ICANN: we won’t force registrars to suspend domains

Kevin Murphy, October 2, 2015, Domain Registrars

In one of the ongoing battles between registrars and the intellectual property lobby, ICANN’s compliance department seems to have sided with the registrars, for now.

Registrars will not be forced to suspend domain names when people complain about abusive or illegal behavior on the associated web sites, according to chief contract compliance officer Allen Grogan.

The decision will please registrars but will come as a blow to the likes of music and movie studios and those who fight to shut down dodgy internet pharmacies.

Grogan yesterday published his interpretation of the 2013 Registrar Accreditation Agreement, specifically the section (3.18) that obliges registrars to “investigate and respond appropriately” to abuse reports.

The IP crowd take this to mean that if they submit an abuse report claiming, for example, that a web site sells medicines across borders without an appropriate license, the registrar should check out the site then turn off the domain.

Registrars, on the other hand, claim they’re in no position to make a judgment call about the legality of a site unless presented with a proper court order.

Grogan appears to have taken this view also, though he indicated that his work is not yet done. He wrote:

Sometimes a complaining party takes the position that there is only one appropriate response to a report of abuse or illegal activity, namely to suspend or terminate the domain name registration. In the same circumstances, a registrar may take the position that it is not qualified to make a determination regarding whether the activity in question is illegal and that the registrar is unwilling to suspend or terminate the domain name registration absent an order from a court of competent jurisdiction. I am continuing to work toward finding ways to bridge these gaps.

It’s a testament to how little agreement there is on this issue that, when we asked Grogan back in June how long it would take to provide clarity, he estimated it would take “a few weeks”. Yet it’s still not fully resolved.

His blog post last night contains a seven-point checklist that abuse reporters must conform to in order to give registrars enough detail to work with.

They must, for example, be specific about who they are, where the allegedly abusive content can be found, whose rights are being infringed, and which laws are being broken in which jurisdiction.

It also contains a six-point checklist for how registrars must respond.

Registrars are only obliged to investigate the URL in question (unless they fear exposure to malware or child abuse material), inform the registrant about the complaint, and inform the reporter what, if anything, they’ve done to remediate the situation.

There’s no obligation to suspend domains, and registrars seem to have great leeway in how they treat the report.

In short, Grogan has interpreted RAA 3.18 in a way that does not seem to place any substantial additional burden on registrars.

He’s convening a roundtable discussion for the forthcoming ICANN meeting in Dublin with a view to getting registrars to agree to some non-binding “voluntary self-regulatory” best practices.

Is the Defending Internet Freedom Act pro-crime?

The Defending Internet Freedom Act of 2015, introduced to the US Congress last month, contains a provision that could be interpreted as pro-pron, pro-piracy or even just pro-crime.

The act is designed to prevent the US giving up its oversight of ICANN/IANA unless certain quite strict conditions are met.

It’s a revised version of a bill that was introduced last year but didn’t make it through the legislative process.

Like the 2014 version, it says that the US cannot sever ties with ICANN until its bylaws have been amended in various ways, including:

ICANN is prohibited from engaging in activities unrelated to ICANN’s core mission or entering into an agreement or modifying an existing agreement to impose on a registrar or registry with which ICANN conducts business any condition (such as a condition relating to the regulation of content) that is unrelated to ICANN’s core mission.

It’s the “regulation of content” bit that caught my eye.

Presumably written as a fluffy, non-controversial protection against censorship, it ignores where the real content regulation conversations are happening within the ICANN community.

It’s a constant mantra of ICANN that it “doesn’t regulate content”, but the veracity of that assertion has been chipped away relentlessly over the last several years by law enforcement, governments and intellectual property interests.

Today, ICANN’s contracts are resplendent with examples of what could be argued is content regulation.

Take .sucks, for a timely example. Its Registry Agreement with ICANN contains provisions banning pornography, cyber-bullying and parked pages.

That’s three specific types of content that must not be allowed in any web site using a .sucks domain.

It’s one of the Public Interest Commitments that were voluntarily put forward by .sucks registry Vox Populi, but they’re still enforceable contract provisions.

Using a dispute resolution process (PICDRP), ICANN would be able to levy fines against Vox Pop, or terminate its contract entirely, if it repeatedly allows porn in .sucks web sites.

