Latest news of the domain name industry

Recent Posts

auDA role “could have killed me” says resigning domainer

Domainer and activist blogger Ned O’Meara has resigned from the auDA board of directors, about four months after being elected.

He said in an apologetic blog post that the “negative stress” caused by being on the .au registry’s board had sent his blood pressure up, making him worry about having a third heart attack.

“[I]f I continued slugging it out at auDA, I believe it could have killed me,” he wrote.

He went on to say that he expected to be sidelined on key votes such as auDA’s decision to sell domains directly at the second level, due to perceived “conflicts of interest”, which he disputed.

O’Meara was elected in November as a “demand-class” member of the board, after using his blog to spearhead a campaign for greater transparency at the organization.

It sounds to me like he’s made the correct decision in stepping aside. No matter how important you believe a domain policy to be, it’s not worth your health. I wish him well.

auDA said it is now looking for two demand-class directors, to fill O’Meara’s vacant seat and another seat that is opening up due to the end of another director’s term.

2 Comments Tagged: ,

Whois policy group closes down in face of GDPR

Kevin Murphy, April 4, 2018, Domain Policy

An ICANN working group devoted to crafting Whois policy has closed down “until further notice” in light of the EU General Data Protection Regulation.

The Registration Data Service Policy Development Process Working Group will have no more meetings until it receives “guidance from the [ICANN] Board regarding how this WG will be affected by the GDPR compliance efforts”.

That’s according to WG co-chair Chuck Gomes, in an email to the group this morning. The mailing list will remain active to keep members informed of progress, he said.

The group has been tasked with developing “comprehensive Whois reform”.

It’s been working for over two years to attempt to find consensus on changes such as tiered access and data privacy, the latest iteration of fruitless, fractious Whois policy discussions dating back a couple of decades, and had made very little progress.

Recently, it’s also been hit by infighting and, in my opinion, a sense of helplessness in the face of GDPR, the EU privacy law that will take precedence over any policy ICANN comes up with.

Last month, prominent Non-Commercial Stakeholder Group member Stephanie Perrin publicly resigned from the WG, saying it was “fundamentally flawed” and complaining the process was an “antique” that wasn’t sufficiently taking GDPR into account.

As DI has been reporting for the last several months, there’s very little clarity right now about how GDPR will effect ICANN’s Whois policy.

ICANN CEO Goran Marby told us yesterday that he’s “cautiously optimistic” that EU data protection authorities will soon provide some firm guidance on what it means to be GDPR-compliant.

It appears that the RDS group’s fate may also lie in the hands of the DPAs, for now.

1 Comment Tagged: , , , ,

Marby ponders emergency powers to avoid fragmented Whois

Kevin Murphy, April 4, 2018, Domain Policy

ICANN could invoke emergency powers in its contracts to prevent Whois becoming “fragmented” after EU privacy laws kick in next month.

That’s a possibility that emerged during a DI interview with ICANN CEO Goran Marby yesterday.

Marby told us that he’s “cautiously optimistic” that European data protection authorities will soon provide clear guidance that will help the domain industry become compliant with the General Data Protection Regulation, which becomes fully effective May 25.

But he said that a lack of such guidance will lead to a situation where different companies provide different levels of public Whois.

“It’s a a high probability that Whois goes fragmented or that Whois will be in a sort of ‘thin’ model in which very little information is collected and very little information is displayed,” he said. “That’s a sort of worst-case scenario.”

I should note that the interview was conducted yesterday before news broke that Afilias has become the first major gTLD registry to announce its Whois output will be essentially thin — eschewing all registrant contact data — from May 25.

Marby has asked European DPAs for two things.

First, guidance on whether its “Cookbook” proposal for a dramatically scaled-back, GDPR-compliant Whois is in fact GDPR-compliant.

Second, an enforcement moratorium while registries and registrars actually go about implementing the Cookbook.

“If we don’t get guidance that’s clear enough, we will see a fragmented Whois. If we get guidance that is clear enough we can work it out,” Marby said.

A moratorium could enable Whois to carry on in its current state, or something close to it, while ICANN goes about creating a new policy that fits with the DPA’s guidance.

If the DPAs refuse a moratorium, we’re looking at a black hole of indeterminate duration during which nobody — not even law enforcement or self-appointed trademark cops — can easily access full Whois records.

