<p><span class="contentpagetitle"><b>ICANN Kill Two Birds with One Stone</b></span>
<br><a href="http://www.eweek.com/c/a/Security/ICANN-Kill-Two-Birds-with-One-Stone/">http://www.eweek.com/c/a/Security/ICANN-Kill-Two-Birds-with-One-Stone/</a><br><br>
</p><p>The problems of domain tasting and front-running are interrelated, and so are
the solutions to them. The time has come for ICANN to mandate restock fees.</p>
<p>I had a moment of clarity today (believe me, I need them). In the wake of <a href="../../c/a/Infrastructure/NetSol-Abuses-the-Process-in-Order-to-Save-It/" rel="nofollow">the Network Solutions scandal over the company's employment of
front-running and domain tasting,</a> I've been talking to a lot of vendors and
other interested parties.</p>
<p>Front-running is a tricky problem that defies resolution. I've been inclined
to blame ICANN, but that's unfair. I don't like a lot of ICANN policies, but I
think it's pretty clear (although I have no hard evidence of it) that
front-running comes as a result of some companies selling data they aren't
supposed to be selling. No policy change could prevent it from being
committed.</p>
<p>Then today, I realized how to stop front-running: by stopping domain tasting.
Front-running is only employed, or at least the overwhelming majority of it is
employed, in order to taste the domain. Take away the option of tasting the
domain for speculative purposes, and you make front-running too risky to be
worthwhile.</p>
<p>I really think it's that simple. A quick look at the practices of domain
tasters gives some insight into why someone would want to front-run a domain.
This includes Network Solutions. The <a href="http://gnso.icann.org/issues/domain-tasting/gnso-initial-report-domain-tasting-07jan08.pdf" rel="nofollow">ICANN GNSO's Initial Report on Domain Tasting (PDF)</a> shows, for
example, that in July 2007 alone there were over 62 million deletes performed
during the grace period. You can safely assume that nearly all of these were for
domain tasting. Data from VeriSign shows that in April 2007 three registrars
each created over 9 million domains and then deleted nearly all of them within
the grace period. The effect is so huge that the majority of domain name
registrations in the last year were for tasting purposes.</p>
<p>All those tens of millions of deletes cost the tasting companies close to
nothing. The direct cost was literally nothing; even if we allow them to charge
some overhead across each account, it's effectively $0.00. The tasting process
is automated and it's not like you have to feed the computers or pay for their
health insurance.</p>
<p>If there were a fee associated with dropping a domain, the logic of the
system would change substantially. One of the interest groups cited in the ICANN
preliminary report recommended that the ICANN fee of 20 cents per domain be
assessed even for a deleted domain. At 9 million domains, that comes to $1.8
million per month for a bunch of domains on which, presumably, the company is
making nothing or next to nothing. </p><p>Back to front-running. As I've said above, front-running is basically done in
advance of tasting. When someone front-runs a domain, he or she is taking a risk
on it: The front-runner is not the person interested in it, the person from whom
the search was stolen. That search acts as a screening process indicating that
someone was interested in the domain, and therefore there may be potential to
monetize it. </p>
<p>Is the chance to monetize a domain worth committing funds to it? The answer
to that is "up to a point." Let's assume that the average front-run domain has
more potential than the average domain name generated algorithmically or from
dictionaries. Is it 20 cents' worth of potential? How about a buck? I really
doubt it's worth a dollar. To get that level of confidence with a domain, you
really can't automate; you have to run the domain past a human judge of value.
There are two problems with that: It's expensive and it's time-sensitive.
Remember, you have to make the decision and register the domain before the
person who thought of it first does so.</p>
<p>So we impose the ICANN fee, although the actual money from it won't be
substantial, because its very presence will deter tasting. And we impose an
extra "restocking" fee, as discussed in many venues for this problem. That money
probably goes to the registry, even though it's even easier money than
registries get for domains that are actually registered. Perhaps ICANN could
come up with some neutral use for it, like the money in the middle of the board
in Monopoly. </p>
<p>The idea behind the grace period was to allow mistakes to be corrected. As a
general rule, this is not how it is used. If you make a mistake registering a
domain, your registrar is not going to let you "undo" the registration and them
register the right name. In general, it's only used by tasters to speculate on
monetized domains. But it appears that some registrars have used the grace
period in some extraordinary cases, such as when the customer's credit card is
determined to have been stolen. Such cases are rare enough that the restock and
ICANN fees are just the cost of doing business. </p>
<p>And there's plenty of evidence that imposing a restock fee will deter
tasting. In 2007, PIR (Public Interest Registry), the operator of the .org
registry, imposed an "excess deletion fee" for that domain. Registrars that
delete more than 90 percent of their registrations within the grace period are
charged a 5-cent USD fee for each domain deleted. This is about as gentle as you
can get, but it reduced deleted domains from 2.4 million in May 2007 to 152,700
in June. Domain tasting in .org hasn't ended, but it's been cut back
massively.</p>
<p>And according to Alexa Raad, CEO of PIR, these significant changes happened
without much fuss. It's hard to imagine how they could have been more
unobtrusive about it. Personally, I don't think they go far enough. Perhaps a
change like PIR's could be pushed through the process, even at ICANN, without
encountering serious resistance, but I think it's worth going for closer to 100
percent.</p>
<p>For instance, a serious restock fee on all deletes would put a quick end to
Network Solutions' "domain protection" feature, just as it would put an end to
the front-running and domain tasting of lower-profile outfits. PIR's approach
would not stop Network Solutions, since deletes will never be 90 percent of
their registrations. And PIR's fee doesn't end tasting, it just causes a
restructuring of it. If you can find a way to do some legitimate registration
business, you can keep a large tasting business too.</p>
<p>The way the arguments proceed is likely to show where people's interests lie.
It's hard to imagine a big "legit" player, other than VeriSign, with an interest
in perpetuating domain tasting and opposing the restock fee. </p>
<p><em>Security</em><em> </em><em>Center</em><em> Editor <a href="mailto:larryseltzer@ziffdavis.com" rel="nofollow">Larry Seltzer</a> has
worked in and written about the computer industry since 1983.</em></p>