FFML-TLD-domain-policies

This document contains:

1. gTLD Acceptable Use and Takedown Policy

2. DATA PROTECTION AND PRIVACY POLICY

3. Reserved Names Policy

4. WHOIS POLICY

1. gTLD Acceptable Use and Takedown Policy

Version 1.0

(„Acceptable Use Policy“)

What is in the Acceptable Use Policy?

As the owner of a domain name, you are required to act responsibly inyour use of that domain and in accordance with this policy. Abusive or malicious conduct in registration of your domain name or incontent on a website will not be tolerated by the Registry. The Registry will act as set out in this Acceptable Use Policy to deal withabusive or malicious conduct of which it becomes aware or which is brought to its attention.

In all cases the Registry reserves the right to bring offending sites intocompliance using any of the methods set out in this policy, or others asmay be necessary in exceptional cases, whether or not stated in thispolicy.

Should a complaint be made, the Registry (or its designees) will alert itsrelevant Registrar partners about any identified threats, and will workclosely with them.

Who can bring a complaint under the Acceptable Use Policy?

The Acceptable Use Policy may be triggered through a variety ofchannels, including, among other things, private complaint, public alert,government or enforcement agency outreach, and the on-goingmonitoring by the Registry or its partners.

What actions can constitute abusive or malicious conduct?

“Abuse” or “malicious conduct” includes but is not limited to:

Infringement of Intellectual Property; which includes, but is not limitedto, passing off as the brand of another, unauthorised distribution ofcopyrighted material or the sale of counterfeit goods.
Phishing; a criminal activity employing tactics to defraud and defameInternet users via sensitive information with the intent to steal orexpose credentials, money or identities.
Malware; malicious software that was intentionally developed toinfiltrate or damage a computer, mobile device, software and/or operating infrastructure or website without the consent of the owner orauthorized party. This includes, amongst others, viruses, trojan horses, and worms.
Domain Name or Domain Theft; the act of changing the registration of adomain name without the permission of its original registrant.
Botnet Command and Control; services run on a domain name that isused to control a collection of compromised computers or “zombies,” orto direct Distributed Denial of Service attacks (“DDoS attacks”)
Distribution of Malware; the intentional creation and intentional orunintentional distribution of “malicious” software designed to infiltratea computer system without the owner’s consent, including, withoutlimitation, computer viruses, worms, keyloggers and trojan horses.
Fast Flux Attacks / Hosting; a technique used to shelter phishing,pharming and malware sites and networks from detection and tofrustrate methods employed to defend against such practices, wherebythe IP addresses associated with fraudulent sites are changed rapidly soas to make the true location of the sites difficult to find.
Hacking; the attempt to gain unauthorized access (or exceed the level ofauthorized access) to a computer, information system, user account orprofile, database, or security system.
Pharming; the redirecting of unknown users to fraudulent sites orservices, typically through, but not limited to, DNS hijacking orpoisoning.
Spam; the use of electronic messaging systems to send unsolicited bulkmessages. The term applies to email spam and similar abuses such asinstant messaging spam, mobile messaging spam, and spamming ofwebsites and Internet forums.
Child Pornography; the storage, publication, display and/or dissemination of pornographic materials depicting individuals under thelegal age in the relevant jurisdiction.
If the domain name is being used in a manner that appears to threatenthe stability, integrity or security of the Registry, or any of its Registrarpartners and/or that may put the safety and security of any registrantor user at risk, the domain name may be cancelled or suspended by theRegistry or any of the actions listed in the “what we can do” sectionbelow.

How do I complain? Abuse Point of Contact

All complaints should be addressed to: abuse@famousfourmedia.com

Certain registries require an APM seal to be displayed on the homepageof your domain name. Implementing the seal is extremely easy andinstructions will be provided to you when you register.

If you do not plan on using your domain for a website immediately, or atall or there are other reasons why this is not technically possible, pleaselet us know by completing a self-exception form, details of which will besent to you upon registration.

