Latest news of the domain name industry

Recent Posts

Here’s why registrars are boycotting .sexy

Kevin Murphy, February 25, 2014, Domain Registries

Will .sexy and .tattoo trip on the starting blocks today due to registrars’ fears about competition and Whois privacy?

Uniregistry went into general availability at 1600 UTC today with the two new gTLDs — its first to market — but it did so without the support of some of the biggest registrars.

Go Daddy — alone responsible for almost half of all new domain registrations — Network Solutions, Register.com and 1&1 are among those that are refusing to carry the new TLDs.

The reason, according to multiple sources, is that Uniregistry’s Registry-Registrar Agreement contains two major provisions that would dilute registrars’ “ownership” of their customer base.

First, Uniregistry wants to know the real identities of all of the registrants in its TLDs, even those who register names using Whois privacy services.

That’s not completely unprecedented; ICM Registry asks the same of .xxx registrars in order to authenticate registrants’ identities.

Second, Uniregistry wants to be able to email or otherwise contact those registrants to tell them about registry services it plans to launch in future. The Uniregistry RRA says:

Uniregistry may from time to time contact the Registered Name Holder directly with information about the Registered Name and related or future registry services.

We gather that registrars are worried that Uniregistry — which will shortly launch its own in-house registrar under ICANN’s new liberal rules on vertical integration — may try to poach their customers.

The difference between ICM and Uniregistry is that ICM does not own its own registrar.

The Uniregistry RRA seems to take account of this worry, however, saying:

Except for circumstances related to a termination under Section 6.7 below, Uniregistry shall never use Personal Data of a Registered Name Holder, acquired under this Agreement, (a) to contact the Registered Name Holder with a communication intended or designed to induce the Registered Name Holder to change Registrars or (b) for the purpose of offering or selling non-registry services to the Registered Name Holder.

Some registrars evidently do not trust this promise, or are concerned that Uniregistry may figure out a way around it, and have voted with their storefronts by refusing to carry these first two gTLDs.

Ownership of the customer relationship is a pretty big deal for registrars, especially when domain names are often a low-margin entry product used to up-sell more lucrative services.

What if a future Uniregistry “registry service” competes with something these registrars already offer? You can see why they’re worried.

A lot of registrars have asserted that with the new influx of TLDs, registrars have more negotiating power over registries than they ever did in a world of 18 gTLDs.

Uniregistry CEO Frank Schilling is basically testing out this proposition on his own multi-million-dollar investment.

But will the absence of these registrars — Go Daddy in particular — hurt the launch numbers for .sexy and .tattoo?

I think there could be some impact, but it might be tempered by the fact that a large number of early registrations are likely to come from domainers, and domainers know that Go Daddy is not the only place to buy domains.

Schilling tweeted at about 1605 UTC today that .sexy was over 1,800 registrations.

Longer term, who knows? This is uncharted territory. Right now Uniregistry seems to be banking on the 40-odd registrars — some of them quite large — that have signed up, along with its own marketing efforts, to make up any shortfall an absence of Go Daddy may cause.

Tomorrow, I’d be surprised if NameCheap, which is the distant number two registrar in new gTLDs right now (judging by name server counts) is not the leader in .sexy and .tattoo names.

Euro registrars miffed about ICANN privacy delays

Kevin Murphy, February 21, 2014, Domain Registrars

Registrars based in the European Union are becoming increasingly disgruntled by what they see as ICANN dragging its feet over registrant privacy rules.

Some are even refusing to sign the 2013 Registrar Accreditation Agreement until they receive formal assurances that ICANN won’t force them to break their local privacy laws.

The 2013 RAA, which is required if a registrar wants to sell new gTLD domains, requires registrars to keep hold of registrant data for two years after their registrations expire.

Several European authorities have said that this would be illegal under EU privacy directives, and ICANN has agreed to allow registrars in the EU to opt out of the relevant provisions.

Today, Luxembourgish registrar EuroDNS said it asked for a waiver of the data retention clauses on December 2, but has not heard back from ICANN over two months later.

The company had provided ICANN with the written legal opinion of Luxembourg’s Data Protection Agency

In a snippy letter (pdf) to ICANN, EuroDNS CEO Lutz Berneke wrote:

Although we understand that your legal department is solely composed of lawyers educated in US laws, a mere translation of the written guidance supporting our request should confirm our claim and allow ICANN to make its preliminary determination.

EuroDNS has actually signed the 2013 RAA, but says it will not abide by the provisions it has been told would be illegal locally.

