ICANN Kill Two Birds with One Stone

By Larry Seltzer  |  Posted 2008-01-17

ICANN Kill Two Birds with One Stone

I had a moment of clarity today (believe me, I need them). In the wake of the Network Solutions scandal over the company's employment of front-running and domain tasting, I've been talking to a lot of vendors and other interested parties.

Front-running is a tricky problem that defies resolution. I've been inclined to blame ICANN, but that's unfair. I don't like a lot of ICANN policies, but I think it's pretty clear (although I have no hard evidence of it) that front-running comes as a result of some companies selling data they aren't supposed to be selling. No policy change could prevent it from being committed.

Then today, I realized how to stop front-running: by stopping domain tasting. Front-running is only employed, or at least the overwhelming majority of it is employed, in order to taste the domain. Take away the option of tasting the domain for speculative purposes, and you make front-running too risky to be worthwhile.

I really think it's that simple. A quick look at the practices of domain tasters gives some insight into why someone would want to front-run a domain. This includes Network Solutions. The ICANN GNSO's Initial Report on Domain Tasting (PDF) shows, for example, that in July 2007 alone there were over 62 million deletes performed during the grace period. You can safely assume that nearly all of these were for domain tasting. Data from VeriSign shows that in April 2007 three registrars each created over 9 million domains and then deleted nearly all of them within the grace period. The effect is so huge that the majority of domain name registrations in the last year were for tasting purposes.

All those tens of millions of deletes cost the tasting companies close to nothing. The direct cost was literally nothing; even if we allow them to charge some overhead across each account, it's effectively $0.00. The tasting process is automated and it's not like you have to feed the computers or pay for their health insurance.

If there were a fee associated with dropping a domain, the logic of the system would change substantially. One of the interest groups cited in the ICANN preliminary report recommended that the ICANN fee of 20 cents per domain be assessed even for a deleted domain. At 9 million domains, that comes to $1.8 million per month for a bunch of domains on which, presumably, the company is making nothing or next to nothing.

Ending Front-Running

Back to front-running. As I've said above, front-running is basically done in advance of tasting. When someone front-runs a domain, he or she is taking a risk on it: The front-runner is not the person interested in it, the person from whom the search was stolen. That search acts as a screening process indicating that someone was interested in the domain, and therefore there may be potential to monetize it.

Is the chance to monetize a domain worth committing funds to it? The answer to that is "up to a point." Let's assume that the average front-run domain has more potential than the average domain name generated algorithmically or from dictionaries. Is it 20 cents' worth of potential? How about a buck? I really doubt it's worth a dollar. To get that level of confidence with a domain, you really can't automate; you have to run the domain past a human judge of value. There are two problems with that: It's expensive and it's time-sensitive. Remember, you have to make the decision and register the domain before the person who thought of it first does so.

So we impose the ICANN fee, although the actual money from it won't be substantial, because its very presence will deter tasting. And we impose an extra "restocking" fee, as discussed in many venues for this problem. That money probably goes to the registry, even though it's even easier money than registries get for domains that are actually registered. Perhaps ICANN could come up with some neutral use for it, like the money in the middle of the board in Monopoly.

The idea behind the grace period was to allow mistakes to be corrected. As a general rule, this is not how it is used. If you make a mistake registering a domain, your registrar is not going to let you "undo" the registration and them register the right name. In general, it's only used by tasters to speculate on monetized domains. But it appears that some registrars have used the grace period in some extraordinary cases, such as when the customer's credit card is determined to have been stolen. Such cases are rare enough that the restock and ICANN fees are just the cost of doing business.

And there's plenty of evidence that imposing a restock fee will deter tasting. In 2007, PIR (Public Interest Registry), the operator of the .org registry, imposed an "excess deletion fee" for that domain. Registrars that delete more than 90 percent of their registrations within the grace period are charged a 5-cent USD fee for each domain deleted. This is about as gentle as you can get, but it reduced deleted domains from 2.4 million in May 2007 to 152,700 in June. Domain tasting in .org hasn't ended, but it's been cut back massively.

And according to Alexa Raad, CEO of PIR, these significant changes happened without much fuss. It's hard to imagine how they could have been more unobtrusive about it. Personally, I don't think they go far enough. Perhaps a change like PIR's could be pushed through the process, even at ICANN, without encountering serious resistance, but I think it's worth going for closer to 100 percent.

For instance, a serious restock fee on all deletes would put a quick end to Network Solutions' "domain protection" feature, just as it would put an end to the front-running and domain tasting of lower-profile outfits. PIR's approach would not stop Network Solutions, since deletes will never be 90 percent of their registrations. And PIR's fee doesn't end tasting, it just causes a restructuring of it. If you can find a way to do some legitimate registration business, you can keep a large tasting business too.

The way the arguments proceed is likely to show where people's interests lie. It's hard to imagine a big "legit" player, other than VeriSign, with an interest in perpetuating domain tasting and opposing the restock fee.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Rocket Fuel