28 Abuse Prevention and Mitigation
Prototypical answer:
gTLD: .DELOITTE
Full Legal Name: Deloitte Touche Tohmatsu
E-mail suffix: deloitte.com
1. Introduction
The .deloitte TLD application concerns a single-Registrant TLD, which means that it is currently contemplated that only one Registrant, DTT (which is also the Applicant), will be entitled to register and delegate domain names within the TLD.
These limitations, requirements and procedures will be reflected in the following:
- the policies for the registration of domain names, which will contain provisions regarding:
o how Deloitte member firms may apply for domain names to be registered by the Registrant; and
o the responsibility of the various parties involved in the registration process, including the registrar sponsoring a domain name registration in the .deloitte TLD.
- the registry-registrar agreement, which will contain provisions regarding, at a minimum:
o the authentication of the registrant of domain names in the TLD;
o the verification – on a temporary basis – of whether the registrant continues to meet these requirements; and
o the verification of the domain name registrations made by the Registrant (e.g., confirmation that applied-for domain names do not infringe third-party rights).
- putting in place a Complaints point of contact, who will investigate any non-compliant or infringing domain name registrations at no cost to the third party complainant who is of the opinion that a domain name has been registered without the registrant meeting the eligibility requirements referred to above, and/or a domain name has been registered that potentially infringes the rights or legitimate interests of such complainant.
Due to the restricted nature of the TLD, domain name abuse and misuse would be extremely unlikely. Nevertheless, the Applicant plans to implement the following measures to mitigate any potential for domain name abuse, in compliance with ICANN regulations.
PART I: As required by ICANN for the completeness of our answer, we would like to address each of the four specific topics set forth within Question 28:
1.1. An implementation plan to establish and publish on its website a single abuse point of contact responsible for addressing matters requiring expedited attention and providing a timely response to abuse complaints concerning all names registered in the TLD through all registrars of record, including those involving a reseller.
The Applicant commits itself to addressing matters regarding abuse in an expedient fashion and to providing a timely response to all abuse complaints concerning names registered within the .deloitte TLD.
Operating a closed TLD will in itself limit the possibilities of domain name abuse; however, to comply with ICANN requirements, the Applicant intends to implement a Domain Name Anti-Abuse Policy (a high level overview of which can be found below) and address promptly any non-compliance with that policy. A contact name for reporting abuse will be published on the TLD.
1.2. Policies for handling abuse complaints.
The Applicant does not foresee any actual domain name abuse within its restricted, one-Registrant TLD, where all registered domain names will be directly or indirectly linked to the professional services of the Deloitte member firms. Further, all domain names will be submitted to an internal compliance check before a domain name is registered. Nevertheless, should any complaints be filed, the Applicant will have a published policy in place to act accordingly.
The Applicant intends to handle any abuse complaints through its Governance Committee and will reserve the right to:
• deny or cancel any registration or transaction;
• place any domain name(s) on registry lock, hold or similar status during the resolution of a dispute.
This is in order to:
• protect the integrity and stability of the registry;
• comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process;
• avoid any liability, civil or criminal, on the part of the Applicant, as well as its affiliates, subsidiaries, officers, directors, and employees;
• correct mistakes made by the Applicant.
1.3. A description of policies and procedures that define malicious or abusive behavior, capture metrics, and establish Service Level Requirements for resolution, including service levels for responding to law enforcement requests.
The Applicant will create a Domain Name Anti-Abuse Policy containing a clear articulation of what constitutes abuse and how abuse complaints will be addressed.
The objective of the Domain Name Anti-Abuse Policy is to define abusive uses pertaining to domain name registration and domain name usage. Consequently, the Applicant intends to define “abuse” as follows:
Abuse is an action that:
• Causes actual and substantial harm, or is a material predicate of such harm;
• Is illegal or illegitimate, or is otherwise considered contrary to the intention and design of a stated legitimate purpose, if such purpose is disclosed.
In the section below, a distinction is made between Registration Abuses and Malicious Use of Domain Names (Domain Name Usage Abuses), for the avoidance of confusion.
Registration Abuse
Registration abuse/misuse relates to abuse concerning the core domain name-related activities performed by the Applicant. Because the Applicant will be the same entity as the Registrant, the likelihood of any registration abuse is de minimis.
The following practices are considered, by ICANN’s Governmental Advisory Committee, to constitute registration abuse and would result in sanctions taken by the Applicant as Registry Operator, in the unlikely event that Applicant’s Registry is no longer a single-Registrant TLD:
• Cyber squatting;
• Front-running;
• Gripe sites;
• Deceptive, pornographic and/or offensive domain names;
• Fake renewal notices;
• Name spinning;
• Cross-TLD Registration Scam;
• Domain kiting.
Detailed descriptions of such abuses would be provided in the complete Domain Name Anti-Abuse Policy, to be published on the registration website.
Malicious Use of Domain Names
In general, malicious use of domain names concerns what a Registrant (here, the same entity as the Applicant) does with a domain name after it is created—specifically, the purpose the Registrant puts the domain to, and/or the services that the Registrant operates on it. Again, the fact that the Applicant will be the same entity as the Registrant virtually eliminates the likelihood of malicious use of domain names.
The following practices are considered malicious use of a domain name and would result in actions taken by the Applicant as Registry Operator, in the unlikely event that Applicant’s Registry is no longer a single-Registrant TLD:
• Illegal or fraudulent actions;
• Spam;
• Phishing;
• Pharming;
• Traffic diversion;
• False affiliation;
• Wilful distribution of malware;
• Fast flux hosting;
• Botnet command and control;
• Distribution of child pornography;
• Illegal Access to Other Computers or Networks.
The Applicant will reserve the right, in its sole discretion, to deny or cancel any registration, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary: (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of Applicant and its personnel; (4) to accord with the terms of the Registry Agreement; or (5) to correct mistakes made by the Applicant. The Applicant also reserves the right to place a domain name upon registry lock, hold or similar status during resolution of a dispute. Should a dispute occur, the domain name would be put on hold immediately and, within a designated period of time (most likely 48 hours), the dispute will be resolved and the domain will be accessible again or will be removed.
1.4. Adequate controls to ensure proper access to domain functions
Due to the restricted nature of the TLD, some domain name functions will -- at least initially -- not be allowed, such as domain name transfers. Access to other domain functions, such as domain name update and deletion, would be possible only after authentication via a strong password and through the registrar sponsoring the domain name. The following principles are used for strong passwords:
• Users shall pick a password of sufficient complexity, which contains characters from at least 3 of the following categories:
o English uppercase characters (A through Z);
o English lowercase characters (a through z);
o Base 10 digits (0 through 9);
o Non-alphabetic characters (for example, !, $, #, %).
• A password should have a minimal length of 8 characters.
• Passwords & PIN codes shall not be based on easily-guessable information, such as:
o words from a dictionary;
o data linked to a user (phone numbers, license plate, date or place of birth, names of the children, etc.);
o significant portions of the user's account name or full name.
The usage of strong passwords will be enforced, where possible, by the application used to access domain functions.
Furthermore, all domain name requests will be submitted to an internal compliance check.
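The password principles listed above can be enforced in the application as a single check. The following is an added example, not code from the Applicant or the original page; the sample word list, the 4-character threshold for a "significant portion" of a name, and the reading of "non-alphabetic" as non-alphanumeric are assumptions.

```python
import re

# Constructed stand-in for a real word list (assumption: the page names no list).
SAMPLE_DICTIONARY = {"password", "welcome", "deloitte", "registry", "summer"}
MIN_LENGTH = 8         # "minimal length of 8 characters"
MIN_CLASSES = 3        # characters from at least 3 of the 4 categories
MIN_FRAGMENT = 4       # assumption: size of a "significant portion" of a name
# Categories; "non-alphabetic" is read here as non-alphanumeric, per the page's examples.
CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
# Undo common look-alike substitutions so "P@ssw0rd" still matches "password".
LOOKALIKES = str.maketrans("013457@$!", "oieastasi")


def check_password(password, account_name, full_name, personal_data=()):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if sum(bool(re.search(c, password)) for c in CLASSES) < MIN_CLASSES:
        problems.append("too few character categories")

    plain = re.sub(r"[^a-z0-9]", "", password.lower())
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LOOKALIKES))
    if any(word in letters for word in SAMPLE_DICTIONARY):
        problems.append("dictionary word")

    name_parts = re.split(r"[^a-z0-9]+", f"{account_name} {full_name}".lower())
    if any(len(p) >= MIN_FRAGMENT and (p in plain or p in letters)
           for p in name_parts):
        problems.append("account or full name")

    for item in personal_data:  # phone numbers, licence plates, dates, ...
        value = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(value) >= MIN_FRAGMENT and value in plain:
            problems.append("user-linked data")
            break
    return problems
```

A password such as "P@ssw0rd!" satisfies the length and category rules but is still rejected, because the look-alike mapping reduces it to a dictionary word.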
1.5. Proposed measures for removal of orphan glue records for names removed from the zone when provided with evidence in written form that the glue is present in connection with malicious conduct (see Specification 6).
The Applicant does not foresee any issues regarding orphan glue records.
Glue records can only be inserted within the domain name itself. Inclusion is based on the fact that the name servers have the same extension as the domain name. These address records only exist by the grace of the domain name itself. Since the IP address is always linked to the domain name, the address will also disappear from the zone as soon as the domain name is removed from the registration database. Should any evidence be provided that a domain name, registered with Applicant, is present in connection with malicious conduct, the name and glue will simultaneously be removed. This eliminates the possibility of orphan glue records.
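The cascading removal described above can be verified against a zone snapshot by looking for address records that no longer sit under any delegation. The following is an added example, not the Applicant's registry code; the TLD "example", the host names and the addresses are constructed, and the three-field record layout is a simplification of a real zone file.

```python
# Constructed zone snapshot for a hypothetical TLD "example" (not registry data).
ZONE = """\
alpha.example.      NS    ns1.alpha.example.
alpha.example.      NS    ns2.alpha.example.
beta.example.       NS    ns1.gone.example.
ns1.alpha.example.  A     192.0.2.10
ns2.alpha.example.  AAAA  2001:db8::10
ns1.gone.example.   A     192.0.2.66
"""


def parse(zone_text):
    """Split 'owner TYPE rdata' lines into delegated names and address records."""
    delegated, glue = set(), {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        owner, rtype, rdata = fields[0].lower().rstrip("."), fields[1].upper(), fields[2]
        if rtype == "NS":
            delegated.add(owner)
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    return delegated, glue


def orphan_glue(zone_text):
    """Address records whose own name and every parent name lack a delegation."""
    delegated, glue = parse(zone_text)
    orphans = {}
    for host, addresses in glue.items():
        labels = host.split(".")
        ancestors = {".".join(labels[i:]) for i in range(len(labels))}
        if not ancestors & delegated:
            orphans[host] = addresses
    return orphans


def remove_domain(zone_text, domain):
    """Drop a delegation and, in the same step, every record at or below it."""
    domain = domain.lower().rstrip(".")
    kept = []
    for line in zone_text.splitlines():
        owner = line.split()[0].lower().rstrip(".") if line.split() else ""
        if owner != domain and not owner.endswith("." + domain):
            kept.append(line)
    return "\n".join(kept) + "\n"
```

In the constructed snapshot, `ns1.gone.example` is reported as orphan glue because `gone.example` has no delegation left, even though `beta.example` still lists that host as a name server.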
1.6. Resourcing plans for the initial implementation of, and ongoing maintenance for, this aspect of the criteria (number and description of personnel roles allocated to this area).
As previously stated, the Applicant intends to form a Governance Committee to oversee the implementation of the Domain Name Anti-Abuse Policy and to respond promptly to any instances of abuse that may arise. The Applicant will put in place a point of contact for any complaints related to domain name abuse. As the Applicant intends that only domain names that are connected to the professional services provided by the Deloitte member firms may be registered within the .deloitte TLD, the likelihood of abusive domain name registrations is de minimis. However, as the .deloitte TLD evolves, the Governance Committee will re-assess this need on a periodic basis.
PART II: To be eligible for a score of 2, we would also like to clarify how the extra indicated topics have been addressed:
1.7. Measures to promote WHOIS accuracy.
As described, the .deloitte TLD will be a closed TLD. Consequently, the WHOIS accuracy will be the responsibility of the Applicant, as in this case, the Applicant will be the same entity as the Registrant.
The Governance Committee will take all necessary and appropriate steps to ensure that only authorized personnel may register domain names on behalf of the Registrant ensuring that all provided information in the WHOIS is correct and up to date.
As an additional measure to ensure WHOIS accuracy, the Applicant intends to perform an extensive review of all domain name registrations on a yearly basis in order to ensure that the data reflected in the WHOIS is accurate and up to date.