Recent Posts
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
- ICANN threatens to regulate your speech [RANT]
- Life insurance company kills dot-brand
- ICANN finds new home for Lebanon’s TLD after founder’s death
- ICANN begs people to use its new Whois service
- Shiba Inu outs itself as crypto new gTLD applicant
- Over 50,000 .ai domains sold in three months
- Amazon planning new push into registrar market?
- Registries and registrars vote ‘Yes’ to new DNS abuse rules
- ICANN predicts flattish 2025 for domain industry
- Fast-growing Gname buys another 150 registrars
- GoDaddy service to let you block domains in over 650 TLDs
- Did I find a murder weapon in a zone file?
- ICANN drops the “man” from Ombudsman
- Have your say on police domain takedown powers
- Most registrars are shunning ICANN’s new Whois system
- Nominet to take over .gov.uk
- ICANN picks Istanbul for 2024 meeting
- ICANN’s private Whois data request service goes live
- .au regs slide on 2LD anniversary
- ICANN accused of power grab over $271 million auction fund
- A registrar is getting blamed for an Israeli war propaganda site
- Two more dot-brands bite the dust
- Google sells five-figure AI domain and six-figure .ing hack
- .blackfriday is still a bit rubbish
- Internet Naming Co acquires five more gTLDs
EU body tells ICANN that 2013 RAA really is illegal
A European Union data protection body has told ICANN for a second time — after being snubbed the first — that parts of the 2013 Registrar Accreditation Agreement are in conflict with EU law.
The Article 29 Data Protection Working Party, which is made up of the data protection commissioners in all 28 EU member states, reiterated its claim in a letter (pdf) sent earlier this month.
In the letter, the Working Party takes issue with the part of the RAA that requires registrars to keep hold of customers’ Whois data for two years after their registrations expire. It says:
The Working Party’s objection to the Data Retention Requirement in the 2013 RAA arises because the requirement is not compatible with Article 6(e) of the European Data Protection Directive 95/46/EC which states that personal data must be:
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected”
The 2013 RAA fails to specify a legitimate purpose which is compatible with the purpose for which the data was collected, for the retention of personal data of a period of two years after the life of a domain registration or six months from the relevant transaction respectively.
Under ICANN practice, any registrar may request an opt out of the RAA data retention clauses if they can present a legal opinion to the effect that to comply would be in violation of local laws.
The Working Party told ICANN the same thing in July last year, clearly under the impression that its statement would create a blanket opinion covering all EU-based registrars.
But a week later ICANN VP Cyrus Namazi told ICANN’s Governmental Advisory Committee that the Working Party was “not a legal authority” as far as ICANN is concerned.
The Working Party is clearly a bit miffed at the snub, telling ICANN this month:
The Working Party regrets that ICANN does not acknowledge our correspondence as written guidance to support the Waiver application of a Registrar operating in Europe.
…
the Working Party would request that ICANN accepts the Working Party’s position as appropriate written guidance which can accompany a Registrar’s Data Retention Waiver Request.
It points out that the data protection commissioners of all 28 member states have confirmed that the letter “reflects the legal position in their member state”.
ICANN has so far processed one waiver request, made by the French registrar OVH, as we reported earlier this week.
Weirdly, the written legal opinion used to support the OVH request is a three-page missive by Blandine Poidevin of the French law firm Jurisexpert, which cites the original Working Party letter heavily.
It also cites letters from CNIL, the French data protection authority, which seem to merely confirm the opinion of the Working Party (of which it is of course a member).
EU registrars seem to be in a position here where in order to have the Working Party’s letter taken seriously by ICANN, they have to pay a high street lawyer to endorse it.
First European registrar to get Whois data opt-out
ICANN plans to give a French registrar the ability to opt out of parts of the 2013 Registrar Accreditation Agreement due to data privacy concerns.
OVH, the 14th-largest registrar of gTLD domains, asked ICANN to waive parts of the RAA that would require it to keep hold of registrant Whois data for two years after it stops having a relationship with the customer.
The company asked for the requirement to be reduced to one year, based on a French law and a European Union Directive.
ICANN told registrars last April that they would be able to opt-out of these rules if they provided a written opinion from a local jurist opining that to comply would be illegal.
OVH has provided such an opinion and now ICANN, having decided on a preliminary basis to grant the request, is asking for comments before making a final decision.
If granted, it would apply to “would apply to similar waivers requested by other registrars located in the same jurisdiction”, ICANN said.
