By now anyone who’s part of the domain investment or broader ICANN community is aware of the curious saga of the recently launched .XYZ registry. Soon after its young CEO boldly stated, “we hope to reach 1 million .XYZ registrations in the first year and 5 million registrations in the first three years”, the registry launched with a remarkable total of nearly 18,000 registrations on its first day, a total that has quickly grown to more than 100,000.

But it was soon noted that “the zone files showed that over 70% of all .XYZ registrations had been made at NetworkSolutions, an expensive registrar that has a less than 5% share of most new gTLD registrations.” (The NetSol percentage of .XYZ registrations has reportedly since climbed to more than 85%.) Then it was further discovered that the surprisingly large number of registrations was not the result of affirmative registration decisions made by individuals responding to a compelling marketing or incentive campaign, but to a NetSol decision to give away “free domains” matching those already owned by its customers if they did not “opt out” of the domain registration in response to an e-mail. That revelation prompted one of the two organizations tracking new gTLD to delete all NetSol-supplied free .XYZ names from its gTLD rankings, dropping .XYZ from a number one position to “number 14 on the list of most registered new gTLD’s with just under 15,000 registrations”.

These events gave rise to questions whether the .XYZ registry had made arrangements with NetSol to embark on this promotion and thereby turbocharge its initial registration numbers. But in a published interview, its CEO stated:

Each Registrar (or store) then makes its own decision on the retail price it wants to charge for the different domain names (products) it offers.

We have over 200 registrars from all around the world in all languages offering .xyz domain names. I do not know the details of every promotion or marketing campaign that they are doing every day.

Here is what I do know:

Regardless of whether a registrar charges $100, $5, or gives the domains away for free, I get paid the ENTIRE wholesale price, which is the same price that every registrar pays.

Yet there remains no explanation for why NetSol embarked on this aggressive campaign for this one new gTLD registry. But, regardless of whether the registry had any active part in these actions, the damage to the registry’s reputation has been done. As one respected industry observer recently observed:

With NetSol you have a registrar that is three times more expensive than other registrars making themselves an even less attractive option by telling customers we will decide what domains are put in your account instead of you!

... With .XYZ you have a registry that has proclaimed themselves the next .com but instead are proving themselves not to be an alternate .com but an alternate reality based on fictional numbers of real registrants. Instead of becoming the next .com they are in danger of becoming the next .tk—the ccTLD for the obscure Pacific Ocean territory of Tokelau that gives away its domains for free.

Is deception really the business plan a registry expects to succeed with? While declaring oneself the winner based on a blatantly stuffed ballot box still happens in places like Syria it is generally regarded as poor form in the rest of the world (and is certainly not a good calling card for any business).

Of course new gTLD skeptics are loving this, saying that it proves the new extensions are already on the ropes, having so little of value to sell that they have to resort to giving the product away (and not just giving it away, but forcing it upon people who never asked for it) and then trumpeting inflated numbers. As you would expect registries that are doing it the right way hate that they are being unfairly painted with the same brush. I’ve seen key executives from at least three other new gTLD registries publicly post their dismay over how this is tarnishing the entire new GTLD program.

So far the discussion has mostly been about what arrangement if any existed between NetSol and .XYZ and how to dissect new gTLD registration numbers to meaningfully decide which ones are successful—should it be based on gross registrations, registry revenues, or websites that have been actively developed?

But that misses two other big issues.

What about the rights of the registrants who have been involuntarily signed up for these “free” .XYZ domains?

And, presuming that someone at ICANN monitors the domain industry press that has been feverishly reporting this story, why hasn’t it stepped forward to announce that, for the protection of registrants and to protect the integrity of the new gTLD program, it is investigating to see whether either party is in violation of its contract with ICANN.

After all, ICANN’s CEO proclaimed last year that registrants were its number one concern.

And, given continued misgivings about the effectiveness of ICANN’s contractual compliance enforcement efforts, as well as the intense scrutiny it is undergoing in conjunction with stakeholder consideration of IANA functions transition and accompanying enhanced accountability mechanisms, you’d think the organization would welcome a chance to demonstrate that it doesn’t need a third party monitor to tell it that it should look into the situation.

For one thing, NetSol may be creating potential trademark infringement liability for these involuntary registrants. As has been reported—”Clear-cut cases of cybersquatting seem to be among those .xyz domain names that Network Solutions has registered to its customers without their explicit request... They’re all registered via NetSol’s Whois privacy service, which lists the registrant’s “real” name in the Whois record, but substitutes mailing address, email and phone number with NetSol-operated proxies.”

One website cited in that article is www.disneytime.xyz . That parked website features a Network Solutions corporate name and logo in the upper right hand corner along with an “under construction” notice, and has links to entertainment-related topics such as “Top Ten Music Artist” and “Pop Hits Music”. Clicking on any of those links brings one to yet more pages with pay-per-click (PPC) ad links. Overall, the parked page appears to be under NetSol’s control and presumably they choose the PPC link labels and receive any income derived from the ads.

