Below is Annex 1 to the Governmental Advisory Committee’s (GAC) communique to the ICANN Board delivered on 11 April 2013 in Beijing. It concerns a series of “safeguards” for new gTLDs.

Safeguards on New gTLDs

The GAC considers that Safeguards should apply to broad categories of strings. For clarity, this means any application for a relevant string in the current or future rounds, in all languages applied for. The GAC advises the Board that all safeguards highlighted in this document as well as any other safeguard requested by the ICANN Board and/or implemented by the new gTLD registry and registrars should:

  • be implemented in a manner that is fully respectful of human rights and fundamental freedoms as enshrined in international and, as appropriate, regional declarations, conventions, treaties and other legal instruments – including, but not limited to, the UN Universal Declaration of Human Rights.
  • respect all substantive and procedural laws under the applicable jurisdictions.
  • be operated in an open manner consistent with general principles of openness and non-­‐ discrimination.

Safeguards Applicable to all New gTLDs

The GAC Advises that the following six safeguards should apply to all new gTLDs and be subject to contractual oversight.

  1. WHOIS verification and checks – Registry operators will conduct checks on a statistically significant basis to identify registrations in its gTLD with deliberately false, inaccurate or incomplete WHOIS data at least twice a year. Registry operators will weight the sample towards registrars with the highest percentages of deliberately false, inaccurate or incomplete records in the previous checks. Registry operators will notify the relevant registrar of any inaccurate or incomplete records identified during the checks, triggering the registrar’s obligation to solicit accurate and complete information from the registrant.
  2. Mitigating abusive activity – Registry operators will ensure that terms of use for registrants include prohibitions against the distribution of malware, operation of botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law.
  3. Security checks – While respecting privacy and confidentiality, Registry operators will periodically conduct a technical analysis to assess whether domains in its gTLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. If Registry operator identifies security risks that pose an actual risk of harm, Registry operator will notify the relevant registrar and, if the registrar does not take immediate action, suspend the domain name until the matter is resolved.
  4. Documentation – Registry operators will maintain statistical reports that provide the number of inaccurate WHOIS records or security threats identified and actions taken as a result of its periodic WHOIS and security checks. Registry operators will maintain these reports for the agreed contracted period and provide them to ICANN upon request in connection with contractual obligations.
  5. Making and Handling Complaints – Registry operators will ensure that there is a mechanism for making complaints to the registry operator that the WHOIS information is inaccurate or that the domain name registration is being used to facilitate or promote malware, operation of botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law.
  6. Consequences – Consistent with applicable law and any related procedures, registry operators shall ensure that there are real and immediate consequences for the demonstrated provision of false WHOIS information and violations of the requirement that the domain name should not be used in breach of applicable law; these consequences should include suspension of the domain name.

Category 1

Consumer Protection, Sensitive Strings, and Regulated Markets:

The GAC Advises the ICANN Board:

Strings that are linked to regulated or professional sectors should operate in a way that is consistent with applicable laws. These strings are likely to invoke a level of implied trust from consumers, and carry higher levels of risk associated with consumer harm. The following safeguards should apply to strings that are related to these sectors:

  1. Registry operators will include in its acceptable use policy that registrants comply with all applicable laws, including those that relate to privacy, data collection, consumer protection (including in relation to misleading and deceptive conduct), fair lending, debt collection, organic farming, disclosure of data, and financial disclosures.
  2. Registry operators will require registrars at the time of registration to notify registrants of this requirement.
  3. Registry operators will require that registrants who collect and maintain sensitive health and financial data implement reasonable and appropriate security measures commensurate with the offering of those services, as defined by applicable law and recognized industry standards.
  4. Establish a working relationship with the relevant regulatory, or industry self-­‐regulatory, bodies, including developing a strategy to mitigate as much as possible the risks of fraudulent, and other illegal, activities.
  5. Registrants must be required by the registry operators to notify to them a single point of contact which must be kept up-to-date, for the notification of complaints or reports of registration abuse, as well as the contact details of the relevant regulatory, or industry self-regulatory, bodies in their main place of business.