It’s not clear if that means France or the whole EU — my guess is France, given that EU Directives can be implemented in different ways in different member states.
Throughout the 2013 RAA negotiation process, data privacy was a recurring concern for EU registrars. It’s not just a French issue.
ICANN has more details, including OVH’s request and links for commenting, here.
ICANN says Article 29 letter does not give EU registrars privacy opt-out
Registrars based in the European Union won’t immediately be able to opt out of “illegal” data retention provisions in the new 2013 Registrar Accreditation Agreement, according to ICANN.
ICANN VP Cyrus Namazi on Saturday told the Governmental Advisory Committee that a recent letter from the Article 29 Working Party, which comprises the data protection authorities of EU member states, is “not a legal authority”.
Article 29 told ICANN last month that the RAA’s provisions requiring registrars to hold registrant data for two years after the domain expires were “illegal”.
While the RAA allows registrars to opt out of clauses that would be illegal for them to comply with, they can only do so with the confirmation of an adequate legal opinion.
The Article 29 letter was designed to give EU registrars that legal opinion across the board.
But according to Namazi, the letter does not meet the test. In response to a question from the Netherlands, he told the GAC:
We accept it from being an authority, but it’s not a legal authority, is our interpretation of it. That it actually has not been adopted into legislation by the EU. When and if it becomes adopted then of course there are certain steps to ensure that our contracted parties are in line with — in compliance with it. But we look at them as an authority but not a legal authority at this stage.
It seems that when the privacy watchdogs of the entire European Union tell ICANN that it is in violation of EU privacy law, that’s not taken as an indication that it is in fact in violation of EU privacy law.
The European Commission representative on the GAC expressed concern about this development during Saturday’s session, which took place at ICANN 47 in Durban, South Africa.
New registrar contract could be approved next week
ICANN’s board of directors is set to vote next week on the 2013 Registrar Accreditation agreement, but we hear some last-minute objections have emerged from registrars.
The new RAA has been about two years in the making. It will make registrars verify email addresses and do some rudimentary mailing address validation when new domains are registered.
It will also set in motion a process for ICANN oversight of proxy/privacy services and some aspects of the reseller business. In order to sell domain names in new gTLDs, registrars will have to sign up to the 2013 RAA.
ICANN has put approval of the contract on its board’s June 27 agenda.
But I gather that some registrars are unhappy about some last-minute changes ICANN has made to the draft deal.
For one, some linguistic tweaks to the text have given registrars an “advisory” role in seeking out technical ways to do the aforementioned address validation, which has caused some concern that ICANN may try to mandate expensive commercial solutions without their approval.
There also appears to be some concern that the new contract now requires registrars to make sure their resellers follow the same rules on proxy/privacy services, which wasn’t in previous drafts.
Cops say new gTLDs shouldn’t launch without a Big Brother RAA
Law enforcement agencies are not happy with the proposed 2013 Registrar Accreditation Agreement, saying it doesn’t go far enough to help them catch online bad guys.
Europol and the FBI told ICANN’s Governmental Advisory Committee yesterday that people need to have their full identities verified before they’re allowed to register domain names.
They added that new gTLDs shouldn’t be allowed to launch until a tougher RAA is agreed to and signed by registrars.
The draft 2013 RAA would force registrars to validate their customers’ email addresses or phone numbers after selling them a domain, but law enforcement thinks this is not enough.
“We need a bit more in this area,” Troels Oerting, head of Europol’s European Cybercrime Centre, told the GAC during a Sunday session. “We need a bit more to be verified in addition to the phone or email.”
“It’s very, very important that we are able to identify perpetrators able, to identify the originators, and it’s not enough that you just put in the email or phone,” he said.
He added that there should also be re-verification procedures and ongoing compliance monitoring from ICANN, and said that only registrars signing the 2013 RAA should be allowed to sell new gTLD domains.
Europol has sent a letter to ICANN (not yet published, it seems) outlining four areas it wants to see the RAA “improved”, Oerting said.
Given that many GAC members, including the US, seem to support this position, it’s yet another threat to ICANN’s new gTLD launch timetable, not to mention privacy and anonymous speech in general.
The law enforcement recommendations are not new, of course. They’ve been in play and GAC-endorsed for many years, but were watered down during ICANN’s RAA talks with registrars.
Another deadline missed in registrar contract talks
ICANN and domain name registrars will fail to agree on a new Registrar Accreditation Agreement by the end of the year, ICANN has admitted.
