FFML TLD domain policies
This document contains:
1. gTLD Acceptable Use and Takedown Policy
4. WHOIS POLICY
1. gTLD Acceptable Use and Takedown Policy
("Acceptable Use Policy")
What is in the Acceptable Use Policy?
As the owner of a domain name, you are required to act responsibly in
your use of that domain and in accordance with this policy.
Abusive or malicious conduct in registration of your domain name or in
content on a website will not be tolerated by the Registry.
The Registry will act as set out in this Acceptable Use Policy to deal with
abusive or malicious conduct of which it becomes aware or which is
brought to its attention.
In all cases the Registry reserves the right to bring offending sites into
compliance using any of the methods set out in this policy, or others as
may be necessary in exceptional cases, whether or not stated in this
Should a complaint be made, the Registry (or its designees) will alert its
relevant Registrar partners about any identified threats, and will work
closely with them.
Who can bring a complaint under the Acceptable Use Policy?
The Acceptable Use Policy may be triggered through a variety of
channels, including, among other things, private complaint, public alert,
government or enforcement agency outreach, and the on-going
monitoring by the Registry or its partners.
What actions can constitute abusive or malicious conduct?
“Abuse” or “malicious conduct” includes but is not limited to:
- Infringement of Intellectual Property; which includes, but is not limited
to, passing off as the brand of another, unauthorised distribution of
copyrighted material or the sale of counterfeit goods.
- Phishing; a criminal activity employing tactics to defraud and defame
Internet users via sensitive information with the intent to steal or
expose credentials, money or identities.
- Malware; malicious software that was intentionally developed to
infiltrate or damage a computer, mobile device, software and/or
operating infrastructure or website without the consent of the owner or
authorized party. This includes, amongst others, viruses, trojan horses, and worms.
- Domain Name or Domain Theft; the act of changing the registration of a
domain name without the permission of its original registrant.
- Botnet Command and Control; services run on a domain name that is
used to control a collection of compromised computers or “zombies,” or
to direct Distributed Denial of Service attacks (“DDoS attacks”).
- Distribution of Malware; the intentional creation and intentional or
unintentional distribution of “malicious” software designed to infiltrate
a computer system without the owner’s consent, including, without
limitation, computer viruses, worms, keyloggers and trojan horses.
- Fast Flux Attacks / Hosting; a technique used to shelter phishing,
pharming and malware sites and networks from detection and to
frustrate methods employed to defend against such practices, whereby
the IP addresses associated with fraudulent sites are changed rapidly so
as to make the true location of the sites difficult to find.
- Hacking; the attempt to gain unauthorized access (or exceed the level of
authorized access) to a computer, information system, user account or
profile, database, or security system.
- Pharming; the redirecting of unknown users to fraudulent sites or
services, typically through, but not limited to, DNS hijacking or
- Spam; the use of electronic messaging systems to send unsolicited bulk
messages. The term applies to email spam and similar abuses such as
instant messaging spam, mobile messaging spam, and spamming of
websites and Internet forums.
- Child Pornography; the storage, publication, display and/or
dissemination of pornographic materials depicting individuals under the
legal age in the relevant jurisdiction.
- If the domain name is being used in a manner that appears to threaten
the stability, integrity or security of the Registry, or any of its Registrar
partners and/or that may put the safety and security of any registrant
or user at risk, the domain name may be cancelled or suspended by the
Registry or any of the actions listed in the “what we can do” section
How do I complain? Abuse Point of Contact
All complaints should be addressed to: firstname.lastname@example.org
Certain registries require an APM seal to be displayed on the homepage
of your domain name. Implementing the seal is extremely easy and
instructions will be provided to you when you register.
If you do not plan on using your domain for a website immediately, or at
all or there are other reasons why this is not technically possible, please
let us know by completing a self-exception form, details of which will be
sent to you upon registration.
Our automated systems will check any website hosted on your domain in
120 days from the registration of your domain. If your website is active,
and the APM seal is not found, you will be notified and have 30 days to
enact the seal. Should the seal not be enacted within that time, the
Registry reserves the right to suspend your domain.
Should your domain be ready for testing before the 120 day period has
elapsed, simply click the relevant link in the instructions sent to you to
start the validation process immediately.
What happens to your complaint?
We operate a policy of Rapid Domain Compliance, meaning we will
provide a timely response to abuse complaints concerning all names
registered in the gTLD by Registrars and their resellers.
The Registry Operator's customer support team is operational 24/7/365.
