Latest news of the domain name industry

Recent Posts

Privacy could be a million-dollar business for ICANN

Kevin Murphy, March 22, 2018, Domain Registrars

ICANN has set out the fees it plans to charge to officially accredit Whois proxy and privacy services, in the face of resistance from some registrars.

VP of finance Becky Nash told registrars during a session at ICANN 61 last week that they can expect to pay $3,500 for their initial accreditation and $4,000 per year thereafter.

Those are exactly the same fees as ICANN charges under its regular registrar accreditation program.

Registrars that also offer privacy should expect to see their annual ICANN flat fees double, in other words. Per-domain transaction fees would be unaffected.

The up-front application fee would be reduced $2,000 when the privacy service is to be offered by an accredited registrar, but it would stay at $3,500 if the company offering service is merely “affiliated” with the registrar.

Nash said all the fees have been calculated on a per-accreditation basis, independent of the volume of applications ICANN receives.

Director of registrar services Jennifer Gore said that while ICANN has not baked an estimate of the number of accredited providers into its calculations, registrars have previously estimated the number at between 200 and 250 companies.

That would put the upper end of annual accreditation fees at $1 million, with $875,000 up-front for initial applications.

Volker Greimann, general counsel of the registrar Key-Systems, pointed out during the session that many registrars give away privacy services for free or at cost.

“This just adds cost to an already expensive service that does not really make money for a lot of providers,” he said.

He suggested that the prices could lead to unexpected negative consequences.

“Pricing this in this region will just lead to a lot of unaccredited providers that will switch names every couple months, an underground that we don’t really want,” he said. “We want to have as many people on board as possible and the way to do that is to keep costs low.”

“Pricing them out of the market is not the way to attract providers to join this scheme,” he said.

Nash responded that registrars are forbidden under the incoming privacy/proxy policy from accepting registrations from unaccredited services.

She added that the fees have been calculated on a “cost-recovery” basis. Costs include the initial background checks, outreach, contract admin, compliance, billing and so on.

But some registrars expressed skepticism that the proposed fees could be justified, given that ICANN does not plan to staff up to administer the program.

Another big question is whether proxy/privacy services are going to continue to have value after May this year, when the European Union’s General Data Protection Regulation kicks in.

The current ICANN plan for GDPR compliance would see individual registrants have all of their private information removed from the public Whois.

It’s not currently clear how many people and what kinds of people will continue to have access to unmasked Whois, so there are likely still plenty of cases where individuals might feel they need an extra layer of protection — if they live in a dictatorship and are engaged in rebellious political speech, for example.

There could also be cases where companies wish to mask their details ahead of, say, a product launch.

And, let’s face it, bad actors will continue to want to use privacy services on domains they intend to misuse.

The proxy/privacy policy came up through the formal GNSO Policy Development Process and was approved two years ago. It’s currently in the implementation phase.

According to a presentation from the ICANN 61 session, ICANN hopes to put the final implementation plan out for public comment by the end of the month.

Pirate Bay founder launches piracy-friendly domain privacy service

Kevin Murphy, April 19, 2017, Domain Registrars

The founder of controversial BitTorrent search engine The Pirate Bay has entered the domain name market with a new proxy service.

It’s called Njalla, it’s based in a Caribbean tax haven, and it says it offers a higher level of privacy protection than you get anywhere else.

The company described itself in its inaugural blog post today like this:

Think of us as your friendly drunk (but responsibly so) straw person that takes the blame for your expressions. As long as you keep within the boundaries of reasonable law and you’re not a right-wing extremist, we’re for promoting your freedom of speech, your political weird thinking, your kinky forums and whatever.

Founder Peter Sunde was reluctant to describe Njalla as a proxy registration service, but it’s difficult to think of another way of describing it.

When you buy a domain via the company’s web site, the name is registered by Njalla for itself. You can still use the domain as you would with a regular registrar, but the name is “owned” by Njalla (1337 LLC, based in Saint Kitts & Nevis).

The company is a Tucows reseller via OpenSRS, and it supports almost all gTLDs and several ccTLDs (it’s declined to support Uniregistry due to recent price increase announcements).

Prices are rather industry standard, with a .com setting you back €15 ($16).

The big difference appears to be that the service doesn’t want to know anything about its registrants. You can sign up with just an email address or, unusually, an XMPP address. It doesn’t want to know your name, home address, or anything like that.

This means that whenever Njalla receives a legal request for the user’s identity, it doesn’t have much to hand over.

It’s based on Nevis due to the strong privacy laws there, Sunde said.

