Domainers could lose their names as .au loophole closes

Domain investors dabbling in the .au space could face losing their names under new policies set to be proposed.

The .au Policy Review Panel, which helps set policy for Australian ccTLD registry auDA, said this week it is thinking about closing a loophole related to domain monetization that has allowed “speculation and warehousing” in violation of longstanding rules.

Monetized domains are “largely detrimental” to .au and rules permitting the practice should be scrapped, the panel is expected to formally conclude.

Anyone currently monetizing domains could be given as little as a day to comply with the new rules or face losing their names.

The expected recommendations were outlined in a memo (pdf) penned by panel chair John Swinson, an intellectual property lawyer, who wrote:

the Panel received a lot of feedback and information from the public that Domain Monetisation is largely detrimental to the name space. Feedback, including from sophisticated businesses, domain brokers and portfolio owners, was one could register almost any domain name under the Domain Monetisation rule, and that the current rules were unclear, and that domain names were being registered under the cover of Monetisation primarily for the purposes of resale or warehousing (which is contrary to the current policy).

Current auDA policy on domaining, dating from 2012, is pretty clear when it comes to domainers: “A registrant may not register a domain name for the sole purpose of resale or transfer to another entity.”

However, there’s a loophole when it comes to domains that are monetized with ad links. If a domain is monetized, reselling no longer becomes its “sole purpose”.

Another auDA policy also from 2012 specifically permits monetization as a valid reason for owning a .com.au or .net.au name.

It says that monetized domains must carry ad content relevant to the topic of the domain, and that there should be no brand infringement in the domain itself.

Swinson’s panel agreed in a May 1 meeting (pdf) that this rule should be scrapped.

It’s not entirely clear what would come to replace it, as the panel doesn’t seem likely to actually ban monetization as such. Swinson wrote:

Because the current rules are outdated, inconsistent and unclear, it is difficult to enforce the current rules that prevent the registration of domain names for domain speculation and warehousing.

The Panel’ s current view is that Domain Monetisation will not be banned, but of itself will not be a basis to meet the allocation criteria.

The “allocation criteria” refers to the eligibility requirements for .au domains, which currently require a “close and substantial” link between the registrant and the name.

The panel’s memo states that there would be a “grandfathering” period during which domainers whose sites do not comply with the new policy would have time to update them:

The Panel’s current view is to recommend that any new eligibility and allocation rules should apply on the next renewal of a domain name license. This will give domain name licensees who meet the current rules, but who will not meet any new rules, time to deal with the non-compliance.

The problem here of course is that the “next renewal” could be anywhere from a day to two years away, depending on the domain. That’s probably an area the panel needs to look at.

The monetization issue is one of several addressed in the panel’s interim report (pdf), which also looks at the possibility of direct, second-level domain registration.

Any new policy on either issue is still many months away.

In GDPR case, ICANN ready to fight Tucows to the bitter end

ICANN has appealed its recent court defeat as it attempts to force a Tucows subsidiary to carry on collecting full Whois data from customers.

The org said yesterday that it is taking its lawsuit against Germany-based EPAG to a higher court and has asked it to bounce the case up to the European Court of Justice, as the first test case of the new General Data Protection Regulation.

In its appeal, an English translation (pdf) of which has been published, ICANN argues that the Higher Regional Court of Cologne must provide an interpretation of GDPR in order to rule on its request for an injunction.

And if it does, ICANN says, then it is obliged by the GDPR itself to refer that question to the ECJ, Europe’s highest judicial authority.

The case concerns Tucows’ refusal to carry on collecting contact information about the administrative and technical contacts for each domain name it sells, which it is contractually obliged to do under ICANN’s Whois policy.

These are the Admin-C and Tech-C fields that complement the registrant’s own contact information, which Tucows is of course still collecting.

Tucows says that these extra fields are unnecessary, and that GDPR demands it minimize the amount of data it collects to only that which it strictly needs to execute the registration contact.

It also argues that, if the Admin-C and Tech-C are third parties, it has no business collecting any data on them at all.

According to Tucows legal filings, more than half of its 10 million domains have identical data for all three contacts, and in more than three quarters of cases the registrant and Admin-C are identical.

In its appeal, ICANN argues that the data is “crucial for the objectives of a secure domain name system, including but not limited to the legitimate purposes of consumer protection,
investigation of cybercrime, DNS abuse and intellectual property protection and law enforcement needs”.

ICANN uses Tucows’ own numbers against it, pointing out that if Tucow has 7.5 million domains with shared registrant and Admin-C data, it therefore has 2.5 million domains where the Admin-C is a different person or entity, proving the utility of these records.

