Red Alert: ICANN and Verisign Proposal Would Allow Any Government In The World To Seize Domain Names

ICANN, the organization that regulates global domain name policy, and Verisign, the abusive monopolist that operates the .COM and .NET top-level domains, have quietly proposed enormous changes to global domain name policy in their recently published “Proposed Renewal of the Registry Agreement for .NET”, which is now open for public comment.

Either by design, or unintentionally, they’ve proposed allowing any government in the world to cancel, redirect, or transfer to their control applicable domain names! This is an outrageous and dangerous proposal that must be stopped. While this proposal is currently only for .NET domain names, presumably they would want to also apply it to other extensions like .COM as those contracts come up for renewal.

The offending text can be found buried in an Appendix of the proposed new registry agreement. Using the “redline” version of the proposed agreement (which is useful for quickly seeing what has changed compared with the current agreement), the critical changes can be found in Section 2.7 of Appendix 8, on pages 147-148. (the blue text represents new language) Below is a screenshot of that section:

Proposed Changes in Appendix 8 of the .NET agreement
Proposed Changes in Appendix 8 of the .NET agreement

Section 2.7(b)(i) is new and problematic on its own (and I’ll analyze that in more detail in a future blog post – there are other things wrong with this proposed agreement, but I’m starting off with the worst aspect). However, carefully examine the new text in Section 2.7(b)(ii) on page 148 of the redline document.

It would allow Verisign, via the new text in 2.7(b)(ii)(5), to:

deny, cancel, redirect or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, as it deems necessary, in its unlimited and sole discretion” [the language at the beginning of 2.7(b)(ii), emphasis added]

Then it lists when it can take the above measures. The first 3 are non-controversial (and already exist, as they’re not in blue text). The 4th is new, relating to security, and might be abused by Verisign. But, look at the 5th item! I was shocked to see this new language:

“(5) to ensure compliance with applicable law, government rules or regulations, or pursuant to any legal order or subpoena of any government, administrative or governmental authority, or court of competent jurisdiction,” [emphasis added]

This text has a plain and simple meaning — they propose  to allow “any government“, “any administrative authority”  and “any government authority” and “court[s] of competent jurisdiction” to deny, cancel, redirect, or transfer any domain name registration (as I noted above, this is currently proposed  for .NET, but if not rejected immediately with extreme prejudice, it could also find its way into other registry agreements like .COM which the abusive monopolist Verisign manages).

You don’t have to be ICANN’s fiercest critic to see that this is arguably the most dangerous language ever inserted into an ICANN agreement.

“Any government” means what it says, so that means China, Russia, Iran, Turkey,  the Pitcairn Islands, Tuvalu, the State of Texas, the State of California, the City of Detroit,  a village of 100 people with a local council in Botswana, or literally “any government” whether it be state, local, or national. We’re talking about countless numbers of “governments” in the world (you’d have to add up all the cities, towns, states, provinces and nations, for starers). If that wasn’t bad enough, their proposal adds “any administrative authority” and “any government authority” (i.e.  government bureaucrats in any jurisdiction in the world) that would be empowered to “deny, cancel, redirect or transfer” domain names.  [The new text about “court of competent jurisdiction” is also probematic, as it would  override determinations that would be made by registrars via the agreements that domain name registrants have with their registrars.]

This proposal represents a complete government takeover of domain names, with no due process protections for registrants. It would usurp the role of registrars, making governments go directly to Verisign (or any other registry that adopts similar language) to achieve anything they desired. It literally overturns more than two decades of global domain name policy.

ICANN policy is supposed to be determined through an open and transparent multistakeholder process through the GNSO (Generic Names Supporting Organization), which has representatives from non-commercial organizations, registrars, registries, businesses, and other stakeholders. It is not supposed to be determined through bilateral private and opaque negotiations between ICANN staff and Verisign.

