Latest news of the domain name industry

Recent Posts

Three reasons ICANN could swing the GDPR ban hammer on day one

Kevin Murphy, May 16, 2018, Domain Policy

While ICANN reckons it will act “reasonably” when it comes to enforcing compliance with its incoming GDPR emergency policy, there are some things it simply will not tolerate.

The policy expected to be approved tomorrow and immediately incorporated by reference into registry and registrar contracts, is a little light on expected implementation timetables, so this week ICANN has been pressured for clarity.

Will Compliance start firing off breach notices on May 26, the day after GDPR comes into effect, if the industry has not immediately implemented every aspect of the new policy?

Attendees at the Global Domains Division Summit in Vancouver managed to get some answers out of general counsel John Jeffrey at a session yesterday.

First off, if you’re a registrar planning to stop collecting registrants’ personal information for Whois, ICANN will not be happy, and you could be looking at a Compliance ticket.

Jeffrey said:

We don’t want any of the contracted parties to stop collecting the data. ICANN is confident that you can continue to collect the data. We will stand in front of you on it, if we can. Do not stop collecting the data. We believe we have a very strong, important point. We hear from the governments that were involved in passing this legislation that it’s important it continues to be collected.

Second, you have to have a mechanism in place for people with “legitimate purposes” to access thick Whois records that contain all the juicy personal information.

Jeffrey said:

We also believe it’s important there’s a need to continue to display information that will be behind that second tier. And we can demonstrate the need to do that as well. This is really important.

And if there was any doubt remaining, he added:

We will enforce on the temporary spec, if it’s approved, if you stop collecting data, or if you don’t provide any mechanism to allow access to it. It’s a very serious concern.

The problem right now is that the Temporary Policy (pdf), still in draft, doesn’t have a whole heck of lot of detail about who should be allowed such access and the mechanisms to enable it.

It says:

Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data

It goes on to list circumstances where access may be given and types of parties that may need access, but it seems to me to still give registries and registrars quite a lot of responsibility to decide how to balance privacy rights and the “legitimate” data requests.

Those two scenarios — not collecting data and not making it available to those who need it — seem to be the big two zero tolerance areas for ICANN.

Other issues, such as replacing the registrant’s email address in the thin Whois output, also appear to be a pressing concern.

Jeffrey said, noting that providing a way to contact registrants is important for myriad reasons, including UDRP:

Creating the anonymized emails or web forms is another really important aspect but we understand some won’t be able to have that in place immediately.

How long after GDPR Day ICANN starts swinging the ban hammer over the email issue seems to be something ICANN is still thinking about.

That said, Jeffrey said that the organization intends to act “as reasonably as possible”.

CentralNic now managing failing .fan and .fans

CentralNic appears to be acting as a caretaker for the failing new gTLDs .fan and .fans.

IANA records show that a company lawyer took over as administrative contact for the pair late last week.

Asiamix Digital, the original registry, is still listed as the sponsor for both, and its ICANN registry agreement does not appear to have been reassigned.

It does not appear to be an acquisition. I hear Asiamix is basically using CentralNic’s TLD management service, as it struggles to remain alive.

CentralNic already acts as the back-end registry for both TLDs.

ICANN hit Asiamix with a breach notice for tens of thousands of dollars of unpaid fees a month ago, terminating its affiliated registrar for the same reasons around the same time.

The registry had attempted to auction off the strings a couple of years ago, unsuccessfully.

While technically based in Hong Kong, ICANN has been sending Asiamix’s compliance notices to an address in Milan, Italy.

All of Asiamix’s official web sites still appear to be non-functional. I bought the .net address listed in its IANA records to make a silly point a month ago and the equivalent .com has since expired too.

.fans has about 1,400 names in its zone file right now, while .fan never actually launched.

$55 billion bank not paying its $6,250 ICANN fees

Kevin Murphy, April 30, 2018, Domain Registries

Kuwait Finance House has become the latest new gTLD registry to get slapped with an ICANN breach notice for not paying its quarterly fees.

The company is a 40-year-old, Sharia-compliant Kuwaiti bank managing assets of $55.52 billion, according to Wikipedia. It has annual revenue in excess of $700 million.

But apparently it has not paid its fixed ICANN dues — $6,250 per quarter — for at least six months, according to ICANN’s breach letter (pdf).

KFH runs .kfh and the Arabic internationalized domain name equivalent .بيتك (.xn--ngbe9e0a) as closed, dot-brand domains.

Neither appears to have any live sites, but both appear to be in their launch ramp-up phase.

ICANN has been nagging the company to pay overdue fees since November, without success, according to its letter.

They’re the third and fourth new gTLD registries to get deadbeat breach notices this month, after .qpon and .fan and .fans.

ICANN cancels registrar audit as GDPR headaches loom

Kevin Murphy, April 30, 2018, Domain Registrars

ICANN has decided to call off a scheduled audit of its registrar base, to enable registrars to focus on sorting out compliance with the General Data Protection Regulation.

The biannual audit, carried out by ICANN Compliance, was due to start in May. As you likely know by now, May 25 is GDPR Day, when the EU’s privacy law comes into full effect.

In a letter (pdf) to registrars, senior VP of compliance Jamie Hedlund said: “The April 2018 registrar audit round is on hold.”

He added: “We are reviewing the schedule, resources and risks associated with holding a single, larger audit round in autumn of 2018, as well as considering alternative approaches.”

His letter came in response to a plea (pdf) from Registrar Stakeholder Group chair Graeme Bunton, who said an audit that clashed with GDPR deadline would be an “enormous undertaking” for affected registrars.

The audits, which have been running for a few years, randomly select a subset of registries and registrars to spot-check compliance with their Registrar Accreditation Agreements and Registry Agreements.

The program looks at 20-odd areas of compliance, one of which is Whois provision.

Another failing new gTLD stopped paying its dues

Kevin Murphy, April 23, 2018, Domain Registries

Another new gTLD registry has been slapped with an ICANN breach notice after failing to pay its fees.

California-based dotCOOL, which runs .qpon, seems to be at least six months late in making its $6,250 quarterly payment to ICANN, according to the notice (pdf).

It’s perhaps not surprising. The TLD has been live since mid-2014 and yet has failed to top more than about 650 simultaneous domains under management, at least 100 of which were registry-owned.

Right now, its zone file contains about 470 domains.

It typically sells new domains in the single digits each month, with retail prices in the $15 to $20 range.

With that volume and the inferred registry fee, a full year’s revenue probably wouldn’t cover one quarter of ICANN fees.

The string “qpon” is a pun on “coupon”. The idea was that companies would use the TLD to push discount coupons on their customers.

But they didn’t.

The number of live sites indexed by Google is in the single figures and none of them are using .qpon for its intended purpose.

ICANN’s breach notice also demands the company start publishing a DNSSEC Practice Statement on its registry web site, but that seems like the least of its worries.

As a novel, non-dictionary string, I worry that .qpon may struggle to find a buyer.

Last week, .fan and .fans, both operated by Asiamix Digital, got similar breach notices from ICANN.