It says that registrars must continue to collect the disputed data, at the very least if it has secured consent from the third parties named.

ICANN says that nothing in the Whois policy requires personal data to be collected on “natural persons” — Admin-C and Tech-C could quite easily be legal persons — therefore there is no direct clash with GDPR, which only covers natural persons.

Its appeal, in translation, reads: “the GDPR is irrelevant if no data about natural persons are collected. In this respect, the Defendant is contractually obliged to collect such data, and failure to do so violates its contract with the Applicant.”

It goes on to argue that even if the registrant chooses to provide natural-person data, that’s still perfectly fine as a “legitimate purpose” under GDPR.

ICANN was handed a blow last month after a Bonn-based court refused to give it an injunction obliging EPAG (and, by inference, all registrars) to continue collecting Admin-C and Tech-C.

The lower court had said that registrants would be able to continue to voluntarily provide Admin-C and Tech-C, but ICANN’s appeal points out that this is not true as EPAG is no longer requesting or collecting this data.

In ICANN’s estimation, the lower court declined to comment on the GDPR implications of its decision.

It says the appeals court, referred to in translation as the “Senate”, cannot avoid interpreting GDPR if it has any hope of ruling on the injunction request.

Given the lack of GDPR case law — the regulation has only been in effect for a few weeks — ICANN reckons the German court is obliged by GDPR itself to kick the can up to the ECJ.

It says: “If the Senate is therefore convinced that the outcome of this procedure depends on the interpretation of certain provisions of the GDPR, the Senate must refer these possible questions to the ECJ for a preliminary ruling”.

It adds that should a referral happen it should happen under the ECJ’s “expedited” procedures.

An ECJ ruling has been in ICANN’s sights for some time; late last year CEO Goran Marby was pointing out that a decision from the EU’s top court would probably be the only way full legal clarity on GDPR’s intersection with Whois could be obtained.

It should be pointed out of course that this case is limited to the data collection issue.

The far, far trickier issue of when this data should be released to people who believe they have a legitimate purpose to see it — think: trademark guys — isn’t even up for discussion in the courts.

It will be, of course. Give it time.

All of ICANN’s legal filings, in the original German and unofficial translation, can be found here.

Atallah encourages domainers to get involved in ICANN

ICANN Global Domains Division chief Akram Atallah today encouraged domain investors to participate more in the ICANN community.

“Domain investors’ voices need to be heard in ICANN,” he said during brief remarks opening NamesCon Europe here in Valencia this morning.

“Your voices are as important as everyone else’s and should be heard,” he said.

He noted to the largely European crowd here that ICANN has a public meeting coming up in Barcelona toward the end of the year.

The call came within the context of comments that focused almost exclusively on GDPR and Whois.

Atallah said that the absence of Whois would make it difficult to track down bad guys and harder for the average person to ensure that the information they get online comes from a reputable source.

“Not everything on the internet is true,” he said, to an faux-incredulous “WHAT?!?” from a member of the audience. “You need to know who is behind this information.”

He said that ICANN hopes to keep Whois as transparent as possible, and played up the fact that most community members are now in agreement that a tiered access system seems like the best way forward, which he called a “major shift from 12 months ago, when the community could not agree on anything”.

He added that now that the Article 29 Working Party has been replaced by the European Data Protection Board, it could help ICANN figure out how to proceed on GDPR compliance efforts.

“I think we’ll get more clarity,” he said.

Disclosure: I’m at NamesCon on my own dime, but with a complementary complemintary complimentary press pass.

US asks if it should take back control over ICANN

The US government has asked the public whether it should reverse its 2016 action to relinquish oversight of the domain name system root.

“Should the IANA Stewardship Transition be unwound? If yes, why and how? If not, why not?”

That’s the surprisingly direct question posed, among many others, in a notice of inquiry (pdf) issued yesterday by the National Telecommunications and Information Administration.

The inquiry “is seeking comments and recommendations from all interested stakeholders on its international internet policy priorities for 2018 and beyond”. The deadline for comments is July 2.

The IANA transition, which happened in September 2016, saw the NTIA remove itself from the minor part it played, alongside meatier roles for ICANN and Verisign, in the old triumvirate of DNS root overseers.

At the handover, ICANN baked many of its previous promises to the US government into its bylaws instead, and handed oversight of itself over to the so-called Empowered Community, made up of internet stakeholders of all stripes.

The fact that the question is being asked at all would have been surprising not too long ago, but new NTIA chief David Redl and Secretary of Commerce Wilbur Ross expressed their willingness to look into a reversal as recently as January.

