I have seen the online future - and it sucks: the time has come for customer revolt

This morning I attended one of the consultation meetings on the Nominet proposals to reserve .uk. for those with a physical presence in the UK and to make address spoofing rather harder. The meeting was supposedly for public interest groups but much of the time was taken up by arguments against the proposals by a US lawyer hired by registrars who wish to perpetuate the dominance of the Internet addressing system by those whose business is selling domain names to the best payer: without regard to physical address, trading record,  whether they are to be used (and how, e.g. impersonation of those with a similar name or in support of fast flux), suppressed (including by large brands to prevent impersonation, parody or use by customer protest groups) or resold at a profit.

His clients appear to also be opposed to the improvement of security, apparently because it can never be perfect and therefore improvements would lead to false confidence.

I believe that if such arguments prevail, it will be only a matter of time before the overall Internet Addressing system is handed “back” to the ITU as an extension of telephone numbering in time for a world of ubiquitous computing in which most traffic will be over mobiles with security based on checking the physical address, sim card and/or geo-location

We should remember that the rise of the Internet as we know it was mainly because of the mess that the ITU made of X25 . The ITU is now in a more credible position because of its apparent success in handling IPV6 standards and its offer to “mediate” the types of patent dispute that destroyed RIM and threatened to derail the global move to smart phones. I fear that at WCIT the Western Internet community will win the battle but lose the war. Control over Internet addressing then will pass to national governments (including in the UK) unless current attempts to make it trustworthy succeed. The growing scale and nature of impersonation (both corporate and personal) and associate fraud and the tendancy of corporations to use civil law and tort (rather than criminal law) against those who fail to help them obtain redress mean the current situation is unsustainable. 

Hence the importance of putting the Nominet consultation into broader context – and having a large number of response from those who really do wish to improve confidence in the on-line world and get the other 70% of business transacting on-line.  

I am told that Nominet have so received 450 submissions. I fear that many, perhaps most, are from the registrar and ISP community – split between those who wish to preserve their current business models and those who wish to earn more from supplying genuinely trustworthy names. Meanwhile it is apparent that almost all outside the closed community are unaware that .co.uk does not mean the supposed business is based in the UK, or even has a physical address of any kind in the UK. This comes as a shock whenever it is mentioned.

As most readers will be only too well aware I am committed to improving trust in the on-line and in the UK as the best place to base a globally trusted on-line business. Hence the effort I am putting onto the competiton for ideas on how to achieve this. But neither will happen unless customers are able to make an informed choice to deal only with .uk domain names which mean what they say on the tin, linked to physical addresses with routines for enforceable redress when things go wrong.

Until that happens on-line business will continue to implode onto a small number of dominant brands which consumers think they  can “trust”. Most of these (other than banking, insurance and travel booking) are parented in the United States with their EU operations based in Ireland or Luxembourg. This avoids liability UK regulation (e.g. that on consumer credit) and disputes resolution (e.g. County Court) as well as VAT and Corporation tax. The sums quoted by those opposing the Nominet plans are trivial by comparison. Hence another reason why HMG will not back down on the “polite” pressure it has put on Nominet to set its house in order.

The initial Nominet proposals are not perfect. How they should be packaged and implemented is not obvious. That is why there is such a long period for dialogue and response. I plan to blog again when I have got my head round the current state of responses, including the suggestions for reconciling and addressing the differences between those who genuinely wish to have a domain name system that serves the interests of society as a whole and gives a fair reward to registrars who verify the domain names to those who want us to trust them, give true anonymity to those who want it, and enable the rest of us to tell which is which. And when I say “verify” and “anonymise” I mean “with as much certainty as is reasonable in a world where nothing is certain for longer than it takes the minds of the Dark Market to find a way round”.

So why am I so concerned with confidence in the on-line world – and why do I think the future currently in prospect sucks – unless, that is,  we have a consumer revolt against the internetties in their cyberghettoes?

