Latest news of the domain name industry

Recent Posts

IP Mirror rapped for failing to deal with abuse

Kevin Murphy, November 17, 2014, Domain Registrars

Here’s something you don’t see every day: a corporate brand management registrar getting smacked by an ICANN breach notice.

Singapore-based registrar IP Mirror has been sent a warning by ICANN Compliance about a failure to respond to abuse complaints filed by law enforcement, which appears to be another first.

Under the 2013 Registrar Accreditation Agreement, registrars are obliged to have a 24/7 abuse hotline to field complaints from “law enforcement, consumer protection, quasi-governmental or other similar authorities” designated by the governments of places where they have a physical office.

According to its web site, IP Mirror has offices in Singapore, Australia, Canada, Hong Kong, Indonesia, Japan, Malaysia, South Korea, Taiwan and the UK, but ICANN’s breach notice does not specify which authority filed the complaint or which domains were allegedly abusive.

Registrars have to respond to such complaints within 24 hours, the RAA says.

The ICANN notice (pdf) takes the company to task for alleged breaches of other related parts of the RAA, such as failure to retain records about complaints and to publish an abuse contact on its web site.

The company has been given until December 5 to come back into compliance or risk losing its accreditation.

IP Mirror isn’t massive in terms of gTLD names. According to the latest registry reports it has somewhere in the region of 30,000 gTLD domains under management.

But it is almost 15 years old and establishment enough that it has been known to sponsor the occasional ICANN meeting. It’s not your typical Compliance target.

US-based Moniker gets Euro data retention waiver

Kevin Murphy, September 11, 2014, Domain Registrars

ICANN has approved Moniker’s request for a partial waiver of the Registrar Accreditation Agreement based on European privacy law, despite the fact that the registrar is based in the US.

The data retention waiver for Moniker was one of a few granted to members of the KeyDrive group of registrars that were approved by ICANN yesterday.

KeyDrive is based in Luxembourg, but the waiver request was granted because complying with the 2013 RAA could violate German privacy law and Moniker’s data is stored in Germany.

ICANN said:

Registrar’s technical backend services provider as well as data storage and collection occur on servers hosted and operated in Germany, and is subject to German law. Accordingly, ICANN has determined that it is appropriate to grant Registrar a data retention waiver

Group members Key-Systems AG (a German company) Key-Systems LLC (an American company) also received waivers yesterday.

InternetX, part of Germany-based United Internet, and http.net Internet also had their requests approved.

The waiver process was introduced because the 2013 RAA requires registrars to store customer data long after their domains expire, which registrars’ lawyers say forces them to break local laws.

An EU directive implemented in many European countries says that companies cannot store personal data for longer than it is needed for the purpose for which is was collected.

ICANN terminates billion-dollar gTLD applicant over unpaid $3,000 bill

Kevin Murphy, August 27, 2014, Domain Registrars

Telefonica Brasil, part of the massive Telefonica group of telecoms companies, has lost its registrar accreditation after failing to pay its ICANN fees.

The company, which had revenue last year of $14.6 billion, is facing termination of its Registrar Accreditation Agreement over the pitiful sum of $3,082.12.

It’s also embarrassing because Telefonica is applying for the new gTLD .vivo, its consumer brand in Brasil, which will require it to sign a Registry Agreement with ICANN.

I don’t think the loss of the RAA affects the company’s ability to get its gTLD contracted and delegated.

According to ICANN (pdf), Telefonica also failed to comply with the Registrar Information Specification, a pretty basic rule in the 2013 Registrar Accreditation Agreement requiring registrars to provide their address and names of officers and any parent companies.

The company has no gTLD names under management, so registrants will not be affected by the termination, which will take effect September 25.

ICANN sent its initial breach notice in July, but Telefonica did not comply before the August deadline. It also received a breach notice over an unpaid $10,000 bill a year ago.

Are Whois email checks doing more harm than good?

“Tens of thousands” of web sites are going dark due to ICANN’s new email verification requirements and registrars are demanding to know how this sacrifice is helping solve crimes.

These claims and demands were made in meetings between registrars and ICANN’s board and management at the ICANN 49 meeting in Singapore last week.

