Latest news of the domain name industry

Recent Posts

Another deadline missed in registrar contract talks

Kevin Murphy, December 16, 2012, Domain Registrars

ICANN and domain name registrars will fail to agree on a new Registrar Accreditation Agreement by the end of the year, ICANN has admitted.

In a statement Friday, ICANN said that it will likely miss its end-of-year target for completing the RAA talks:

While the registrars and ICANN explored potential dates for negotiation in December 2012, both sides have agreed that between holidays, difficult travel schedules and the ICANN Prioritization Draw for New gTLDs, a December meeting is not feasible. Therefore, negotiations will resume in January 2013, and the anticipated date for publication of a draft RAA for community comment will be announced in January as well.

The sticking point appears to still be the recommendations for strengthening registrars’ Whois accuracy commitments, as requested by law enforcement agencies and governments.

At the Toronto meeting in October, progress appeared to have been made on all 12 of the LEA recommendations, but the nitty-gritty of the Whois verification asks had yet to be ironed out.

Potentially confusing matters, ICANN has launched a parallel root-and-branch Whois policy reform initiative, a community process which may come to starkly different conclusions to the RAA talks.

Before the LEA issues are settled, ICANN doesn’t want to start dealing with requests for RAA changes from the registrars themselves, which include items such as dumping their “burdensome” port 43 Whois obligations for gTLD registries that have thick Whois databases.

ICANN said Friday:

Both ICANN and the registrars have additional proposed changes which have not yet been negotiated. As previously discussed, it has been ICANN’s position that the negotiations on key topics within the law enforcement recommendations need to come to resolution prior to concluding negotiations on these additional areas.

Registrars agreed under duress to start renegotiating the RAA following a public berating from the Governmental Advisory Committee at the ICANN Dakar meeting October 2011.

At the time, the law enforcement demands had already been in play for two years with no substantial progress. Following Dakar, ICANN and the registrars said they planned to have a new RAA ready by March 2012.

Judging by the latest update, it seems quite likely that the new RAA will be a full year late.

ICANN has targeted the Beijing meeting in April next year for approval of the RAA. It’s one of the 12 targets Chehade set himself following Toronto.

Given that the draft agreement will need a 42-day public comment period first, talks are going to have to conclude before the end of February if there’s any hope of hitting that deadline.

European privacy watchdog says ICANN’s Whois demands are “unlawful”

Kevin Murphy, September 28, 2012, Domain Policy

European Union privacy officials have told ICANN that it risks forcing registrars to break the law by placing “excessive” demands on Whois accuracy.

In a letter to ICANN yesterday, the Article 29 Working Party said that two key areas in the proposed next version of the Registrar Accreditation Agreement are problematic.

It’s bothered by ICANN’s attempt to make registrars retain data about their customers for up to two years after registration, and by the idea that registrars should re-verify contact data every year.

These were among the requests made by law enforcement, backed up by the Governmental Advisory Committee, that ICANN has been trying to negotiate into the RAA for almost a year.

The letter (pdf) reads:

The Working Party finds the proposed new requirement to re-verify both the telephone number and the e-mail address and publish these contact details in the publicly accessible WHOIS database excessive and therefore unlawful. Because ICANN is not addressing the root of the problem, the proposed solution is a disproportionate infringement of the right to protection of personal data.

The “root cause” points to a much deeper concern the Working Party has.

Whois was designed to help people find technical and operational contacts for domain names, it argues. Just because it has other uses — such as tracking down bad guys — that doesn’t excuse infringing on privacy.

The problem of inaccurate contact details in the WHOIS database cannot be solved without addressing the root of the problem: the unlimited public accessibility of private contact details in the WHOIS database.

It’s good news for registrars that were worried about the cost implications of implementing a new, more stringent RAA.

But it’s possible that ICANN will impose the new requirements anyway, giving European registrars an opt-out in order to comply with local laws.

The letter is potentially embarrassing for the GAC, which seemed to take offense at the Prague meeting this June when it was suggested that law enforcement’s recommendations were not being balanced with the views of privacy watchdogs.

During a June 26 session between the GAC and the ICANN board, Australia’s GAC rep said:

I don’t come here as an advocate for law enforcement only. I come here with an Australian government position, and the Australian government has privacy laws. So you can be sure that from a GAC point of view or certainly from my point of view that in my positions, those two issues have been balanced.

That view was echoed during the same session by the European Commission and the US and came across generally like a common GAC position.

The Article 29 Working Party is an advisory body set up by the EU in 1995. It’s independent of the Commission, but it comprises one representative from the data privacy watchdogs in each EU state.

Identity checks coming to Whois

Kevin Murphy, September 25, 2012, Domain Registrars

Pretty soon, if you want to register a domain name in a gTLD you’ll have to verify your email address and/or phone number or risk having your domain turned off.

That’s the latest to come out of talks between registrars, ICANN, governments and law enforcement agencies, which met last week in Washington DC to thrash out a new Registrar Accreditation Agreement.

While a new draft RAA has not yet been published, ICANN has reported some significant breakthroughs since the Prague meeting in June.

Notably, the registrars have agreed for the first time to do some minimal registrant identity checks — phone number and/or email address — at the point of registration.

Verification of mailing addresses and other data points — feared by registrars for massively adding to the cost of registrations — appears to be no longer under discussion.