Our automated systems will check any website hosted on your domain in120 days from the registration of your domain. If your website is active,and the APM seal not be found, you will be notified and have 30 days toenact the seal. Should the seal not be enacted within that time, theRegistry reserves the right to suspend your domain.

Should your domain be ready for testing before the 120 day period haselapsed, simply click the relevant link in the instructions sent to you tostart the validation process immediately.

What happens to your complaint?

We operate a policy of Rapid Domain Compliance, meaning we willprovide a timely response to abuse complaints concerning all namesregistered in the gTLD by Registrars and their resellers.

The Registry Operator’s customer support team is operational 24/7/365. We will endeavour (but cannot guarantee) to address and potentiallyrectify the issue as it pertains to all forms of abuse and fraud within 24hours.

Once abusive behaviour is detected or reported, the customer supportcentre immediately creates a support ticket in order to monitor andtrack the issue through resolution.

A preliminary assessment will be performed in order to determinewhether the abuse claim is legitimate. The Registry will usecommercially reasonable efforts to verify the information in thecomplaint.

If that information can be verified to the best of the ability of theRegistry, the sponsoring Registrar will be notified and Registrar willendeavour to investigate the activity within 12 hours and either takedown the domain name by placing the domain name on hold or bydeleting the domain name in its entirety, or to provide a compellingargument to the Registry to keep the name in the zone.

If the Registrar has not taken the requested action after the 12-hourperiod (i.e., is unresponsive to the request or refuses to take action),the Registry may place the domain on “hold”.

We will classify each incidence of legitimately reported abuse into twocategories based on the probable severity and immediacy of harm toregistrants and Internet users.

Category 1:

Probable Severity or Immediacy of Harm: Low
Examples of types of abusive behaviour: Spam, Malware
Mitigation steps:
Investigate
Notify registrant
Response times – up to 3 days depending on severity.

Category 2:

Probable Severity or Immediacy of Harm: Medium to High
Examples of types of abusive behaviour: Fast Flux Hosting,Phishing, Illegal Access to other Computers or Networks, Pharming,Botnet command and control
Mitigation steps:
Investigate
Notify registrant
Response times – up to 5 days depending on severity.

Uniform Rapid Suspension system (“URS”)

We are obliged to follow ICANN’s requirements in respect of URS3. Alldefinitions in this section are as per the website.

The URS rules and procedures and all URS related definitions used in this policy are available on ICANN’s website at

newgtlds.icann.org/en/applicants/urs/

URS Lock: If a URS Provider has instructed us to set up a URS Lock, weare obliged to activate the following EPP-statuses in respect of theaffected domain name:

ServerUpdateProhibited
ServerTransferProhibited
ServerDeleteProhibited

URS Suspension: If a URS Provider has instructed us to set up a URSSuspension, we are obliged to redirect the suspended domain name to awebpage that mentions that the URL has been suspended due to a URSComplaint.

URS Rollback: If a URS Provider instructs us to „roll-back“ a suspendedor locked domain name, we will restore the original information on thedomain name at the time of the suspension or lock.

Domain Name Life Cycle: We are obliged to follow the normal domainname life-cycle for a URS Locked domain name. If a domain name that issubject to a URS procedure is purged (if we operate a Redemption GracePeriod) or deleted, the URS procedure will automatically terminate.Extension In the case where a URS Complainant has prevailed, theRegistry Operator MUST offer the option for the URS Complainant toextend a URS Suspended domain name’s registration for an additionalyear. The Registrar MUST pay the renewal fee for such domain name tothe Registry Operator.

What we can do.

