Latest news of the domain name industry

Recent Posts

Zero registrars pass ICANN audit

Some of the biggest names in the registrar game were among a bewildering 100% that failed an ICANN first-pass audit in the latest round of random compliance checks.

Of the 55 registrars picked to participate in the audit, a resounding 0 passed the initial audit, according to data released today.

Among them were recognizable names including Tucows, Register.com, 1&1, Google and Xin Net.

ICANN found 86% of the registrars had three or more “deficiencies” in their compliance with the 2013 Registrar Accreditation Agreement.

By far the most problematic area was compliance with sections 3.7.7.1 to 3.7.7.12 of the RAA, which specifies what terms registrars must put in their registration agreements and how they verify the contact details of their customers.

A full three quarters of audited registrars failed on that count, according to ICANN’s report (pdf).

More than half of tested registrars failed to live up to their commitments to respond to reports of abuse, where they’re obliged among other things to have a 24/7 contact number available.

There was one breach notice to a registrar as a result of the audit, but none of the failures were serious enough for ICANN to terminate the deficient registrar’s contract. Two registrars self-terminated during the process.

ICANN’s audit program is ongoing and operates in rounds.

In the current round, registrars were selected from those which either hadn’t had an audit in a couple of years, were found lacking in previous rounds, or had veered dangerously close to formal breach notices.

The round kicked off last September with requests for documents. The initial audit, which all registrars failed, was followed by a remediation phase from January to May.

Over the remediation phase, only one third of the registrars successfully resolved all the issues highlight by the audit. The remainder issued remediation plans and will be followed up on in future rounds.

The 0% pass rate is not unprecedented. It’s the same as the immediately prior audit (pdf), which ran from May to October 2016.

Registrar accused of pimping prescription penis pills

Kevin Murphy, October 14, 2016, Domain Registrars

ICANN has implicated a Chinese domain name registrar in the online selling of medications, including Viagra and Cialis, without the required prescription.

The organization’s Compliance department filed a contract breach notice with Nanjing Imperiosus, which does business as DomainersChoice.com, today.

The move follows an allegation from pharmacy watchdog LegitScript in the US Congress that DomainersChoice is “rogue internet pharmacy operator”.

Because ICANN has no authority to police online pharmacies, it’s gone after the registrar based on an obscure part of the Registrar Accreditation Agreement.

Section 3.7.7 of the 2013 RAA says that domains must be registered to a third party, unless they’re used by the registrar in the course of providing its registrar services.

According to ICANN, DomainersChoice has refused to provide evidence that many of its domains are not in fact registered to itself and CEO Stefan Hansmann, in violation of this clause.

It cites 5mg-cialis20mg.com, acheterdutadalafil.com, viagra-100mgbestprice.net and 100mgviagralowestprice.net as examples of domains apparently registered to Hansmann and his company.

Historical Whois records show Hansmann and Nanjing Imperiosus as the registrant of these names until recently.

The domains all refer to erectile dysfunction medicines, which are usually only available in the US with a prescription.

A reverse Whois lookup reveals Hansmann’s name in the records for many more pharmaceuticals-related domains, some of which are for more serious medical conditions.

Several of the domains contain the words “without prescription” or similar, where the drug in question requires a prescription in the US.

Some of the domains do not currently resolve or no longer provide current Whois records and others have been recently transferred, but some resolve to apparently active e-commerce sites.

ICANN’s breach notice (pdf) doesn’t allege any illegal activity.

The same cannot be said for LegitScript CEO John Horton, who lumped DomainersChoice in with a few other registrars he believes are operating “illegal online pharmacies”.

Horton testified (pdf) before Congress last month that the registrar was playing host to 2,300 such sites.

The testimony was filed September 14, the same day ICANN began its compliance investigation.

ICANN’s notice, which alleges a handful of other relatively trivial breaches, asks that Hansmann provide a full list of domains registered in his and his company’s name via DomainersChoice.

It also demands evidence that the domains were either used to provide registrar services or were registered to a third party.

It wants all that by November 2, after which it may start to terminate the company’s RAA.

European privacy ruling could add to registrars’ costs

Kevin Murphy, November 6, 2015, Domain Registrars

European domain registrars say they are facing increased costs of doing business due to a recent court ruling on privacy protection.

As a result, US data escrow giant Iron Mountain is likely to lose a lot of its ICANN business, as EU registrars defect to local alternatives such as UK-based NCC Group.

The ruling in question deals with the so-called “safe harbor” principles, under which European companies were able to transfer customers’ private data to US companies as long as the recipient promised to abide by EU privacy protection rules.

However, former spy Edward Snowden’s revelations of widespread privacy violations by the US government seemed to show that many US tech giants were complicit in handing over such data to US spooks.

And now the European Court of Justice has ruled the safe habor principles invalid.

This affects registrars because, under their ICANN contracts, they have to escrow registrant data on a weekly basis. That’s to prevent registrants losing their domains when registrars go out of business or turn out to be crooks.

While registrars have a choice of escrow agents, pretty much all of them use Iron Mountain, because ICANN subsidizes the service down to $0.

However, with the ECJ ruling, Euro-registrars have told ICANN that it would now be “illegal” to continue to use Iron Mountain.

In a recent letter (pdf) to ICANN, about 20 EU-based registrars said that non-European registrars would get a competitive advantage unless ICANN does something about it.

They want ICANN to start subsidizing one or more EU-based escrow agents, enabling them to switch without adding to costs.

the service fees of those [alternative] providers are not being supported by ICANN. Thus, the only solution for EU based registrars to comply with their local laws is to support this extra cost.

