Whois privacy services will become regulated by ICANN under proposals published today, but there’s a big disagreement about whether all companies should be allowed to use them.
A working group has released the first draft of its recommendations covering privacy and proxy services, which mask the identity and contact details of domain registrants.
The report says that P/P services should be accredited by ICANN much like registrars are today.
Registrars should be obliged to disclose which such services they operate or are affilated with, presumably at the risk of their Registrar Accreditation Agreement if they do not comply, the report recommends.
A highlight of the paper is a set of proposed rules governing the release of private Whois data when it is requested by intellectual property interests.
Under the proposed rules, privacy services would not be allowed to reject such requests purely because the alleged infringement deals with the content of a web site rather than just the domain.
So the identity of a private registrant of a non-infringing domain would be vulnerable to disclosure if, for example, the domain hosted bootleg content.
Registrars would be able to charge IP owners a nominal “cost recovery” fee in order to process requests and would be able to ignore spammy automated requests that did not appear to have been manually vetted.
There’d be a new arbitration process that would kick in to resolve disputes between IP interests and P/P service providers.
The 98 pages of recommendations (pdf) were drafted by the Generic Names Supporting Organization’s Privacy & Proxy Services Accreditation Issues Working Group (PPSAI) and opened for public comment today.
There are a lot of gaps in the report. Work, it seems, still needs to be done.
For example, it acknowledges that the working group didn’t reach any conclusions about what should happen when law enforcement agencies ask for private data.
The group was dominated by registrars and IP interests. There was only one LEA representative and only one governmental representative, and they participated in a very small number of teleconferences.
There was also a sharp division on the issue of who should be able to use privacy services, with two dissenting opinions attached to the report.
One faction, led by MarkMonitor and including Facebook, Domain Tools and fake pharmacy watchdog LegitScript, said that any company that engages in e-commerce transactions should be ineligible for privacy, saying: “Transparent information helps prevent malicious activity”.
Another group, comprising a handful of non-commercial stakeholders, said that no kind of activity should prevent you from registering a domain privately, pointing to the example of persecuted political groups using web sites to raise funds.
There was a general consensus, however, than merely being a commercial entity should not alone exclude you from using a P/P service.
Currently, registrar signatories to the 2013 RAA are bound by a temporary P/P policy that is set to expire January 2017 or whenever the P/P accreditation process starts.
There are a lot of recommendations in the report, and I’ve only touched on a handful here. The public comment period closes July 7.
Almost three quarters of the security breaches logged against ICANN’s new gTLD portal occurred over a three-month period in early 2014, DI can reveal.
Almost every incident of a new gTLD applicant coming across data they weren’t supposed to see — 322 of the 330 total — happened before the end of October last year, ICANN told DI.
Most — 244 of the 330 — happened before April 30 last year.
The first breach, discovered by an independent audit of the portal, was January 22 2014.
ICANN says it was first notified of there being a problem on February 27, 2015.
The improper data disclosures were announced by ICANN last week.
As we reported, a simple configuration error by ICANN in third-party software allowed users of the Global Domains Division portal — all new gTLD applicants — to view confidential data belonging to other applicants.
Documents revealed could have included sensitive financial projections and registry technical details.
My first assumption was that the majority of the incidents — which have been deliberate or accidental — were relatively recent, but that turns out not to be the case.
In fact, if anyone did download data they weren’t supposed to see, most of them did it over a year ago.
ICANN has been notifying applicants and registries about whether their own data was compromised and expects to have told each affected applicant which other applicants could have seen their data before May 27.
Ninety-six applicants and 21 registries were affected.
The sunrise periods for .porn and .adult netted just shy of 4,000 domains per TLD, according to ICM Registry.
The company said .porn received 3,995 registrations while .adult trailed slightly with 3,902.
Those numbers are a combination of regular Trademark Clearinghouse sunrise registrations and Sunrise B registrations.
The ICANN-mandated sunrise periods ended April 1 and were followed by unique Sunrise B periods, during which anyone who bought a .xxx block in 2011 could register the matching new gTLD names.
This time, however, Sunrise B domains actually do resolve.