Elsewhere in Europe, Ireland’s Blacknight Solutions, said two weeks ago that it had requested its waiver September 17 and had not yet received a pass from ICANN.

“Why is it my problem that ICANN doesn’t understand EU law? Why should our business be impacted negatively due to ICANN’s inability to listen?” CEO Michele Neylon blogged. “[W]hile this entire farce plays out we are unable to offer new top level domains to our clients.”

But while Blacknight is still on the old 2009 RAA, other European registrars seem to have signed the 2013 version some time ago, and are already selling quite a lot of new gTLD domains.

Germany’s United-Domains, for example, appears to be the third-largest new gTLD registrar, if name server records are anything to go by, with the UK’s 123-Reg also in the top ten.

ICANN is currently operating a public comment period on the waiver request of OVH, a French registrar, which ICANN says it is “prepared to grant”.

That comment period is not scheduled to end until February 27, however, so it seems registrars agitated about foot-dragging have a while to wait yet before they get what they want.

EU body tells ICANN that 2013 RAA really is illegal

Kevin Murphy, January 29, 2014, Domain Registrars

A European Union data protection body has told ICANN for a second time — after being snubbed the first — that parts of the 2013 Registrar Accreditation Agreement are in conflict with EU law.

The Article 29 Data Protection Working Party, which is made up of the data protection commissioners in all 28 EU member states, reiterated its claim in a letter (pdf) sent earlier this month.

In the letter, the Working Party takes issue with the part of the RAA that requires registrars to keep hold of customers’ Whois data for two years after their registrations expire. It says:

The Working Party’s objection to the Data Retention Requirement in the 2013 RAA arises because the requirement is not compatible with Article 6(e) of the European Data Protection Directive 95/46/EC which states that personal data must be:

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected”

The 2013 RAA fails to specify a legitimate purpose which is compatible with the purpose for which the data was collected, for the retention of personal data of a period of two years after the life of a domain registration or six months from the relevant transaction respectively.

Under ICANN practice, any registrar may request an opt out of the RAA data retention clauses if they can present a legal opinion to the effect that to comply would be in violation of local laws.

The Working Party told ICANN the same thing in July last year, clearly under the impression that its statement would create a blanket opinion covering all EU-based registrars.

But a week later ICANN VP Cyrus Namazi told ICANN’s Governmental Advisory Committee that the Working Party was “not a legal authority” as far as ICANN is concerned.

The Working Party is clearly a bit miffed at the snub, telling ICANN this month:

The Working Party regrets that ICANN does not acknowledge our correspondence as written guidance to support the Waiver application of a Registrar operating in Europe.

the Working Party would request that ICANN accepts the Working Party’s position as appropriate written guidance which can accompany a Registrar’s Data Retention Waiver Request.

It points out that the data protection commissioners of all 28 member states have confirmed that the letter “reflects the legal position in their member state”.

ICANN has so far processed one waiver request, made by the French registrar OVH, as we reported earlier this week.

Weirdly, the written legal opinion used to support the OVH request is a three-page missive by Blandine Poidevin of the French law firm Jurisexpert, which cites the original Working Party letter heavily.

It also cites letters from CNIL, the French data protection authority, which seem to merely confirm the opinion of the Working Party (of which it is of course a member).

EU registrars seem to be in a position here where in order to have the Working Party’s letter taken seriously by ICANN, they have to pay a high street lawyer to endorse it.

First European registrar to get Whois data opt-out

Kevin Murphy, January 28, 2014, Domain Registrars

ICANN plans to give a French registrar the ability to opt out of parts of the 2013 Registrar Accreditation Agreement due to data privacy concerns.

OVH, the 14th-largest registrar of gTLD domains, asked ICANN to waive parts of the RAA that would require it to keep hold of registrant Whois data for two years after it stops having a relationship with the customer.

The company asked for the requirement to be reduced to one year, based on a French law and a European Union Directive.

ICANN told registrars last April that they would be able to opt-out of these rules if they provided a written opinion from a local jurist opining that to comply would be illegal.

OVH has provided such an opinion and now ICANN, having decided on a preliminary basis to grant the request, is asking for comments before making a final decision.

If granted, it would apply to “would apply to similar waivers requested by other registrars located in the same jurisdiction”, ICANN said.

It’s not clear if that means France or the whole EU — my guess is France, given that EU Directives can be implemented in different ways in different member states.

Throughout the 2013 RAA negotiation process, data privacy was a recurring concern for EU registrars. It’s not just a French issue.

ICANN has more details, including OVH’s request and links for commenting, here.