This sounds quite a lot like content regulation to me.

It’s not just .sucks, of course. Other registries have PICs that regulate the content of their gTLDs.

And every contracted new gTLD registry operator has to agree to this PIC:

Registry Operator will include a provision in its Registry-Registrar Agreement that requires Registrars to include in their Registration Agreements a provision prohibiting Registered Name Holders from distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law, and providing (consistent with applicable law and any related procedures) consequences for such activities including suspension of the domain name.

It’s convoluted, but it basically indirectly forces (via registrars) new gTLD domain registrants to, for example, agree to not infringe copyright.

The PIC is paired with a provision (3.18) of the 2013 Registrar Accreditation Agreement that requires all registrars to investigate and “take necessary and appropriate actions” in response to abuse reports within 24 hours of receipt.

Section 3.18 is essentially the RAA mechanism through which ICANN can enforce the PIC from the RA.

This is currently one of the most divisive issues in the ICANN community, as we witnessed during the recent Congressional hearings into ICANN oversight.

On the one hand, big copyright owners and online pharmacy watchdogs want ICANN to act much more ruthlessly against registrars that fail to immediately take down sites that they have identified as abusive.

On the other hand, some registrars say that they should not have to engage in regulating what content their customers publish, at least without court orders, in areas that can sometimes be amorphously grey and fuzzy.

Steve Metalitz, from a trade group that represents the movie and music industries at ICANN, told the US Congress that registrars are dismissing piracy reports without investigating them, and that “unless registrars comply in good faith, and ICANN undertakes meaningful and substantive action against those who will not, these provisions will simply languish as empty words”.

John Horton from pharmacy watchdog LegitScript used the same Congressional hearing to out several registrars he said were refusing to comply with 3.18.

One Canadian registrar named in Horton’s testimony told DI that every complaint it has received from LegitScript has been about a web site that is perfectly legal in Canada.

In at least some cases, it seems that those pushing for ICANN to more stringently regulate content may have “internet freedom” as the least of their concerns.

If the Defending Internet Freedom Act becomes law in the US, perhaps it could prove a boon to registries and registrars upset with constant meddling from rights owners and others.

On the other hand, perhaps it could also prove a boon for those operating outside the law.

Two legit registrars held to account for lack of abuse tracking

Kevin Murphy, January 26, 2015, Domain Registrars

ICANN Compliance’s campaign against registrars that fail to respond to abuse reports continued last week, with two registrars hit with breach notices.

The registrars in question are Above.com and Astutium, neither of which one would instinctively bundle in to the “rogue registrar” category.

Both companies have been told they’ve breached section 3.18.1 of their Registrar Accreditation Agreement, which says: “Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.”

Specifics were not given, but it seems that people filed abuse reports with the registrars then complained to ICANN when they did not get the response they wanted. ICANN then was unable to get the registrars to show evidence that they had responded.

Both companies have until February 12 to come back into compliance or risk losing their accreditations.

Domain investor-focused Above.com had over 150,000 gTLD domains on its books at the last official count. UK-based Astutium has fewer than 5,000 (though it says the current number, presumably including ccTLD names, is 53,350).

It’s becoming increasingly clear that registrars under the 2013 RAA are going to be held to account by ICANN to the somewhat vague requirements of 3.18.1, and that logging communications with abuse reports is now a must.

Big registrar dumps .uk — a glimpse of Christmas future?

Kevin Murphy, December 30, 2014, Domain Registrars

German registrar Cronon, which retails domains under the Strato brand, has stopped carrying .uk domains due to what it says are onerous Whois validation rules.

In a blog post, company spokesperson Christina Witt said that over one third of all .uk sales the registrar has been making are failing Nominet’s registry-end validation checks, which she said are “buggy”.

With the introduction of direct second-level registration under .uk, Nominet introduced a new requirement that all new domains must have a UK address in the Whois for legal service, even if the registrant is based overseas.

According to its web site, Nominet checks registrant addresses against the Royal Mail Postcode Address file, which contains over 29 million UK addresses, and does a confidence-based match.

If attempts to match the supplied address with a UK address in this file prove fruitless, and after outreach to the registrant, Nominet suspends the domain 30 days after registration and eventually deletes it.