We reserve the right for the Registry, at our sole discretion and withoutnotice to any other party, to take the appropriate actions (whetheradministrative, operational or otherwise) based on the type of abuse,including but not limited to:

lock down of the domain name preventing any changes to the contactand name server information associated with the domain name.placing the domain name “on hold” rendering the domain name nonresolvableor transferring the domain name to another Registrar.
substituting name servers in cases in which the domain name isassociated with an existing law enforcement investigation in order tocollect information about the DNS queries and when appropriate, wewill share information with law enforcement to assist the investigation.cancelling or transferring or taking ownership of any domain name,either temporarily or permanently.
denying attempted registrations from repeat violators (see the Sectionon registrant Disqualification, below).
using relevant technological services, whether our own or third party,such as computer forensics and information security.
sharing relevant information on abuse with other registries, Registrars,ccTLDs, law enforcement authorities (see , security professionals, etcnot only on abusive domain name registrations within its own gTLD, butalso information uncovered with respect to domain names in otherregistries to enable such parties to take appropriate action.

We may also take preventative measures at our sole discretion including(without limitation):

DNSSEC deployment which reduces the opportunity for pharming andother man-in-the-middle attacks.

Why will we act?

We will always endeavour to act with reasonable cause. Some examples of where we might act (not limited):

protecting the integrity and stability of the Registry.
complying with any applicable laws, government rules, ICANN or courtorders or requirements, requests or orders of law enforcement, or anydispute resolution process.
avoiding any liability, civil or criminal, on the part of the Registry as wellas its affiliates, subsidiaries, officers, directors, and employees.
if required by the terms of the registration agreement or the registryRegistrar agreement or ICANN.
to correct mistakes made by the Registry or any Registrar in connectionwith a domain name registration.
during resolution of a dispute of any sort whether or not the disputeappears to be unmerited or unsubstantiated.

What to do if you feel we have taken inappropriate action to deal with abuse or alleged abuse.

We take our goal of tackling abuse extremely seriously and we willalways endeavour to take prompt action as set out in this AcceptableUse Policy to deal with abuse or alleged abuse when we believe thatthere is reasonable justification for the complaint.

However, we are not an adjudicator of any dispute between partiesand cannot and do not accept any responsibility for any loss ordamage you or anyone else may suffer as a result of any action oromission by us or by anyone else under this Acceptable Use Policy. If you have an issue with abuse that we are unable to assist with,please approach the appropriate forum for dispute resolution. We will be able to act in the case that you are able to provide:

the final determination of an internationally recogniseddispute resolution body or a court of law, settling theinter-parties dispute in your favour or which otherwisemandates us to act as you request.
any requirement of ICANN or other recognised authoritywhich mandates us to act as you request.In the case of a wrongful transfer of a domain name, you may alsoprovide written agreement of the Registrar of record and the gainingRegistrar sent by email, letter or fax that the transfer was made bymistake or procedural error or was unauthorised(http://archive.icann.org/en/transfers/policy-12jul04.htm)

All notices served under this section should be served by email to

clo@famousfourmedia.com or otherwise addressed to:

Chief Legal Officer
Famous Four Media
2nd floor, Leisure Island Business Centre
Ocean Village
Gibraltar

Proof of posting is not proof of delivery. You are responsible for allcosts, fees, damages and other expenses relating to any action youtake, or which you require us to take, under this section.

How we work with law enforcement

The Registry will respond to legitimate law enforcement inquiries withinone business day from receiving the request. Such a response shallinclude, at a minimum, an acknowledgement of receipt of the request,questions or comments concerning the request, and an outline of thenext steps to be taken by the Registry for rapid resolution of therequest.

In the event such request involves any of the activities which can bevalidated by the Registry and involves the type of activity set out in theAcceptable Use Policy, the sponsoring Registrar will endeavour tofurther investigate the activity within 24 hours and either take down thedomain name by placing the domain name on hold or by deleting thedomain name in its entirety or providing a compelling argument to theRegistry to keep the name in the zone.

If the Registrar is not able to take the requested action after 24 hours orif the matter is urgent, (i.e., is unresponsive to the request or refuses totake action), the Registry may place the domain on “hold”.

How we disqualify registrants.

Registrant disqualification provides an additional disincentive forqualified registrants to maintain abusive registrations in that it puts atrisk even otherwise non-abusive registrations, through the possible lossof all registrations.

