German ccTLD registry DENIC has been given ICANN approval to provide data escrow services to registrars.
It becomes the seventh company to receive this accreditation, the second in Europe after the UK’s NCC Group.
DENIC said the ICANN contract is unique in that it is governed by German or Swiss law, rather than Californian.
It also said that it is in compliance with European Union data protection legislation, which is much stricter than the US equivalent, for the first time.
The deal with ICANN does not extend to data escrow services for gTLD registries, but DENIC said it is working on such a deal.
All registrars are required by their ICANN accreditation to escrow registrant data, to protect customers from catastrophic business failures or de-accreditation.
European domain registrars say they are facing increased costs of doing business due to a recent court ruling on privacy protection.
As a result, US data escrow giant Iron Mountain is likely to lose a lot of its ICANN business, as EU registrars defect to local alternatives such as UK-based NCC Group.
The ruling in question deals with the so-called “safe harbor” principles, under which European companies were able to transfer customers’ private data to US companies as long as the recipient promised to abide by EU privacy protection rules.
However, former spy Edward Snowden’s revelations of widespread privacy violations by the US government seemed to show that many US tech giants were complicit in handing over such data to US spooks.
And now the European Court of Justice has ruled the safe habor principles invalid.
This affects registrars because, under their ICANN contracts, they have to escrow registrant data on a weekly basis. That’s to prevent registrants losing their domains when registrars go out of business or turn out to be crooks.
While registrars have a choice of escrow agents, pretty much all of them use Iron Mountain, because ICANN subsidizes the service down to $0.
However, with the ECJ ruling, Euro-registrars have told ICANN that it would now be “illegal” to continue to use Iron Mountain.
In a recent letter (pdf) to ICANN, about 20 EU-based registrars said that non-European registrars would get a competitive advantage unless ICANN does something about it.
They want ICANN to start subsidizing one or more EU-based escrow agents, enabling them to switch without adding to costs.
the service fees of those [alternative] providers are not being supported by ICANN. Thus, the only solution for EU based registrars to comply with their local laws is to support this extra cost.
We are sure, you will agree this clearly constitutes an unfair disadvantage to a given category of a registrars.
This is why we ask ICANN to offer the same terms as it currently does to Iron Mountain to other RDE [Registrar Data Escrow] providers established in the European Economical Area to ensure a level playing field for registrars globally.
According to the registrars, they have until January to switch, so ICANN may have to move quickly to avoid unrest.
Domain Security Company CEO Mary Iqbal claims that NCC Group took many of her ideas for a high-security .secure top-level domain following unproductive investment talks.
Iqbal is also hinting at “potential future litigation” over the issue.
The surprising claims, made in emails to DI today, follow the announcement last week that a new NCC subsidiary, Artemis Internet, will also apply to ICANN for .secure.
“NCC Group has taken many of the security measures outlined in the Domain Security Company LLC security plan and incorporated them into the NCC Group’s proposed security measures,” Iqbal said.
Artemis chief technology officer Alex Stamos, a veteran security industry technologist, has dismissed the allegations as “completely ridiculous”.
“The only reason I know she is applying is because we did some Google searches when we were putting together our announcement,” he said.
Iqbal claims she was first contacted by NCC in January this year to talk about signing up for data escrow services – one of the technical services all new gTLD applicants need.
However, she says these talks escalated into discussions about a possible NCC investment in Domain Security Company, during which she shared the company’s security and business plans.
She said in an email:
These disclosures were made based on assurances from the NCC Group that the NCC Group was not then involved with any other applications for a secure Top Level Domain. Specific assurances were also given that the NCC Group was not involved with any other potential application for a .SECURE Top Level Domain.
But Stamos said that he’s been working on .secure at NCC since late last year, and he has no knowledge of any talks about investing in Iqbal’s company.
“All I know is that she talked to one of our salespeople about escrow,” he said. “I’ve never seen a business plan or security plan.”
Emails from an NCC executive sent to Iqbal in January and forwarded to DI by Iqbal today appear to be completely consistent with a sales call.
Iqbal said she has emails demonstrating that the talks went further, but she declined to provide them “since I may have to use it in any potential future litigation”.
Stamos pointed out that if NCC was in the habit with competing with its escrow clients, it would have applied for considerably more gTLDs than just .secure.
Artemis is proposing a significant technology development as part of its .secure bid, he said: the Domain Policy Framework, which he outlines on his personal blog here.
He added that Artemis is happy to compete with other .secure applicants – he evidently expects more to emerge – but on the merits of the application rather than “spurious claims”.
Domain Security Company “already has a very troubling history of using the legal process to overcome problems that should be based on merit”, he said.
That’s a reference to the company’s almost-successful attempt to secure US trademarks on .secure and .bank, in spite of the US trademark office’s rules against granting trademarks on TLDs.
Expect more stories like this to emerge about other gTLDs after ICANN’s Big Reveal of the applicant list next month.
Whether her claims have any merit or not, Iqbal’s not the first to claim that another applicant stole her idea, and she certainly won’t be the last.
ICANN has threatened to terminate the accreditation of Samjung Data Service, a South Korean domain name registrar.
The threat, the 13th ICANN’s compliance department has issued to a registrar this year, is notable because it’s a rare example where money does not appear to be an issue.
Samjung’s failing, according to ICANN’s termination letter, is its inability to escrow registrant data with Iron Mountain on the agreed schedule and in the required format.
The tiny registrar has also failed to make the technical contacts in its customers’ Whois records available online, and has been apparently ignoring ICANN’s calls and emails.
What ICANN does not do is accuse Samjung of not paying its accreditation fees, which in the past has been a notable feature of compliance actions.
Delinquent payments tend to alert ICANN that there may be other problems at a registrar, but this has led to criticisms that the organization is only concerned about its revenue.
Could the Samjung case be another example of the newly staffed-up ICANN compliance department taking the more proactive stance that was promised?