28 Abuse Prevention and Mitigation

Prototypical answer:

A. ABUSE PREVENTION AND MITIGATION TO BE IMPLEMENTED BY JCB Co., Ltd.

JCB Co., Ltd.ʹs proposed use for .jcb should, by its very nature, preclude abusive registrations from occurring, as all domains names may only be registered in the name of JCB Co., Ltd. and its affiliates
(for the purposes of this response, ʺaffiliatesʺ means in relation to a party any corporation or other business entity controlling, controlled by, or under common control of that party and for the purposes of this definition, a corporation or other business entity shall be deemed to control another corporation or business entity if it owns directly or indirectly (i) fifty percent (50%) or more of the
voting securities or voting interest in any such corporation or other entity; or (ii) fifty percent (50%) or more of the interest in the profit or income in the case of a business entity other than a
corporation; or (iii) in the case of a partnership, any other compatible interest equal to at least a fifty percent (50%) share in the general partner).

JCB Co., Ltd. is intending to operate .jcb for the benefit of Internet users that would like to interact with JCB Co., Ltd.. There is no incentive for JCB Co., Ltd. to confuse Internet users, nor otherwise
use domain names in bad faith, since JCB Co., Ltd.ʹs branded keyword gTLD is inherently intertwined with all uses of .jcb domain names.

Notwithstanding the above, JCB Co., Ltd. understands and agrees that it must comply with the different rights protection mechanisms such as the Uniform Domain Name Dispute Resolution Policy (UDRP) and the
Uniform Rapid Suspension System (URS) as described in the gTLD Applicant Guidebook (as may be later amended via Consensus Policy) and the Registry Agreement. The aforementioned policies provide a strong incentive to ensure that relevant and effective checks are in place to ensure that all .jcb domain names are only registered and used in an appropriate manner so as to benefit Internet users who would like to interact with JCB Co., Ltd., rather than in any manner that may be deemed inappropriate or in bad faith.

JCB Co., Ltd. will implement a clear written policy which requires the relevant corporate authorization and approvals to be procured and evidenced in order for any .jcb domain name to be registered for JCB Co., Ltd.ʹs use. In the event that JCB Co., Ltd. resolves to permit third parties (other than affiliates) that have a relationship with either JCB Co., Ltd. or its business, to register (or license) and use domain names within the top level domain (TLD), then additional corporate authorizations and approvals may be required to ensure internal responsibility for permitting and enforcing the terms of use of the .jcb domain. In addition to these safeguards, all registered domain names in the TLD will be regularly monitored for abusive use.

As stated in response to Question 18, JCB Co., Ltd.ʹs Registration Policy will address the minimum requirements mandated by ICANN including rights abuse prevention measures. JCB Co., Ltd. will implement the following as means of abuse prevention and mitigation:

1. JCB Co., Ltd.ʹs Registration Policy - draft, see the Q28_Registration_Policy_Draft_jcb.pdf attached.
2. JCB Co., Ltd.ʹs Procedure for Management of Trademark Infringement Claims - draft, see the Q28_Procedure_for_Management_of_TIC_jcb.pdf attached.


B. .jcb ANTI-ABUSE POLICIES

Although domain names will only be registered to JCB Co., Ltd. and its affiliates, all domain names will be subject to specific internal registration policy for .jcb domain. The JCB Co., Ltd.ʹs Registration Policy will set out in writing a methodology for corporate authorization, approval and evidence in order for any domain name to be registered for JCB Co., Ltd.ʹs use. This will prohibit any abusive use of a domain name. These policies include not only the required URS, but also the supplemental Anti-Phishing Takedown Process, JCB Co., Ltd. ʹs Acceptable Use Policy, and JCB Co., Ltd.ʹs strict controls on registration.