It’s this policy of terminating domains that has caused Strato to despair and stop accepting new .uk registrations.

“Databases of street directories or company registers are often inaccurate and out of date,” Witt wrote (translated from the original German). “The result: addresses that are not wrong, in fact, are found to be invalid.”

Nominet is throwing back over a third of all .uk names registered via Strato, according to the blog post, creating a customer support nightmare.

Its affected registrants are also confused about the verification emails they receive from Nominet, a foreign company of which they have often never heard, Witt wrote.

I don’t know how many .uk names the registrar has under management, but it’s reasonably large in the gTLD space, with roughly 650,000 domains under management at the last count.

If Strato’s claim that Nominet is rejecting a third of valid addresses is correct (and how Strato could know they’re valid is open to question), that’s quite a scary statistic.

Nominet seems to be using an address database, from the Royal Mail, which is about as close to definitive as it gets. And it’s only verifying addresses from a single country.

I shudder to imagine what the false negative rate would be like for a gTLD registrar compelled to validate addresses across 200-odd countries and territories.

The latest version of the ICANN Registrar Accreditation Agreement requires registrars to partially validate addresses, such as checking whether the street and postal code exist in the given city, but there’s no requirement for domains to be suspended if these checks fail.

[UPDATE: Thanks to Michele Neylon of the Registrars Stakeholder Group for the reminder that this RAA requirement hasn’t actually come into force yet, and won’t until the RrSG and ICANN come to terms on its technical and commercial feasibility.]

Where the 2013 RAA does require suspension is when the registrant fails to verify their email address (or, less commonly, phone number), which as we’ve seen over the last year leads to hundreds of thousands of names being yanked for no good reason.

If Strato’s story about .uk is correct and its experience shared by other registrars, I expect that will become an important data point the next time law enforcement or other interests push for even stricter Whois rules in the ICANN world.

.health backer has cop-like takedown powers for all gTLDs in Japan

Kevin Murphy, December 8, 2014, Domain Registrars

LegitScript, a US company focused on eradicating illegal online pharmacies, which backs the .pharmacy and .health gTLDs, has been given police-like powers to have domain names taken down in Japan.

It has also emerged that when IP Mirror, a brand protection registrar, was hit with an embarrassing ICANN contract-breach notice in November, it was as a result of a LegitScript complaint.

Under section 3.18.2 of ICANN’s 2013 Registrar Accreditation Agreement, registrars must have a 24/7 abuse hotline that can be used by “law enforcement, consumer protection, quasi-governmental or other similar authorities” to report illegal activity.

Registrars must act on complaints made to the hotline within 24 hours, but only authorities designated by national governments get to use it.

Now, it transpires that LegitScript has been formally designated a 3.18.2 authority by the Japanese Ministry of Health, Labor and Welfare.

That means the US company’s complaints about domains hosting potentially illegal pharmacy sites have the same weight as complaints from the Japanese police, when made to registrars that have an office in Japan, even if they’re headquartered elsewhere.

IP Mirror, which was recently acquired by CSC Digital Brand Services, is based in Singapore but has an office in Tokyo.

As far as I can tell, most of the top 10 registrars do not have offices in Japan. KeyDrive (Moniker, Key-Systems etc) may be the exception. GMO is the largest registrar based in Japan.

LegitScript announced its relationship with the Japanese ministry in September (I missed it at the time) and company president John Horton provided some context to the IP Mirror breach notice on CircleID today.

I only report the deal today because it strikes me as noteworthy that a private enterprise has been given the same powers under the 2013 RAA as law enforcement and government consumer protection agencies — and it’s not even in its home territory.

Horton told DI today that while LegitScript is legally based in the US and has offices in the EU, only Japan has so far formally granted it 3.18.2 powers. He said in an email:

We only have formal Section 3.18.2 designation in Japan at present. We have some other endorsements or recommendations by or on behalf of government authorities, although they do not specifically reference Section 3.18.2. We work closely with the Italian Medicines Agency and the Irish Medicines Board, for example, and report rogue Internet pharmacies in consultation with them.

Horton pointed out that anybody is able to file abuse complaints under the 2013 RAA — and registrars are obliged to “take reasonable and prompt steps to investigate and respond appropriately”.

