28 Abuse Prevention and Mitigation

Prototypical answer:

gTLD: .REIT
Full Legal Name: National Association of Real Estate Investment Trusts, Inc.
E-mail suffix: nareit.com

Top Level Domain registries stand in a unique position within the global DNS infrastructure.

TLD registries collect registrants’ registration data and so often “know” the entity responsible for a particular domain name. TLD registries record associations between domain names, registrars and registrants and therefore are in the core of the control chain for every domain name in the TLD. Registries also directly control the delegation records and therefore have the power to enable or disable a particular domain name in the DNS.

This unique position gives power and calls for responsibility. Applicant as a future TLD registry recognizes its important role in maintaining law and order and is committed to acting in the best interests of the public. Hereby we provide a description of the principles and procedures we will apply to mitigate abusive conduct.

28.1. Single Abuse Point of Contact
To streamline the information flow and to facilitate ease of communication with the public, Applicant will dedicate a single abuse point of contact responsible for addressing matters requiring expedited attention and providing a timely response to abuse complaints concerning all names registered in the TLD. The contact information will consist of at least an email address and a telephone number. This point of contact will be prominently published on the registry website by the commencement of the Sunrise period. Applicant will ensure that:
* The e-mail account is continuously monitored and all communication is securely stored.
* The telephone number is either answered by a live person or diverted to a monitored voicemail account.
* Abuse contact information is kept current and is updated in a timely manner should it ever change.

Messages received through the published abuse point of contact will be processed via the same procedure and within the same timeframe as the signals coming from the monitoring systems. Each message, both via email and phone channels, triggers the creation of a support ticket in a dedicated queue and procedures for ticket escalation exist. Messages originating from law enforcement authorities are by default assigned an escalated level. For critical tickets personnel is available 24x7 to react accordingly.

Applicant and CentralNic commit to responding to all abuse complaints within 24 hours of receipt (on a 24x7 basis). During the time periods when its global offices are open (typically 8am-6pm in London, Los Angeles and Dubai) response times are expected to be substantially faster, at around 2-3 hours.

28.2. Policy on Handling Complaints Regarding Abuse
Applicant is prepared to deal with situations where registry intervention may be required in order to stop illegal activity, prevent abusive conduct or to enforce the law.

Applicant will adopt a comprehensive Eligibility and/or Acceptable Use Policy that will establish what constitutes acceptable use of the domain and will contain a description of the procedures that the registry will apply to enforce the Policy. The initial policy is described in detail in section 20(e).

An enforcement action may be triggered by a variety of events including complaints from the public, registrars or ICANN, decisions of a competent dispute resolution provider, outreach from a governmental agency or findings produced by internal investigation or monitoring processes.

Normally if abusive behaviour in a TLD is encountered, the reports of such behaviour and the evidence available will be analysed by the Registry. If the Registry, in its sole discretion, concludes that a Domain Name Holder has indeed violated a TLD Policy, the registrant will be given a notice and opportunity to correct the breach.

Furthermore, the registry reserves the right to lock the domain name or put it on hold (preventing domain resolution in the DNS). In extreme cases where a domain is involved in malicious or illegal activity there are provisions for rapid takedown of the domain name in question. The situations in which rapid takedown provisions may be applied, include, but are not limited to:
* Phishing
* Pharming
* Distribution of illegal content
* Distribution of malware
* Fast flux hosting
* Botnetting
* Unauthorized access to information systems
* Threats to the security and/or stability of the TLD

The Eligibility and Acceptable Use Policy will be incorporated into the Registry-Registrar agreements and Registrars will be required to pass through the requirements to comply with the policy to the registrants.

Applicant will take reasonable steps to investigate and respond to any reports of illegal activity in connection with the use of the TLD and will cooperate with the competent governmental agencies in such investigations.

Applicant will utilize the expert services of its registry services provider CentralNic to implement and enforce all of our anti-abuse policies in our TLD. CentralNic has dedicated and scalable resources for this function, described below.

CentralNic has long experience in the domain registry business, and is an industry leader with respect to its anti-abuse policies. CentralNic has a dedicated Dispute Resolution Policy in place with WIPO, found at WIPO’s website: http://www.wipo.int/amc/en/domains/gtld/cnic/index.html. This policy mirrors the UDRP policy for new gTLDs and, as a result, CentralNic already has real-time experience working with WIPO to implement and execute a similar policy. CentralNic has trained personnel who handle interaction with WIPO, to ensure that panelists’ decisions are carried out expeditiously as required by the DRP.

CentralNic also enforces a Policy on Phishing and Fraud, found at its dedicated Phishing & Abuse page at the following website: https://www.centralnic.com/support/abuse. Pursuant to clause 13, sections (f) and (h) of CentralNic's Terms and Conditions, CentralNic may cancel the registration or suspend registration of a domain name:

(f) if CentralNic believes that the domain name was registered for use in a "phishing" attack or other illegal activity of any kind.
(h) if inaccurate or false contact details are provided.

Further to these conditions, CentralNic operates the following policy regarding suspected "phishing" domain names:
- If we have a reasonable suspicion that a domain name registered at CentralNic is being used in a phishing attack, or otherwise being used for other illegal activities, we will place the domain name "On Hold" and under a Registry Lock.
- We will then notify the current registrar for the domain name. If the registrar can provide confirmation that the domain name was registered in "good faith" by the registrant, then CentralNic will immediately unlock the domain name and place it on the "Live" status.
- If no confirmation is received, or the registrars agree that the domain name was registered in "bad faith", the domain name will be placed onto "Pending Deletion", and will be fully deleted from the database after 45 days.

28.3. Orphan Glue
CentralNic's registry system includes effective measures to prevent the abuse of orphan glue records.

Firstly, the Shared Registry System will reject any request to create a host object that is the child of a non-existent domain name. That is, if EXAMPLE.REIT does not exist, then NS0.EXAMPLE.REIT cannot be created. If the parent domain name does exist, then only the sponsoring registrar of that domain is permitted to create child host objects.

CentralNic's registry system currently follows the third model described in the SAC 048 report: orphan glue records are deleted from the registry and removed from the DNS when the parent domain name is deleted. If other domains in the database are delegated to orphan hosts that are removed, then the delegation is also removed from these domains.
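
The three host-object rules above, modelled in memory as an added example; this is not CentralNic's code. The class and method names, the registrar identifiers and the 192.0.2.53 address are hypothetical, and out-of-zone hosts are assumed never to carry glue.

```python
class RegistryError(Exception):
    """Raised when the registry refuses a command."""


class Registry:
    """Toy shared registry for one TLD (hypothetical model, not CentralNic code)."""

    def __init__(self, tld):
        self.tld = tld.lower()
        self.domains = {}  # domain -> {"registrar": str, "ns": set of host names}
        self.hosts = {}    # host -> list of glue addresses (empty if out of zone)

    def parent_of(self, host):
        """Return the registered domain an in-zone host sits under, else None."""
        labels = host.lower().rstrip(".").split(".")
        if len(labels) < 2 or labels[-1] != self.tld:
            return None
        return ".".join(labels[-2:])

    def create_domain(self, name, registrar):
        if name.lower() in self.domains:
            raise RegistryError(f"{name} already exists")
        self.domains[name.lower()] = {"registrar": registrar, "ns": set()}

    def create_host(self, host, registrar, glue=()):
        host, parent = host.lower(), self.parent_of(host)
        if parent is None:
            glue = ()  # assumption: out-of-zone hosts never carry glue
        elif parent not in self.domains:
            raise RegistryError(f"parent domain {parent} does not exist")
        elif self.domains[parent]["registrar"] != registrar:
            raise RegistryError(f"only the sponsor of {parent} may create {host}")
        self.hosts[host] = list(glue)

    def delegate(self, domain, host):
        if host.lower() not in self.hosts:
            raise RegistryError(f"host {host} does not exist")
        self.domains[domain.lower()]["ns"].add(host.lower())

    def delete_domain(self, name):
        """Delete a domain, its child hosts, and every delegation to them."""
        name = name.lower()
        del self.domains[name]
        orphans = {h for h in self.hosts if self.parent_of(h) == name}
        for host in orphans:
            del self.hosts[host]
        undelegated = []
        for other, record in self.domains.items():
            if record["ns"] & orphans:
                record["ns"] -= orphans
                undelegated.append(other)
        return sorted(orphans), sorted(undelegated)

    def glue_records(self):
        """Address records the TLD zone would publish for in-zone hosts."""
        return {h: addrs for h, addrs in self.hosts.items() if addrs}


def demo():
    """Constructed scenario: OTHER.REIT is delegated to a host under EXAMPLE.REIT."""
    reg = Registry("reit")
    reg.create_domain("example.reit", "registrar-a")
    reg.create_domain("other.reit", "registrar-b")
    reg.create_host("ns0.example.reit", "registrar-a", glue=["192.0.2.53"])
    reg.delegate("example.reit", "ns0.example.reit")
    reg.delegate("other.reit", "ns0.example.reit")
    removed = reg.delete_domain("example.reit")
    return reg, removed
```

After `demo()` the zone publishes no glue for NS0.EXAMPLE.REIT and OTHER.REIT is left without that delegation, so a later registrant of EXAMPLE.REIT does not inherit traffic for another domain.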

28.4. Measures to Maintain Whois Accuracy
Applicant will operate a “thick” WHOIS system, in which all registrants’ contact information will be stored in a single database maintained by the registry. Accredited registrars will have the ability to change the records in that database through the Shared Registration System. The Registry-Registrar agreement requires registrars to ensure that the WHOIS data is accurate at the time of submission and also requires the information provided on the system to be updated in a timely manner in case of any changes. Corresponding provisions also exist in the Registrar Accreditation Agreement (RAA), para. 3.7.7.

In addition to the standard measures described above, the WHOIS system will feature extra levels of reliability with regards to Whois information.

28.4.1. Extra checks on WHOIS data
Applicant, through its Registry-Registrar agreements, will require registrars to perform the following additional checks on the WHOIS data:

* Verify syntactic correctness of email addresses and phone numbers by validating them against the corresponding standards
* Verify that the domain holder receives email at the addresses listed in WHOIS as registrant’s email address and administrative contact email address, by requiring them to click a unique web link that is sent to those addresses.
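
One way a registrar could implement the unique-link check in the second item, as an added example that is not part of the application or of any registrar's code. The class name, the registrar.example URL, the seven-day expiry and the case-insensitive address comparison are assumptions.

```python
import hashlib
import secrets
import time

ROLES = ("registrant", "admin")  # the two WHOIS addresses named in the check


class ContactVerifier:
    """Issues and redeems one-time confirmation links (hypothetical helper)."""

    def __init__(self, base_url, ttl_seconds=7 * 24 * 3600, clock=time.time):
        self.base_url = base_url
        self.ttl = ttl_seconds  # assumption: links expire after seven days
        self.clock = clock
        self.pending = {}       # sha256(token) -> (domain, role, address, expiry)
        self.confirmed = {}     # (domain, role) -> address that was confirmed

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, domain, role, address):
        """Create a link for one WHOIS address; only the token's hash is stored."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[self._digest(token)] = (
            domain.lower(), role, address.lower(), self.clock() + self.ttl)
        return f"{self.base_url}?token={token}"

    def redeem(self, token):
        """Consume a token; True only if it was issued, unused and unexpired."""
        entry = self.pending.pop(self._digest(token), None)  # pop = single use
        if entry is None:
            return False
        domain, role, address, expiry = entry
        if self.clock() > expiry:
            return False
        self.confirmed[(domain, role)] = address
        return True

    def is_verified(self, domain, whois):
        """True when both addresses now in WHOIS are the ones that confirmed."""
        return all(
            self.confirmed.get((domain.lower(), role)) == whois[role].lower()
            for role in ROLES)
```

Because the confirmation is stored against the address, changing either WHOIS e-mail address makes `is_verified` false again until the new address has clicked its own link.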

28.4.2. Random audits of WHOIS records by the Registry
Applicant will periodically (at least once every 12 months) perform a random check of WHOIS records for prima facie evidence of fraudulent or inaccurate WHOIS information. For those suspicious records that may be found, Applicant will further require registrars to conduct a reasonable investigation and to respond with one of the three possible actions:

* confirm that the information provided in WHOIS is accurate, or
* correct the WHOIS information, or
* delete the domain name(s).

The measures described above exceed the ICANN requirements and are adequate to improve accuracy of WHOIS information while maintaining low implementation cost for registrars and good user experience for registrants.

28.5. Resourcing
Applicant and CentralNic will provide abuse response on a 24x7 basis. The resourcing to fulfil this function will be provided by a combined team of support and operations personnel. The first response function will be provided by support agents during normal office hours, with this responsibility being passed to the Network Operations Centre (NOC) during 24x7 operations.

As can be seen in the Resourcing Matrix found in Appendix 23.2, CentralNic will maintain a team of full-time developers and engineers which will contribute to the development and maintenance of this aspect of the registry system. These developers and engineers will not work on specific subsystems full-time, but a certain percentage of their time will be dedicated to each area. The total HR resource dedicated to this area is equivalent to 75% of a full-time role.

CentralNic operates a shared registry environment where multiple registry zones (such as CentralNic's domains, the .LA ccTLD, this TLD and other gTLDs) share a common infrastructure and resources. Since the TLD will be operated in an identical manner to these other registries, and on the same infrastructure, then the TLD will benefit from an economy of scale with regards to access to CentralNic's resources. CentralNic's resourcing model assumes that the "dedicated" resourcing required for the TLD (i.e., that required to deal with issues related specifically to the TLD and not to general issues with the system as a whole) will be equal to the proportion of the overall registry system that the TLD will use. After three years of operation, the optimistic projection for the TLD states that there will be 1,000 domains in the zone. CentralNic has calculated that, if all its TLD clients are successful in their applications, and all meet their optimistic projections after three years, its registry system will be required to support up to 4.5 million domain names. Therefore the TLD will require 0.02% of the total resources available for this area of the registry system.

In the event that registration volumes exceed this figure, CentralNic will proactively increase the size of the Technical Operations, Technical Development and support teams to ensure that the needs of the TLD are fully met. Revenues from the additional registration volumes will fund the salaries of these new hires. Nevertheless, CentralNic is confident that the staffing outlined above is sufficient to meet the needs of the TLD for at least the first 18 months of operation.

28.6. Periodic review of anti-abuse policies
Applicant acknowledges that new types of abusive behaviour emerge in cyber space and is prepared to take steps to counter any new types of abuse. Applicant will periodically (once every 12 months, or more frequently depending on the circumstances) require CentralNic to provide reports regarding the received abuse-related complaints. Such reports should contain categorisation of the abusive behaviour reported, actions taken and response time. Applicant will analyse the reports and will review its anti-abuse policies to continually improve the handling of abuse complaints.

28.7. Extra provisions for validation-based TLDs
As mentioned above, registrations in the TLD will not be in real time. The registration process will involve manual verification of the identity of the applicant, correctness of its contact information and its compliance with the Eligibility restrictions. The manual verification process will ensure that only legitimate and reputable businesses will be able to register domain names in the TLD. Manual verification of contact information will further ensure unprecedented accuracy of WHOIS data.
Applicant expects that this additional manual screening process, added on to the standard anti-abuse measures, will discourage abusive registrations and make any malicious activity extremely unlikely to occur in the TLD.

28.8. Principles of Eligibility and Acceptable Use
.REIT domains are available for registration by a limited pool of registrants whose registration and company details will undergo thorough background checks and authentication by the Registry, promoting complete and accurate WHOIS information.

28.8.1. Eligibility
NAREIT will establish a clear policy structure for determining an applicant’s eligibility to register a second-level name in the gTLD. Only a REIT will be deemed eligible to register a domain name in the TLD. Whether an entity applying for a domain name qualifies as a REIT will be determined by two criteria: 1) whether a REIT regime is in place in the nation in which the applicant is domiciled; and, 2) whether the applicant is, in fact, organized and operating as a REIT under the REIT regime established in that nation.

i. NAREIT will first determine whether the nation in which the applicant is domiciled has a REIT regime in place.

The core features of a REIT are:
* ownership must be widely held;
* a majority of assets and income are real estate related;
* a majority of income is distributed annually to shareholders (pursuant to applicable law; regulatory or stock exchange requirements or customs; or in order that its distributions be deductible from entity-level income tax); and,
* there is only one level of tax on income distributed by the REIT.

NAREIT also will consider whether the nation of the applicant has a law which formally establishes a national REIT regime. If an applying entity is organized and operating as a REIT as described above pursuant to the REIT regime in the countries set forth in Appendix 20e.1, NAREIT will consider it eligible to register a domain name in the TLD.

Several nations not listed in 20e.1 appear to have regimes in place or under consideration that may meet some or all of the criteria described previously. With additional clarifying information provided by an applicant, applicants from these nations (listed in Appendix 20e.2) may move into the list of nations with qualifying regimes.

NAREIT regularly draws on major publications and compendiums of REIT regimes around the world, such as the EPRA Global REIT Survey, PWC Compare and Contrast: Worldwide Real Estate Investment Trust (REIT) Regimes; Ernst & Young Global Real Estate Investment Trust Report, as well as its own policy research to maintain its list of global REIT regimes. The primary list is neither meant to be static nor dispositive in the event the applicant is able to demonstrate that the nation or company in question meets the core criteria. Because laws change from time to time, NAREIT will update and publish this list on a regular basis as applicable laws change or as circumstances otherwise warrant.

The absence of a nation from either of the attached lists is not considered finally conclusive in the determination of whether the nation in which the applicant is domiciled has a REIT regime in place. Indeed, as noted above, NAREIT shall consider any relevant information and documentation provided by an applicant and will also consider whether commercial investment-oriented indexes of publicly traded REITs and real estate companies around the world include the applicant as a REIT in its nation of domicile.

ii. NAREIT will next determine whether the applying entity is indeed organized or operating as a REIT, with an emphasis on verification by the applicant providing third-party documentation.
Possible forms of documentation shall include, but are not limited to:
* Certified filings of the applicant with agencies of the relevant national government; or,
* A letter written in English from independent outside counsel with REIT legal expertise.

Unlike several existing sponsored Top-Level Domains (“sTLDs”), NAREIT will not rely on easily manipulated verification information, including links to established websites or community-based email addresses belonging to applicants.

In addition, to accommodate REIT regimes when such documentation is not available, applicants shall have the opportunity to briefly describe their claim to REIT status, such as by providing an English-language copy of a relevant national law governing REITs or REIT-like entities along with documentation establishing the REIT’s compliance with that law, or any other indicia of qualification or operation as a REIT. NAREIT shall reserve the right to require any applicant to provide further information or clarification regarding its request to register a domain name.

NAREIT will review all requests from applicants internally, through a dedicated six-member Determination and Verification Team (“Team”) composed of NAREIT's:
1) Executive Vice President and General Counsel;
2) Senior Tax Counsel;
3) Senior Vice President, Industry & Member Affairs;
4) Vice President, Investment Affairs & Investor Education;
5) Vice President, Operations; and,
6) Industry Affairs Coordinator.

As discussed further below, all eligibility determinations made by the Team are subject to reconsideration through the Eligibility Reconsideration Process administered by an independent board of global REIT community members.

28.8.2. Name Selection Rules
NAREIT will limit the registration of domain names in the TLD to the legal trade names of REITs, or the names by which REITs are commonly known, which may include acronyms, registered and common law trademarks, and exchange ticker symbols. NAREIT’s name selection policy will tie in with its verification policy, such that any certified documentation required for community eligibility should also clearly display the applicant’s trade name or commonly known name. NAREIT may also require English-language copies of trademark registrations for name selection purposes or evidence of use in commerce, such as websites or marketing collateral.

NAREIT will implement a policy similar to the existing .jobs sTLD and both:
1) impose a continuing obligation on applicants to maintain their trade names or commonly known names concurrently with their domain name registration; and,
2) retain discretion as the sole arbiter of determining whether the applicant meets the naming criteria—subject only to the discretion of a dispute resolution provider under the Community Eligibility Dispute Resolution Procedure (“CEDRP”) described below—as well as the appropriate level of documentation necessary to substantiate the applicant’s claim. Initially, NAREIT will prohibit registration of generic and descriptive terms relating to REITs on the second level that do not refer to the trade name of a specific REIT.

The allowed character repertoire consists of ASCII characters “A” to “Z”, the hyphen character (“-”) and digits “0” to “9”. Internationalized Domain Names cannot be registered on the second level.

The resulting domain name label must conform to the requirements and limitations imposed by applicable technical standards for the Domain Name System and TLD naming requirements as outlined in response to question 20e. For instance, DNS labels cannot be longer than 63 characters (excluding the TLD suffix).
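
A label check that applies the repertoire and length limits above, as an added example that is not the registry's code. The function names and sample requests are constructed, and the two hyphen-placement rules are taken from the DNS hostname rules (RFC 952/1123) and the reserved-label convention of RFC 5890 rather than from this page.

```python
import re

MAX_LABEL_LENGTH = 63
# Explicit ASCII ranges and no re.IGNORECASE: case-insensitive matching and
# str.isalnum() both accept non-ASCII letters, which would let IDN look-alikes through.
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9-]")


def check_label(label):
    """Return the reasons a second-level label is refused (empty list = accepted)."""
    if not label:
        return ["label is empty"]
    problems = []
    if len(label) > MAX_LABEL_LENGTH:
        problems.append(f"longer than {MAX_LABEL_LENGTH} characters")
    bad = sorted({c for c in label if not ALLOWED_CHAR.fullmatch(c)})
    if bad:
        codes = ", ".join(f"U+{ord(c):04X}" for c in bad)
        problems.append(f"outside A-Z, 0-9, hyphen: {codes}")
    if label.startswith("-") or label.endswith("-"):
        problems.append("starts or ends with a hyphen")
    if label[2:4] == "--":
        problems.append("hyphens in positions 3 and 4 (reserved; 'xn--' marks an IDN)")
    return problems


def screen_requests(names, tld="reit"):
    """Split requested names into accepted labels and refused names with reasons."""
    accepted, refused = [], {}
    for name in names:
        has_suffix = name.lower().endswith("." + tld)
        label = name[: -len(tld) - 1] if has_suffix else name
        problems = check_label(label)
        if problems:
            refused[name] = problems
        else:
            accepted.append(label.lower())
    return accepted, refused


# Constructed sample requests; the second uses Cyrillic U+0430 in place of "a".
SAMPLE = [
    "Nareit.REIT",
    "n\u0430reit.reit",
    "xn--example.reit",
    "-trust.reit",
    "a" * 64 + ".reit",
]
```

Reporting the offending code points rather than echoing the label makes a homograph visible in a review queue, where the Cyrillic and Latin spellings render identically.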

28.8.3. Registration
Following the Sunrise Period, NAREIT will implement a strict “first come, first served” policy to vitiate the potential for multiple requests for the same second level domain name. Only in the event where a “first come, first served” policy is inadequate to settle demand for the same second level domain by multiple eligible applying entities, NAREIT may consider registration of geographic modifiers, such as “US-[REIT's name].REIT” or “[REIT's name]Asia.REIT” so long as no confusion is caused by such modifiers.

28.8.4. Acceptable Use Policy
Domain names must be registered by eligible entities and for the benefit of the community. All domain names must serve the needs of the REIT community, and can be cancelled if they do not. Serving the needs of the REIT community shall include providing information about or offering services relating to a registrant’s REIT.

Registrants must establish use of all domain names within one (1) year of registration, which may include forwarding the domain name to an existing TLD that serves the needs of the REIT community. Domains cannot be registered solely for the purpose of selling, trading or leasing the domain names for compensation.

Domain names can only be used for lawful purposes. The Registry is committed to maintaining the environment free from online crime, malicious or illegal activities. The Registry will investigate all reports of illegal activity and will cooperate with the competent governmental agencies in such investigations.

Similar gTLD applications: (0)