C. DEFINITION OF ABUSE

JCB Co., Ltd. defines abuse as an action that causes actual and substantial harm, or is a material predicate of such harm, and is illegal, illegitimate, or otherwise contrary to JCB Co., Ltd.ʹs Registration Policy. Abuse includes, without limitation, the following:

- Content or actions that attempt to defraud members of the public in any way (for example, ʺphishingʺ sites);
- Content that is hateful, defamatory, derogatory or bigoted based on racial, ethnic, political grounds or which otherwise may cause or incite injury, damage or harm of any kind to any person or entity;
- Content that is threatening or invades another personʹs privacy or property rights or is otherwise in breach of any duty owed to a third party;
- Content or actions that infringe the trademark, copyright, patent rights, trade secret or other intellectual property rights, or any other legal rights of JCB Co., Ltd. or any third party;
- Content or actions that violate any applicable local, state, national or international law or regulation;
- Content or actions that promote, are involved in or assist in, the conduct of illegal activity of any kind or promote business opportunities or investments that are not permitted under applicable law;
- Content that advertises or offers for sale any goods or services that are unlawful or in breach of any national or international law or regulation; or
- Content or actions associated with the sale or distribution of prescription medication without a valid prescription;
- Content that depicts minors engaged in any activity of a sexual nature or which may otherwise harm minors;
- Activities that mislead or deceive minors into viewing sexually explicit material;
- Spam: The use of electronic messaging systems to send unsolicited bulk messages. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums. An example, for purposes of illustration, would be the use of email in denial-of-service attacks;
- Phishing: The use of counterfeit Web pages that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;
- Pharming: The redirecting of unknowing users to fraudulent sites or services, typically through Domain Name System (DNS) hijacking or poisoning;
- Willful distribution of malware: The dissemination of software designed to infiltrate or damage a computer system without the ownerʹs informed consent. Examples include, without limitation, computer viruses, worms, keyloggers and trojan horses;
- Botnet command and control: Services run on a domain name that are used to control a collection of illegally compromised computers or ʺzombies,ʺ or to direct denial-of-service attacks (DDoS attacks); and
- Illegal Access to Other Computers or Networks: Illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individualʹs system (often known as ʺhackingʺ). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity).

Any employee found to have violated any of JCB Co., Ltd.ʹs policies may be subject to disciplinary action, up to and including termination of employment.

Every JCB Co., Ltd. employee should be aware that the data they create on the corporate systems, including on any domain name hosted in .jcb, remains the property of JCB Co., Ltd.. For security and network maintenance purposes, authorized individuals within JCB Co., Ltd. may monitor equipment, systems and network traffic at any time. JCB Co., Ltd. reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

JCB Co., Ltd. recognizes that, notwithstanding all of JCB Co., Ltd.ʹs internal policies having been meticulously followed by all employees and affiliates, the Internet remains an open and ubiquitous system that provides access and anonymity to participants around the world. This is one of the Internetʹs strengths and also a source of difficulty as malicious or criminal perpetrators exploit these characteristics for their own benefit. The frequency of activities such as phishing, pharming, spam and DDoS attacks have increased dramatically on the Internet and there is strong evidence to suggest this will continue.

JCB Co., Ltd. has resolved to ensure that abusive use of the .jcb domain names will not be permitted nor tolerated. The nature of such abuses creates security and stability issues for JCB Co., Ltd., as well as for users of the Internet in general, and particularly those who wish to interact with JCB Co., Ltd. in a secure and reliable manner. The nature of such abuses also inherently creates negative publicity and loss of brand integrity and goodwill and, therefore, any such abuse must be swiftly and effectively addressed, and systems must continue to evolve in accordance with evolving threats.

Scanning to identify malicious or abusive behavior.
All domain names within the .jcb domain shall be continually executing approved virus-scanning software with a current virus database, unless overridden by departmental or group policy for legitimate business reason.

