How much power should governments have over the domain name industry? Should the industry be held responsible for the actions of its customers? Are domain names the way to stop crime?
These are some of the questions likely to be addressed during ICANN’s latest public comment period, which could prove to be one of the most important consultations it’s ever launched.
ICANN wants comments on governmental advice issued during the Beijing meeting two weeks ago, which sought to impose a broad regulatory environment on new gTLD registries.
According to this morning’s announcement:
[ICANN’s Board New gTLD Committee] has directed staff to solicit comment on how it should address one element of the advice: safeguards applicable to broad categories of New gTLD strings. Accordingly, ICANN seeks public input on how the Board New gTLD Committee should address section IV.1.b and Annex I of the GAC Beijing Communiqué.
Annex 1 of the Beijing communique is the bit in which the GAC told ICANN to impose sweeping new rules on new gTLD registries. It’s only a few pages long, but that’s because it contains a shocking lack of detail.
For all new gTLDs, the GAC wants ICANN to:
- Apply a set of abuse “safeguards” to all new gTLDs, including mandatory annual Whois accuracy audits. Domain names found to use false Whois would be suspended by the registry.
- Force all registrants in new gTLDs to provide an abuse point of contact to the registry.
- Make registries responsible for adjudicating complaints about copyright infringement and counterfeiting, suspending domains if they decide (how, it’s not clear) that laws are being broken.
For the 385 gTLD applications deemed to represent “regulated or professional sectors”, the GAC wants ICANN to:
- Reject the application unless the applicant partners with an appropriate industry trade association. New gTLDs such as .game, .broadway and .town could only be approved if they had backing from “relevant regulatory, or industry self-regulatory, bodies” for gaming, theater and towns, for example.
- Make the registries responsible for policing registrants’ compliance with financial and healthcare data security laws.
- Force registries to include references to organic farming legislation in their terms of service.
For gTLD strings related to “financial, gambling, professional services, environmental, health and fitness, corporate identifiers, and charity” the GAC wants even more restrictions.
Essentially, it’s told ICANN that a subset of the strings in those categories (it didn’t say which ones) should only be operated as restricted gTLDs, a little like .museum or .post are today.
It probably wouldn’t be possible for a poker hobbyist to register a .poker domain in order to blog about his victories and defeats, for example, unless they had a license from an appropriate gambling regulator.
Attempting to impose last-minute rules on applicants appears to reverse one of the GAC’s longstanding GAC Principles Regarding New gTLDs, dating back to 2007, which states:
All applicants for a new gTLD registry should therefore be evaluated against transparent and predictable criteria, fully available to the applicants prior to the initiation of the process. Normally, therefore, no subsequent addition selection criteria should be used in the selection process.
The Beijing communique also asks ICANN to reconsider allowing singular and plural versions of the same string to coexist, and says “closed generic” or “exclusive access” single-registrant gTLDs must serve a public interest purpose or be rejected.
There’s a lot of stuff to think about in the communique.
But ICANN’s post-Beijing problem isn’t whether it should accept the GAC’s advice, it’s to first figure out what the hell the GAC is actually asking for.
Take this bit, for example:
Registry operators will require that registrants who collect and maintain sensitive health and financial data implement reasonable and appropriate security measures commensurate with the offering of those services, as defined by applicable law and recognized industry standards.
This one paragraph alone raises a whole bunch of extremely difficult questions.
How would registry operators identify which registrants are handling sensitive data? If .book has a million domains, how would the registry know which are used to sell books and which are just reviewing them?
How would the registries “require” adherence to data security laws? Is it just a case of paying lip service in the terms of service, or do they have to be more proactive?
What’s a “reasonable and appropriate security measure”? Should a .doctor site that provides access to healthcare information have the same security as one that merely allows appointments to be booked? What about a .diet site that knows how fat all of its users are? How would a registry differentiate between these use cases?
Which industry standards are applicable here? Which data security laws? From which country? What happens if the laws of different nations conflict with each other?
If a registry receives a complaint about non-compliance, how on earth does the registry figure out if the complaint is valid? Do they have to audit the registrant’s security practices?
What should happen if a registrant does not comply with these laws or industry standards? Does its domain get taken away? One would assume so, but the GAC, for some reason, doesn’t say.
The ICANN community could spend five years discussing these questions, trying to build a framework for registries to police security compliance, and not come to any consensus.
The easier answer is of course: it’s none of ICANN’s business.
Is it ICANN’s job to govern how web sites securely store and transmit healthcare data? I sure hope not.
And those are just the questions raised by one paragraph.
The Beijing communique as a whole is a perplexing, frustrating mess of ideas that seems to have been hastily cobbled together from a governmental wish-list of fixes for perceived problems with the internet.
It lacks detail, which suggests it lacks thought, and it’s going to take a long time for the community to discuss, even as many affected new gTLD applicants thought they were entering the home stretch.
Underlying everything, however, is the question of how much weight the GAC’s advice — which is almost always less informed than advice from any other stakeholder group — should carry.
ICANN CEO Fadi Chehade and chair Steve Crocker have made many references recently to the “multi-stakeholder model” actually being the “multi-equal-stakeholder model”.
This new comment period is the first opportunity the other stakeholders get to put this to the test.
ICANN has sent compliance notices to three registrars for allegedly not paying their dues.
Dotted Ventures, Basic Fusion and A. Telecom S.A owe a total of roughly $25,000 in unpaid ICANN fees, according to the notices.
Basic Fusion and A Telecom also didn’t notify ICANN about changes of address, according to the notices.