His CircleID piece cites two instances in which such complaints from LegitScript resulted in ICANN breach notices.

The chief difference is that under 3.18.2 registrars do not have much flexibility in their response times. They have to “take necessary and appropriate actions” within a black-and-white 24-hour deadline.

IP Mirror rapped for failing to deal with abuse

Kevin Murphy, November 17, 2014, Domain Registrars

Here’s something you don’t see every day: a corporate brand management registrar getting smacked by an ICANN breach notice.

Singapore-based registrar IP Mirror has been sent a warning by ICANN Compliance about a failure to respond to abuse complaints filed by law enforcement, which appears to be another first.

Under the 2013 Registrar Accreditation Agreement, registrars are obliged to have a 24/7 abuse hotline to field complaints from “law enforcement, consumer protection, quasi-governmental or other similar authorities” designated by the governments of places where they have a physical office.

According to its web site, IP Mirror has offices in Singapore, Australia, Canada, Hong Kong, Indonesia, Japan, Malaysia, South Korea, Taiwan and the UK, but ICANN’s breach notice does not specify which authority filed the complaint or which domains were allegedly abusive.

Registrars have to respond to such complaints within 24 hours, the RAA says.

The ICANN notice (pdf) takes the company to task for alleged breaches of other related parts of the RAA, such as failure to retain records about complaints and to publish an abuse contact on its web site.

The company has been given until December 5 to come back into compliance or risk losing its accreditation.

IP Mirror isn’t massive in terms of gTLD names. According to the latest registry reports it has somewhere in the region of 30,000 gTLD domains under management.

But it is almost 15 years old and establishment enough that it has been known to sponsor the occasional ICANN meeting. It’s not your typical Compliance target.

US-based Moniker gets Euro data retention waiver

Kevin Murphy, September 11, 2014, Domain Registrars

ICANN has approved Moniker’s request for a partial waiver of the Registrar Accreditation Agreement based on European privacy law, despite the fact that the registrar is based in the US.

The data retention waiver for Moniker was one of a few granted to members of the KeyDrive group of registrars that were approved by ICANN yesterday.

KeyDrive is based in Luxembourg, but the waiver request was granted because complying with the 2013 RAA could violate German privacy law and Moniker’s data is stored in Germany.

ICANN said:

Registrar’s technical backend services provider as well as data storage and collection occur on servers hosted and operated in Germany, and is subject to German law. Accordingly, ICANN has determined that it is appropriate to grant Registrar a data retention waiver

Group members Key-Systems AG (a German company) and Key-Systems LLC (an American company) also received waivers yesterday.

InternetX, part of Germany-based United Internet, and http.net Internet also had their requests approved.

The waiver process was introduced because the 2013 RAA requires registrars to store customer data long after their domains expire, which registrars’ lawyers say forces them to break local laws.

An EU directive implemented in many European countries says that companies cannot store personal data for longer than it is needed for the purpose for which it was collected.

ICANN terminates billion-dollar gTLD applicant over unpaid $3,000 bill

Kevin Murphy, August 27, 2014, Domain Registrars

Telefonica Brasil, part of the massive Telefonica group of telecoms companies, has lost its registrar accreditation after failing to pay its ICANN fees.

The company, which had revenue last year of $14.6 billion, is facing termination of its Registrar Accreditation Agreement over the pitiful sum of $3,082.12.

It’s also embarrassing because Telefonica is applying for the new gTLD .vivo, its consumer brand in Brazil, which will require it to sign a Registry Agreement with ICANN.

I don’t think the loss of the RAA affects the company’s ability to get its gTLD contracted and delegated.

According to ICANN (pdf), Telefonica also failed to comply with the Registrar Information Specification, a pretty basic rule in the 2013 Registrar Accreditation Agreement requiring registrars to provide their address and names of officers and any parent companies.

The company has no gTLD names under management, so registrants will not be affected by the termination, which will take effect September 25.

ICANN sent its initial breach notice in July, but Telefonica did not comply before the August deadline. It also received a breach notice over an unpaid $10,000 bill a year ago.

Are Whois email checks doing more harm than good?

“Tens of thousands” of web sites are going dark due to ICANN’s new email verification requirements and registrars are demanding to know how this sacrifice is helping solve crimes.