JCB Co., Ltd. will conduct automated and regular scanning for malware of all domain names in the Registry through its selected back end Registry services provider, Verisign. Registrants are often unknowing victims of malware exploits. Verisign has developed proprietary code to help identify malware in the zones it manages, which in turn helps registrars by identifying malicious code hidden in their domain names. Verisignʹs malware scanning service helps prevent websites from infecting other websites by scanning web pages for embedded malicious content that will infect visitorsʹ websites. Verisignʹs malware scanning technology uses a combination of in-depth malware behavioral analysis, anti-virus results, detailed malware patterns, and network analysis to discover known exploits for the particular scanned zone. If malware is detected, the service sends the registrar a report that contains the number of malicious domains found and details about malicious content within its TLD zones. Reports with remediation instructions are provided to help registrars and registrants eliminate the identified malware from the registrantʹs website.


D. ADDITIONAL PROCESSES TO ADDRESS ABUSIVE USE OF REGISTERED DOMAIN NAMES

Suspension processes conducted by backend registry services provider.
In the case of domain name abuse, JCB Co., Ltd. or JCB Co., Ltd.ʹs approved registrar(s) will determine whether to take down the subject domain name. Verisign, JCB Co., Ltd.ʹs selected backend registry services provider, will follow the auditable processes to comply with the suspension request as set out Diagram 1 of the Attachment.

Verisign Suspension Notification.
JCB Co., Ltd. or JCB Co., Ltd.ʹs approved registrar(s) submits the suspension request to Verisign for processing, documented by:

- Threat domain name
- Registry incident number
- Incident narrative, threat analytics, screen shots to depict abuse, and⁄or other evidence
- Threat classification
- Threat urgency description
- Recommended timeframe for suspension⁄takedown
- Technical details (e.g., Whois records, IP addresses, hash values, anti-virus detection results⁄nomenclature, name servers, domain name status that are relevant to the suspension)
- Incident response, including surge capacity

Verisign Notification Verification.
When Verisign receives a suspension request from JCB Co., Ltd. or JCB Co., Ltd.ʹs approved registrar(s), it performs the following verification procedures:

- Validate that all the required data appears in the notification
- Validate that the request for suspension is for a registered domain name
- Return a case number for tracking purposes

Suspension Rejection.
If required data is missing from the suspension request, or the domain name is not registered, the request will be rejected and returned to JCB Co., Ltd. or JCB Co., Ltd.ʹs approved registrar(s) with the following information:

- Threat domain name
- Registry incident number
- Verisign case number
- Error reason

JCB Co., Ltd. will notify the registrar of record in relation to a complaint.


E. ABUSE POINT OF CONTACT AND PROCESS FOR ADDRESSING COMPLAINTS

JCB Co., Ltd. will act as the primary abuse point of contact for the gTLD. JCB Co., Ltd. may use its third party registrar(s) or its selected back end registry services provider, Verisign, to perform some or all of the functions associated with handling inquiries relating to malicious conduct in the gTLD. Contact details (including at least a valid email and mailing address) for the abuse primary contact will be displayed prominently on JCB Co., Ltd.ʹs main website. The primary contact will investigate and respond to all complaints and incidents within a reasonable time and be empowered to take effective action within well-defined written criteria to guide those actions. Action will be taken in line with what is set out in this answer and the registration policy for the .jcb domain. Changes to contact details will be clearly and effectively communicated to ICANN and prominently displayed on JCB Co., Ltd.ʹs website.

The above mentioned email address will be set up to receive complaints for any potential malicious conduct in the TLD. Furthermore, the email address will be routinely monitored over a 24 hour period, 365 days a year. Complainants will be provided with a written email response communication containing an auditable tracking or case number. JCB Co., Ltd. will investigate all reasonable complaints and take any reasonably necessary and appropriate action. Verified law enforcement requests will be addressed in no more than twenty-four hours from verified receipt. All other requests will be addressed in no more than seventy-two hours from receipt.