All three have until May 14 to pay up or risk losing their registrar accreditation.
None of them are of notable size in the gTLD space, with fewer than 1,000 domains under management between them.
Big changes are coming to Whois, privacy services and resellers, among other things, under the terms of a newly agreed contract between domain name registrars and ICANN.
A proposed 2013 Registrar Accreditation Agreement that is acceptable to the majority of registrars, along with a plethora of supporting documentation, has been posted by ICANN this morning.
This “final” version, which is expected to be approved by ICANN in June, follows 18 months of often strained talks between ICANN and a negotiating team acting for all registrars.
It’s expected that only 2013 RAA signatories will be able to sell domain names in new gTLDs.
Overall, the compromise reflects ICANN’s desire to ensure that all registrars adhere to the same high standards of conduct, bringing contractual oversight to some currently gray, unregulated areas.
It also provides registrars with greater visibility into their future businesses while giving ICANN ways to update the contract in future according to the changing industry landscape.
For registrants, the biggest changes are those that came about due to a set of 12 recommendations made a few years ago by law enforcement agencies including the FBI and Interpol.
Notably, registrars under the 2013 RAA will be obliged to verify the phone number or email address of each registrant and suspend the domains of those it cannot verify.
That rule will apply to both new registrations, inter-registrar transfers and domains that have changes made to their Whois records. It will also apply to existing registrations when registrars have been alerted to the existence of possibly phony Whois information.
It’s pretty basic stuff. Along with provisions requiring registrars to disclose their business identities and provide abuse points of contact, it’s the kind of thing that all responsible online businesses should do anyway (and indeed all the big registrars already do).
Registrars have also agreed to help ICANN create an accreditation program for proxy and privacy services. Before that program is created, they’ve agreed to some temporary measures to regulate such services.
This temporary spec requires proxy services to investigate claims of abuse, and to properly inform registrants about the circumstances under which it will reveal their private data.
It also requires the proxy service to hold the registrant’s real contact data in escrow, to be accessed by ICANN if the registrar goes out of business or has its contract terminated.
This should help registrants keep hold of their names if their registrar goes belly-up, but of course it does mean that their private contact information will be also stored by the escrow provider.
But the biggest changes in this final RAA, compared to the previously posted draft versions, relate to methods of changing the contract in future.
Notably, registrars have won the right to perpetual renewal of their contracts, giving them a bit more long-term visibility into their businesses.
Under the current arrangement, registrars had to sign a new RAA every five years but ICANN was under no obligation to grant a renewal.
The 2013 contract, on the other hand, gives registrars automatic renewal in five-year increments after the initial term expires, as long as the registrar remains compliant.
The trade-off for this is that ICANN has codified the various ways in which the agreement can be modified in future.
The so-called “unilateral right to amend” clauses introduced a few months ago — designed to enable “Special Amendments” — have been watered down now to the extent that “unilateral” is no longer an accurate way to describe them.
If the ICANN board wants to introduce new terms to the RAA there’s a series of complex hoops to jump through and more than enough opportunities for registrars to kill off the proposals.
Indeed, there are so many caveats and a so many procedural kinks that would enable registrars to prevent ICANN taking action without their consent I’m struggling to imagine any scenario in which the Special Amendment process is successfully used by the board.
But the final 2013 RAA contains something entirely new, too: a way for ICANN’s CEO to force registrars back to the negotiating table in future.
This seems to have made an appearance at this late stage of negotiations precisely because the Special Amendment process has been castrated.
It would enable ICANN’s CEO or the chair of the Registrars Stakeholder Group to force the other party to start talking about RAA amendments with a “Negotiation Notice”. If the talks failed, all concerned would head to mediation, and then arbitration, to sort out their differences.
My guess is that this Negotiation Notice process is much more likely to be used than the Special Amendment process.
It seems likely that these terms will provide the template for similar provisions in the new gTLD Registry Agreement, which is currently under negotiation.
The 2013 RAA public comment period is open until June 4, but I don’t expect to see any major changes after that date. The documents can be downloaded, and comments filed, here.
The National Arbitration Forum has released its price list for Uniform Rapid Suspension complaints, saying that the cheapest case will cost $375.
That’s for cases involving one to 15 domains. Prices increase based on the number of domains in the filing, capped at $500 for cases involving over 100 names.
The prices are within the range that ICANN had asked of its URS providers.
Some potential URS vendors had argued that $500 was too low to administer the cases and pay lawyers to act as panelists, but changed their tune after ICANN opened up an RFP process.
NAF’s price list also includes response fees of $400 to $500, which are refundable to the prevailing party. There are also extra fees for cases involving more than one panelist.
The prices are found in the NAF’s Supplemental Rules for URS, which have not yet been given the okay by ICANN. NAF expects that to come by July 1.
The Asian Domain Name Dispute Resolution Centre has been approved by ICANN as a provider of Uniform Rapid Suspension services.
The two organizations signed a memorandum of understanding last week, ICANN said.
ADNDRC is the second URS resolution provider to be named, after the US-based National Arbitration Forum. It’s got offices in Beijing, HongKong, Seoul and Kuala Lumpur and tends to hand local cases.
While it’s been a UDRP provider since 2001, it’s only handled about 1,000 cases in that time, according to DI’s records. That’s about 16 times fewer than NAF and 17 times fewer than WIPO.
ICANN said that more providers will be appointed in future.
URS is a faster, cheaper version of UDRP that allows obviously trademark-infringing domains to be suspended — not transferred — for about $500 a pop. It will only apply to new gTLDs at first.