Let me provide a few examples of what the “new world order” for domain names would be under the world envisioned by ICANN staff and Verisign:

  1. The government of China orders domain names operating websites that are critical of its policies to be suspended (or simply transferred to the Chinese government).
  2. The government of Russia, at war with Ukraine, orders the transfer of pro-Ukrainian domain names to the control of the Russian government.
  3. The government of Ukraine, at war with Russia, orders the transfer of pro-Russian domain names to the control of the Ukrainian government.
  4. The government of Texas orders pro-abortion domain names to be transferred to the Texas government.
  5.  The Taliban government in Afghanistan orders pro-abortion domain names, and those promoting education for girls, to be transferred to the government.
  6.  The government of Iran orders all domain names around the world with “adult” content (i.e. pornography) to be transferred to the Iranian government.
  7. The  government of Tuvalu, (which already licenses the .TV registry in order to raise funding) facing an economic crisis due to climate changes, orders that every 2-letter, 3-letter, and one-word dot-net be transferred to the Tuvalu government, in order to auction off the domain names to raise new funding for themselves.
  8. A government in Argentina launches a new program whose name happens to be identical to the domain name owned by a French company for the past 25 years. The government of Argentina orders that the domain name be transferred to them, without compensation for the expropriation.
  9. The government of Italy is upset about a social media company operating from China, and orders that the Chinese company’s domain name be transferred to the Italian government.
  10. The UK government is upset that software published by a Swedish company has end-to-end encryption. It orders the domain name of the Swedish company be transferred to the UK government.

I’m sure readers can come up with their own examples of what would happen if governments are able to censor or seize domain names they don’t like or expropriate domain names that they covet, without due process for registrants.

Now, you might be thinking “Hey, I don’t live in or have any connection to China, Russia, or Afghanistan — those governments have no jurisdiction over me.” That’s how things are at present. ICANN and Verisign propose to overturn centuries of legal debate over the nature of liability across jurisdictions with their outrageous proposal

Next, you might be thinking “If they take my domain, I will sue Verisign, ICANN, or my registrar.” However, that would be quite difficult, given that the one-sided registrar agreements forced upon us by ICANN prevents that! (one might get sympathy from courts, if they’re deemed to be unconscionable “contracts of adhesion”).

Using the red-line agreement again, section 2.7(b)(iii) of Appendix 8 (page 148, literally below the screenshot above!) contains the following text:

“a provision requiring the Registered Name Holder to
indemnify, defend and hold harmless Verisign and its subcontractors, and its and their directors, officers, employees, agents, and affiliates from and against any and all claims, damages, liabilities, costs and expenses, including reasonable legal fees and expenses arising out of or relating to, for any reason whatsoever, the Registered Name Holder’s domain name registration. The registration agreement shall further require that this indemnification obligation survive the termination or
expiration of the registration agreement.” [emphasis added]

Verisign, ICANN, and registrars want to be immune from liability, and thus your registration agreement with your registrar contains one-sided terms which protect Verisign, ICANN and registrars.

Next, you might think “If a government in China, Russia, or Iran, or anywhere else takes my domain name, I will get a lawyer and sue them in my country’s court system!”

Unfortunately, that is also going to be very problematic, because of the notion of “sovereign immunity” which generally makes it nearly impossible to start an action against a foreign government outside the courts of their own nation. We saw this in the context of domain names when the US Supreme Court would not allow the dispute over the France.com domain name to be heard in US courts. If the Iranian government took your domain, you’d have to go to the courts of Iran to seek relief. If the Chinese government took your domain, you’d have to go to the courts of China for justice, and so on. This is why I was so opposed to the proposal relating to IGOs, which would also harm domain name owners’ rights to have disputes decided by courts, due to alleged IGO immunity. [see my extensive analysis of that sham policy change,  which is now before the ICANN Board, which will likely rubberstamp it, throwing registrants under the bus].

This proposal is even more egregious because domain name registrars take a very thoughtful and  nuanced approach to jurisdiction, in order to protect the due process rights of registrants. My company is based in Toronto, Ontario, Canada, and all my company’s domain names are registered with Tucows/OpenSRS. I would expect that if Tucows/OpenSRS was approached by the government of Iran, China, Russia, etc. about one of my company’s domain names, they’d be told to take their dispute to an Ontario court, particularly given that domain names are property in Ontario, Canada.