ICANN says Article 29 letter does not give EU registrars privacy opt-out

Kevin Murphy, July 15, 2013, Domain Policy

Registrars based in the European Union won’t immediately be able to opt out of “illegal” data retention provisions in the new 2013 Registrar Accreditation Agreement, according to ICANN.

ICANN VP Cyrus Namazi on Saturday told the Governmental Advisory Committee that a recent letter from the Article 29 Working Party, which comprises the data protection authorities of EU member states, is “not a legal authority”.

Article 29 told ICANN last month that the RAA’s provisions requiring registrars to hold registrant data for two years after the domain expires were “illegal”.

While the RAA allows registrars to opt out of clauses that would be illegal for them to comply with, they can only do so with the confirmation of an adequate legal opinion.

The Article 29 letter was designed to give EU registrars that legal opinion across the board.

But according to Namazi, the letter does not meet the test. In response to a question from the Netherlands, he told the GAC:

We accept it from being an authority, but it’s not a legal authority, is our interpretation of it. That it actually has not been adopted into legislation by the EU. When and if it becomes adopted then of course there are certain steps to ensure that our contracted parties are in line with — in compliance with it. But we look at them as an authority but not a legal authority at this stage.

It seems that when the privacy watchdogs of the entire European Union tell ICANN that it is in violation of EU privacy law, that’s not taken as an indication that it is in fact in violation of EU privacy law.

The European Commission representative on the GAC expressed concern about this development during Saturday’s session, which took place at ICANN 47 in Durban, South Africa.

New registrar contract could be approved next week

ICANN’s board of directors is set to vote next week on the 2013 Registrar Accreditation agreement, but we hear some last-minute objections have emerged from registrars.

The new RAA has been about two years in the making. It will make registrars verify email addresses and do some rudimentary mailing address validation when new domains are registered.

It will also set in motion a process for ICANN oversight of proxy/privacy services and some aspects of the reseller business. In order to sell domain names in new gTLDs, registrars will have to sign up to the 2013 RAA.

ICANN has put approval of the contract on its board’s June 27 agenda.

But I gather that some registrars are unhappy about some last-minute changes ICANN has made to the draft deal.

For one, some linguistic tweaks to the text have given registrars an “advisory” role in seeking out technical ways to do the aforementioned address validation, which has caused some concern that ICANN may try to mandate expensive commercial solutions without their approval.

There also appears to be some concern that the new contract now requires registrars to make sure their resellers follow the same rules on proxy/privacy services, which wasn’t in previous drafts.

Cops say new gTLDs shouldn’t launch without a Big Brother RAA

Law enforcement agencies are not happy with the proposed 2013 Registrar Accreditation Agreement, saying it doesn’t go far enough to help them catch online bad guys.

Europol and the FBI told ICANN’s Governmental Advisory Committee yesterday that people need to have their full identities verified before they’re allowed to register domain names.

They added that new gTLDs shouldn’t be allowed to launch until a tougher RAA is agreed to and signed by registrars.

The draft 2013 RAA would force registrars to validate their customers’ email addresses or phone numbers after selling them a domain, but law enforcement thinks this is not enough.

“We need a bit more in this area,” Troels Oerting, head of Europol’s European Cybercrime Centre, told the GAC during a Sunday session. “We need a bit more to be verified in addition to the phone or email.”

“It’s very, very important that we are able to identify perpetrators able, to identify the originators, and it’s not enough that you just put in the email or phone,” he said.

He added that there should also be re-verification procedures and ongoing compliance monitoring from ICANN, and said that only registrars signing the 2013 RAA should be allowed to sell new gTLD domains.

Europol has sent a letter to ICANN (not yet published, it seems) outlining four areas it wants to see the RAA “improved”, Oerting said.

Given that many GAC members, including the US, seem to support this position, it’s yet another threat to ICANN’s new gTLD launch timetable, not to mention privacy and anonymous speech in general.

The law enforcement recommendations are not new, of course. They’ve been in play and GAC-endorsed for many years, but were watered down during ICANN’s RAA talks with registrars.

Another deadline missed in registrar contract talks

Kevin Murphy, December 16, 2012, Domain Registrars

ICANN and domain name registrars will fail to agree on a new Registrar Accreditation Agreement by the end of the year, ICANN has admitted.

In a statement Friday, ICANN said that it will likely miss its end-of-year target for completing the RAA talks:

While the registrars and ICANN explored potential dates for negotiation in December 2012, both sides have agreed that between holidays, difficult travel schedules and the ICANN Prioritization Draw for New gTLDs, a December meeting is not feasible. Therefore, negotiations will resume in January 2013, and the anticipated date for publication of a draft RAA for community comment will be announced in January as well.

