2013 RAA is illegal, says EU privacy watchdog
European privacy regulators have slammed the new 2013 Registrar Accreditation Agreement, saying it would be illegal for registrars based in the EU to comply with it.
The Article 29 Working Party, which comprises privacy regulators from the 27 European Union nations, had harsh words for the part of the contract that requires registrars to store data about registrants for two years after their domains expire.
In a letter (pdf) to ICANN last month, Article 29 states plainly that such provisions would be illegal in the EU:
The fact that these personal data can be useful for law enforcement does not legitimise the retention of these personal data after termination of the contract. Because there is no legal ground for the data processing, the proposed data retention requirement violates data protection law in Europe.
The 2013 RAA allows any registrar to opt out of the data retention provisions if it can prove that to comply would be illegal its own jurisdiction.
The Article 29 letter has been sent to act as blanket proof of this for all EU-based registrars, but it’s not yet clear if ICANN will treat it as such.
The letter goes on to sharply criticize ICANN for allowing itself to be used by governments (and big copyright interests) to circumvent their own legislative processes. It says:
The fact that these data may be useful for law enforcement (including copyright enforcement by private parties) does not equal a necessity to retain these data after termination of the contract.
…
the Working Party reiterates its strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement.
If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation
So why is ICANN trying to get many of its registrars to break the law?
While it’s tempting to follow the Article 29 WP’s reasoning and blame law enforcement agencies and the Governmental Advisory Committee, which pushed for the new RAA to be created in the first place, the illegal data retention provisions appear to be entirely ICANN’s handiwork.
The original law enforcement demands (pdf) say registrars should “securely collect and store” data about registrants, but there’s no mention of the period for which it should be stored.
And while the GAC has expressly supported the LEA recommendations since 2010, it has always said that ICANN should comply with privacy laws in their implementation.
The GAC does not appear to have added any of its own recommendations relating to data retention.
ICANN can’t claim it was unaware that the new RAA might be illegal for some registrars either. The Article 29 WP told it so last September, causing ICANN to introduce the idea of exemptions.
However, the European Commission’s GAC representative then seemed to dismiss the WP’s concerns during ICANN’s public meeting in Toronto last October.
Perhaps ICANN was justifiably confused by these mixed messages.
According to Michele Neylon, chair of the Registrars Stakeholder Group, it has yet to respond to European registrars’ inquiries about the Article 29 letter, which was sent June 6.
“We hope that ICANN staff will take the letter into consideration, as it is clear that the data protection authorities do not want create extra work either for themselves or for registrars,” Neylon said.
“For European registrars, and non-European registrars with a customer base in the EU, we look forward to ICANN staff providing us with clarity on how we can deal with this matter and respect EU and national law,” he said.
Geo gTLD bidders propose new constituency
Applicants for geographic gTLDs voted unanimously to form a new ICANN constituency last week.
According to minutes of a meeting hosted by .london applicant London & Partners in London last Thursday, 20 applicants voted in favor of a constituency and nobody voted for the alternatives.
Not every geo was in attendance, however. Twenty votes represents less than a third of the overall geographic gTLD applicant base.
A new constituency would likely join registries and registrars in the Contracted Parties House of the Generic Name Supporting Organization.
A constituency for dot-brand applicants, the Brand Registry Group, is also currently being formed.
Demand Media withdraws .bar application
Demand Media has withdrawn is application for the .bar new gTLD.
It’s the first of the company’s applications, filed via its United TLD subsidiary, to be withdrawn.
It was in a contention set with only one other applicant, a Mexican venture by the catchy name of Punto 2012 Sociedad Anonima de Capital Variable, which has also applied for .cafe and .rest.
There are now 97 withdrawn applications and a maximum of 1,357 future delegated gTLDs.
Amazon’s dot-brand likely doomed as US withdraws geo objection
The US government is set to allow the Governmental Advisory Committee to kill off Amazon’s application for .amazon, along with eight other new gTLDs with geographic flavors.
In a position paper published last night, the National Telecommunications and Information Administration said:
the United States is willing in Durban to abstain and remain neutral on .shenzen (IDN in Chinese), .persiangulf, .guangzhou (IDN in Chinese), .amazon (and IDNs in Japanese and Chinese), .patagonia, .yun, and .thai, thereby allowing the GAC to present consensus objections on these strings to the Board, if no other government objects.
