[AfrICANN-discuss] ICANN Kill Two Birds with One Stone

Anne-Rachel Inné annerachel at gmail.com
Mon Jan 21 15:03:16 SAST 2008


*ICANN Kill Two Birds with One Stone*
http://www.eweek.com/c/a/Security/ICANN-Kill-Two-Birds-with-One-Stone/

The problems of domain tasting and front-running are interrelated, and so
are the solutions to them. The time has come for ICANN to mandate restock
fees.

I had a moment of clarity today (believe me, I need them). In the wake of the
Network Solutions scandal over the company's employment of front-running and
domain tasting, I've
been talking to a lot of vendors and other interested parties.

Front-running is a tricky problem that defies resolution. I've been inclined
to blame ICANN, but that's unfair. I don't like a lot of ICANN policies, but
I think it's pretty clear (although I have no hard evidence of it) that
front-running comes as a result of some companies selling data they aren't
supposed to be selling. No policy change could prevent it from being
committed.

Then today, I realized how to stop front-running: by stopping domain
tasting. Front-running is only employed, or at least the overwhelming
majority of it is employed, in order to taste the domain. Take away the
option of tasting the domain for speculative purposes, and you make
front-running too risky to be worthwhile.

I really think it's that simple. A quick look at the practices of domain
tasters gives some insight into why someone would want to front-run a
domain. This includes Network Solutions. The ICANN GNSO's Initial Report on
Domain Tasting (PDF) <http://gnso.icann.org/issues/domain-tasting/gnso-initial-report-domain-tasting-07jan08.pdf> shows,
for example, that in July 2007 alone there were over 62 million
deletes performed during the grace period. You can safely assume that nearly
all of these were for domain tasting. Data from VeriSign shows that in April
2007 three registrars each created over 9 million domains and then deleted
nearly all of them within the grace period. The effect is so huge that the
majority of domain name registrations in the last year were for tasting
purposes.

All those tens of millions of deletes cost the tasting companies close to
nothing. The direct cost was literally nothing; even if we allow them to
charge some overhead across each account, it's effectively $0.00. The
tasting process is automated and it's not like you have to feed the
computers or pay for their health insurance.

If there were a fee associated with dropping a domain, the logic of the
system would change substantially. One of the interest groups cited in the
ICANN preliminary report recommended that the ICANN fee of 20 cents per
domain be assessed even for a deleted domain. At 9 million domains, that
comes to $1.8 million per month for a bunch of domains on which, presumably,
the company is making nothing or next to nothing.

Back to front-running. As I've said above, front-running is basically done
in advance of tasting. When someone front-runs a domain, he or she is taking
a risk on it: The front-runner is not the person interested in it, the
person from whom the search was stolen. That search acts as a screening
process indicating that someone was interested in the domain, and therefore
there may be potential to monetize it.

Is the chance to monetize a domain worth committing funds to it? The answer
to that is "up to a point." Let's assume that the average front-run domain
has more potential than the average domain name generated algorithmically or
from dictionaries. Is it 20 cents' worth of potential? How about a buck? I
really doubt it's worth a dollar. To get that level of confidence with a
domain, you really can't automate; you have to run the domain past a human
judge of value. There are two problems with that: It's expensive and it's
time-sensitive. Remember, you have to make the decision and register the
domain before the person who thought of it first does so.

So we impose the ICANN fee, although the actual money from it won't be
substantial, because its very presence will deter tasting. And we impose an
extra "restocking" fee, as discussed in many venues for this problem. That
money probably goes to the registry, even though it's even easier money than
registries get for domains that are actually registered. Perhaps ICANN could
come up with some neutral use for it, like the money in the middle of the
board in Monopoly.

The idea behind the grace period was to allow mistakes to be corrected. As a
general rule, this is not how it is used. If you make a mistake registering
a domain, your registrar is not going to let you "undo" the registration and
then register the right name. In general, it's only used by tasters to
speculate on monetized domains. But it appears that some registrars have
used the grace period in some extraordinary cases, such as when the
customer's credit card is determined to have been stolen. Such cases are
rare enough that the restock and ICANN fees are just the cost of doing
business.

And there's plenty of evidence that imposing a restock fee will deter
tasting. In 2007, PIR (Public Interest Registry), the operator of the .org
registry, imposed an "excess deletion fee" for that domain. Registrars that
delete more than 90 percent of their registrations within the grace period
are charged a 5-cent USD fee for each domain deleted. This is about as
gentle as you can get, but it reduced deleted domains from 2.4 million in
May 2007 to 152,700 in June. Domain tasting in .org hasn't ended, but it's
been cut back massively.

And according to Alexa Raad, CEO of PIR, these significant changes happened
without much fuss. It's hard to imagine how they could have been more
unobtrusive about it. Personally, I don't think they go far enough. Perhaps
a change like PIR's could be pushed through the process, even at ICANN,
without encountering serious resistance, but I think it's worth going for
closer to 100 percent.

For instance, a serious restock fee on all deletes would put a quick end to
Network Solutions' "domain protection" feature, just as it would put an end
to the front-running and domain tasting of lower-profile outfits. PIR's
approach would not stop Network Solutions, since deletes will never be 90
percent of their registrations. And PIR's fee doesn't end tasting, it just
causes a restructuring of it. If you can find a way to do some legitimate
registration business, you can keep a large tasting business too.

The way the arguments proceed is likely to show where people's interests
lie. It's hard to imagine a big "legit" player, other than VeriSign, with an
interest in perpetuating domain tasting and opposing the restock fee.

*Security Center Editor Larry Seltzer <larryseltzer at ziffdavis.com> has
worked in and written about the computer industry since 1983.*