Indeed, there is an active dispute between various registrars and the government of India, because those registrars (including Tucows, Dynadot, NameCheap) insist that plaintiffs get US court orders to takedown various sites. Those registrars are even facing being blocked by ISPs in India, in order to protect the rights of registrants to due process in their own jurisdiction and national courts.

ICANN staff and Verisign are trying to sneak through this major policy change which has enormous negative implications for domain name rights without any serious debate. If you re-read the announcement page for the public comment period, it appears to simply be a routine renewal. Here’s a screenshot of what ICANN staff claims are the “key provisions” that are “materially different” from the current agreement.

ICANN's summary of materially different provisions in the .NET agreement
ICANN’s summary of materially different provisions in the .NET agreement

Did ICANN staff highlight the enormous negative ramifications that I’ve pointed out in this article? Of course not! Instead, they bury major policy changes in an appendix near the end of a document that is over 100 pages long (133 pages long for the “clean” version of the document; 181 pages for the “redline” version). I’ve been ICANN’s fiercest critic (and Verisign’s too!) for two decades (see pages 4-5 of a recent comment submission which lists some of the “highlights”, including sounding the alarm over tiered pricing, SiteFinder, etc.) When I saw the ICANN summary, it seemed at first glance like a routine renewal with no big changes. But, I had some time on the weekend to go through the redline version and was astonished at the changes.

ICANN and Verisign appear to have deliberately timed the comment period to avoid public scrutiny.  The public comment period opened on April 13, 2023, and is scheduled to end (currently) on May 25, 2023. However, the ICANN76 public meeting was held between March 11 and March 16, 2023, and the ICANN77 public meeting will be held between June 12 and June 15, 2023. Thus, they published the proposal only after the ICANN76 public meeting had ended (where we could have asked ICANN staff and the board questions about the proposal), and seek to end the public comment period before ICANN77 begins. This is likely not by chance, but by design.

Few others would have noticed what’s going on, so once again I’m sounding the alarm.

What can you do? You can submit a public comment, showing your opposition to the changes, and/or asking for more time to analyze the proposal. [there are other things wrong with the proposed agreement, e.g. all of Appendix 11 (which takes language from new gTLD agreements, which are entirely different from legacy gTLDs like .com/net/org); section 2.14 of Appendix 8 further protects Verisign, via the new language (page 151 of the redline document); section 6.3 of Appendix 8, on page 158 of the redline, seeks to protect Verisign from losing the contract in the event of a cyberattack that disrupts operations — however, we are already paying above market rates for .net (and .com) domain names, arguably because Verisign tells others that they have high expenses in order to keep 100% uptime even in the face of attacks; this new language allows them to degrade service, with no reduction in fees).

You can also contact your registrar, so that they are encouraged to voice their opposition to this proposed agreement.  You can also blog about this, or participate on message boards to educate and inform other domain name owners about the great dangers should this proposed agreement be adopted unchanged, so that they too can submit comments opposing the proposed agreement. You can also follow me on Twitter for further updates.

Verisign is an abusive monopolist. They’re already getting guaranteed 10% permitted annual registry fee increases, due to past weak negotiations by ICANN. The management of the .NET (and .COM) TLDs should be put out to a competitive public tender.

In the alternative, ICANN and Verisign should simply renew the existing contract with absolutely no changes.

I will be writing to the ICANN Board to express my concerns, and asking for at least an extension of the comment period. ICANN staff should also hold a public webinar where they can explain these changes.

As I noted earlier, these changes are either (i) by design, or (ii) unintentional. If by design, the ICANN staff who negotiated this agreement, which attacks  registrars, registrants and usurps the role of the GNSO, should be removed from their position. Such a dangerous proposal to give governments unprecedented powers over domain names should not have seen the light of day if ICANN staff were true custodians of the domain name system. If instead these proposed changes are unintentional, then the ICANN staff (including any external lawyers reviewing their work) are grossly incompetent to put forth a document that they didn’t understand. Gross incompetence should lead to immediate dismissal. It’s time to hold ICANN’s staff, and ICANN’s board accountable for this sloppy proposal that they’re attempting to sneak through to the detriment of domain name owners. Someone has to take the fall for this unprecedented attack on the rights of domain name owners.