“It’s not something I can do anything about, it’s really in the hands of the DPAs,” Marby said. “Remember that it’s the law.”

While ICANN has expended most of its effort to date on creating a model for the public Whois, there’s a parallel effort to create an accreditation program that would enable organizations with “legitimate purposes” to access full, or at least more complete, Whois records.

It’s the IP lawyers that are driving this effort, primarily, terrified that their ability to hunt down cybersquatters and bootleggers will be diminished come May 25.

ICANN has so far resisted calls to endorse the so-called “Cannoli” draft accreditation model, with Marby publicly saying that it needs cross-community support.

But the organization has committed staff support resources to discussion of Cannoli. There’s a new mailing list and there will be a community conference call this coming Friday at 1400 UTC.

Marby said that he shares the worries of the IP community, adding: “If we get the proper guidance from the DPAs, we will know how to sort out the accreditation model.”

He met with the Article 29 Working Party, comprised of DPAs, last week; the group agreed to put Whois on its agenda for its meeting next week, April 10-11.

The fact that it’s up for discussion is what gives Marby his cautious optimism that he will get the guidance he needs.

Assuming the DPAs deliver, ICANN is then in the predicament of having to figure out a way to enforce, via its contracts, a Whois system that is compliant with the DPAs’ interpretation of GDPR.

Usually, this would require a GNSO Policy Development Process leading to a binding Consensus Policy.

But Marby said ICANN’s board of directors has other options, such as what he called an “emergency policy”.

This is a reference, I believe, to the “Temporary Policies” clauses, which can be found in the Registrar Accreditation Agreement and Registry Agreement.

Such policies can be mandated by a super-majority vote of the board, would have to be narrowly tailored to solve the specific problem at hand, and could be in effect no longer than one year.

A temporary policy could be replaced by a compatible, community-created Consensus Policy.

It’s possible that a temporary policy could, for example, force Afilias and others to reverse their plans to switch to thin Whois.

But that’s perhaps getting ahead of ourselves.

Fact is, the advice the DPAs provide following their Article 29 meeting next week is what’s going to define Whois for the foreseeable future.

If the guidance is clear, the ICANN organization and community will have their direction of travel mapped out for them.

If it’s vague, wishy-washy, and non-committal, then it’s likely that only the European Court of Justice will be able to provide clarity. And that would take many years.

And whatever the DPAs say, Marby says it is “highly improbable” that Whois will continue to exist in its current form.

“The GDPR will have an effect on the Whois system. Not everybody will get access to the Whois system. Not everybody will have as easy access as before,” he said.

“That’s not a bug, that’s a feature of the legislation,” he said. “That’s not ICANN’s fault, it’s what the legislator thought when it made this legislation. It is the legislators’ intention to make sure people’s data is handled in a different way going forward, so it will have an effect.”

The community awaits the DPAs’ guidance with baited breath.

17 Comments Tagged: , , , , , ,

ICANN heads to Mar-a-Lago for budget crisis talks

Kevin Murphy, April 1, 2018, Gossip

Cash-strapped ICANN has invited select community members to emergency budget talks at the Mar-a-Lago resort in Florida, DI has learned.

The three-day summit next week will address how best to spend the organization’s $138 million annual budget, along with its $236 million auction proceeds war chest and its $80 million of leftover new gTLD application fees.

“Recent public comments have made it clear than many valued ICANN community members have misunderstood our FY19 budget,” CEO Goran Marby said. “I believe a long weekend of intensive discussions at Mar-a-Lago should persuade the community that we’re actually on the right track.”

To encourage participation from an increasingly weary volunteer pool, attendees will be treated to complimentary spa treatments, golfing, and the most beautiful pieces of chocolate cake, he said.

DI has managed to obtain a preliminary agenda for the summit, which can be read here (pdf).

Business-class flights and three nights’ accommodation at the exclusive members club will be covered by ICANN.

Mar-a-Lago, purchased by Donald Trump in the 1980s, is a “six-star” resort in Palm Beach, Florida. It was originally a five-star hotel, until 2004 when Trump purchased the one-star hotel next door and knocked through.

Marby defended the choice of venue, pointing out that the guest list is to be strictly limited to the ICANN board of directors, industry CEOs, and members of the Intellectual Property Constituency.