In the current round the GAC has identified the following non-exhaustive list of strings that the above safeguards should apply to:

  • Children:

    • .kid, .kids, .kinder, .game, .games, .juegos, .play, .school, .schule, .toys
  • Environmental:

    • .earth, .eco, .green, .bio, .organic
  • Health and Fitness:

    • .care, .diet, .fit, .fitness, .health, .healthcare, .heart, .hiv, .hospital,, .med, .medical, .organic, .pharmacy, .rehab, .surgery, .clinic, .healthy (IDN Chinese equivalent), .dental, .dentist .doctor, .dds, .physio
  • Financial:

    • .capital, . cash, .cashbackbonus, .broker, .brokers, .claims, .exchange, .finance, .financial, .fianancialaid, .forex, .fund, .investments, .lease, .loan, .loans, .market, . markets, .money, .pay, .payu, .retirement, .save, .trading, .autoinsurance, .bank, .banque, .carinsurance, .credit, .creditcard, .creditunion, .insurance, .insure, ira, .lifeinsurance, .mortgage, .mutualfunds, .mutuelle, .netbank, .reit, .tax, .travelersinsurance, .vermogensberater, .vermogensberatung and .vesicherung.
  • Gambling:

    • .bet, .bingo, .lotto, .poker, and .spreadbetting, .casino
  • Charity:

    • .care, .gives, .giving, .charity (and IDN Chinese equivalent)
  • Education:

    • .degree, .mba, .university
  • Intellectual Property

    • .audio, .book (and IDN equivalent), .broadway, .film, .game, .games, .juegos, .movie, .music, .software, .song, .tunes, .fashion (and IDN equivalent), .video, .app, .art, .author, .band, .beats, .cloud (and IDN equivalent), .data, .design, .digital, .download, .entertainment, .fan, .fans, .free, .gratis, .discount, .sale, .hiphop, .media, .news, .online, .pictures, .radio, .rip, .show, .theater, .theatre, .tour, .tours, .tvs, .video, .zip
  • Professional Services:

    • .abogado, .accountant, .accountants, .architect, .associates, .attorney, .broker, .brokers, .cpa, .doctor, .dentist, .dds, .engineer, .lawyer, .legal, .realtor, .realty, .vet
  • Corporate Identifiers:

    • .corp, .gmbh, .inc, .limited, .llc, .llp, .ltda, .ltd, .sarl, .srl, .sal 
  • Generic Geographic Terms:

    • .town, .city, .capital
  • .reise, .reisen
  • .weather
  • .engineering
  • .law
  • Inherently Governmental Functions:

    • .army, .navy, .airforce
  • In addition, applicants for the following strings should develop clear policies and processes to minimise the risk of cyber bullying/harassment

    • .fail, .gripe, .sucks, .wtf

The GAC further advises the Board:

In addition, some of the above strings may require further targeted safeguards, to address specific risks, and to bring registry policies in line with arrangements in place offline. In particular, a limited subset of the above strings are associated with market sectors which have clear and/or regulated entry requirements (such as: financial, gambling, professional services, environmental, health and fitness, corporate identifiers, and charity) in multiple jurisdictions, and the additional safeguards below should apply to some of the strings in those sectors:

  1. At the time of registration, the registry operator must verify and validate the registrants’ authorisations, charters, licenses and/or other related credentials for participation in that sector.
  2. In case of doubt with regard to the authenticity of licenses or credentials, Registry Operators should consult with relevant national supervisory authorities, or their equivalents.
  3. The registry operator must conduct periodic post-­‐registration checks to ensure registrants’ validity and compliance with the above requirements in order to ensure they continue to conform to appropriate regulations and licensing requirements and generally conduct their activities in the interests of the consumers they serve.

Category 2

Restricted Registration Policies

The GAC advises the ICANN Board:

  1. Restricted Access:

    As an exception to the general rule that the gTLD domain name space is operated in an open manner registration may be restricted, in particular for strings mentioned under category 1 above. In these cases, the registration restrictions should be appropriate for the types of risks associated with the TLD. The registry operator should administer access in these kinds of registries in a transparent way that does not give an undue preference to any registrars or registrants, including itself, and shall not subject registrars or registrants to an undue disadvantage.

  2. Exclusive Access:

    For strings representing generic terms, exclusive registry access should serve a public interest goal. In the current round, the GAC has identified the following non-exhaustive list of strings that it considers to be generic terms, where the applicant is currently proposing to provide exclusive registry access:

    • .antivirus, .app, .autoinsurance, .baby, .beauty, .blog, .book, .broker, .carinsurance, .cars, .cloud, .courses, .cpa, .cruise, .data, .dvr, .financialaid, .flowers, .food, .game, .grocery, .hair, .hotel, .hotels .insurance, .jewelry, .mail, .makeup, .map, .mobile, .motorcycles, .movie, .music, .news, .phone, .salon, .search, .shop, .show, .skin, .song, .store, .tennis, .theater, .theatre, .tires, .tunes, .video, .watches, .weather, .yachts, .クラウド [cloud], .ストア [store], .セール [sale], .ファッション [fashion], .家電 [consumer electronics], .手表 [watches], .書籍 [book], .珠宝 [jewelry], .通販 [online shopping], .食品 [food]