Go Daddy director of policy planning James Bladel and Tucows CEO Elliot Noss questioned the benefit of the 2013 Registrar Accreditation Agreement during a Tuesday session.

The 2013 RAA requires registrars to verify that registrants’ email addresses are accurate. If registrants do not respond to verification emails within 15 days, their domains are turned off.

There have been many news stories and blog posts recounting how legitimate webmasters found their sites gone dark due to an overlooked verification email.

Just looking at my Twitter stream for an “icann” search, I see several complaints about the process every week, made by registrants whose web sites and email accounts have disappeared.

Noss told the ICANN board that the requirement has created a “demonstrable burden” for registrants.

“If you cared to hear operationally you would hear about tens and hundreds of thousands of terrible stories that are happening to legitimate businesses and individuals,” he said.

Noss told DI today that Tucows is currently compiling some statistics to illustrate the scale of the problem, but it’s not yet clear what the company plans to do with the data.

At the Singapore meeting, he asked ICANN to go to the law enforcement agencies that demanded Whois verification in the first place to ask for data showing that the new rules are also doing some good.

“What crime has been forestalled?” he said. “What issues around fraud? We heard about pedophilia regularly from law enforcement. What has any of this done to create benefits in that direction?”

Registrars have a renewed concern about this now because there are moves afoot in other fora, such as the group working on new rules for privacy and proxy services, for even greater Whois verification.

Bladel pointed to an exchange at the ICANN meeting in Durban last July, during which ICANN CEO Fadi Chehade suggested that ICANN would not entertain requests for more Whois verification until law enforcement had demonstrated that the 2013 RAA requirements had had benefits.

The exact Chehade line, from the Durban public forum transcript, was:

law enforcement, before they ask for more, we put them on notice that they need to tell us what was the impact of what we did for them already, which had costs on the implementers.

Quoted back to himself, in Singapore Chehade told Bladel: “It will be done by London.”

Speaking at greater length, director Mike Silber said:

What I cannot do is force law enforcement to give us anything. But I think what we can do is press the point home with law enforcement that if they want more, and if they want greater compliance and if they want greater collaborations, it would be very useful to show the people going through the exercise what benefits law enforcement are receiving from it.

So will law enforcement agencies be able to come up with any hard data by London, just a few months from now?

It seems unlikely to me. The 2013 RAA requirements only came into force in January, so the impact on the overall cleanliness of the various Whois databases is likely to be slim so far.

I also wonder whether law enforcement agencies track the accuracy of Whois in any meaningfully quantitative way. Anecdotes and color may not cut the mustard.

But it does seem likely that the registrars are going to have data to back up their side of the argument — customer service logs, verification email response rates and so forth — by London.

They want the 2013 RAA Whois verification rules rethought and removed from the contract and the ICANN board so far seems fairly responsive to their concerns.

Law enforcement may be about to find itself on the back foot in this long-running debate.

French registrar gets Whois data waiver

Kevin Murphy, March 14, 2014, Domain Registrars

The French registrar OVH has been told by ICANN that it can opt out of a requirement to retain its customers’ contact data for two years after their domain names expire.

The move potentially means many more registrars based in the European Union will be able to sign the 2013 Registrar Accreditation Agreement and start selling new gTLD domains without breaking the law.

OVH was among the first to request a waiver to the 2013 RAA’s data retention provisions, which EU authorities say are illegal.

ICANN said last night:

ICANN agrees that, following Registrar’s execution of the 2013 RAA, for purposes of assessing Registrar’s compliance with the data retention requirement of Paragraph 1.1 of the Data Retention Specification in the 2013 RAA, the period of “two additional years” in Paragraph 1.1 of the Data Retention Specification will be deemed modified to “one additional year.”

It’s a minor change, maybe, and many EU-based registrars have been signing the 2013 RAA regardless, but many others have resisted the new contract in fear of breaking local laws.

Now that OVH has had its waiver granted, it’s looking promising that ICANN will also start to allow other EU registrars that have requested waivers to opt-out also.

ICANN has been criticized for dragging its feet on this issue, and I gather the OVH is still the only registrar to have been given the ability to opt out.