DI understands that the IPC will be permitted to invite members of the Non-Commercial Stakeholder Group to attend, should they require golf caddies.

To ensure gender diversity, all attendees will be able to bring along their spouses or partners. ICANN will make up any shortfall by hiring decorative females from a pool of Trump litigants.

A small support team of 50 ICANN staffers will also be available to hand out fresh towels, collect empty glasses, and so on.

Remote participation will be available via AOL Instant Messenger.

Chief financial officer Xavier Calvez declined to disclose the cost of the summit, citing privacy concerns caused by “GDPR or something”, but DI understands it is to be accounted for as a line item in ICANN’s Federal lobbying disclosure.

Calvez said ICANN has managed to negotiate “substantial” bulk discounts on the usual $200,000 Mar-a-Lago membership fees and $2,000-a-night room rates.

The cost will also be offset by sponsorship contributions from ICANNwiki and the National Rifle Association, he said.

Registry and registrar CEOs polled by DI this weekend were split on whether they would attend.

“Of course I’m going,” Blacknight CEO Michele Neylon told us by phone from an airport lounge in Kigali.

But .xyz chief Daniel Negari said he would attend only if he can secure sufficient funding for his bus fare to the airport.

Among the cost-cutting proposals on the menu, DI understands, is a request to consolidate all current and future policy working groups into a single, unified WG.

Sources say this would have the added benefit of reducing the annual policy implementation budget to zero dollars between now and, at the earliest, 2045.

17 Comments Tagged:

Registrars will miss GDPR deadline by a mile

Kevin Murphy, March 28, 2018, Domain Registrars

Registries and registrars won’t be able to implement ICANN’s proposed overhaul of the Whois system in time for the EU’s General Data Protection Regulation coming into effect.

That’s according to an estimated timetable (pdf) sent by ICANN’s contracted parties to the organization this week.

While they feel confident that some elements of ICANN’s GDPR compliance plan could be in place before May 25 this year, when the law kicks in, they feel that other elements could take many months to design and roll out.

Depending on the detail of the finalized plan, we could be looking at the back end of 2019 before all the pieces have been put in place.

Crucially, the contracted parties warn that designing and rolling out a temporary method for granting Whois access to entities with legitimate interests in the data, such as police and trademark owners, could take a year.

And that’s just the stop-gap, Band-Aid hack that individual registries and registrars would put in place while waiting — “quarters (or possibly years), rather than months” — for a fully centralized ICANN accreditation solution to be put in place.

The outlook looks bleak for those hoping for uninterrupted Whois access, in other words.

But the timetable lists many other sources of potential delay too.

Even just replacing the registrant’s email address with a web form or anonymized forwarding address could take up to four months to put online, the contracted parties say.

Generally speaking, the more the post-GDPR Whois differs from the current model the longer the contracted parties believe it will take to roll out.

Likewise, the more granular the controls on the data, the longer the implementation window.

For example, if ICANN forces registrars to differentiate between legal and natural persons, or between European and non-European registrants, that’s going to add six months to the implementation time and cost a bomb, the letter says.

Anything that messes with EPP, the protocol underpinning all registry-registrar interactions, will add some serious time to the roll-out too, due to the implementation time and the contractual requirement for a 90-day notice period.

The heaviest workload highlighted in the letter is the proposed opt-in system for registrants (such as domain investors) who wish to waive their privacy rights in favor of making themselves more contactable.

The contracted parties reckon this would take nine months if it’s implemented only at the registrar, or up to 15 months if coordination between registries and registrars is required (and that timeline assumes no new EPP extensions are going to be needed).

It’s possible that the estimates in the letter could be exaggerated as part of the contracted parties’ efforts to pressure ICANN to adopt the kind of post-GDPR Whois they want to see.

But even if we assume that is the case, and even if ICANN were to finalize its compliance model tomorrow, there appears to be little chance that it will be fully implemented at all registrars and registries in time for May 25.

The letter notes that the timetable is an estimate and does not apply to all contracted parties.

As I blogged earlier today, ICANN CEO Goran Marby has this week reached out to data protection authorities across the EU for guidance, in a letter that also asks the DPAs for an enforcement moratorium while the industry and community gets its act together.

Late last year, ICANN also committed not to enforce the Whois elements of its contracts when technical breaches are actually related to GDPR compliance.

4 Comments Tagged: , , ,