In a statement Friday, ICANN said that it will likely miss its end-of-year target for completing the RAA talks:
While the registrars and ICANN explored potential dates for negotiation in December 2012, both sides have agreed that between holidays, difficult travel schedules and the ICANN Prioritization Draw for New gTLDs, a December meeting is not feasible. Therefore, negotiations will resume in January 2013, and the anticipated date for publication of a draft RAA for community comment will be announced in January as well.
The sticking point appears to still be the recommendations for strengthening registrars’ Whois accuracy commitments, as requested by law enforcement agencies and governments.
At the Toronto meeting in October, progress appeared to have been made on all 12 of the LEA recommendations, but the nitty-gritty of the Whois verification asks had yet to be ironed out.
Potentially confusing matters, ICANN has launched a parallel root-and-branch Whois policy reform initiative, a community process which may come to starkly different conclusions to the RAA talks.
Before the LEA issues are settled, ICANN doesn’t want to start dealing with requests for RAA changes from the registrars themselves, which include items such as dumping their “burdensome” port 43 Whois obligations for gTLD registries that have thick Whois databases.
ICANN said Friday:
Both ICANN and the registrars have additional proposed changes which have not yet been negotiated. As previously discussed, it has been ICANN’s position that the negotiations on key topics within the law enforcement recommendations need to come to resolution prior to concluding negotiations on these additional areas.
Registrars agreed under duress to start renegotiating the RAA following a public berating from the Governmental Advisory Committee at the ICANN Dakar meeting October 2011.
At the time, the law enforcement demands had already been in play for two years with no substantial progress. Following Dakar, ICANN and the registrars said they planned to have a new RAA ready by March 2012.
Judging by the latest update, it seems quite likely that the new RAA will be a full year late.
ICANN has targeted the Beijing meeting in April next year for approval of the RAA. It’s one of the 12 targets Chehade set himself following Toronto.
Given that the draft agreement will need a 42-day public comment period first, talks are going to have to conclude before the end of February if there’s any hope of hitting that deadline.
EU plays down “unlawful” Whois data worries
The European Commission yesterday gave short shrift to recent claims that ICANN’s proposed Whois data retention requirements would be “unlawful” in the EU.
A recent letter from the Article 29 Working Party — an EU data protection watchdog — had said that the next version of the Registrar Accreditation Agreement may force EU registrars to break the law.
The concerns were later echoed by the Council of Europe.
But the EC stressed at a session between the ICANN board of directors and Governmental Advisory Committee yesterday that Article 29 does not represent the official EU position.
That’s despite the fact that the Article 29 group is made up of privacy commissioners from each EU state.
Asked about the letter, the EC’s GAC representative said:
Just to put everyone at ease, this is a formal advisory group concerning EU data privacy protection.
…
They’re there to give advice and they themselves, and we as well, are very clear that they are independent of the European Union. That gives you an idea that this is not an EU position as such but the position of the advisory committee.
The session then quickly moved on to other matters, dismaying privacy advocates in the room.
Milton Mueller of the Internet Governance Project tweeted:
By telling ICANN that it can ignore Art 29 WG opinion on privacy, European commission is telling ICANN it can ignore their national DP [data privacy] laws
Registrars hopeful that the Article 29 letter would put another nail into the coffin of some of ICANN’s more unpalatable and costly RAA demands also expressed dismay.
ICANN’s current position, based on input from law enforcement and the GAC, is that the RAA should contain new more stringent requirements on Whois data retention and verification.
It proposes an opt-out process for registrars that believe these requirements would put them in violation of local law.
But registrars from outside the EU say this would create a two-tier RAA, which they find unacceptable.
With apparently no easy compromise in sight the RAA negotiations, originally slated to be wrapped up in the first half of this year, look set to continue for many weeks or months to come.
Council of Europe has Whois privacy concerns too
The Council of Europe has expressed concern about the privacy ramifications of ICANN’s proposed changes to Whois requirements in the Registrar Accreditation Agreement.
In a letter this week (pdf), the Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to Personal Data (T-PD) said:
The Bureau of the T-PD took note of the position of the Article 29 Data Protection Working Parking in its comments of 26 September 2012 on the data protection impact of the revision of these arrangements concerning accuracy and data retention of the WHOIS data and fully shares the concern raised.