The sticking point appears to still be the recommendations for strengthening registrars’ Whois accuracy commitments, as requested by law enforcement agencies and governments.

At the Toronto meeting in October, progress appeared to have been made on all 12 of the LEA recommendations, but the nitty-gritty of the Whois verification asks had yet to be ironed out.

Potentially confusing matters, ICANN has launched a parallel root-and-branch Whois policy reform initiative, a community process which may come to starkly different conclusions to the RAA talks.

Before the LEA issues are settled, ICANN doesn’t want to start dealing with requests for RAA changes from the registrars themselves, which include items such as dumping their “burdensome” port 43 Whois obligations for gTLD registries that have thick Whois databases.

ICANN said Friday:

Both ICANN and the registrars have additional proposed changes which have not yet been negotiated. As previously discussed, it has been ICANN’s position that the negotiations on key topics within the law enforcement recommendations need to come to resolution prior to concluding negotiations on these additional areas.

Registrars agreed under duress to start renegotiating the RAA following a public berating from the Governmental Advisory Committee at the ICANN Dakar meeting October 2011.

At the time, the law enforcement demands had already been in play for two years with no substantial progress. Following Dakar, ICANN and the registrars said they planned to have a new RAA ready by March 2012.

Judging by the latest update, it seems quite likely that the new RAA will be a full year late.

ICANN has targeted the Beijing meeting in April next year for approval of the RAA. It’s one of the 12 targets Chehade set himself following Toronto.

Given that the draft agreement will need a 42-day public comment period first, talks are going to have to conclude before the end of February if there’s any hope of hitting that deadline.

EU plays down “unlawful” Whois data worries

Kevin Murphy, October 17, 2012, Domain Policy

The European Commission yesterday gave short shrift to recent claims that ICANN’s proposed Whois data retention requirements would be “unlawful” in the EU.

A recent letter from the Article 29 Working Party — an EU data protection watchdog — had said that the next version of the Registrar Accreditation Agreement may force EU registrars to break the law.

The concerns were later echoed by the Council of Europe.

But the EC stressed at a session between the ICANN board of directors and Governmental Advisory Committee yesterday that Article 29 does not represent the official EU position.

That’s despite the fact that the Article 29 group is made up of privacy commissioners from each EU state.

Asked about the letter, the EC’s GAC representative said:

Just to put everyone at ease, this is a formal advisory group concerning EU data privacy protection.

They’re there to give advice and they themselves, and we as well, are very clear that they are independent of the European Union. That gives you an idea that this is not an EU position as such but the position of the advisory committee.

The session then quickly moved on to other matters, dismaying privacy advocates in the room.

Milton Mueller of the Internet Governance Project tweeted:

By telling ICANN that it can ignore Art 29 WG opinion on privacy, European commission is telling ICANN it can ignore their national DP [data privacy] laws

Registrars hopeful that the Article 29 letter would put another nail into the coffin of some of ICANN’s more unpalatable and costly RAA demands also expressed dismay.

ICANN’s current position, based on input from law enforcement and the GAC, is that the RAA should contain new more stringent requirements on Whois data retention and verification.

It proposes an opt-out process for registrars that believe these requirements would put them in violation of local law.

But registrars from outside the EU say this would create a two-tier RAA, which they find unacceptable.

With apparently no easy compromise in sight the RAA negotiations, originally slated to be wrapped up in the first half of this year, look set to continue for many weeks or months to come.

Council of Europe has Whois privacy concerns too

Kevin Murphy, October 11, 2012, Domain Policy

The Council of Europe has expressed concern about the privacy ramifications of ICANN’s proposed changes to Whois requirements in the Registrar Accreditation Agreement.

In a letter this week (pdf), the Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to Personal Data (T-PD) said:

The Bureau of the T-PD took note of the position of the Article 29 Data Protection Working Parking in its comments of 26 September 2012 on the data protection impact of the revision of these arrangements concerning accuracy and data retention of the WHOIS data and fully shares the concern raised.

The Bureau of the T-PD is convinced of the importance of ensuring that appropriate consideration be given in the ICANN context to the relevant European and international privacy standards

The letter was sent in response to outreach from ICANN’s Non-Commercial Users Constituency.

The Article 29 letter referenced said that EU registrars risked breaking the law if they implemented ICANN’s proposed data retention requirements.

Earlier today, we reported on ICANN’s response, which proposes an opt-out for registrars based in the EU, but we noted that registrars elsewhere are unlikely to dig a two-tier RAA.