According to a GAC source, US protests were the “only reason” the GAC was unable to reach a consensus objection to these applications during the Beijing meeting three months ago.
Consensus would strengthen the objection, giving the ICANN board the presumption that the applications, some of which have already passed Initial Evaluation, should not be approved.
None of the nine applications in question met ICANN’s strict definition of a “geographic” string, but they nevertheless look geographic enough to raise concerns with GAC members.
Amazon’s application for .amazon raised the eyebrows of the Latin American countries that share the Amazonia region.
The company has been in talks with these GAC members since Beijing. If it wants to secure .amazon, it has a little over a week to address their concerns, if it wants to avoid an objection.
While the US is now promising to drop its objection to the GAC’s objection, it does not appear to have changed its position, claiming that governments have no rights to geographic strings. NTIA said:
The United States affirms our support for the free flow of information and freedom of expression and does not view sovereignty as a valid basis for objecting to the use of terms, and we have concerns about the effect of such claims on the integrity of the process.
…
the United States is not aware of an international consensus that recognizes inherent governmental rights in geographic terms.
It’s calling for a rethink of the process, during the mandatory review of the new gTLD program that ICANN must conduct before accepting a second round of applications.
Given that the GAC currently has the ability to object to any string for any reason, it’s difficult to see how a review could achieve the NTIA’s goal without reining in the GAC’s powers.
Today’s new gTLD updates: two withdrawals and two “Not Approved”
DotConnectAfrica and GCCIX WLL have become the first new gTLD applicants to have their applications — for .africa and .gcc respectively — officially flagged as “Not Approved” by ICANN.
Both were killed by Governmental Advisory Committee advice.
While GCC had passed its Initial Evaluation already, DCA’s IE results report (pdf), which were published last night, simply states: “Overall Initial Evaluation Summary: Incomplete”.
In both cases the decision to flunk the applications was taken a month ago by ICANN’s New gTLD Program Committee.
DCA filed a formal Reconsideration Request (pdf), challenging the decision in typically incomprehensible style, on June 19, threatening to take ICANN to an Independent Review Panel (ICANN’s very expensive court of appeals) if it does not overturn its decision.
Here’s a sample:
We have no intention of withdrawing our application against the backdrop that we rightly believe that the Board decision is injudicious, very wrong and injurious to our application and to our organizational aspirations. We are placing faith in the possibility that this particular communication will serve the purpose of causing the ICANN Board to have a rethink, and see the wisdom in allowing DCA Trust to continue to participate in the new gTLD Program without the necessity of going to an Independent Review Process (IRP) Panel to challenge the ICANN Board Decision which we presently disagree with in the most absolute terms.
The Board Governance Committee, which handles Reconsideration Requests, has a sturdy track record of denying them, so I think the chances of DCA’s being approved are roughly zero.
But if the company is nutty enough to try its hand at an IRP, which could quite easily set it back a few million dollars in legal fees, the story might not be over yet.
The GAC didn’t like DCA’s .africa bid because African governments back UniForum, DCA’s South Africa-based competitor for the string.
Had the application made it to Initial Evaluation — its processing number wasn’t up for a few weeks — it would have been flunked by the Geographic Names Panel due to its lack of support anyway.
GCC’s application for .gcc was also rejected by the GAC on geographic grounds. It stands for Gulf Cooperation Council, and the Persian/Arabian Gulf nations in question didn’t support the bid.
Also today, the American insurance company Allstate withdrew its applications for .carinsurance and .autoinsurance. Both were single-registrant “closed generics”, which ICANN has indicated might not be approved, also due to GAC advice.
ICANN says DotConnectAfrica’s .africa bid is officially “Not Approved”
Artemis signs 30 anchor tenants for .secure gTLD
Artemis, the NCC Group subsidiary applying for .secure, says it has signed up 30 big-name customers for its expensive, high-security new gTLD offering.
CTO Alex Stamos said that the list includes three “too big to fail” banks and three of the four largest social networking companies. They’ve all signed letters of intent to use .secure domains, he said.