Under what circumstances Njalla would suspend service to a customer and hand over their scant private information appears to be somewhat vague and based on the subjective judgement or politics of its management.

“As long as you don’t hurt anyone else, we’ll let you do your thing,” Sunde said.

Child abuse material is verboten. Spam is in a “gray zone” (although forbidden by Njalla’s terms of service).

Copyright infringement appears to be just fine and dandy, which might not be surprising. Sunde founded The Pirate Bay in 2003 and spent time in prison in Sweden for assisting copyright infringement as a result.

“You don’t hurt people by putting a movie online,” Sunde said. “You do hurt someone by putting child porn or revenge porn or stuff like that… If you look at any statistics on file sharing, it proves that the more people file-share the more money goes into the ecosystem of the media.”

While this is likely to upset the IP lobby within the domain name community, I think there’s a possibility that existing ICANN policy will soon have an impact on Njalla’s ability to operate as it hopes.

ICANN is in the process of implementing a privacy/proxy services accreditation program that will require registrars to only work with approved, accredited proxy services.

Sunde thinks Njalla doesn’t fall into the ICANN definition of a proxy service, and said his lawyers agree.

Personally, I can’t see the distinction. I expect ICANN Compliance will probably have to make a call one way or the other one day after the accreditation system comes online.

Pirates lose privacy rights under new ICANN rules

Kevin Murphy, January 22, 2016, Domain Registrars

People operating piracy web sites would have a harder time keeping their personal information private under new ICANN rules.

ICANN’s GNSO Council last night approved a set of recommendations that lay down the rules of engagement for when trademark and copyright owners try to unmask Whois privacy users.

Among other things, the new rules would make it clear that privacy services are not permitted to reject requests to reveal a domain’s true owner just because the IP-based request relates to the content of a web site rather than just its domain name.

The recommendations also contain safeguards that would allow registrants to retain their privacy if, for example, their safety would be at risk if their identities were revealed.

The 93-page document (pdf) approved unanimously by the Council carries a “Illustrative Disclosure Framework” appendix that lays out the procedures in some depth.

The framework only covers requests from IP owners to proxy/privacy services. The GNSO was unable to come up with a similar framework for dealing with, for example, requests from law enforcement agencies.

It states flatly:

Disclosure [of the registrant’s true Whois details] cannot be refused solely for lack of any of the following: (i) a court order; (ii) a subpoena; (iii) a pending civil action; or (iv) a UDRP or URS proceeding; nor can refusal to disclose be solely based on the fact that the Request is founded on alleged intellectual property infringement in content on a website associated with the domain name.

This fairly explicitly prevents privacy services (which in most cases are registrars) using the “we don’t regulate content” argument to shoot down disclosure requests from IP owners.

Some registrars were not happy about this paragraph in early drafts, yet it remains.

Count that as a win for the IP lobby.

However, the new recommendations spend a lot more time giving IP owners a quite strict set of guidelines for how to file such requests in the first place.

If they persistently spam the registrar with automated disclosure requests, the registrar is free to ignore them. They can even share details of spammy IP owners with other registrars.

The registrar is also free to ignore requests that, for example, don’t give the exact or representative URL of an alleged copyright infringement, or if the requester has not first attempted to contact the registrant via an email relay service, should one be in place.

The registrant also gets a 15-day warning that somebody has requested their private details, during which, if they value their privacy more than their web site, they’re able to relinquish their domain and remain anonymous.

If the registrant instead uses that time to provide a good reason why they’re not infringing the requester’s rights, and the privacy service agrees, the request can also be denied.

The guidelines would make it easier for privacy service operators to understand what their obligations are. By formalizing the request format, it should make it easier to separate legit requests from the spurious requests.

They’re even allowed to charge IP owners a nominal fee to streamline the processing of their requests.

While these recommendations have been approved by the GNSO Council, they need to be approved by the ICANN board before becoming the law of the ‘net.

They also need to pass through an implementation process (conducted by ICANN staff and GNSO members) that turns the recommendations into written procedures and contracts which, due to their complexity, I have a hunch will take some time.

The idea is that the rules will form part of an accreditation program for privacy/proxy services, administered by ICANN.

Registrars would only be able to use P/P services that agree to follow these rules and that have been accredited by ICANN.

It seems to me that the new rules may be quite effective at cracking down on rogue, “bulletproof” registrars that automatically dismiss piracy-based disclosure requests by saying they’re not qualified to adjudicate copyright disputes.

ICANN confirms domain privacy is for all

Kevin Murphy, January 22, 2016, Domain Policy

Commercial entities will not be excluded from buying domain privacy services, ICANN’s GNSO Council has confirmed.