We will endeavour (but cannot guarantee) to address and potentially
rectify the issue as it pertains to all forms of abuse and fraud within 24
Once abusive behaviour is detected or reported, the customer support
centre immediately creates a support ticket in order to monitor and
track the issue through resolution.
A preliminary assessment will be performed in order to determine
whether the abuse claim is legitimate. The Registry will use
commercially reasonable efforts to verify the information in the
If that information can be verified to the best of the ability of the
Registry, the sponsoring Registrar will be notified and Registrar will
endeavour to investigate the activity within 12 hours and either take
down the domain name by placing the domain name on hold or by
deleting the domain name in its entirety, or to provide a compelling
argument to the Registry to keep the name in the zone.
If the Registrar has not taken the requested action after the 12-hour
period (i.e., is unresponsive to the request or refuses to take action),
the Registry may place the domain on “hold”.
We will classify each incidence of legitimately reported abuse into two
categories based on the probable severity and immediacy of harm to
registrants and Internet users.
- Probable Severity or Immediacy of Harm: Low
- Examples of types of abusive behaviour: Spam, Malware
- Mitigation steps:
- Notify registrant
- Response times – up to 3 days depending on severity.
- Probable Severity or Immediacy of Harm: Medium to High
- Examples of types of abusive behaviour: Fast Flux Hosting,
Phishing, Illegal Access to other Computers or Networks, Pharming,
Botnet command and control
- Mitigation steps:
- Notify registrant
- Response times – up to 5 days depending on severity.
Uniform Rapid Suspension system (“URS”)
We are obliged to follow ICANN's requirements in respect of URS. All
definitions in this section are as per the website.
rules and procedures and all URS related definitions used in this policy are available on ICANN's website at
URS Lock: If a URS Provider has instructed us to set up a URS Lock, we
are obliged to activate the following EPP-statuses in respect of the
affected domain name:
URS Suspension: If a URS Provider has instructed us to set up a URS
Suspension, we are obliged to redirect the suspended domain name to a
webpage that mentions that the URL has been suspended due to a URS
URS Rollback: If a URS Provider instructs us to "roll-back" a suspended
or locked domain name, we will restore the original information on the
domain name at the time of the suspension or lock.
Domain Name Life Cycle: We are obliged to follow the normal domain
name life-cycle for a URS Locked domain name. If a domain name that is
subject to a URS procedure is purged (if we operate a Redemption Grace
Period) or deleted, the URS procedure will automatically terminate.
Extension: In the case where a URS Complainant has prevailed, the
Registry Operator MUST offer the option for the URS Complainant to
extend a URS Suspended domain name's registration for an additional
year. The Registrar MUST pay the renewal fee for such domain name to
the Registry Operator.
What we can do.
We reserve the right for the Registry, at our sole discretion and without
notice to any other party, to take the appropriate actions (whether
administrative, operational or otherwise) based on the type of abuse,
including but not limited to:
- lock down of the domain name preventing any changes to the contact
and name server information associated with the domain name.
- placing the domain name “on hold” rendering the domain name non-resolvable
or transferring the domain name to another Registrar.
- substituting name servers in cases in which the domain name is
associated with an existing law enforcement investigation in order to
collect information about the DNS queries and when appropriate, we
will share information with law enforcement to assist the investigation.
- cancelling or transferring or taking ownership of any domain name,
either temporarily or permanently.
- denying attempted registrations from repeat violators (see the Section
on registrant Disqualification, below).
- using relevant technological services, whether our own or third party,
such as computer forensics and information security.
- sharing relevant information on abuse with other registries, Registrars,
ccTLDs, law enforcement authorities (see , security professionals, etc
not only on abusive domain name registrations within its own gTLD, but
also information uncovered with respect to domain names in other
registries to enable such parties to take appropriate action.
We may also take preventative measures at our sole discretion including
DNSSEC deployment which reduces the opportunity for pharming and
other man-in-the-middle attacks.
Why will we act?
We will always endeavour to act with reasonable cause. Some examples
of where we might act (not limited):
- protecting the integrity and stability of the Registry.
- complying with any applicable laws, government rules, ICANN or court
orders or requirements, requests or orders of law enforcement, or any
dispute resolution process.
- avoiding any liability, civil or criminal, on the part of the Registry as well
as its affiliates, subsidiaries, officers, directors, and employees.
- if required by the terms of the registration agreement or the registry
Registrar agreement or ICANN.
- to correct mistakes made by the Registry or any Registrar in connection
with a domain name registration.
- during resolution of a dispute of any sort whether or not the dispute
appears to be unmerited or unsubstantiated.
