Colleagues,

Following up on my comments on today’s call, and without revisiting the underlying policy debate, I wanted to elaborate briefly on some of the processes we use already to identify associated domains using data and signals that are squarely within our operational control.

In practice, this is not a question of discovering new data, but of correlating existing indicators across registrations and post-registration activity. Common triggers we use include:

One report referencing multiple domains: very often, we see reports where reporters report more than one domain that they have detected through technical monitoring providers. When we see such reports, we analyse these domains for common denominators to check whether other domains match the same patterns.
Multiple reports referencing multiple domains: very often, we see multiple reports of similar domains at the same time or over a short amount of time. Agents recall these reports and start identifying common patterns that can be investigated.
Account-level linkage: on the end-customer level, we can detect other associated domains through shared registrant accounts. Note, some end customers are mere service providers (de-facto resellers).
Fraudulent payment transactions: (limited to end customer services) notices of payment fraud usually tend to lead to investigation of the services purchased with those transactions.
Linked accounts: sometimes, multiple end-customer accounts are detected that share billing credentials, payment instruments, common credentials.
Technical commonalities: repeated use of specific name servers, hosting infrastructure, IP ranges, particularly where patterns persist across otherwise distinct registrations.
Behavioural signals: synchronised registration timing
Common naming patterns: naming patterns such as bankname-country.TLD, phish54.TLD that immediately suggest the existence of similarly named (and used domains)
Account monitoring: in rare cases, new registrations with reseller accounts that have been determined to suffer from persistent abuse of their services by a threat actor may be monitored on a regular basis for suspicious signals matching one of the above triggers.

None of this requires speculative inference about intent; it is pattern recognition grounded in registrar-held data and already widely used for fraud prevention, AML-style controls, and contractual compliance.

The key policy point, in my view, is therefore not whether associated domains can be detected, but how expectations around the use of these existing capabilities should be framed, documented, and made auditable without creating disproportionate obligations or legal exposure.

I hope this clarification is helpful.