Registrants, their agents or affiliates found through the application ofthe Acceptable Use Policy to have repeatedly engaged in abusiveregistration may be disqualified from maintaining any registrations ormaking future registrations.

This will be triggered when the registry backend services provider’srecords indicate that a registrant has had action taken against it anunusual number of times through the application of our Acceptable UsePolicy.

In addition, name servers that are found to be associated only withfraudulent registrations may be added to a local blacklist and anyexisting or new registration that uses such fraudulent NS record will beinvestigated.

The disqualification of ‘bad actors’ and the creation of blacklistsmitigates the potential for abuse by preventing individuals known toengage in such behaviour from registering domain names. For a registrant to be placed on a list of bad actors, the Registry willexamine the factors noted above, and such determination shall be madeby the Registry at its sole discretion.

Once the Registry determines that a registrant should be placed ontothe list of bad actors, the Registry will notify its Registry backendservices provider, who will be instructed to cause all of the registrant’ssecond-level domains in the gTLD to resolve to a page which notes thatthe domain has been disabled for abuse-related reasons.

The second-level domains at issue will remain in this state until theexpiration of the registrant’s registration term or a decision from aUDRP panel or court of competent jurisdiction requires the transfer orcancellation of such domains.

Leisure Island Business Centre
23, Ocean Village Promenade
Gibraltar GX11 1AA
P: +350 216 50 000
E: pyoung@famousfourmedia.com
W: www.famousfourmedia.com

Famous Four Media Limited, registered in Gibraltar with company no. 105658 and Registered Office at 6A Queensway, Gibraltar.

2. DATA PROTECTION AND PRIVACY POLICY

Version 1.0

What personal data does the Registry collect?

The Registry Operator will collect all registrant data required byspecification 4 of the Registry Agreement with ICANN. This datais provided to us by the registrant’s domain Registrar for thepurpose of operating the Registry Operator’s WHOIS directoryIf you are an individual registrant, the collected data will includepersonal details which you provide to the Registrar which may beconsidered sensitive and from which you may be personallyidentifiable (“Personal Data”).

As part of our commitment to compliance with data privacyrequirements, and to reflect changes in Registry Operatoroperating procedures, we may need to update the terms of thispolicy from time-to-time.

How do we process data?

We will only use data provided to us about any registrant,including Personal Data, for the following purposes:

inclusion in the said searchable WHOIS directory providingfree public query-based access to the details as required byclauses 1.5 and 1.6 of specification 4 of the RegistryAgreement (please see our WHOIS Policy);
research on an anonymised amalgamated statistical basis;
day to day operations of the Registry Operator, includingemail contact by the Registry Operator with the registrant asrequired in accordance with our Acceptable Use Policy;
to our service providers which/who provide legal, accounting,delivery, installation, systems support, escrow, marketing,clearinghouse and directory services on our behalf;
as may be required by law enforcement agencies or a courtorder or other compulsory operation of law applicable to theRegistry Operator;
as may be required by ICANN in accordance with a zone fileaccess request in accordance with specification 4 of theRegistry Agreement.

For more information please contact abuse@famousfourmedia.com

Third party use:

We will only share Personal Data with third parties as statedabove. Our service providers companies are prohibited fromretaining, sharing, storing or using Personal Data for anysecondary purposes. However, please note that these thirdparties may use cookies and action tags to measure advertisingeffectiveness on an anonymous basis.

We will never sell Personal Data to a third party. However, wecannot control the use made by third parties of WHOIS datawhich is in the public domain and is searchable globally. Wedisclaim all liability for any misuse of the data made by a thirdparty of WHOIS data.

We will also provide Personal Data to third parties when obligedby applicable law. We may also provide such information wherelegal action is proceeding or contemplated or as requested by alegitimate law enforcement agency.

How can you correct or delete Data if you are a registrant?

