ.pictetʺ domain name which could not otherwise be registered under this policy is registered through mistake on the part of the registrant or the Registry.

28.3.3 Policies and Procedures That Identify Malicious or Abusive Behavior

Verisign, Pictetʹs selected backend registry services provider, provides the following service to Pictet for incorporation into its full-service registry operations.

Malware scanning service. Registrants are often unknowing victims of malware exploits. Verisign has developed proprietary code to help identify malware in the zones it manages, which in turn helps registrars by identifying malicious code hidden in their domain names.

Verisignʹs malware scanning service helps prevent websites from infecting other websites by scanning web pages for embedded malicious content that will infect visitorsʹ websites. Pictet will use a malware scanning technology which uses a combination of in-depth malware behavioral analysis, anti-virus results, detailed malware patterns, and network analysis to discover known exploits for the particular scanned zone. If malware is detected, the service sends the registrar a report that contains the number of malicious domains found and details about malicious content within its TLD zones. Reports with remediation instructions are provided to help registrars and registrants eliminate the identified malware from the registrantʹs website.

28.3.4 Policies and Procedures That Address the Abusive Use of Registered Names

As mentioned under 1.1, Pictet will be the only user of its own TLD and thus there will be no registered name by unknown persons and, as a consequence, no risk of abuse of registered names.

All disputes arising out of or related to the TLD management shall be governed by, construed, and enforced in all respects in accordance with the laws of Switzerland, jurisdiction and venue of the Courts of Geneva. An appeal to the Federal Supreme Court of Switzerland is reserved.

Suspension processes conducted by backend registry services provider. In the case of domain name abuse, Pictet will determine whether to take down the subject domain name. Verisign, Pictetʹs selected backend registry services provider, will follow the following auditable processes to comply with the suspension request (Figure 28-2).

Verisign Suspension Notification. Pictet submits the suspension request to Verisign for processing, documented by:
- Threat domain name
- Registry incident number
- Incident narrative, threat analytics, screen shots to depict abuse, and⁄or other evidence
- Threat classification
- Threat urgency description
- Recommended timeframe for suspension⁄takedown
- Technical details (e.g., Whois records, IP addresses, hash values, anti-virus detection results⁄nomenclature, name servers, domain name statuses that are relevant to the suspension)
- Incident response, including surge capacity

Verisign Notification Verification. When Verisign receives a suspension request from Pictet, it performs the following verification procedures:
- Validate that all the required data appears in the notification.
- Validate that the request for suspension is for a registered domain name.
- Return a case number for tracking purposes.

Suspension Rejection. If required data is missing from the suspension request, or the domain name is not registered, the request will be rejected and returned to Pictet with the following information:
- Threat domain name
- Registry incident number
- Verisign case number
- Error reason

28.4 Technical plan scope⁄scale that is consistent with the overall business approach and planned size of the registry

28.4.1 Scope⁄Scale Consistency

Founded in 1805 in Geneva, Pictet & Cie is today one of Switzerlandʹs largest private banks, and one of the premier independent asset management specialists in Europe, with over USD 325 billion in assets under management and custody at 31 December 2011. In connection to its business, the Applicant has a substantial experience and expertise in managing internally complex IT systems and infrastructures, hereby relying on in-house and external resources. Pictet has a strong web presence with an annual budget of web communication and operations of over 50,000 Pictet webpages visited daily.

However, Pictet has no in-depth experience in managing a domain name registry system and it would require too much effort for the Applicant to develop a system itself that complies with the specific technical requirements imposed upon new gTLD registries. Therefore, Pictet has decided to rely on Verisign Inc. to provide back-end registry services for applied-for « .pictet » TLD.

28.4.2 Scope⁄Scale Consistency Specific to Backend Registry Activities

Verisign, Pictetʹs selected backend registry services provider, is an experienced backend registry provider that has developed and uses proprietary system scaling models to guide the growth of its TLD supporting infrastructure. These models direct Verisignʹs infrastructure scaling to include, but not be limited to, server capacity, data storage volume, and network throughput that are aligned to projected demand and usage patterns. Verisign periodically updates these models to account for the adoption of more capable and cost-effective technologies.

Verisignʹs scaling models are proven predictors of needed capacity and related cost. As such, they provide the means to link the projected infrastructure needs of the ʺ.pictetʺ gTLD with necessary implementation and sustainment cost. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its scaling models, Verisign derived the necessary infrastructure required to implement and sustain this gTLD. Verisignʹs pricing for the backend registry services it provides to Pictet fully accounts for cost related to this infrastructure, which is provided as ʺOther Operating Costʺ (Template 1, Line I.L) within the Question 46 financial projections response.

Similar gTLD applications: (0)