What to do if you feel we have taken inappropriate action to deal with abuse or alleged abuse.
We take our goal of tackling abuse extremely seriously and we will
always endeavour to take prompt action as set out in this Acceptable
Use Policy to deal with abuse or alleged abuse when we believe that
there is reasonable justification for the complaint.
However, we are not an adjudicator of any dispute between parties
and cannot and do not accept any responsibility for any loss or
damage you or anyone else may suffer as a result of any action or
omission by us or by anyone else under this Acceptable Use Policy.
If you have an issue with abuse that we are unable to assist with,
please approach the appropriate forum for dispute resolution. We
will be able to act in the case that you are able to provide:
(i) the final determination of an internationally recognised
dispute resolution body or a court of law, settling the
inter-parties dispute in your favour or which otherwise
mandates us to act as you request.
(ii) any requirement of ICANN or other recognised authority
which mandates us to act as you request.
In the case of a wrongful transfer of a domain name, you may also
provide written agreement of the Registrar of record and the gaining
Registrar sent by email, letter or fax that the transfer was made by
mistake or procedural error or was unauthorised.
All notices served under this section should be served by email to
email@example.com or otherwise addressed to:
Chief Legal Officer
Famous Four Media
2nd floor, Leisure Island Business Centre
Proof of posting is not proof of delivery. You are responsible for all
costs, fees, damages and other expenses relating to any action you
take, or which you require us to take, under this section.
How we work with law enforcement
The Registry will respond to legitimate law enforcement inquiries within
one business day from receiving the request. Such a response shall
include, at a minimum, an acknowledgement of receipt of the request,
questions or comments concerning the request, and an outline of the
next steps to be taken by the Registry for rapid resolution of the
In the event such request involves any of the activities which can be
validated by the Registry and involves the type of activity set out in the
Acceptable Use Policy, the sponsoring Registrar will endeavour to
further investigate the activity within 24 hours and either take down the
domain name by placing the domain name on hold or by deleting the
domain name in its entirety or providing a compelling argument to the
Registry to keep the name in the zone.
If the Registrar is not able to take the requested action after 24 hours or
if the matter is urgent, (i.e., is unresponsive to the request or refuses to
take action), the Registry may place the domain on “hold”.
How we disqualify registrants.
Registrant disqualification provides an additional disincentive for
qualified registrants to maintain abusive registrations in that it puts at
risk even otherwise non-abusive registrations, through the possible loss
of all registrations.
Registrants, their agents or affiliates found through the application of
the Acceptable Use Policy to have repeatedly engaged in abusive
registration may be disqualified from maintaining any registrations or
making future registrations.
This will be triggered when the registry backend services provider’s
records indicate that a registrant has had action taken against it an
unusual number of times through the application of our Acceptable Use
In addition, name servers that are found to be associated only with
fraudulent registrations may be added to a local blacklist and any
existing or new registration that uses such fraudulent NS record will be
The disqualification of ‘bad actors’ and the creation of blacklists
mitigates the potential for abuse by preventing individuals known to
engage in such behaviour from registering domain names.
For a registrant to be placed on a list of bad actors, the Registry will
examine the factors noted above, and such determination shall be made
by the Registry at its sole discretion.
Once the Registry determines that a registrant should be placed onto
the list of bad actors, the Registry will notify its Registry backend
services provider, who will be instructed to cause all of the registrant’s
second-level domains in the gTLD to resolve to a page which notes that
the domain has been disabled for abuse-related reasons.
The second-level domains at issue will remain in this state until the
expiration of the registrant’s registration term or a decision from a
UDRP panel or court of competent jurisdiction requires the transfer or
cancellation of such domains.
Leisure Island Business Centre
23, Ocean Village Promenade
Gibraltar GX11 1AA
P: +350 216 50 000
Famous Four Media Limited, registered in Gibraltar with company no. 105658 and Registered Office at 6A Queensway, Gibraltar.
What personal data does the Registry collect?
The Registry Operator will collect all registrant data required by
specification 4 of the Registry Agreement with ICANN. This data
is provided to us by the registrant’s domain Registrar for the
purpose of operating the Registry Operator's WHOIS directory
If you are an individual registrant, the collected data will include
personal details which you provide to the Registrar which may be
considered sensitive and from which you may be personally
identifiable (“Personal Data”).
As part of our commitment to compliance with data privacy
requirements, and to reflect changes in Registry Operator
operating procedures, we may need to update the terms of this
policy from time-to-time.
How do we process data?