Back then Redl told Congresspeople, in response to questions raised primarily by Senator Ted Cruz during his confirmation process:

I am not aware of any specific proposals to reverse the IANA transition, but I am interested in exploring ways to achieve this goal. To that end, if I am confirmed I will recommend to Secretary Ross that we begin the process by convening a panel of experts to investigate options for unwinding the transition.

Cruz had objected to the transition largely based on his stated (albeit mistaken or disingenuous) belief that it gave China, Iran and a plethora of bad guys control over Americans’ freedom of speech, something that has manifestly failed to materialize.

But in the meantime another big issue has arisen — GDPR, the EU’s General Data Protection Regulation — which is in the process of eroding access rights to Whois data, beloved of US law enforcement and intellectual property interests.

NTIA is known to be strongly in favor of retaining access to this data to the greatest extent possible.

The notice of inquiry does not mention Whois or GDPR directly but it does ask several arguably related questions:

A. What are the challenges to the free flow of information online?

B. Which foreign laws and policies restrict the free flow of information online? What is the impact on U.S. companies and users in general?

C. Have courts in other countries issued internet-related judgments that apply national laws to the global internet? What have been the practical effects on U.S. companies of such judgements? What have the effects been on users?

NTIA’s statement announcing the inquiry prominently says that the agency is “working on” items such as “protecting the availability of WHOIS information”.

It also says it “has been a strong advocate for the multistakeholder approach to Internet governance and policy development”.

While GPDR and Whois are plainly high-priority concerns for NTIA, it’s beyond my ken how reversing the IANA transition would help at all.

GDPR is not ICANN policy, after all. It’s a European Union law that applies to all companies doing business in Europe.

Even if the US were to fully nationalize ICANN tomorrow and rewrite Whois policy to mandate the death penalty for any contracted party that refused to openly publish full Whois records, that would not make GDPR go away, it would probably just kick off a privacy trade war or mean that all US contracted parties would have to stop doing business in Europe.

That sounds like an extreme scenario, but Trump.

The NTIA’s inquiry closes July 2, so if you think the transition was a terrible idea or a wonderful idea, this is where to comment.

Court denies ICANN’s GDPR injunction against Tucows

A German court has refused ICANN’s request for a GDPR-related injunction against Tucows’ local subsidiary EPAG, throwing a key prong of ICANN’s new Whois policy into chaos.

EPAG now appears to be free to stop collecting contact information for each domain’s administrative and technical contacts — the standard Admin-C and Tech-C fields.

The ruling may even leave the door open for registrars to delete this data from their existing Whois databases, a huge blow to ICANN’s Whois compliance strategy.

According to an ICANN-provided English translation of the ruling (pdf), the Bonn judges (whose names are redacted — another win for GDPR?) decided that the Admin-C and Tech-C records are unnecessary, because they can be (and usually are) the same person as the registrant.

The judges said that if the additional contact names were needed, it would have historically been a condition of registration that three separate people’s data was required.

They wrote that this “is proof that any data beyond the domain holder — different from him — was not previously necessary”.

“Against the background of the principle of data minimization, the Chamber is unable to see why further data sets are needed in addition to the main person responsible,” they wrote.

Data minimization is a core principle of GDPR, the General Data Protection Regulation, which came into force in the EU less than a week ago. Tucows and ICANN have different interpretations on how it should be implemented.

The judges said that the registrant’s contact information should be sufficient for any criminal or security-related investigations, which had been one of ICANN’s key claims.

They also said that ICANN’s attempt to compare Whois to public trademark databases was irrelevant, as no international treaties govern Whois.

If the ruling stands, it means registries and registrar in at least Germany could no longer have to collect Admin-C and Tech-C contacts.

Tucows had also planned to delete this data for its existing EPAG registrations, but had put its plan on hold ahead of the judge’s ruling.

The ruling also gives added weight to the part of ICANN’s registry and registrar agreements that require contracted parties to abide by local laws.

That’s at the expense of the new Temporary Policy governing Whois introduced two weeks ago, which still requires Admin-C and Tech-C data collection.

There was no word in ICANN’s statement on the ruling last night as to the possibility of appealing.

But the org seized on the fact that the ruling does not directly state that EPAG would be breaching GDPR rules by collecting the data. General counsel John Jeffrey is quoted as saying:

While ICANN appreciates the prompt attention the Court paid to this matter, the Court’s ruling today did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings. ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29 [the Article 29 Working Party], to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.

Tucows has yet to issue a statement on the decision.

It may not be the last time ICANN resorts to the courts in order to seek clarity on matters related to GDPR and its new Temporary Policy.