Abuse complaint metrics will be tracked, and adequate resources will be expended to ensure appropriate trending of those metrics by providing the abuse point of contact with sufficient resources. The complaint metrics will be gathered by the registrar(s) and regularly forwarded to JCB Co., Ltd. for the purposes of identifying gaps in the Registryʹs current policies and areas of improvement. Given JCB Co., Ltd.ʹs belief that infrastructure protection, rights protection and user security are paramount goals of operating the TLD, JCB Co., Ltd. intends to engage a third party registrar(s), who will be required to ensure that sufficient resources are provided to satisfy this critical requirement, and to do whatever is reasonably necessary to ensure a secure and trusted zone.

JCB Co., Ltd. will have strict controls over the registration and use of the .jcb domain names. JCB Co., Ltd. will devise and document strict criteria and authority levels which will need to be satisfied before a domain name can be registered for use. To ensure independence of this function, a third party registrar will be responsible for ensuring strict compliance with the criteria and authority levels designated. Only authorized personnel within JCB Co., Ltd. organization will be permitted to request and⁄or authorize DNS changes to be made either by the third party registrar or the registry services provider. JCB Co., Ltd.ʹs documented criteria and authority levels for registering a domain name ensure multiple, unique points of contact are needed to request and⁄ or approve, update, transfer and⁄or deal with deletion requests, and will require notification of multiple unique points of contact when a domain name has been updated, transferred, or deleted.


F. ORPHAN GLUE RECORDS

JCB Co., Ltd. will ensure proper attention is paid to orphan glue records. While orphan glue often supports correct and ordinary operation of the DNS, JCB Co., Ltd. understands that it will be required, via Specification 6 of the Registry Agreement, to take action to remove orphan glue records when provided with evidence in written form that such records are present in connection with malicious conduct. JCB Co., Ltd.ʹs robust controls on registration and use, and ongoing monitoring of the .jcb zone, should ensure that this is not an area of concern. Furthermore, JCB Co., Ltd.ʹs selected backend registry services providerʹs (Verisignʹs), registration system is specifically designed to not allow orphan glue records. Registrars are required to delete⁄move all dependent DNS records before they are allowed to delete the parent domain. To prevent orphan glue records, Verisign performs the following checks before removing a domain or name server:

Checks during domain delete:
- Parent domain delete is not allowed if any other domain in the zone refers to the child name server
- If the parent domain is the only domain using the child name server, then both the domain and the glue record are removed from the zone

Check during explicit name server delete:
- Verisign confirms that the current name server is not referenced by any domain name (in-zone) before deleting the name server

Zone-file impact:
- If the parent domain references the child name server AND if other domains in the zone also reference it AND if the parent domain name is assigned a server Hold status, then the parent domain goes out of the zone but the name server glue record does not
- If no domains reference a name server, then the zone file removes the glue record

Controls on new registrations of domain names.
JCB Co., Ltd. will adopt and impose strict controls over the registration and use of .jcb domain names. JCB Co., Ltd. will devise and document strict criteria and authority levels which will need to be satisfied before a domain name can be registered for JCB Co., Ltd.ʹs use. To ensure appropriate verification of this function, third party registrar(s) will be appointed to perform the administrative aspects of the registration of domain names in strict compliance with the defined criteria and designated authority levels. The registry services provider will be provided with the defined criteria and will be required to ensure that only domains which comply with the criteria are registered. Only authorized personnel within JCB Co., Ltd. organization will be able to request and⁄or authorize DNS changes to be made either by the third party registrar(s) or the registry services provider. JCB Co., Ltd.ʹs documented criteria and authority levels for domain name registration will ensure multiple, unique points of contact are needed to request and⁄ or approve, update, transfer and⁄ or deal with deletion requests, and will require notification of multiple unique points of contact when a domain name has been updated, transferred, or deleted.

JCB Co., Ltd. confirms that it will meet the standards set out in the Registry Agreement, with respect to the Sunrise and Trademark claims process for any domain names registered.