The registrars have also managed to win another concession: newly registered domain names will be able to go live before identities have been verified, rather than only after.

The sticking point is in the “and/or”. Registrars think they should be able to choose which check to carry out, while ICANN and law enforcement negotiators think they should do both.

According to a memo released for discussion by ICANN last night:

It is our current understanding that law enforcement representatives are willing to accept post-­‐resolution verification of registrant Whois data, with a requirement to suspend the registration if verification is not successful within a specified time period. However, law enforcement recommends that if registrant Whois data is verified after the domain name resolves (as opposed to before), two points of data (a phone number and an email address) should be verified.

Among the other big changes is an agreement by registrars to an ICANN-run Whois privacy service accreditation system. Work is already underway on an accreditation framework.

After it launches, registrars will only be able to accept private registrations made via accredited privacy and proxy services.

Registrars have also agreed to some of law enforcement’s data retention demands, which has been a bone of contention due to worries about varying national privacy laws.

Under the new RAA, they would keep some registrant transaction data for six months after a domain is registered and other data for two years. It’s not yet clear which data falls into which category.

These and other issues outlined in ICANN’s latest update are expected to be talking points in Toronto next month.

It looks like a lot of progress has been made since Prague — no doubt helped by the fact that law enforcement has actually been at the table — and I’d be surprised if we don’t see a draft RAA by Beijing next April.

How long it takes to be adopted ICANN’s hundreds of accredited registrars is another matter.

GAC slams registrars over “silly” crime domain moves

Kevin Murphy, October 24, 2011, Domain Registrars

ICANN’s Governmental Advisory Committee is seriously annoyed with domain name registrars over what it sees as a failure to take the demands of law enforcement seriously.

The first official day of ICANN’s 42nd public meeting in Dakar, Senegal, was highlighted by a fractious discussion between the GAC and the Generic Names Supporting Organization.

Governments are evidently losing patience with the industry over what they see as incessant foot-dragging and, now, halfhearted bone-throwing.

The US, which is easily the most influential GAC member, was harshly critical of recent efforts by registrars to self-regulate themselves some law enforcement cooperation policies.

US GAC representative Suzanne Radell, saying she was speaking on behalf of the GAC, described a registrar move to start publishing legal service addresses on their web sites at some point in the future as as “paltry”, “mind-boggling” and “silly”.

She heavily implied that if the industry can’t self-regulate, the alternative is governments doing it for them. She was backed up by her counterparts from the UK, Australia and the European Commission.

Registrars have been talking to law enforcement for a few years about how to more effectively work together to prevent crime online.

In October 2009, agencies including the FBI and the UK Serious Organised Crime Agency publish a set of 12 recommendations about how to clean up the industry.

A lot of it was pretty basic stuff like a prohibition on registrar cybersquatting and an obligation to publish an abuse point of contact.

Despite a lot of talking at ICANN meetings, up until a couple of weeks ago there had not been a great deal of tangible progress.

The GNSO passed a resolution, proposed by registrars, to ask for an Issue Report to discuss whether registrars should be forced to post on their sites: a physical address for legal service, the names of key executives, and an abuse contact.

In ICANN’s world, an Issue Report usually precedes a Policy Development Process, which can take a year or more to produce results.

While the GNSO motion passed, it was opposed as inadequate by factions such as the Intellectual Property Constituency, which has close ties to the US government.

As the IPC seemed to correctly predict, the GAC was not amused.

“It is simply impossible for us to write a briefing memo for our political managers to explain why you need a policy to simply put your name on your web site,” Radell told the GNSO Council yesterday. “It is simply mind-boggling that you would require that.”

She pointed out that at a session during the Singapore meeting, registrars had indicated a willingness to address more of the law enforcement demands.

“That’s the context in which we are now coming to you saying this looks pretty paltry and actually it looks a little silly,” she said.

Mason Cole from the registrar constituency denied that they were “roadblocking” law enforcement’s demands, saying that a PDP is the fastest way to create a policy binding on all registrars.

“I think law enforcement was very clear when they made their proposals to us that what they were looking for was binding, enforceable provisions of policy that could be imposed on the registrars,” he said. “A code of conduct or a voluntary method would not arrive at binding, enforceable policy and therefore probably wouldn’t achieve the outcomes that law enforcement representatives were seeking.”

The debate didn’t end yesterday. Radell said she intends to take it up with the ICANN board of directors, presumably at their joint meeting tomorrow.

The implicit threat underlying the GAC’s protest is a legislative one, and Radell and other GAC members made it pretty clear that their governments back home regard domain names as a crucial tool in fighting online crime.

ICANN tries to limit rogue registrars

As part of its growing efforts to clean up the domain name registrar market, ICANN has introduced background checks for companies applying for accreditation.

ICANN will check criminal and financial records, as well as doing credit checks, on companies that want to be able to sell domains in gTLDs.

As a result, the cost of applying to become a registrar is going up by $1,000, to $3,500, to cover the cost of accessing the relevant third-party databases.

The changes, made largely at the behest of law enforcement participants in ICANN, concerned that some registrars are not what you’d call responsible netizens, come into effect July 1.

The intellectual property lobby had called for the checks to include cybersquatting and UDRP judgements, but those suggestions were not taken on board.