The closure of our local NatWest Bank came as shock – then I read of a raid on the local Tesco barely a five days later. It became apparent that the response of Lambeth Police and Council to local policing, rather than the orignal incident, was the probable reason for the bank closure – and that Tescobank is unlikely to fill the gap. I fear that instead of spending my declining years in comfortable independence, with the support of easy to use, reliable, resilient on-line products and services to compensate for lack of mobility – I will starve to death, unable to order groceries for delivery by armoured Tescovan because my electronic credentials were hijacked after I visited Tesc0van by mistake or because I clicked on the link in an e-mail asking me to change my delivery schedule because ….     

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Dear Mr. Virgo,

Your description of events and positions taken is so incorrect that if I had not met you yesterday at the NomiNet meeting I would have believed that you had never attended. Either you did not hear/understand what was being said or you are being intellectually dishonest. I am Paul Keating. My email is paul@law.es. I am not hiding. Neither I nor my clients are trying to game the system or feather their nests.

NomiNet is proposing to open a new domain name extension at the 2nd level (.UK). For those readers unfamiliar, NomiNet already has many 3rd level extensions (.co.uk, .gov.uk, .me.uk, .ltd.uk, etc). Hence a current domain could be usedcars.co.uk. They are now proposing to introduce the 2nd level domain. Hence, one would be able to register usedcars.UK. This would operate in tandem with the existing 3rd level domains. Thus, the consumer will be faced with usedcars.co.uk AND usedcars.UK.

NomiNet’s entire reason for accomplishing the above is:

A. There have been anecdotal requests indicating some would like a 2nd level domain.

B. The addition of the new 2nd level domain structure would add to the security of the Internet, offering consumers additional confidence.

C. The plan would help UK businesses and thus the economy.

My objection to the “plan” was in 4 parts and I repeated each several times for you during the session you attended.

1. There is no evidence of economic demand or benefit in having a new .UK domain name. NomiNet did not undertake even a basic economic study as to this matter. This same proposal was rejected 11-0 by the board in 2005. One would think that this would have been sorted well before “engaging” the public – at a huge cost per company/person to participate.

2. The cost to UK businesses could exceed £50 Billion. NomiNet performed no study of the costs to UK businesses. UK Business would be forced to purchase the new .UK domain name and rebrand. Once .UK issued, 3rd level domains would lose value and become “un cool”. NomiNet did not consider, for example the cost to the likes of John Lewis who may be required to re-paint their fleet of trucks on all sides to change JohnLewis.co.uk to JohnLewis.UK. They have what 10,000 trucks? John Lewis may well be able to afford it but the majority of small businesses would not. Would taxpayers be asked to foot the bill for BBC to become BBC.UK instead of BBC.co.UK? And, this does not account the added cost of modifying websites and altering SEO and other marketing efforts so that the business continued to show up in relevant searches.

3. The proposed security provides no actual security for the consumer. Worse, the consumer is being defrauded into thinking things will more secure when they are not.

The additional NomiNet security was described as:

a. Personal verification of registrants;

b. Required use of DNSSEC;

c. Introduction of Malware detection at the NomiNet server level.

Personal Verification. The verification is limited to sending the registrant both an email and a letter by post. The registrant will have to respond to the email by visiting the NomiNet website to introduce a PIN which is supplied in the posted letter. Both addresses will be supplied by the registrant. This “security” merely tests that email actually functions and the postal service will in fact deliver a letter to the address provided. There is nothing in the proposal which would in any manner actually identify the registrant or assist in determining if it was a person/company with a real “UK presence”. Even Mr. * who runs Police.UK laughed at it.

DNSSEC. DNSSEC ensures communications are not intercepted between the browser and the point of origin. It verifies that your browser is communicating with the domain name that you intend. This is already available on all “UK” domain names. When your browser says it is showing HSBC.co.UK, it is.

NomiNet already offers DNSSEC on ALL domain names. You only have to pay £1.00 to NomiNet. However, only 2,500 out of over 10 MILLION registrants have registered for DNSSEC. Even NomiNet does not use DNSSEC on its own systems. For a not-for-profit holding over £8MILLION in cash and touting DNSSEC as “the” secure system, one wonders why. In fact, we were told by other participants that no UK banks or other “secure” service providers require DNSSEC. Why?