The Bureau of the T-PD is convinced of the importance of ensuring that appropriate consideration be given in the ICANN context to the relevant European and international privacy standards
The letter was sent in response to outreach from ICANN’s Non-Commercial Users Constituency.
The Article 29 letter referenced said that EU registrars risked breaking the law if they implemented ICANN’s proposed data retention requirements.
Earlier today, we reported on ICANN’s response, which proposes an opt-out for registrars based in the EU, but we noted that registrars elsewhere are unlikely to dig a two-tier RAA.
ICANN says EU registrars could be exempt from stringent new Whois rules
Registrars based in the European Union could be let off the hook when it comes to the Whois verification requirements currently under discussion at ICANN.
That’s according to ICANN CEO Fadi Chehade, who this week responded to privacy concerns expressed by the Article 29 Working Party, a EU-based quasi-governmental privacy watchdog.
The Working Party said last month that if ICANN forced EU registrars to re-verify customer data and store it for longer than necessary, they would risk breaking EU privacy law.
Those are two of the many amendments to the standard Registrar Accreditation Agreement that ICANN — at the request of governments and law enforcement — is currently pushing for.
In reply, Chehade noted that ICANN currently plans to give registrars an opt-out:
ICANN proposes to adapt the current ICANN Procedures for Handling Whois Conflicts with Privacy Law, to enable registrars to seek an exempton from these new RAA WHOIS and data protection obligations in the even that the obligations would cause registrars to violate their local laws and regulations.
He also said that the Governmental Advisory Committee has “endorsed” the provisions at question, and encouraged the Working Party to work via the GAC to have its views heard.
I understand that registrars based in the US and elsewhere would not respond favorably to what would essentially amount to a two-tier RAA.
Some of the RAA changes would have cost implications, so there’s an argument that to exempt some registrars and not others would create an un-level competitive playing field.
The Article 29 Working Party is an advisory body, independent of the European Union, comprising one representative from the data privacy watchdogs in each EU state.
Some GAC representatives said during the ICANN meeting in Prague this June that they had already factored privacy concerns into their support for the RAA talks.
It’s going to interesting to see how both registrars and the GAC react to the Article 29 developments at the Toronto meeting, which begins this weekend.
European privacy watchdog says ICANN’s Whois demands are “unlawful”
European Union privacy officials have told ICANN that it risks forcing registrars to break the law by placing “excessive” demands on Whois accuracy.
In a letter to ICANN yesterday, the Article 29 Working Party said that two key areas in the proposed next version of the Registrar Accreditation Agreement are problematic.
It’s bothered by ICANN’s attempt to make registrars retain data about their customers for up to two years after registration, and by the idea that registrars should re-verify contact data every year.
These were among the requests made by law enforcement, backed up by the Governmental Advisory Committee, that ICANN has been trying to negotiate into the RAA for almost a year.
The letter (pdf) reads:
The Working Party finds the proposed new requirement to re-verify both the telephone number and the e-mail address and publish these contact details in the publicly accessible WHOIS database excessive and therefore unlawful. Because ICANN is not addressing the root of the problem, the proposed solution is a disproportionate infringement of the right to protection of personal data.
The “root cause” points to a much deeper concern the Working Party has.
Whois was designed to help people find technical and operational contacts for domain names, it argues. Just because it has other uses — such as tracking down bad guys — that doesn’t excuse infringing on privacy.
The problem of inaccurate contact details in the WHOIS database cannot be solved without addressing the root of the problem: the unlimited public accessibility of private contact details in the WHOIS database.
It’s good news for registrars that were worried about the cost implications of implementing a new, more stringent RAA.
But it’s possible that ICANN will impose the new requirements anyway, giving European registrars an opt-out in order to comply with local laws.
The letter is potentially embarrassing for the GAC, which seemed to take offense at the Prague meeting this June when it was suggested that law enforcement’s recommendations were not being balanced with the views of privacy watchdogs.
During a June 26 session between the GAC and the ICANN board, Australia’s GAC rep said:
I don’t come here as an advocate for law enforcement only. I come here with an Australian government position, and the Australian government has privacy laws. So you can be sure that from a GAC point of view or certainly from my point of view that in my positions, those two issues have been balanced.
That view was echoed during the same session by the European Commission and the US and came across generally like a common GAC position.
The Article 29 Working Party is an advisory body set up by the EU in 1995. It’s independent of the Commission, but it comprises one representative from the data privacy watchdogs in each EU state.
Recent Comments