The Council last night voted unanimously to approve a set of recommendations that would make it compulsory for privacy and proxy services to be accredited by ICANN for the first time.

The recommendations govern among other things how privacy services are expected to behave when they receive notices of trademark or copyright infringement.

But missing is a proposal that would have prevented the use of privacy for “transactional” web sites, something which caused a great deal of controversy last year.

The newly adopted recommendations clearly state that nobody is to be excluded from privacy on these grounds.

The Council voted to adopt the final, 93-page report of the Privacy and Proxy Services Accreditation Issues (pdf) working group, which states:

Fundamentally, P/P services should remain available to registrants irrespective of their status as commercial or non-commercial organizations or as individuals. Further, P/P registrations should not be limited to private individuals who use their domains for non-commercial purposes.

The minority view that web sites that process financial transactions should not be able to use privacy came from intellectual property, anti-abuse and law enforcement community members.

However, opponents said it would infringe the privacy rights of home business owners, bloggers, political activists and others.

It could even lead to vicious “doxing”-related crimes, such as “swatting”, where idiots call in fake violent crime reports against rivals’ home addresses, some said.

It also turned out, as we revealed last November, that 55% of US presidential candidates operate transactional web sites that use privacy on their domains.

Two separate registrar initiatives, one backed by the Electronic Frontier Foundation, started letter-writing campaigns that resulted in over 20,000 comments being received on the the PPSAI’s initial report last July.

Those comments are acknowledged in the PPSAI final report that the GNSO Council just approved.

The adopted recommendations (which I’ll get into in a separate article) still have to be approved by the ICANN board of directors and have to undergo an implementation process that puts the rather broad policies into concrete processes and procedures.

OpenTLD cybersquatting fight escalates

Kevin Murphy, August 7, 2015, Domain Registrars

ICANN has accused OpenTLD, the registrar arm of Freenom, of cybersquatting famous brands even after it was threatened with suspension.

The claims may be worrying for some registrars as ICANN may in fact be holding the registrar responsible for the actions of its proxy service customers.

OpenTLD was suspended by ICANN in early July, after two UDRP rulings found the company had cybersquatted rival registrars’ brands in order to poach customers.

The suspension was lifted after just a few hours when OpenTLD took ICANN to arbitration under the terms of its Registrar Accreditation Agreement.

In ICANN’s latest arbitration filing, the organization’s lawyers argue that the suspension should not be stayed, because OpenTLD has been shown to engage in a pattern of cybersquatting.

Like the original suspension notice, the filing cites the two UDRP losses, along with footnotes indicating that as many as seven competing brands had been cybersquatted.

But ICANN has now also escalated its allegations to bring in non-registrar brands where it’s far from clear that OpenTLD is the actual registrant.

ICANN’s filing states:

even a brief review of the domain names in OpenTLD’s portfolio demonstrates that OpenTLD appears to be continuing to engage in bad faith and abusive registration practices. As of 3 August 2015, there were at least 73 gTLD domains registered to Stichting OpenTLD WHOIS Proxy (which is OpenTLD’s proxy service) that are identical to or contain the registered trademarks or trade names of third parties, including, by way of small example, the domain names barnesandnoble.link, sephora.bargains, at-facebook.com, ebaybh.com, googlefreeporn.com, global-paypal.com, hotmailtechnicalsupport.com, and secure-apple.com. ICANN is not aware of any legitimate interest or right that OpenTLD has to use these third-party trademarks and trade names.

Even more concerning is the fact that at least 14 gTLD domain names that contain the registered trademarks or trade names of third parties were registered by OpenTLD’s proxy service after the 23 June 2015 Suspension Notice was issued to OpenTLD, further demonstrating that OpenTLD’s overtures of “cooperation” ring hollow.

To be clear, that’s ICANN accusing OpenTLD of cybersquatting because some of the domains registered via its privacy service appear to be trademark infringements.

It’s basically equating infringing use of OpenTLD’s proxy service (such the registration of barnesandnoble.link) with the infringing behavior of OpenTLD itself (such as the registration of godaddy.cf, a February 2015 screenshot of which can be seen below.)

This may just be legal posturing, but I imagine many other registrars would be worried to know that they could have their accreditation suspended for cybersquatting simply because some of their privacy customers are cybersquatters.

I’d wager that every proxy/privacy service available has been used by blatant cybersquatters at one time or another.

Filings in the arbitration case can be found here.

  • Page 1 of 2
  • 1
  • 2
  • >