We will only use data provided to us about any registrant,
including Personal Data, for the following purposes:
- inclusion in the said searchable WHOIS directory providing
free public query-based access to the details as required by
clauses 1.5 and 1.6 of specification 4 of the Registry
Agreement (please see our WHOIS Policy);
- research on an anonymised amalgamated statistical basis;
- day to day operations of the Registry Operator, including
email contact by the Registry Operator with the registrant as
required in accordance with our Acceptable Use Policy;
- to our service providers which/who provide legal, accounting,
delivery, installation, systems support, escrow, marketing,
clearinghouse and directory services on our behalf;
- as may be required by law enforcement agencies or a court
order or other compulsory operation of law applicable to the
- as may be required by ICANN in accordance with a zone file
access request in accordance with specification 4 of the
For more information please contact firstname.lastname@example.org
Third party use:
We will only share Personal Data with third parties as stated
above. Our service provider companies are prohibited from
retaining, sharing, storing or using Personal Data for any
secondary purposes. However, please note that these third
effectiveness on an anonymous basis.
We will never sell Personal Data to a third party. However, we
cannot control the use made by third parties of WHOIS data
which is in the public domain and is searchable globally. We
disclaim all liability for any misuse of the data made by a third
party of WHOIS data.
We will also provide Personal Data to third parties when obliged
by applicable law. We may also provide such information where
legal action is proceeding or contemplated or as requested by a
legitimate law enforcement agency.
How can you correct or delete Data if you are a registrant?
We only accept registrant data from the relevant Registrar. In the
case that you may wish to access, update, correct, rectify or
delete Personal Data, please contact the relevant Registrar.
In case that the Registrar has failed to take the appropriate
action within the timelines they have specified, you may contact
your national data protection or information commissioner or
our abuse point of contact: email@example.com
Please note that deactivating an account with the Registrar does
not mean that the relevant Personal Data for that account has
been deleted from our database entirely. While as a general rule
we will not retain Personal Data records for more than two years
after the expiry of the relevant domain name registration, we
reserve the right to retain and use Personal Data for longer in
order to comply with our legal obligations, resolve disputes or to
enforce our agreements.
How do we prevent unauthorised access to Personal Data?
We have implemented the appropriate technical and
organizational security measures to protect Personal Data,
including internal security procedures that restrict access to and
disclosure of Personal Data.
We also use encryption, firewalls and other technology and
security procedures to help ensure the accuracy and security of
Personal Data and to prevent unauthorized access or improper
We will also cooperate with duly authorised law enforcement
agencies regarding any allegations of abuse or violation of system
or network security as set out in our Acceptable Use Policy.
Any party who feels that its data protection issue has not been
dealt with appropriately under the Registrar’s procedures can
consult the Registry Operator's Acceptable Use Policy and may
submit a data protection complaint directly to the Registry at
firstname.lastname@example.org or contact the Gibraltar
Further data protection issues can be raised with:
The Gibraltar Regulatory Authority
Suite 603, Europort
Gibraltar GX11 1AA
3. Reserved Names Policy
Registry Operator Obligations
Except to the extent that ICANN otherwise expressly authorises in writing, the
Registry Operator is obliged to comply with the requirements set out in
Clause 2.6 and Specification 5 of the Registry Agreement.
Right to reserve domain names
The Registry Operator may at any time establish or modify policies
concerning Registry Operator’s ability to reserve (i.e. withhold from
registration or allocate to the Registry Operator) or block any character
strings within the TLD at its discretion. The Registry Operator
has the right to reserve any unallocated domain names at any time and
reserves the right to sell certain domain names at a premium at its discretion.
Registry Operator's Use
Registry Operator may activate in the DNS at all levels up to 100 names (plus
IDN variants where applicable) necessary for the operation or the promotion
of the TLD as set out in Section 3.2 of Specification 5. All such withheld or
allocated names may be released for registration to another person or entity
at Registry Operator's discretion in compliance with the Registry Agreement.
Other Uses EXAMPLE: The ASCII label “EXAMPLE” has been allocated to Registry Operator at the
second level within the TLD at which Registry Operator offers registrations.
Two character labels
All two character ASCII labels have been either withheld from registration or
allocated to Registry Operator at the second level, provided that such two-character
label strings may be released to the extent that Registry Operator
reaches agreement with the related government or ICANN as set out in
Section 2 of Specification 5.
WWW, RDDS, WHOIS, NIC.
The following ASCII labels have been allocated to Registry Operator at all
levels for use in connection with the operation of the registry for the TLD:
WWW, RDDS, WHOIS and NIC and may not be released to a third party.