Update #1: I’ve submitted a “placeholder” comment to ICANN, to get the ball rolling.  There’s also a thread on NamePros.com about this topic, if you had questions, etc.

Update #2: DomainIncite points out correctly that the offending language is already in the .com agreement, and that people weren’t paying attention to this issue back 3 years ago, as there bigger fish to fry. I went back and reviewed my own comment submission, and see that I did raise the issue back then too:

11. We also object to the major changes to the .COM Registry-Registrar Agreement (starting from page 47 of

Click to access com-proposed-amend-3-03jan20-en.pdf

for those who didn’t read that far!). Without mentioning all sections (we object to all the changes, out of an abundance of caution), we point out that the new language in section 2.7 is dangerous, potentially allowing Verisign the ability to override decisions by
registrars as to how to handle various situations, which can result in elimination of due process for registrants. For example, 2.7(b) refers to:

“any legal order or subpoena of ****any government*****, administrative or governmental authority, or court of competent jurisdiction,” (emphasis added)

which is not acceptable! For example, if this language is not modified, then it says that if a government from Cuba, North Korea, Iran or other totalitarian regime tells Verisign to transfer ownership of sites owned by my company, such as Math.com or FreeSpeech.com to
their control, Verisign can go along! Or, why stop there? Why not allow Verisign to shut down Google.com, if the government of Iran or Turkey or Russia asks for it? Why bother with a shutdown — suppose a government in one of those regimes orders the actual transfer of a
domain name such as Google.com or Sex.com or School.com or Apple.com or Amazon.com or Microsoft.com?

Again, why stop there? A “crafty” government seeking to profit economically, say in a banana republic, can pass a law to say that they want all dictionary-word dot-coms, 2-letter and 3-letter dot-coms
and other valuable domain names to be transferred to them! That’s many billions of dollars worth of digital assets, all for the taking — if those banana republics can sell passports, citizenship, their entire
ccTLDs, and engage in other dubious activities, why wouldn’t they be incentivized to simply pass laws to order the transfer of an $872 million domain like Cars.com?

The top 25 most expensive domain names


https://www.dnacademy.com/the-definitive-guide-to-the-worlds-largest-domain-sale

This is unacceptable. Registrants have an expectation that they will be governed by the laws of the  jurisdictions in which they are based (or that of the registrar), and due process considerations demand that
this continues.

All of the changes to section 2.7(b) should be eliminated. For example, why single out “copyright infringement” — why not criminal activity by banks such as Barclays?

http://www.circleid.com/posts/20150520_should_barclays_lose_the_barclays_top_level_domain/

Or patent violations by Apple?

https://www.theverge.com/2020/1/29/21114325/apple-broadcom-caltech-lawsuit-jury-award-1-1-billion-damages

Even Google has an active case involving alleged copyright infringements with Oracle:

https://en.wikipedia.org/wiki/Google_v._Oracle_America

If Google loses that case (now before the Supreme Court), why shouldn’t they lose all of their domains, under the literal interpretation of the proposed Section 2.7(b)? It’s clear to us that Section 2.7(b) is dangerous because it would only be selectively enforced. I doubt Google or Youtube has much to fear from Verisign,
despite all the copyright infringement that takes place on their domains. But, by the strict language of that contract, conceivably they *should* be afraid. Instead, it’ll be more vulnerable entities who would lose their domains, without proper due process. No one
should have that power, except proper courts (in the proper jurisdictions, not “any jurisdiction”). Contracts should be read as to what’s possible, and what’s proposed here is potentially extremely
dangerous.

12. The new language in Section 2.14 reinforces 2.7(b), and also must
be eliminated, for the reasons above.

Given that this dangerous text made it through without serious consideration at the time, and now that folks are aware of the issues, then it should be removed from .com (and not permitted in .net).