My point as to DNSSEC was that if it is to be implemented, it should be implemented for ALL domain name extensions and did not – of itself – justify the creation of the new 2nd level domain extension. To do otherwise would render the 3rd level extension to be “insecure”. DNSSEC is not a “reason” to offer the 2nd level domain.

Malware detection. We were told that NomiNet would install some sort of malware detection applicable only to the new domains. As explained, if malware were detected, the registrant would be notified and given an opportunity to correct the situation, failing which the domain name registration would be cancelled. The methodology was not explained. This would not halt malware. Those injecting malware tend to register a domain name, strike quickly, and then abandon the domain name in search of another. They have no intention to engage in discussion or solve the problem. Thus, the “bad apples” would be in and gone long before anything was accomplished.

As of September 20122, Nominet imposed rules that could allow law enforcement agencies to request a domain be shut down without a court order. NomiNet launched the process in response to a request from the Serious and Organised Crime Agency (SOCA). This seems to work. Use the current legal system.

As I repeatedly told you yesterday, my point is: (a) NomiNet are not experts in malware; (b) there are already private businesses who perform malware detection and are pushed by the market to continually improve and meet ever-changing threats; (c) the concern over false-positives would remain a burden to legitimate registrants; and, (d) the system would not halt the type of threat identified. And, as I pointed out, if it were a good system, it should be initiated as to all domain extensions and not simply the new one.

To succeed, security must provide security. To offer a system which provides no security but at the same time “market” it to consumers as security is nothing short of a fraud. It would be like finding out that all those scanners at Heathrow actually had nothing inside. Bad security systems bread reliance by the innocent while preventing no barrier to those who can easily skirt and exploit poorly designed systems. It is as if Nominet were creating a new Maginot Line.

So, as I repeatedly stated, I am in favor of security. The problem with the proposal was that the “security” being offerred was not security at all and moreover was not an excuse to create a new 2nd level extension. NomiNet has been charged with undertaking efforts to make the entirety of the system more secure. They should focus on what they have instead of running off half-cocked to create yet another system which would suffer from obvious problems while at the same time presenting huge costs to UK Businesses and providing no value to the consumer.

If the above were not sufficient, one must consider the uncertainty now injected into the marketplace by this “proposal”. We heard from actual online businesses who can no longer obtain capital investment because there was no assurance that the .co.uk online business being considered would remain relevant after the 2nd level was launched. Who would invest in a ABC.co.uk domain when there might be an ABC.UK domain? By analogy, NomiNet are the ECB who has published a proposal of Greece leaving the Euro and has been so poorly thought through the “proposal” that if it had been done by your elected officials you would have been on the phone to FM97.3 and written to The Guardian. In doing so, they have subjected every business (good or bad) to doom – financing has become non-existent. Fear and uncertainty prevails.

Follow the Money. Given that there was no marketing or risk assessment undertaken, one must ask why this is being considered at all, let alone in this fashion. The answer is “follow the money”.

NomiNet has suggested a price of £20 per domain. They currently have over 10 Million domains registered. If only 40% of the current registrations were undertaken, NomiNet would receive an added windfall of over £80,000,000 (80 MILLION POUNDS) EACH year for a cost of 0 (zero). This is amazing for a not-for-profit entity. The national treasury could do well with such a windfall.

The £80 Million is not the end. NomiNet has proposed that the new 2nd level be allocated in a step-process based on “rights”. In this process, conflicting claims of “rights” would result in an auction. Who might benefit from the auction? NomiNet of course. NomiNet would receive over £50 BILLION dollars. Let’s take a look at some possibilities.

NomiNet recently auctioned 1 & 2-letter .co.uk domain names. They marketed the auction as “.co.uk” “the place to be”. They obviously knew at the time that the .UK domains would be issued. The total windfall to NomiNet was over £3MILLION. The average high-value domain sold for over £39,000. How do you think that Chartered Institute of personnel and Development (CIPD) feels about having spent over £22,000? They must now pay NomiNet even more to protect this position by bidding in the .UK auction.