International Olympic Committee; International Red Cross and Red Crescent Movement and other IGOs and INGOs
As instructed from time to time by ICANN, the names (including their IDN
variants, where applicable) relating to the International Olympic Committee,
International Red Cross and Red Crescent Movement listed at
www.icann.org/en/resources/registries/reserved and any other IGOs
and INGOs identified as part of an ICANN Policy Development Process shall be
withheld from registration or allocated to Registry Operator at the second
level within the TLD. Additional International Olympic Committee,
International Red Cross and Red Crescent Movement names (including their
IDN variants) IGO or INGO identifiers may be added to the list upon ten (10)
calendar days' notice from ICANN to Registry Operator. Such names may not
be activated in the DNS, and may not be released for registration to any
person or entity other than Registry Operator.
What if there are more IGOs or INGOs with an interest in the same domain names?
Where there are competing rights to any label, the Registry reserves the right
(but is not obliged) to place a hold on the label and/or to notify other parties
with an interest or potential interest ("Potential Parties") in the string in the
case there is an applicant for the label. Depending on the response from the
Potential Parties, the Registry Operator reserves the right to write to ICANN
to seek advice on how to allocate the label or to determine another basis for
allocation, based on all the circumstances.
Countries and Territories
Country and territory names contained in the following internationally
recognized lists shall be initially reserved at the second level and at all other
levels within the TLD at which the Registry Operator provides for
- the short form (in English) of all country and territory names contained
on the ISO 3166-1 list, as updated from time to time, including the
European Union, which is exceptionally reserved on the ISO 3166-1 list,
and its scope extended in August 1999 to any application needing to
represent the name European Union
- the United Nations Group of Experts on Geographical Names, Technical
Reference Manual for the Standardization of Geographical Names, Part
III Names of Countries of the World; and
- the list of United Nations member states in 6 official United Nations
languages prepared by the Working Group on Country Names of the
United Nations Conference on the Standardization of Geographical
The Registry will reserve all labels appearing on the above referenced lists
from time to time, and prevent registration, delegation or use of such names
in accordance with ICANN requirements and as described above.
Note on Capital Cities:
While capital city names are not required by ICANN to be reserved or
withheld from registration, Registry Operator implements a Capital City Claim
(CCC) service whereby additional protection will be granted to the capital city
names of a country or territory listed in the ISO 3166-1 standard as follows:
A prospective registrant applying to register a domain name identical to the
capital city name of a listed country or territory will receive a CCC notification
highlighting that fact. The applicant must then agree to comply with all
requirements as to representations and warranties requested by the Registry
as notified to them by ICANN, GAC or the official designate of the country or
territory in order to protect the reputation of the city as well as other
relevant terms. From time to time,
Registry Operator will send a notification in writing to the ICANN Government
Advisory Committee (“GAC”) Chair advising on all capital city names
registered. This process also applies during Sunrise and Landrush.
4. WHOIS POLICY Version 1.0
The Registry Operator will include a thick searchable WHOIS database both
accessible on port 43 as well as on port 80 (http) as required in specification
4 of the Registry Agreement.
The WHOIS data will be held by the Registry Operator in accordance with its
Registry Agreement with ICANN (“Registry Agreement”).
The Registry Operator will also comply with all the security, WHOIS, and
privacy requirements required by ICANN whether in the Consensus or
Temporary Policies (as defined in the Registry Agreement) or elsewhere.
Efforts to promote WHOIS Accuracy
The Registry Operator or its outsourced service provider will perform
a biannual review of a random sampling of domain names within the
applied-for gTLD to test the accuracy and authenticity of the WHOIS
information. Registrars must verify WHOIS data for each record they have
registered in the gTLD twice a year or as required by the relevant ICANN
consensus policy or accreditation agreement.
The Registry Operator will examine WHOIS data for evidence of inaccurate
or incomplete WHOIS information. In the event that such errors or missing
information exists, it shall be forwarded to the relevant Registrar, who shall
be required to address such deficiencies with the relevant registrants.
All registrants are required to provide accurate WHOIS contact details, and
to keep those details current.
Registrars are obliged to obtain accurate WHOIS information from all
registrants and to submit this data to the Registry for information for all
domain names they sponsor.
The registrant's first point of contact for correcting any WHOIS error is the
Registrar. Registrar shall accept written complaints from a registrant or any
third party regarding false and/or inaccurate WHOIS data which they are
required to investigate and to correct in accordance with their guidelines.