I believe the the Sunrise B phases accounted for something like 1,500 names apiece.
The previous high bar for 2012-round new gTLD sunrises was .london, with just over 800 registrations.
While .porn and .adult may be record breakers for this round, sales were just a twentieth of the levels seen when .xxx launched in 2011 — about 80,000 names were defensively registered back then.
Later this week, ICM will kick off another launch phase — Domain Matching — during which anyone who owned a .xxx domain prior to April 30 can get their matching .porn and .adult names.
General availability is scheduled for June 4.
.sucks registry Vox Populi has annoyed intellectual property interests by trolling a trademark conference with a .sucks mobile billboard.
As tweeted by corporate registrar Marksmen, which described the move as “naked aggression”, attendees to the International Trademark Association conference in San Diego, California saw this roaming the streets this weekend.
— Marksmen (@MarksmenTweets) May 3, 2015
Vox Pop also has a booth at INTA 2015.
The company says .sucks is an opportunity for brands to engage more effectively with their customers, but most IP interests think it looks more like extortion.
The high annual $2,000+ sunrise fee has a lot to do with that, as does the special “Sunrise Premium” list of trademarks that will always incur similarly high prices.
Update: According to a reader, who submitted this photo, Vox Pop is also giving out free .sucks-branded condoms.
Secret financial projections were among 330 pieces of confidential data revealed by an ICANN security bug.
Over the last two years, a total of 19 new gTLD applicants used the bug to access data belonging to 96 applicants and 21 registry operators.
That’s according to ICANN, which released the results of a third-party audit this afternoon.
Ashwin Rangan, ICANN’s new chief information and innovation officer, confirmed to DI this afternoon that the data revealed to unauthorized users included private financial and technical documents that gTLD applicants attached to their applications.
It would have included, for example, documents that dot-brand applicants reluctantly submitted to demonstrate their financial health.
But Rangan said it was not clear whether the glitch had been exploited deliberately or accidentally.
While saying the situation was “very deeply regrettable”, he added that applicant data deemed confidential when it was submitted back in 2012 may not be considered as such today.
The vulnerability was in ICANN’s Global Domains Division Portal, which was taken offline for three days at the end of February and early March after the bug was reported by a user.
Two outside consulting firms were brought in to scan access logs going back to the launch of the new gTLD portal back in April 2013.
What they found was that any user of the portal could access any attachment to any application, whether it belonged to them or a third-party applicant, simply by checking a radio button in the advanced search feature.
It was a misconfiguration by ICANN of the Salesforce.com software used by GDD, rather than a coding error, Rangan said.
“The public/private data sharing setting can be On or Off and here it was set to On,” he said.
On 330 occasions, starting “in earliest part of when the portal first became available” two years ago, these 19 users would have been exposed to data they were not supposed to be able to see.
The audit has been unable to determine whether the users actually downloaded confidential data on those occasions.
What’s confirmed is that only new gTLD applicants were able to use the glitch. No third-party hackers were involved.
The 19 users who, whether they meant to or not, exploited this vulnerability are now going to be sent letters asking them to explain themselves. They’ll also be asked to delete anything they downloaded and to not share it with third parties.
Before May 27, ICANN will also contact those applicants whose secret data was exposed, telling them which rival applicants could have seen it.
Rangan said that there have been almost 600,000 GDD sessions in the last two years, and that only 36 of them revealed data to unauthorized users.
“It’s a small fraction,” he said. “The question is whether they just stumbled across something they were not even aware of… Looking at the log files it is not clear what is the case.”
ICANN seems to be giving the 19 users the benefit of the doubt so far, but still wants them to explain their actions.
As CIO, Rangan was not able to comment on whether the breach exposes ICANN or applicants to any kind of legal liability.
It’s not the first time sensitive applicant data has been exposed. Back in 2012, DI discovered that the home addresses of the directors of applicants had been published, despite promises that they would remain private.
At the time of the original GDD portal misconfiguration, ICANN had noted security expert Jeff “The Dark Tangent” Moss as its chief security officer.
Earlier this week, ICANN’s board of directors authorized expenses of over $500,000 to carry out security audits of ICANN’s code.