G. ENSURING WHOIS ACCURACY

A complete and accurate Whois database promotes the prevention of identity theft, fraud and other on-line crime, promotes the publicʹs ability to police its rights against unlawful copyright and trademark infringement, and minimizes technical errors. JCB Co., Ltd. has a compelling interest in accounting to itself and the public for the use of Applicant assets, and in ensuring those assets are only used by persons or entities authorized by JCB Co., Ltd.. That interest is especially strong with respect to the .jcb and all domain names registered or used therein, since it is a core component of JCB Co., Ltd.ʹs online branding and technological platform.

JCB Co., Ltd. will enforce the Whois data accuracy provisions in ICANNʹs Registry Agreement, Registrar Accreditation Agreement and all relevant Consensus Policies. Those agreements generally require all registrants to provide accurate and reliable contact details and promptly update any changes made during the registration term. JCB Co., Ltd.ʹs registrars must present to the registrant the current Whois information, and remind the registrant that provision of false Whois information can be grounds for cancellation of the domain name registration. .jcb and⁄or its affiliates (as defined in this response) will be listed as the sole registrant of all domains within the .jcb. JCB Co., Ltd.ʹs clear written policy which requires the relevant corporate authorization and approvals to be procured and evidenced for any .jcb domain name to be registered for JCB Co., Ltd.ʹs use, and the subsequent verification through a registrar will ensure thorough pre-verification of all Whois data. Therefore, all Whois information will be complete and accurate at the time of registration. In the event of any change in the Whois contact information for a domain name, that change will be promptly updated in the Whois database.

Verisign, JCB Co., Ltd.ʹs selected backend registry services provider, has established policies and procedures to encourage registrar compliance with ICANNʹs Whois accuracy requirements. Verisign provides the following services to JCB Co., Ltd. for incorporation into its full-service registry operations.

Registrar self certification.
The self-certification program consists, in part, of evaluations applied equally to all operational ICANN accredited registrars and conducted from time to time throughout the year. Process steps are as follows:

- Verisign sends an email notification to the ICANN primary registrar contact, requesting that the contact go to a designated URL, log in with his⁄her Web ID and password, and complete and submit the online form. The contact must submit the form within 15 business days of receipt of the notification;
- When the form is submitted, Verisign sends the registrar an automated email confirming that the form was successfully submitted;
- Verisign reviews the submitted form to ensure the certifications are compliant;
- Verisign sends the registrar an email notification if the registrar is found to be compliant in all areas;
- If a review of the response indicates that the registrar is out of compliance or if Verisign has follow-up questions, the registrar has 10 days to respond to the inquiry;
- If the registrar does not respond within 15 business days of receiving the original notification, or if it does not respond to the request for additional information, Verisign sends the registrar a Breach Notice and gives the registrar 30 days to cure the breach;
- If the registrar does not cure the breach, Verisign terminates the Registry-Registrar Agreement (RRA).

Whois data reminder process.
Verisign regularly reminds registrars of their obligation to comply with ICANNʹs Whois Data Reminder Policy, which was adopted by ICANN as a consensus policy on 27 March 2003. Verisign sends a notice to all registrars once a year reminding them of their obligation to be diligent in validating the Whois information provided during the registration process, to investigate claims of fraudulent Whois information, and to cancel domain name registrations for which Whois information is determined to be invalid.


H. RESOURCE PLANNING

JCB Co., Ltd. has effectively mitigated the risk of abuse in the gTLD and foresees assigning a member of staff to act as the primary points of contact for handling inquiries relating to malicious or abusive conduct in the TLD. JCB Co., Ltd. is committed to ensuring that sufficient resources are made available at all times. However, given the restricted nature of the gTLD, JCB Co., Ltd. does not currently expect that this role will require a full-time resource. JCB Co., Ltd. may engage its third party registrar(s) and its selected back end registry services provider, Verisign, to perform some or all of the tasks associated with abuse issues. This will ensure that highly skilled, specialized and scalable resources are on hand to address any possible abuse issues both during the startup phase of the TLD and continually during operations of the TLD.