It is likely that purely descriptive domains in the 2nd level would achieve a substantially higher sum. If you are a scrabble player you are well aware of the number of good descriptive terms. A good comparison would be the current market prices for .co.uk domains. Here are a few examples:

Cruises.co.uk 1,100,000

webhosting.co.uk 500,000

Recycle.co.uk 308,000

Phones.co.uk 175,000

Software.co.uk 150,000

Sport.co.uk 135,000

Ink.co.uk 130,425

Mobile.co.uk 120,000

If one were to extrapolate, it is not unreasonable to see that NomiNet may receive over £50 BILLION in auction windfall from the auction process.

We have just seen headlines in FT that Mr. Osborne was “raiding” £35Billion from the QE surplus. Mr. Osborn of course was presumably going to use this for the government. NomiNet is a private not-for-profit entity. It is beholding to no one. It has no shareholders. It is supposed to deliver services at or about the level of costs. It pays no taxes. It has over £8 Million in the bank now. Does this not bother you? It certainly bothers me.

The allocation process. Aside from the windfall to NomiNet, will UK business benefit? No. What are “Rights”? Domains will first be awarded to holders of trademarks. If there were no trademarks, the domain would be awarded to the holders of unregistered prior “Rights”. Lastly, they would be available for new registrants. If there were any “conflict” (multiple applicants) at any stage, NomiNet would auction the domain to the highest bidder. So, let’s take a look at what might happen.

Trademark Allocation. Trademarks are not limited to the UK but instead include European trademarks and even US Trademarks. Thus, a US company could easily obtain a .UK 2nd level domain name even though existing UK businesses had a long-developed business using the 3rd level domain. Those without a trademark are simply left out. Remember that virtually every word in the English language is subject to some sort of trademark.

One can have a trademark in “car”, “truck”, “beer”, “bank”, etc. How can this be you might ask? A trademark can be registered as long as it is not generic – meaning it cannot be used to sell the very thing it describes – “cars” to sell automobiles. Thus, Apple Computer has “Apple” to sell computers. However, figurative trademarks are allowed. Thus a fleur-de-lis with “cars” can be registered to in fact sell automobiles. And, in the US, a descriptive mark can be registered merely by having declared that consumers recognize the mark as referring to the applicant – no proof required!

Unregistered Rights. Businesses as well as 2nd level domain registrants would compete only if the domain had not been taken by a trademark holder. Thus, the holder of usedcars.me.uk would have equal rights with the holder of usedcars.co.uk.

The Public. Lastly would come those who had no current rights – those say who wanted to start a new business.

In conclusion, NomiNet has publicly announced a “proposal” for upsetting the apple cart. There is no basis in need, demand or desire. They are attempting to sell the “proposal” on the basis of security which does not exist and even if it did should be applied to all domain names. Absent a sound basis, the only purpose must be kingdom building and money raising – that NomiNet must be doing this to gain a windfall of £50 BILLION. This tax is being imposed upon the UK internet business community. And, it is not all of it because every UK online business will have its own internal costs (the John Lewis trucks, the BBC, etc.). I see no help to the economy here. I see only a transfer of wealth from UK businesses to NomiNet. I for one would prefer the government assume control. At least the money would be used to pave the streets or, God forbid, provide for continued healthcare.

So, before you go on about that “US Attorney” stop and think abit. This is a scam and you are being scammed. That you did not see this after it was repeatedly explained says something. You have the right to freedom of speech. However, that right comes with a responsibility and you should have exercised that responsibility.

I am delighted you have gone on record with your position. It indicates clearly why the consultation is so important and Internet users, large and small, need to make their views known. This is not just an issue for registrars and ISPs. It goes to the heart of rebuidling confidence in the on-line world. As I said at the meeting - Nominet was given a "polite but firm deadline" by Ministers to start the process of tidying up the .UK domain name system (including the verification of applicants and resolution of disputes) before Government took over and did the job itself - or gave the role to Ofcom in the next Communications Bill. The proposals are not yet perfect - and the consultation is not over - but think of the alternatives. It may also be helpful to note that the electronic identity regulation (NB regulation not just directive) also imposes duties and liabilities with regard to website addresses as an electronic identity.