He was speaking at a small gathering of customers and potential customers in London yesterday, to which DI was invited on the condition that we not report the name of anyone else in attendance.
Artemis is doing this outreach despite the facts that a) .secure is still in a two-way contention set and b) deep-pocketed online retailer Amazon is the other applicant.
Stamos told DI he’s confident that Artemis will win .secure one way or the other — hopefully Amazon’s single-registrant bid will run afoul of ICANN’s current rethink of “closed generics”.
He expects to launch .secure in the second or third quarter of next year with a few dozen registrants live from pretty much the start.
The London event yesterday, which was also attended by executives from a few household names, was the second of three the company has planned. New York was the first and there’ll soon be one in California.
I’m hearing so many stories about new gTLD applicants that still haven’t figured out their go-to-market strategies recently that it was refreshing to see one that seems to be on the ball.
Artemis’ vision for .secure is also probably the most technologically innovative proposed gTLD that I’m currently aware of.
As the name suggests, security is the order of the day. Registrants would be vetted during the lengthy registration process and the domain names themselves would be manually approved.
Not only will there not be any typosquatting, but there’s even talk of registering common typos on behalf of registrants.
Registrants would also be expected to adhere to levels of security on their web sites (mandatory HTTPS, for example) and email systems (mandatory TLS). Domains would be scanned daily for malware and would have manual penetration testing at least annually.
Emerging security standards would be deployed make sure that browsers would only trust SSL certificates provided by Artemis (or, more likely, its CA partner) when handling connections to .secure sites.
Many of the policies are still being worked out, sometimes in conversation with an emerging “community” of the aforementioned anchor tenants, but there’s one thing that’s pretty clear:
This is not a domain name play.
If you buy a .secure domain name, you’re really buying an NCC managed security service that allows you to use a domain name, as opposed to an easily-copied image, as your “trust mark”.
Success for .secure, if it goes live as planned, won’t be measured in registration volume. I wouldn’t expect it to be much bigger than .museum, the tiniest TLD today, within its first few years.
Prices for .secure have not yet been disclosed, but I’m expecting them to be measured in the tens of thousands of dollars. If “a domain” costs $50,000 a year, don’t be surprised.
Artemis’ .secure would however be available to any enterprise that can afford it and can pass its stringent security tests, which makes it more “open” than Amazon’s vaguely worded closed generic bid.
Other ICANN accredited registrars will technically be allowed to sell .secure domains, but the Registry-Registrar Agreement will be written in such a way as to make it economically non-viable for them to do so.
Overall, the company has a bold strategy with some significant challenges.
I wonder how enthusiastic enterprises will be about using .secure if their customers start to assume that their regular domain name (which may even be a dot-brand) is implicitly insecure.
Artemis is also planning to expose some information about how well its registrants are complying with their security obligations to end users, which may make some potential registrants nervous.
Even without this exposure, simply complying appears to be quite a resource-intensive ongoing process and not for the faint-hearted.
However, that’s in keeping with the fact that it’s a managed security service — companies buy these things in order to help secure their systems, not cover up problems.
Stamos also said that its eligibility guidelines are being crafted with its customers in such a way that registrants will only ever be kicked out of .secure if they’re genuinely bad actors.
Artemis’ .secure is a completely new concept for the gTLD industry, and I wouldn’t like to predict whether it will work or not, but the company seems to be going about its pre-sales marketing and outreach in entirely the correct way.
97 new gTLD applicants get pass from ICANN
ICANN has just released this week’s batch of Initial Evaluation results, with 97 passing applications to report.
The results were published a couple of days early due to the Independence Day holiday in the US.
There were no failures this week. The following applications received passing scores and proceed to the next phase of the program.