We only accept registrant data from the relevant Registrar. In thecase that you may wish to access, update, correct, rectify ordelete Personal Data, please contact the relevant Registrar. In case that the Registrar has failed to take the appropriateaction within the timelines they have specified, you may contactyour national data protection or information commissioner or our abuse point of contact: abuse@famousfourmedia.com

Please note that deactivation an account with the Registrar doesnot mean that relevant that Personal Data for that account hasbeen deleted from our database entirely. While as a general rulewe will not retain Personal Data records for more than two yearsafter the expiry of the relevant domain name registration, wereserve the right to retain and use Personal Data for longer inorder to comply with our legal obligations, resolve disputes or toenforce our agreements.

How do we prevent unauthorised access to Personal Data?

We have implemented the appropriate technical andorganizational security measures to protect Personal Data,including internal security procedures that restrict access to anddisclosure of Personal Data.

We also use encryption, firewalls and other technology andsecurity procedures to help ensure the accuracy and security ofPersonal Data and to prevent unauthorized access or improperuse.

We will also cooperate with duly authorised law enforcementagencies regarding any allegations of abuse or violation of systemor network security as set out in our Acceptable Use Policy.

Regulatory:

Any party who feels that its data protection issue has not beendealt with appropriately under the Registrar’s procedures canconsult the Registry Operator’s Acceptable Use Policy and maysubmit a data protection complaint directly to the Registry at abuse@famousfourmedia.com or contact the Gibraltar Regulatory Authority.

Further data protection issues can be raised with:

The Gibraltar Regulatory Authority
Suite 603, Europort
Gibraltar GX11 1AA
Tel:(+350) 20074636
Fax:(+350) 20072166

Email:

www.gra.gi/index.php

%20us

3. Reserved Names Policy

Version 1.0

Registry Operator Obligations

Except to the extent that ICANN otherwise expressly authorises in writing, theRegistry Operator is obliged to comply with the requirements set out inClause 2.6 and Specification 5 of the Registry Agreement.

Right to reserve domain names

The Registry Operator may at any time establish or modify policiesconcerning Registry Operator’s ability to reserve (i.e. withhold fromregistration or allocate to the Registry Operator) or block any characterstrings within the TLD at its discretion. The Registry Operatorhas the right to reserve any unallocated domain names at any time andreserves the right to sell certain domain names at a premium at its discretion. Registry Operator’s Use

Registry Operator may activate in the DNS at all levels up to 100 names (plusIDN variants where applicable) necessary for the operation or the promotionof the TLD as set out in Section 3.2 of Specification 5. All such withheld orallocated names may be released for registration to another person or entityat Registry Operator’s discretion in compliance with the Registry Agreement.Other Uses EXAMPLE: The ASCII label “EXAMPLE” has been allocated to Registry Operator at thesecond level within the TLD at which Registry Operator offers registrations.

Two character labels

All two character ASCII labels have been either withheld from registration orallocated to Registry Operator at the second level, provided that such twocharacterlabel strings may be released to the extent that Registry Operatorreaches agreement with the related government or ICANN as set out inSection 2 of Specification 5.

WWW,RDDS, WHOIS, NIC.

The following ASCII labels have been allocated to Registry Operator at alllevels for use in connection with the operation of the registry for the TLD:WWW, RDDS, WHOIS and NIC and may not be released to a third party.

International Olympic Committee; International Red Cross and Red Crescent Movement and other IGOs and INGOs

As instructed from time to time by ICANN, the names (including their IDNvariants, where applicable) relating to the International Olympic Committee,International Red Cross and Red Crescent Movement listed at www.icann.org/en/resources/registries/reserved and any other IGOsand INGOs identified as part of an ICANN Policy Development Process shall bewithheld from registration or allocated to Registry Operator at the secondlevel within the TLD. Additional International Olympic Committee, International Red Cross and Red Crescent Movement names (including theirIDN variants) IGO or INGO identifiers may be added to the list upon ten (10)calendar days‘ notice from ICANN to Registry Operator. Such names may notbe activated in the DNS, and may not be released for registration to anyperson or entity other than Registry Operator.

