Latest news of the domain name industry

Recent Posts

Euro registrars miffed about ICANN privacy delays

Kevin Murphy, February 21, 2014, Domain Registrars

Registrars based in the European Union are becoming increasingly disgruntled by what they see as ICANN dragging its feet over registrant privacy rules.

Some are even refusing to sign the 2013 Registrar Accreditation Agreement until they receive formal assurances that ICANN won’t force them to break their local privacy laws.

The 2013 RAA, which is required if a registrar wants to sell new gTLD domains, requires registrars to keep hold of registrant data for two years after their registrations expire.

Several European authorities have said that this would be illegal under EU privacy directives, and ICANN has agreed to allow registrars in the EU to opt out of the relevant provisions.

Today, Luxembourgish registrar EuroDNS said it asked for a waiver of the data retention clauses on December 2, but has not heard back from ICANN over two months later.

The company had provided ICANN with the written legal opinion of Luxembourg’s Data Protection Agency

In a snippy letter (pdf) to ICANN, EuroDNS CEO Lutz Berneke wrote:

Although we understand that your legal department is solely composed of lawyers educated in US laws, a mere translation of the written guidance supporting our request should confirm our claim and allow ICANN to make its preliminary determination.

EuroDNS has actually signed the 2013 RAA, but says it will not abide by the provisions it has been told would be illegal locally.

Elsewhere in Europe, Ireland’s Blacknight Solutions, said two weeks ago that it had requested its waiver September 17 and had not yet received a pass from ICANN.

“Why is it my problem that ICANN doesn’t understand EU law? Why should our business be impacted negatively due to ICANN’s inability to listen?” CEO Michele Neylon blogged. “[W]hile this entire farce plays out we are unable to offer new top level domains to our clients.”

But while Blacknight is still on the old 2009 RAA, other European registrars seem to have signed the 2013 version some time ago, and are already selling quite a lot of new gTLD domains.

Germany’s United-Domains, for example, appears to be the third-largest new gTLD registrar, if name server records are anything to go by, with the UK’s 123-Reg also in the top ten.

ICANN is currently operating a public comment period on the waiver request of OVH, a French registrar, which ICANN says it is “prepared to grant”.

That comment period is not scheduled to end until February 27, however, so it seems registrars agitated about foot-dragging have a while to wait yet before they get what they want.

EU body tells ICANN that 2013 RAA really is illegal

Kevin Murphy, January 29, 2014, Domain Registrars

A European Union data protection body has told ICANN for a second time — after being snubbed the first — that parts of the 2013 Registrar Accreditation Agreement are in conflict with EU law.

The Article 29 Data Protection Working Party, which is made up of the data protection commissioners in all 28 EU member states, reiterated its claim in a letter (pdf) sent earlier this month.

In the letter, the Working Party takes issue with the part of the RAA that requires registrars to keep hold of customers’ Whois data for two years after their registrations expire. It says:

The Working Party’s objection to the Data Retention Requirement in the 2013 RAA arises because the requirement is not compatible with Article 6(e) of the European Data Protection Directive 95/46/EC which states that personal data must be:

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected”

The 2013 RAA fails to specify a legitimate purpose which is compatible with the purpose for which the data was collected, for the retention of personal data of a period of two years after the life of a domain registration or six months from the relevant transaction respectively.

Under ICANN practice, any registrar may request an opt out of the RAA data retention clauses if they can present a legal opinion to the effect that to comply would be in violation of local laws.

The Working Party told ICANN the same thing in July last year, clearly under the impression that its statement would create a blanket opinion covering all EU-based registrars.

But a week later ICANN VP Cyrus Namazi told ICANN’s Governmental Advisory Committee that the Working Party was “not a legal authority” as far as ICANN is concerned.

The Working Party is clearly a bit miffed at the snub, telling ICANN this month:

The Working Party regrets that ICANN does not acknowledge our correspondence as written guidance to support the Waiver application of a Registrar operating in Europe.

the Working Party would request that ICANN accepts the Working Party’s position as appropriate written guidance which can accompany a Registrar’s Data Retention Waiver Request.

It points out that the data protection commissioners of all 28 member states have confirmed that the letter “reflects the legal position in their member state”.