.cloud .app .marketing .corp .llp .blog .dnb .radio .mtr .gay .gmbh .accountant .site .yodobashi .norton .rmit .host .auto .ltd .play .cafe .bosch .jaguar .realestate .cashbackbonus .plus .mobile .cityeats .uol .amica .hair .yahoo .philips .corp .beauty .schmidt .tiaa .yellowpages .alsace .gent .lds .home .auction .chat .travelersinsurance .delta .corsica .dvag .bugatti .online .living .golf .flowers .hot .sharp .guitars .store .video .discount .realestate .mozaic .club .builders .build .whoswho .vote .limited .international .hdfc .yun .sakura .ifm .group .ceb .gifts .box .hbo .dev .asda .sport .allfinanzberater .radio .sale .taobao .training .dtv .mail .sncf .rent .marriott .jpmorganchase .audio .guide .statefarm .now .gucci .work
The results bring the total number of passing bids to 1,006. Only 823 applications remain in Initial Evaluation.
New gTLD registry contract approved, but applicants left hanging by GAC advice
ICANN has approved the standard registry contract for new gTLD registries after many months of controversy.
But its New gTLD Program Committee has also decided to put hundreds more applications on hold, pending talks with the Governmental Advisory Committee about its recent objections.
The new Registry Agreement is the baseline contract for all new gTLD applicants. While some negotiation on detail is possible, ICANN expects most applicants to sign it as is.
Its approval by the NGPC yesterday — just a couple of days later than recently predicted by ICANN officials — means the first contracts with applicants could very well be signed this month.
The big changes include the mandatory “Public Interest Commitments” for abuse scanning and Whois verification that we reported on last month, and the freeze on closed generics.
But a preliminary reading of today’s document suggests that the other changes made since the previous version, published for comment by ICANN in April, are relatively minor.
There have been no big concessions to single-registrant gTLD applicants, such as dot-brands, and ICANN admitted that it may have to revise the RA in future depending on how those discussions pan out.
In its resolution, the NGPC said:
ICANN is currently considering alternative provisions for inclusion in the Registry Agreement for .brand and closed registries, and is working with members of the community to identify appropriate alternative provisions. Following this effort, alternative provisions may be included in the Registry Agreement.
But many companies that have already passed through Initial Evaluation now have little to worry about in their path to signing a contract with ICANN and proceeding to delegation.
“New gTLDs are now on the home stretch,” NGPC member Chris Disspain said in a press release “This new Registry Agreement means we’ve cleared one of the last hurdles for those gTLD applicants who are approved and eagerly nearing that point where their names will go online.”
Hundreds more, however, are still in limbo.
The NGPC also decided yesterday to put a hold on all “Category 1” applications singled out for advice in the Governmental Advisory Committee’s Beijing communique.
That’s a big list, comprising hundreds of applications that GAC members had concerns about.
The NGPC resolved: “the NGPC directs staff to defer moving forward with the contracting process for applicants who have applied for TLD strings listed in the GAC’s Category 1 Safeguard Advice, pending a dialogue with the GAC.”
That dialogue is expected to kick off in Durban a little over a week from now, so the affected applicants may not find themselves on hold for too long.
Negotiations, however, are likely to be tricky. As the NGPC’s resolution notes, most people believe the Beijing communique was “untimely, ill-conceived, overbroad, and too vague to implement”.
Or, as I put it, stupid.
By the GAC’s own admission, its list of strings is “non-exhaustive”, so if the delay turns out to have a meaningful impact on affected applicants, expect all hell to break loose.
GNSO still breathing as ICANN retracts “flawed” Trademark+50 thinking
The Generic Names Supporting Organization isn’t dead after all.
ICANN’s Board Governance Committee has retracted a document related to new gTLD trademark protections that some on the GNSO Council believed spelled the end of the multistakeholder model as we know it.
The BGC, in rejecting a formal Reconsideration Request related to the “Trademark+50” mechanism, had used a rationale that some said was overly confrontational, legalistic and gave ICANN staff the ability to ignore community input more or less at will.
We reported on the issue in considerable detail here.
The committee on Friday retracted the original rationale, replacing it with one (pdf) that, while still containing some of the flawed reasoning DI noted last month, seems to have appeased the GNSO Council.
Neustar policy VP Jeff Neuman, who raised the original concerns, told the Council: “I believe the rationale is much more consistent with, and recognizes, the value of the multi-stakeholder model.”
The BGC did not change its ultimate decision — the Reconsideration Request has still been rejected and Trademark+50 is still being implemented in the new gTLD program.
Recent Comments