Verisign, JCB Co., Ltd.ʹs selected backend registry services provider, is an experienced backend registry provider that has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 - Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLDʹs initial implementation and ongoing maintenance. Verisignʹs pricing for the backend registry services is included in VSJʹs pricing and it provides to JCB Co., Ltd. fully accounts for cost related to this infrastructure, which is included in the registry services provider costs in Section I.K ʺOutsourcing Operating Costsʺ within the Question 46 financial projections response.

Verisign employs more than 1,040 individuals of which more than 775 comprise its technical work force. (Current statistics are publicly available in Verisignʹs quarterly filings.) Drawing from this pool of on-hand and fully committed technical resources, Verisign has maintained DNS operational accuracy and stability 100 percent of the time for more than 13 years for .com, proving Verisignʹs ability to align personnel resource growth to the scale increases of Verisignʹs TLD service offerings.

Verisign projects it will use the following personnel roles, which are described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support abuse prevention and mitigation:

- Application Engineers: 19
- Business Continuity Personnel: 3
- Customer Affairs Organization: 9
- Customer Support Personnel: 36
- Information Security Engineers: 11
- Network Administrators: 11
- Network Architects: 4
- Network Operations Center (NOC) Engineers: 33
- Project Managers: 25
- Quality Assurance Engineers: 11
- Systems Architects: 9

To implement and manage the .jcb TLD as described in this application, Verisign, JCB Co., Ltd.ʹs selected backend registry services provider, scales, as needed, the size of each technical area now supporting its portfolio of TLDs. Consistent with its resource modeling, Verisign periodically reviews the level of work to be performed and adjusts staff levels for each technical area.

When usage projections indicate a need for additional staff, Verisign ʹs internal staffing group uses an in-place staffing process to identify qualified candidates. These candidates are then interviewed by the lead of the relevant technical area. By scaling one common team across all its TLDs instead of creating a new entity to manage only this proposed gTLD, Verisign realizes significant economies of scale and ensures its TLD best practices are followed consistently. This consistent application of best practices helps ensure the security and stability of both the Internet and this proposed gTLD, as Verisign holds all contributing staff members accountable to the same procedures that guide its execution of the Internetʹs largest TLDs (i.e., .com and .net). Moreover, by augmenting existing teams, Verisign affords new employees the opportunity to be mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps ensure that new staff members properly execute their duties.

To the extent JCB Co., Ltd. licenses use of any .jcb domain names, at minimum it will ensure proper controls such that its abuse point of contact will have necessary information to investigate all abuse complaints and formulate any appropriate responsive actions in a timely fashion. JCB Co., Ltd. may also require the licenseeʹs information in the WHOIS record as the Administrative, Technical and⁄or a supplemental contact point. In addition, licensees will be bound in a written contract to relevant provisions of the Registry Agreement, the registration policy for the JCB Co., Ltd. TLD and JCB Co., Ltd.ʹs Acceptable Use Policy.


I. Conclusion

The approach outlined in this answer clearly shows that the risk of abuse in the .jcb TLD has been extensively mitigated and as a direct result is very low. JCB Co., Ltd. is committed to ensuring that abuse will not be tolerated. The proposed policies and methods for addressing any abuse exceed the standard outline in the gTLD Applicant Guidebook and is more than commensurate with the risks identified, JCB Co., Ltd. is, therefore, entitled to a score of two points for its response to Question 28.


The JCB Co., Ltd.ʹs Procedure for Management of Trademark Infringement Claims see the Q28_Procedure_for_Management_of_TIC_jcb.pdf attached.

The JCB Co., Ltd.ʹs Registration Policy, see the Q28_Registration_Policy_Draft_jcb.pdf attached.

The Diagram 1 is provided in the attachment file, see the Q28_Suspension_processes_diagram_jcb.pdf attached.

The Question 46 ʺmost likelyʺ financial projections template, see the Q46_Mostlikely_Financial_Projection_jcb.xls attached.

Similar gTLD applications: (7)