ICANN has so far processed one waiver request, made by the French registrar OVH, as we reported earlier this week.

Weirdly, the written legal opinion used to support the OVH request is a three-page missive by Blandine Poidevin of the French law firm Jurisexpert, which cites the original Working Party letter heavily.

It also cites letters from CNIL, the French data protection authority, which seem to merely confirm the opinion of the Working Party (of which it is of course a member).

EU registrars seem to be in a position here where in order to have the Working Party’s letter taken seriously by ICANN, they have to pay a high street lawyer to endorse it.

First European registrar to get Whois data opt-out

Kevin Murphy, January 28, 2014, Domain Registrars

ICANN plans to give a French registrar the ability to opt out of parts of the 2013 Registrar Accreditation Agreement due to data privacy concerns.

OVH, the 14th-largest registrar of gTLD domains, asked ICANN to waive parts of the RAA that would require it to keep hold of registrant Whois data for two years after it stops having a relationship with the customer.

The company asked for the requirement to be reduced to one year, based on a French law and a European Union Directive.

ICANN told registrars last April that they would be able to opt-out of these rules if they provided a written opinion from a local jurist opining that to comply would be illegal.

OVH has provided such an opinion and now ICANN, having decided on a preliminary basis to grant the request, is asking for comments before making a final decision.

If granted, it would apply to “would apply to similar waivers requested by other registrars located in the same jurisdiction”, ICANN said.

It’s not clear if that means France or the whole EU — my guess is France, given that EU Directives can be implemented in different ways in different member states.

Throughout the 2013 RAA negotiation process, data privacy was a recurring concern for EU registrars. It’s not just a French issue.

ICANN has more details, including OVH’s request and links for commenting, here.

Latest Go Daddy phishing attack unrelated to 2013 RAA

Kevin Murphy, January 6, 2014, Domain Registrars

Fears that the 2013 Registrar Accreditation Agreement would lead to new phishing attacks appear to be unfounded, at least so far.

The 2013 RAA, which came into force at most of the big registrars on January 1, requires registrars to verify the registrant’s email address or phone number whenever a new name is registered.

It was long predicted that this new provision — demanded by law enforcement — would lead to phishers exploiting registrant confusion, obtaining login credentials, and stealing valuable domain names.

Over the weekend, it looked like this prediction had come true, with posts over at DNForum saying that a new Go Daddy scam was doing the rounds and reports that it was related to the 2013 RAA changes.

I disagree. Shane Cultra posted a screenshot of the latest scam on his blog, alongside a screenshot of Go Daddy’s actual verification email, and the two are completely dissimilar.

The big giveaways are the “Whois Data Reminder” banner and “Reminder to verify the accuracy of Whois data” subject line.

The new attack is not exploiting the new 2013 RAA Whois verification requirements, it’s exploiting the 10-year-old Whois Data Reminder Policy, which requires registrars annually to remind their customers to keep their contact details accurate.

In fact, the language of the new scam has been used in phishing attacks against registrants since at least 2010.

That’s not to say the attack is harmless, of course — the attacker is still going to steal the contents of your Go Daddy account if you fall for it.

We probably will see attacks specifically targeting confusion about the new address verification policy in future, but it seems to me that the confusion we’re seeing with the latest scam may be coincidental.

Go Daddy told DI yesterday that the scam site in question had already been shut down. It’s not clear if anyone fell for it while it was live.

Registrars given access to Trademark Clearinghouse

Kevin Murphy, October 5, 2013, Domain Registrars

Accredited registrars on older contracts can now get access to the Trademark Clearinghouse for testing purposes, ICANN announced last night.

Previously, ICANN was only handing out credentials to registrars on the new 2013 Registrar Accreditation Agreement, but many registrars complained that this didn’t give them time to evaluate the TMCH and the RAA at the same time.

ICANN had originally argued that the restriction made sense because the TMCH is used only for new gTLDs, and registrars must have signed the 2013 RAA to sell new gTLD domains.

But feedback from registrars has helped it change its mind. ICANN said:

all ICANN accredited Registrars, not just those that have signed the 2013 Registrar Accreditation Agreement (RAA), will be able to request registration tokens and start testing their systems with the Trademark Clearinghouse database before it must begin its authenticating and verifying services for trademark data.

