ICANN has suspended the accreditation of Korean registrar Dotname Korea over failures to comply with Whois accuracy rules.
The company was told this week that it will lose the ability to sell names for three months.
“No new registrations or inbound transfers will be accepted from 7 October 2014 through 5 January 2015,” ICANN compliance chief Maguy Serad told the company (pdf).
The suspension follows breach notices earlier in the year pertaining to Dotname’s failure to show that it was responding adequately to Whois inaccuracy complaints.
Other breaches of the Whois-related parts of the 2013 Registrar Accreditation Agreement were also alleged.
The company has until December 16 to show compliance of face the possibility of termination.
ICANN has approved Moniker’s request for a partial waiver of the Registrar Accreditation Agreement based on European privacy law, despite the fact that the registrar is based in the US.
The data retention waiver for Moniker was one of a few granted to members of the KeyDrive group of registrars that were approved by ICANN yesterday.
KeyDrive is based in Luxembourg, but the waiver request was granted because complying with the 2013 RAA could violate German privacy law and Moniker’s data is stored in Germany.
Registrar’s technical backend services provider as well as data storage and collection occur on servers hosted and operated in Germany, and is subject to German law. Accordingly, ICANN has determined that it is appropriate to grant Registrar a data retention waiver
Group members Key-Systems AG (a German company) Key-Systems LLC (an American company) also received waivers yesterday.
InternetX, part of Germany-based United Internet, and http.net Internet also had their requests approved.
The waiver process was introduced because the 2013 RAA requires registrars to store customer data long after their domains expire, which registrars’ lawyers say forces them to break local laws.
An EU directive implemented in many European countries says that companies cannot store personal data for longer than it is needed for the purpose for which is was collected.
If you have an account at NameCheap, now might be a good time to think about changing your password.
According to the registrar, hackers based in Russia are using a haul of a reported 4.5 billion username/password combinations to attempt to break into its customers’ accounts.
Some attempts have been successful, NameCheap warned.
The attackers are using credentials stolen from third-party sources in a large-scale, automated attempt to log in to user accounts, disguised as regular users, the company said in a blog post.
The vast majority of these login attempts have been unsuccessful as the data is incorrect or old and passwords have been changed. As a precaution, we are aggressively blocking the IP addresses that appear to be logging in with the stolen password data. We are also logging these IP addresses and will be exporting blocking rules across our network to completely eliminate access to any Namecheap system or service, as well as making this data available to law enforcement.
While the vast majority of these logins are unsuccessful, some have been successful. To combat this, we’ve temporarily secured the Namecheap accounts that have been affected and are currently contacting customers involved requesting they improve the security for these accounts.
Affected users have been emailed, the company said.
NameCheap suspects the attack is linked to a reported cache of 1.2 billion unique username/password combinations amassed by a hacker group from databases vulnerable to SQL injection.
The registrar pointed out that its own systems haven’t been hacked. Customers should only be vulnerable if they use the same username and password at NameCheap as they use on other sites.
Telefonica Brasil, part of the massive Telefonica group of telecoms companies, has lost its registrar accreditation after failing to pay its ICANN fees.
The company, which had revenue last year of $14.6 billion, is facing termination of its Registrar Accreditation Agreement over the pitiful sum of $3,082.12.
It’s also embarrassing because Telefonica is applying for the new gTLD .vivo, its consumer brand in Brasil, which will require it to sign a Registry Agreement with ICANN.
I don’t think the loss of the RAA affects the company’s ability to get its gTLD contracted and delegated.
According to ICANN (pdf), Telefonica also failed to comply with the Registrar Information Specification, a pretty basic rule in the 2013 Registrar Accreditation Agreement requiring registrars to provide their address and names of officers and any parent companies.
The company has no gTLD names under management, so registrants will not be affected by the termination, which will take effect September 25.
ICANN sent its initial breach notice in July, but Telefonica did not comply before the August deadline. It also received a breach notice over an unpaid $10,000 bill a year ago.
Canadian registrar EasyDNS has amended its take-down policy after a customer of one of its registrants died of an overdose.
In a frank blog post today, CEO Mark Jeftovic said that the man had died using a “controlled substance” ordered online. The web site in question used a domain registered via EasyDNS.
As a result of the death, and conversations with ICANN and the US Food and Drug Administration, EasyDNS has changed its policy.
It will now turn off any domain used for a pharmacy web site unless the registrant can produce a license permitting it to sell pharmaceuticals in the territories it sells to.
Previously, the company would only turn off a pharmacy-related domain with a court order.
It’s a notable U-turn for the company because Jeftovic is an outspoken critic of unilateral take-down notices.
In January, he referred to the National Association of Boards of Pharmacy as a “batch of clowns” for demanding that EasyDNS and other registrars take down unlicensed pharmacies without court orders.
He also has an ongoing beef with the UK police over its repeated requests for file-sharing and counterfeiting-related domains to be taken down without judicial review.
Jeftovic blogged today:
[I]n one case we have people allegedly pirating Honey Boo Boo reruns and on the other we have people dying. We don’t know where exactly, but the line goes somewhere in between there.
We have always done summary takedowns on net abuse issues, spam, botnets, malware etc. It seems reasonable that a threat to public health or safety that has been credibly vetted fits in the same bucket.
As a private company we feel within our rights to set limits and boundaries on what kinds of business risk we are willing to take on and under what circumstances. Would we tell the US State Department to go to hell if they wanted us to take down ZeroHedge? Absolutely. Do we want to risk criminally indicted by the FDA because of unregulated vicodin imports? Not so much.
You can read his full blog post here.