28 Abuse Prevention and Mitigation

Prototypical answer:

1. Introduction
Applicant is aware of the fact that existing TLDs have suffered from abusive behavior. Gradually, policies have been implemented in order to prevent such issues from occurring. Hence, it is very important to Applicant that the .ltd TLD is secure and safe gTLD that does not allow such behavior protecting the internet at large. Applicant intends to do the following in order to prevent such uses:

2. An implementation plan to establish and publish on its website a single abuse point of contact responsible for addressing matters requiring expedited attention and providing a timely response to abuse complaints concerning all domain names registered in the TLD.
Applicant commits itself to publish on its website a single abuse of contact for addressing matters regarding abuse. Applicant intends to handle all complaints within 48 hours and take the necessary appropriate actions.
According to the level of the complaints the Applicant will reserve the right to:
1) deny, cancel or transfer any registration or transaction;
2) place any domain name(s) on registry lock, hold or similar status during the resolution of a dispute;
This in order to:
1) protect the integrity and stability of the registry;
2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process;
3) to avoid any liability, civil or criminal, on the part of the Applicant, as well as its affiliates, subsidiaries, officers, directors, and employees;
4) to correct mistakes made by the Applicant.

3. Proposed measures for removal of orphan glue records for names removed from the zone when provided with evidence in written form that the glue is present in connection with malicious conduct
With the current setup of the Applicant we do not foresee any issues regarding orphan glue records.
Glue records can only be inserted with the domain name itself. Inclusion is based on the fact that the name servers have the same extension as the domain name. These address records only exist by the grace of the domain name itself. Since the IP address is always linked to the domain name, the address will also disappear from the zone as soon as the domain name is removed from the registration database. Should any evidence be provided that a domain name, registered with the Applicant, is present in connection with malicious conduct, the name and glue will be simultaneously be removed. This limits the possibility of orphan glue records.
In view of the possible risks and dangers this is a very balanced choice of limitations and it allows for a flexible and consistent handling of glue records.

4. A description of policies and procedures that define malicious or abusive behavior
Applicant intends to create and implement a Domain Name Anti-Abuse Policy containing clear definitions of what constitutes abuse.
The objective of the Domain Name Anti-Abuse Policy is to define abusive uses pertaining to Domain Name registration and Domain Name usage and the sanctions following non-compliance to this policy.
In accordance to the Applicant an abuse is an action that:
1) Causes actual and substantial harm, or is a material predicate of such harm;
2) Is illegal or illegitimate, or is otherwise considered contrary to the intention and design of a stated legitimate purpose, if such purpose is disclosed.
In the section below a distinction is made between Registration Abuses and Malicious Use of Domain Names (Domain Name Usage Abuses), as a failure to do so could lead to confusion.

4.1. Registration Abuses
The following practices are considered registration abuses and will result in sanctions taken by Applicant:
1) Cyber squatting;
2) Front-running;
3) Gripe sites;
4) Deceptive, pornographic and⁄or offensive domain names;
5) Fake renewal notices;
6) Name spinning;
7) Cross-TLD Registration Scam;
8) Domain kiting.
Detailed descriptions of these abuses will be available from the Domain Name Anti-Abuse Policy that will be published on the registration website.

4.2. Malicious Use of Domain Names
Malicious use of domain names applies to what a registrant does with his or her domain name after the domain is created—the purpose the registrant puts the domain to.
Consequently, the following practices will be deemed to be considered as malicious use of domain names and will result in actions taken by Applicant:
1) Illegal or fraudulent actions;
2) Spam;
3) Phishing;
4) Pharming;
5) Traffic diversion;
6) False affiliation;
7) Wilful distribution of malware;
8) Fast flux hosting;
9) Botnet command and control;
10) Distribution of child pornography;
11) Illegal Access to Other Computers or Networks.
Non-compliance to the Domian Name Policy will be monitored by the Applicant.
The Applicant will reserve the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion; (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of Applicant, as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registrations policies or (5) to correct mistakes made by the Application. The Applicant also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a complaint.
The abusive uses, as described above, undertaken with respect to applicable domain names can give rise to the right of the Applicant to take such actions in its sole discretion. Should a dispute occur, regarding a domain name registered with the Applicant, the domain name will be put on hold immediately. Within 48 hours after the domain name was put on hold the dispute will be resolved and the domain will be accessible again or will be deleted.

5. Adequate controls to ensure proper access to domain functions
Access to other domain functions, such as domain name update and deletion, will only possible after authentication via strong password. The following principles are used for strong passwords:
1) Users shall pick a password of sufficient complexity, which contain characters from at least 3 of following characteristics:
a) English uppercase characters (A through Z);
b) English lowercase characters (a through z);
c) Base 10 digits (0 through 9);
d) Non-alphabetic characters (for example, !, $, #, %).
2) A password should have a minimal length of 8 characters.
3) Passwords & PIN codes shall not be based on easily-guessable information, such as:
a) words from a dictionary;
b) data linked to a user (phone numbers, license plate, date or place of birth, names of the children, ...);
c) significant portions of the userʹs account name or full name.


6. Measures to promote WHOIS accuracy.
As mentioned in response to Question 26, the applied-for WHOIS will be a “thick” WHOIS, where all key contact data relating to every domain name registered in the applied-for TLD will be stored at Applicant level.
WHOIS accuracy will be the responsibility of the registrant and registrar but will be periodically checked by the Applicant in order to ensure Whois accurarcy. Applicant intends to include this obligation in its domain name registration policies and its registrar-registry agreement.

7. WHOIS abuse prevention measures
Considering the fact that a WHOIS database contains quite some sensitive information that is available to Internet users at large over a web-based interface, the Applicant will put in place various methods in order to avoid abuse of such information by third parties.
First of all, Applicant will only display search results in response to a search query after the user has successfully entered the displayed CAPTCHA code together with such query, this in order to prevent the automatic harvesting of WHOIS data.
Furthermore, private individuals (if at all allowed by the Applicant to register and hold domain names within the TLD) will be allowed to indicate – through their registrars or via a web-based portal provided by the Applicant – that certain personal data will not be automatically displayed following a successful WHOIS query. This measure is taken in order to comply with particular applicable laws and regulations regarding data privacy.
However, parties demonstrating to the Applicant that they have a right or legitimate interest in order to obtain access to this hidden data can request access to a particular, identified record upon request to the Applicant. Positive responses to legitimate requests shall not be unreasonably withheld or delayed.
The features described above can be temporarily or permanently disabled for specific eligible parties, such as law enforcement agencies, and this upon simple request by a competent authority. These eligible parties will then obtain access to all WHOIS information via a secure, web-based portal.

8. Resourcing plans
Applicant intends to outsource the above to reputable firms that have had experience to handle such complaints. These firms will consist out of highly technical and legal qualified staff.
An estimate of financial projections can be found in question 47.

Similar gTLD applications: (1)