Instruction for signing up for TMCH testing can be found here.

ICANN says Article 29 letter does not give EU registrars privacy opt-out

Kevin Murphy, July 15, 2013, Domain Policy

Registrars based in the European Union won’t immediately be able to opt out of “illegal” data retention provisions in the new 2013 Registrar Accreditation Agreement, according to ICANN.

ICANN VP Cyrus Namazi on Saturday told the Governmental Advisory Committee that a recent letter from the Article 29 Working Party, which comprises the data protection authorities of EU member states, is “not a legal authority”.

Article 29 told ICANN last month that the RAA’s provisions requiring registrars to hold registrant data for two years after the domain expires were “illegal”.

While the RAA allows registrars to opt out of clauses that would be illegal for them to comply with, they can only do so with the confirmation of an adequate legal opinion.

The Article 29 letter was designed to give EU registrars that legal opinion across the board.

But according to Namazi, the letter does not meet the test. In response to a question from the Netherlands, he told the GAC:

We accept it from being an authority, but it’s not a legal authority, is our interpretation of it. That it actually has not been adopted into legislation by the EU. When and if it becomes adopted then of course there are certain steps to ensure that our contracted parties are in line with — in compliance with it. But we look at them as an authority but not a legal authority at this stage.

It seems that when the privacy watchdogs of the entire European Union tell ICANN that it is in violation of EU privacy law, that’s not taken as an indication that it is in fact in violation of EU privacy law.

The European Commission representative on the GAC expressed concern about this development during Saturday’s session, which took place at ICANN 47 in Durban, South Africa.

2013 RAA is illegal, says EU privacy watchdog

European privacy regulators have slammed the new 2013 Registrar Accreditation Agreement, saying it would be illegal for registrars based in the EU to comply with it.

The Article 29 Working Party, which comprises privacy regulators from the 27 European Union nations, had harsh words for the part of the contract that requires registrars to store data about registrants for two years after their domains expire.

In a letter (pdf) to ICANN last month, Article 29 states plainly that such provisions would be illegal in the EU:

The fact that these personal data can be useful for law enforcement does not legitimise the retention of these personal data after termination of the contract. Because there is no legal ground for the data processing, the proposed data retention requirement violates data protection law in Europe.

The 2013 RAA allows any registrar to opt out of the data retention provisions if it can prove that to comply would be illegal its own jurisdiction.

The Article 29 letter has been sent to act as blanket proof of this for all EU-based registrars, but it’s not yet clear if ICANN will treat it as such.

The letter goes on to sharply criticize ICANN for allowing itself to be used by governments (and big copyright interests) to circumvent their own legislative processes. It says:

The fact that these data may be useful for law enforcement (including copyright enforcement by private parties) does not equal a necessity to retain these data after termination of the contract.

the Working Party reiterates its strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement.

If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation

So why is ICANN trying to get many of its registrars to break the law?

While it’s tempting to follow the Article 29 WP’s reasoning and blame law enforcement agencies and the Governmental Advisory Committee, which pushed for the new RAA to be created in the first place, the illegal data retention provisions appear to be entirely ICANN’s handiwork.

The original law enforcement demands (pdf) say registrars should “securely collect and store” data about registrants, but there’s no mention of the period for which it should be stored.

And while the GAC has expressly supported the LEA recommendations since 2010, it has always said that ICANN should comply with privacy laws in their implementation.

The GAC does not appear to have added any of its own recommendations relating to data retention.

ICANN can’t claim it was unaware that the new RAA might be illegal for some registrars either. The Article 29 WP told it so last September, causing ICANN to introduce the idea of exemptions.

However, the European Commission’s GAC representative then seemed to dismiss the WP’s concerns during ICANN’s public meeting in Toronto last October.

Perhaps ICANN was justifiably confused by these mixed messages.

According to Michele Neylon, chair of the Registrars Stakeholder Group, it has yet to respond to European registrars’ inquiries about the Article 29 letter, which was sent June 6.

“We hope that ICANN staff will take the letter into consideration, as it is clear that the data protection authorities do not want create extra work either for themselves or for registrars,” Neylon said.

“For European registrars, and non-European registrars with a customer base in the EU, we look forward to ICANN staff providing us with clarity on how we can deal with this matter and respect EU and national law,” he said.

