Registering, Managing and Cancelling Policy Review Submission
From: David Farrar
Received: 29 January 2007

This is a personal submission from David Farrar.

I have over tens years experience with domain name policies both in New Zealand and internationally and am very conversant with the effectiveness, or otherwise, of various regimes. I comment on each suggestion in turn:

That the five day grace period is also used as a public notification period. This procedure will address, for example, concerns raised on malicious registrations for phishing or other illegal or malicious purposes. Regulatory authorities can thus monitor proposed registrations and respond appropriately. For example, the use of the word "bank" is restricted under the Reserve Bank Act and inappropriate use may constitute an offence.

Firstly it should be made clear that publishing of new registrations would have seriously detrimental effects on other policies. Specifically it would allow third parties to build a database of valid .nz names. Then that list of names can be used to access whois details for .nz domains. Experiences tells us that those details will then be used to spam registrants with offers to register further variations on their names, or even worse confusing them into thinking they need to renew their own name when they do not. Changing this policy would negatively impact tens of thousands of .nz registrants.

I also note that the mere registration of a domain is unlikely in itself to break any law. This is a different issue to what use a website using part of that domain may be put to. A nzbank.co.nz website would probably be legal if it was an information site providing comparative info on NZ banks. If it was a phishing site it would not be legal. It is the use of the website, not the registration of the domain that matters.

The objective of the RMC policy should be to put in place processes to prevent fraudulent applications for domain names and also provide for cooperation with industry participants including state bodies where potential fraudulent applications are suspected. A further objective of the policy should be to ensure that the domain names have integrity. For example, registration of domain names that are likely to mislead Internet users such as derivatives of corporate names, for example "Wespac" and "Natonal" should be prevented.

This calls for a fundamental change in the operation of .nz. At present registrations are fully automated and operate on a first come first served basis. This has allowed registrations to be completed online within minutes, a domain to be active within an hour, and for registration costs to be modest. In some other countries they do restrict registrations. The trade off is that all registrants pay more for their domains, and often take longer to register.

With 240 different country code top level domains there are a huge variety of registration policies. Bodies such as the OECD and CENTR perform surveys of registration polices from time to time. Both the OECD and CENTR have found that the very clear trend amongst ccTLD Managers is to liberalise registration policies. If .nz were to start imposing restrictions on registrations, we would be going in the opposite direction to the global trend.

Introducing a requirement that the DNC is required to check applications for domain names against defined criteria, for example similar to those used by the Companies Office.

The same comment as above applies. Any change from a fully automated first in first served system will have significant consequences and a degraded service to the 250,000+ existing registrants.

Enabling the immediate and effective cancellation of a domain name in the event of a fraud.

If a court finds a website is operating fraudulently then the website hoster and/or domain name registrar are obliged to cancel the fraudulent site. However InternetNZ is not competent to determine what is and is not fraud.

Insert a clause that states that a domain name must not consist of a word that is not permitted by law or the applicant itself is not permitted to use in accordance with any law operating in New Zealand. For example, Section 64 of the Reserve Bank of New Zealand 1989 Act which places limits on the use of restricted words such as "bank", banker and "banking" in a name or title. If an application seeks to use such restricted words then the relevant registrar will be required to carry out checks that the applicant is permitted to use these words in their domain name.

As I explained earlier, one can not judge if a domain name by itself infringes. It depends on what any website associated with the domain name may purport to be. I do not believe the law restricts a domain name of bankwatch.org.nz which might be used to point to a website which is critical of NZ banks.

Also it should be made clear that registrants can get around any restrictions placed at the .nz registry by using fourth level names such as bank.nzl.co.nz (the owner of nzl.co.nz can set up bank.nzl.co.nz). The domain name structure is not suitable for trying to ban words from.

That a list of restricted words should be drawn up by the DNC as a guide for registrars carrying out their functions.

This could be a useful initiative. Registrars often provide other services such as web hosting and may be in a position to ascertain if a planned registration may infringe, based on knowledge of what the client has asked for. Registrars would probably find it useful to have a list of words, which if used in a certain way, might be illegal.

Payment should be received from an applicant before the domain name is provided unless there are "exceptional circumstances". Exceptional circumstances might include where the applicant can demonstrate that due to a pressing commercial requirement that use of the domain name is required immediately.

This is, with all respect, an idiotic suggestion. It is up to registrars how they manage their credit applications but such a requirement would make it incredibly difficult for some registrants to register names. From my own experiences of working in the NZ Parliament, it was near impossible to get payment for anything except on an invoice basis. This would delay or hinder registrations massively.

In summary I have sympathy for the aims of those proposing the changes. We would all like phishing scams stopped and/or made harder to pull off. But the changes proposed would result in greater costs, more spam, slower registrations and more complexity for 250,000 or so existing registrants. One has to balance that against the very small number of phishing scams which have used a .nz domain name for their website.

I would be strongly opposed to the changes advocated, except for the supplying of information to Registrars on restricted words.

David Farrar 29 January 2007