These claims and demands were made in meetings between registrars and ICANN’s board and management at the ICANN 49 meeting in Singapore last week.

Go Daddy director of policy planning James Bladel and Tucows CEO Elliot Noss questioned the benefit of the 2013 Registrar Accreditation Agreement during a Tuesday session.

The 2013 RAA requires registrars to verify that registrants’ email addresses are accurate. If registrants do not respond to verification emails within 15 days, their domains are turned off.

There have been many news stories and blog posts recounting how legitimate webmasters found their sites gone dark due to an overlooked verification email.

Just looking at my Twitter stream for an “icann” search, I see several complaints about the process every week, made by registrants whose web sites and email accounts have disappeared.

Noss told the ICANN board that the requirement has created a “demonstrable burden” for registrants.

“If you cared to hear operationally you would hear about tens and hundreds of thousands of terrible stories that are happening to legitimate businesses and individuals,” he said.

Noss told DI today that Tucows is currently compiling some statistics to illustrate the scale of the problem, but it’s not yet clear what the company plans to do with the data.

At the Singapore meeting, he asked ICANN to go to the law enforcement agencies that demanded Whois verification in the first place to ask for data showing that the new rules are also doing some good.

“What crime has been forestalled?” he said. “What issues around fraud? We heard about pedophilia regularly from law enforcement. What has any of this done to create benefits in that direction?”

Registrars have a renewed concern about this now because there are moves afoot in other fora, such as the group working on new rules for privacy and proxy services, for even greater Whois verification.

Bladel pointed to an exchange at the ICANN meeting in Durban last July, during which ICANN CEO Fadi Chehade suggested that ICANN would not entertain requests for more Whois verification until law enforcement had demonstrated that the 2013 RAA requirements had had benefits.

The exact Chehade line, from the Durban public forum transcript, was:

law enforcement, before they ask for more, we put them on notice that they need to tell us what was the impact of what we did for them already, which had costs on the implementers.

Quoted back to himself, in Singapore Chehade told Bladel: “It will be done by London.”

Speaking at greater length, director Mike Silber said:

What I cannot do is force law enforcement to give us anything. But I think what we can do is press the point home with law enforcement that if they want more, and if they want greater compliance and if they want greater collaborations, it would be very useful to show the people going through the exercise what benefits law enforcement are receiving from it.

So will law enforcement agencies be able to come up with any hard data by London, just a few months from now?

It seems unlikely to me. The 2013 RAA requirements only came into force in January, so the impact on the overall cleanliness of the various Whois databases is likely to be slim so far.

I also wonder whether law enforcement agencies track the accuracy of Whois in any meaningfully quantitative way. Anecdotes and color may not cut the mustard.

But it does seem likely that the registrars are going to have data to back up their side of the argument — customer service logs, verification email response rates and so forth — by London.

They want the 2013 RAA Whois verification rules rethought and removed from the contract and the ICANN board so far seems fairly responsive to their concerns.

Law enforcement may be about to find itself on the back foot in this long-running debate.

French registrar gets Whois data waiver

Kevin Murphy, March 14, 2014, Domain Registrars

The French registrar OVH has been told by ICANN that it can opt out of a requirement to retain its customers’ contact data for two years after their domain names expire.

The move potentially means many more registrars based in the European Union will be able to sign the 2013 Registrar Accreditation Agreement and start selling new gTLD domains without breaking the law.

OVH was among the first to request a waiver to the 2013 RAA’s data retention provisions, which EU authorities say are illegal.

ICANN said last night:

ICANN agrees that, following Registrar’s execution of the 2013 RAA, for purposes of assessing Registrar’s compliance with the data retention requirement of Paragraph 1.1 of the Data Retention Specification in the 2013 RAA, the period of “two additional years” in Paragraph 1.1 of the Data Retention Specification will be deemed modified to “one additional year.”

It’s a minor change, maybe, and many EU-based registrars have been signing the 2013 RAA regardless, but many others have resisted the new contract in fear of breaking local laws.

Now that OVH has had its waiver granted, it’s looking promising that ICANN will also start to allow other EU registrars that have requested waivers to opt out.

ICANN has been criticized for dragging its feet on this issue, and I gather OVH is still the only registrar to have been given the ability to opt out.