ICANN approves 2013 RAA

ICANN has approved a new version of its standard Registrar Accreditation Agreement, after almost two years of talks with registrars.

The new 2013 RAA will be obligatory for any registrar that wants to sell new gTLD domain names, and may in future become obligatory for .org, .info and .biz.

The new deal’s primary changes include obligations for registrars to verify email addresses supplied for Whois records as well as stronger oversight on proxy/privacy services and resellers.

Akram Atallah, president of ICANN’s new Generic Domains Division said in a statement:

In no small way this agreement is transformational for the domain name industry. Our multiple stakeholders weighed in, from law enforcement, to business, to consumers and what we have ended up with is something that affords better protections and positively redefines the domain name industry.

Registrars Stakeholder Group chair Michele Neylon told DI:

The 2013 RAA does include lot of changes that will be welcomed by the broad community. It addresses the concerns of the Governmental Advisory Committee, it addresses the concerns of law enforcement, it addresses the concerns of IP rights advocates, end user consumer groups and many others.

But Neylon warned that ICANN will need “proactive outreach” to registrars, particularly those that do not regularly participate in the ICANN community or do not have English as their first language.

The new RAA puts a lot of new obligations on registrars that they all need to be fully aware of, he said.

“The unfortunate reality is that a lot of companies may sign contracts without being aware of what they’re agreeing to,” Neylon said. “The entire exercise could be seen as a failure if the outliers — registrars not actively engaged in the ICANN process or whose first language is not English — are not communicated with.”

A new RAA was also considered a gateway event for the launch of new gTLDs, so applicants have a reason to be cheerful today.

New .org contract could make registrars sign up to 2013 RAA

Registrars risk losing their right to sell .org domain names unless they sign up to the new 2013 Registrar Accreditation Agreement.

The change is among several proposed to Public Interest Registry’s .org Registry Agreement with ICANN, which was published for public comment over the weekend.

Amendments to the .org RA, which came to the end of its six-year term in April, are very similar to those put forward for the .info and .biz contracts last month.

But .org is a far larger and more popular TLD, putting more pressure on more registrars to sign up to the 2013 RAA, with its new Whois verification and privacy service obligations.

For registrars on the 2009 and 2001 RAAs, the clock would start ticking the day that registrars representing two thirds of all .org registrations sign the 2013 RAA.

That threshold could be met in .org if the top eight or nine registrars make the switch.

PIR would then get 60 days to tell its remaining registrars that they have 270 days to move to the new RAA. Any registrar that failed to adopt it in that time would lose its right to sell .org domain names.

As with the .info and .biz contracts, the provisions related to the 2013 RAA would only kick in if Verisign asks for the same changes for its .com and .net agreements, which may never happen.

Other changes proposed for the .org contract include:

  • Cross-ownership restrictions. PIR will be able to own a registrar under the new deal, lifting the long-standing ban on gTLD registries selling domains in their own TLD.
  • Price increases. PIR will be able to raise its .org registry fee by 10% per year, from its current level of $8.25.
  • Code of Conduct. PIR will have to abide by the same registry Code of Conduct as new gTLD operators, which contains provisions mainly related to equal registrar access.

The propose .org contract is open for public comment until August 12.

New registrar contract could be approved next week

ICANN’s board of directors is set to vote next week on the 2013 Registrar Accreditation agreement, but we hear some last-minute objections have emerged from registrars.

The new RAA has been about two years in the making. It will make registrars verify email addresses and do some rudimentary mailing address validation when new domains are registered.

It will also set in motion a process for ICANN oversight of proxy/privacy services and some aspects of the reseller business. In order to sell domain names in new gTLDs, registrars will have to sign up to the 2013 RAA.

ICANN has put approval of the contract on its board’s June 27 agenda.

But I gather that some registrars are unhappy about some last-minute changes ICANN has made to the draft deal.

For one, some linguistic tweaks to the text have given registrars an “advisory” role in seeking out technical ways to do the aforementioned address validation, which has caused some concern that ICANN may try to mandate expensive commercial solutions without their approval.

There also appears to be some concern that the new contract now requires registrars to make sure their resellers follow the same rules on proxy/privacy services, which wasn’t in previous drafts.