“Registrants” shouldn’t be involuntarily exposed to the potential for receiving a cease-and-desist letter, much less the target of UDRP or URS arbitration or even a trademark infringement suit. As for the trademark owners, they may not have effective recourse to the UDRP or URS. One element that must be proven by a complainant is “bad faith registration”, and bad faith involves affirmative intent—and there’s not much intent involved with a failure to click on an opt-out link in an e-mail that may or may not have been read. There’s even a plausible argument that NetSol might be considered the registrant for dispute resolution purposes, since it chose the domain name and completed the registration absent any clear direction from its customer. There’s also the twist that, where NetSol matched the registered .XYX domain to one the customer already had in an incumbent registry, the existing agreement with the registrant does not include consent to be subject to the Trademark Clearinghouse (TMCH) and Uniform Rapid Suspension (URS).

And that raises another critical question: If any of these opt-out registrations of infringing domains triggered a Trademark Claims Notice to the involuntary registrant, did any of them ever see it and have an opportunity to opt-out then? After all, as described above, the registrant’s real name was listed in the WHOIS record, but not their e-mail address; instead, the listed address was for NetSol’s proxy service.

There’s also the matter of whether involuntary registrations are in compliance with the 2013 Registrar Accreditation Agreement (RAA) entered into by all those selling new gTLDs. Section .7.7 states, “Registrar shall require all Registered Name Holders to enter into an electronic or paper registration agreement with Registrar”. An opt-out procedure arguably fails to satisfy that requirement. NetSol reportedly tried to get around that by including, as a less than conspicuous footnote in its e-mail, this statement, “Please note that your use of this .XYZ domain name and/or your refusal to decline the domain shall indicate acceptance of the domain into your account, your continued acceptance of our Service Agreement located online at http://www.networksolutions.com/legal/static-service-agreement.jsp, and its application to the domain.” But it’s not clear that any court would view that as satisfying the RAA’s contractual requirement.

The RAA also contains an addendum titled “ADDITIONAL REGISTRAR OPERATION SPECIFICATION” that includes a statement of “Registrants’ Benefits and Responsibilities”. One of those rights is, “You shall not be subject to false advertising or deceptive practices by your Registrar or though (sic) any proxy or privacy services made available by your Registrar. This includes deceptive notices, hidden fees, and any practices that are illegal under the consumer protection law of your residence.”

Was the opt-out registration a deceptive practice and notice, or illegal under any national law? If a registrant involuntarily received a free .XYZ domain, and had opted for automatic renewal of its domains held by NetSol, would reregistration a year hence at a hefty fee be an unfair and deceptive trade practice? Those are questions that the Federal Trade Commission (never a fan of the new gTLD program) or other national consumer protection agency might want to investigate, especially if ICANN doesn’t move quickly.

Overall, this situation appears to raise the most significant questions about the effectiveness of the RAA and ICANN’s compliance enforcement since the Registerfly fiasco of early 2007. It is not of the same character, since that situation involved a registrar stealing customer domains and funds, but it is still quite disturbing. Back in 2007 then-ICANN CEO Paul Twomey declared, “What has happened to registrants with RegisterFly.com has made it clear there must be comprehensive review of the registrar accreditation process and the content of the RAA. This is going to be a key debate at our Lisbon meeting scheduled for 26—30 March 2007. There must be clear decisions made on changes. As a community we cannot put this off… Registrants suffer most from weaknesses in the RAA and I want to make sure that ICANN’s accreditation process and our agreement gives us the ability to respond more strongly and flexibly in the future.”

While the 2013 RAA is substantially stronger on paper than the one in use seven years ago, in the end it is only as strong as ICANN’s compliance enforcement makes it.

As for .XYZ, if they did have some arrangement with NetSol to undertake this involuntary registration program, and if it involved any consideration not offered to other registrars, that might place them in violation of their Registry Agreement, as Section 2.9 of that contract requires non-discriminatory access for all registrars.

There’s also an open question regarding the efficacy of the ICANN background check for new gTLD registries and their top executives. The CEO of .XYZ, along with his company Cyber2media, were the lead defendants in a Lanham Act lawsuit filed by Facebook on July 22, 2011, months before the new gTLD application window opened in January 2012. That complaint alleged four separate violations of the Lanham Act as well as two other civil counts. Further, the scheme that defendants were alleged to be engaged in was far more sophisticated than the one described above for disneytime.xyz. According to the lawsuit, rather than landing on pages that were clearly parked, consumers who mistakenly typed in typographic variations of Facebook were redirected to websites that mimicked Facebook’s design and used its distinctive marks and logos. They were then invited to take part in social media “surveys” and thereby have a (fictional) chance to win a MacBook, iPad, or iPhone—in exchange for divulging proprietary personal information including their phone number and e-mail address.

Of course allegations are not proof of guilt, and this lawsuit appears to have been dismissed against those two defendants within days after the .XYZ application was submitted to ICANN. But, if only to inform ICANN of potential background check alterations for the next round of the gTLD program, it would be useful to know whether this very relevant litigation was revealed in that application—and, if not, whether the background screeners conducted a simple web search that should have brought up information about the lawsuit—and in either event what further investigation was undertaken and resolved.

Summing up here, there’s a lot more at stake in this situation than which registry has the most registrations or has suffered self-inflicted damage. There are significant contract compliance and consumer protection issues, compounded by possible involuntary trademark infringement. Thousands of registrants are directly affected, and all registrants are at risk.

It should be as simple as ABC for ICANN to realize it needs to step up to the plate and take responsibility for initiating a full inquiry and report on what’s transpired in the initial .XYZ registration phase. The answer is important for registrants, registrars who don’t engage in such practices, and other operators of new gTLD registries. It’s also of consequence for ICANN’s own reputation as a critical time in its history.