What if there are more IGOs or INGOs with an interest in the same domain names?

Where there are competing rights to any label, the Registry reserves the right(but is not obliged) to place a hold on the label and/or to notify other partieswith an interest or potential interest („Potential Parties“) in the string in thecase there is an applicant for the label. Depending on the response from thePotential Parties, the Registry Operator reserves the right to write to ICANNto seek advice on how to allocate the label or to determine another basis forallocation, based on all the circumstances.

Countries and Territories

Country and territory names contained in the following internationallyrecognized lists shall be initially reserved at the second level and at all otherlevels within the TLD at which the Registry Operator provides forregistrations:

the short form (in English) of all country and territory names containedon the ISO 3166-1 list, as updated from time to time, including theEuropean Union, which is exceptionally reserved on the ISO 3166-1 list,and its scope extended in August 1999 to any application needing torepresent the name European Union http://www.iso.org/iso/support/country_codes/iso_3166_code_lists/iso-3166-1_decoding_table.htm#EU>;
the United Nations Group of Experts on Geographical Names, TechnicalReference Manual for the Standardization of Geographical Names, PartIII Names of Countries of the World; and
the list of United Nations member states in 6 official United Nationslanguages prepared by the Working Group on Country Names of theUnited Nations Conference on the Standardization of GeographicalNames”.

The Registry will reserve all labels appearing on the above referenced listsfrom time to time, and prevent registration, delegation or use of such namesin accordance with ICANN requirements and as described above.

Note on Capital Cities:

While capital city names are not required by ICANN to be reserved orwithheld from registration, Registry Operator implements a Capital City Claim(CCC) service whereby additional protection will be granted to the capital citynames of a country or territory listed in the ISO 3166-1 standard as follows:

A prospective registrant applying to register a domain name identical to thecapital city name of a listed country or territory will receive a CCC notificationhighlighting that fact. The applicant must then agree to comply with allrequirements as to representations and warranties requested by the Registryas notified to them by ICANN, GAC or the official designate of the country orterritory in order to protect the reputation of the city as well as otherrelevant terms. From time to time,Registry Operator will send a notification in writing to the ICANN Government Advisory Committee (?GAC?) Chair advising on all capital city namesregistered. This process also applies during Sunrise and Landrush.

4. WHOIS POLICY Version 1.0

Thick WHOIS

The Registry Operator will include a thick searchable WHOIS database bothaccessible on port 43 as well as on port 80 (http) as required in specification4 of the Registry Agreement.

ICANN requirements

The WHOIS data will be held by the Registry Operator in accordance with itsRegistry Agreement with ICANN (“Registry Agreement”).The Registry Operator will also comply with all the security, WHOIS, andprivacy requirements required by ICANN whether in the Consensus orTemporary Policies (as defined in the Registry Agreement) or elsewhere.

Efforts to promote WHOIS Accuracy

The Registry Operator or its outsourced service provider will must performa biannual review of a random sampling of domain names within theapplied-for gTLD to test the accuracy and authenticity of the WHOISinformation. Registrars must verify WHOIS data for each record they haveregistered in the gTLD twice a year or as required by the relevant ICANNconsensus policy or accreditation agreement.

The Registry Operator will examine WHOIS data for evidence of inaccurateor incomplete WHOIS information. In the event that such errors or missinginformation exists, it shall be forwarded to the relevant Registrar, who shallbe required to address such deficiencies with the relevant registrants. All registrants are required to provide accurate WHOIS contact details, andto keep those details current.

Registrars are obliged to obtain accurate WHOIS information from allregistrants and to submit this data to the Registry for information for alldomain names they sponsor.

Correcting errors

The registrant’s first point of contact for correcting any WHOIS error is theRegistrar. Registrar shall accept written complaints from a registrant or anythird party regarding false and/or inaccurate WHOIS data which they arerequired to investigate and to correct in accordance with their guidelines.