We are sure, you will agree this clearly constitutes an unfair disadvantage to a given category of a registrars.

This is why we ask ICANN to offer the same terms as it currently does to Iron Mountain to other RDE [Registrar Data Escrow] providers established in the European Economical Area to ensure a level playing field for registrars globally.

According to the registrars, they have until January to switch, so ICANN may have to move quickly to avoid unrest.

Grogan hopeful of content policing clarity within “a few weeks”

ICANN may be able to provide registrars, intellectual property interests and others with clarity about when domain names should be suspended as early as next month, according to compliance chief Allen Grogan.

With ICANN 53 kicking off in Buenos Aires this weekend, Grogan said he intends to meet with a diverse set of constituents in order to figure out what the Registrar Accreditation Agreement requires registrars to do when they receive abuse complaints.

“I’m hopeful we can publish something in the next few weeks,” he told DI. “It depends to some extent on what direction the discussions take.”

The discussions center on whether registrars are doing enough to take down domains that are being used, for example, to host pirated content or to sell medicines across borders.

Specifically at issue is section 3.18 of the 2013 RAA.

It requires registrars to take “reasonable and prompt steps to investigate and respond appropriately” when they receive abuse reports.

The people who are noisiest about filing such reports — IP owners and pharmacy watchdogs such as LegitScript — reckon “appropriate action” means the domain in question should be suspended.

The US Congress heard these arguments in hearings last month, but there were no witnesses from the ICANN or registrar side to respond.

Registrars don’t think they should be put in the position of having to turn off what may be a perfectly legitimate web site due to a unilateral complaint that may be flawed or frivolous.

ICANN seems to be erring strongly towards the registrars’ view.

“Whatever the terms of the 2013 RAA mean, it can’t really be interpreted as a broad global commitment for ICANN to enforce all illegal activity or all laws on the internet,” Grogan told DI.

“I don’t think ICANN is capable of that, I don’t think we have the expertise or resources to do that, and I don’t think the ICANN multistakeholder community has ever had that discussion and delegated that authority to ICANN,” he said.

CEO Fadi Chehade recently told the Washington Post that it isn’t ICANN’s job to police web content, and Grogan has expanded on that view in a blog post last week.

Grogan notes that what kind of content violates the law varies wildly from country to country — some states will kill you for blasphemy, in some you can get jail time for denying the Holocaust, in others political dissent is a crime.

“Virtually everybody I’ve spoken with has said that is far outside the scope of ICANN’s remit,” he said.

However, he’s leaving some areas open for discussion,

“There are some constituents, including some participants in the [Congressional] hearing — from the intellectual property community and LegitScript — who think there’s a way to distinguish some kinds of illegal activities from others,” he said. “That’s a discussion I’m willing to have.”

The dividing line could be substantial risk to public health or activities that are broadly, globally deemed to be illegal. Child abuse material is the obvious one, but copyright infringement — where Grogan said treaties show “near unanimity” — could be too.

So is ICANN saying it’s not the content police except when it comes to pharmacies and intellectual property?

“No,” said Grogan. “I’m saying I’m willing to engage in that dialogue and have that conversation with the community to see if there’s consensus that some activities are different to others.”

“In a multistakeholder model I don’t think any one constituency should control,” he said.

In practical terms, this all boils down to 3.18 of the RAA, and what steps registrars must take to comply with it.

It’s a surprisingly tricky one even if, like Grogan, you’re talking about “minimum criteria” for compliance.

Should registrars, for example, be required to always check out the content of domains that are the subject of abuse reports? It seems like a no-brainer.

But Grogan points out that even though there could be broad consensus that child abuse material should be taken down immediately upon discovery, in many places it could be illegal for a registrar employee to even check the reported URL, lest they download unwanted child porn.

Similarly, it might seem obvious that abuse reports should be referred to the domain’s registrant for a response. But what of registrars owned by domain investors, where registrar and registrant are one and the same?

These and other topics will come up for discussion in various sessions next week, and Grogan said he’s hopeful that decisions can be made that do not need to involve formal policy development processes or ICANN board action.

Cops can’t block domain transfers without court order, NAF rules

Kevin Murphy, January 12, 2014, Domain Registrars

Law enforcement and IP owners were dealt a setback last week when the National Arbitration Forum ruled that they cannot block domain transfers unless they have a court order.

The ruling could make it more difficult for registrars to acquiesce to requests from police trying to shut down piracy sites, as they might technically be in breach of their ICANN contracts.

NAF panelist Bruce Meyerson made the call in a Transfer Dispute Resolution Policy ruling after a complaint filed by EasyDNS against Directi (PublicDomainRegistry.com).

You’re probably asking right about now: “The what policy?”

I had to look it up, too.

TDRP, it turns out, has been part of the ICANN rulebook since the Inter-Registrar Transfer Policy was adopted in 2004.

It’s designed for disputes where one registrar refuses to transfer a domain to another. As part of the IRTP, it’s a binding part of the Registrar Accreditation Agreement.

It seems to have been rarely used in full over the last decade, possibly because the first point of complaint is the registry for the TLD in question, with only appeals going to a professional arbitrator.

Only NAF and the Asian Domain Name Dispute Resolution Centre are approved to handle such cases, and their respective records show that only one TDRP appeal has previously filed, and that was in 2013.

In the latest case, Directi had refused to allow the transfer of three domains to EasyDNS after receiving a suspension request from the Intellectual Property Crime Unit of the City of London Police.

The IPCU had sent suspension requests, targeting music download sites “suspected” of criminal activity, to several registrars.

The three sites — maxalbums.com, emp3world.com, and full-albums.net — are all primarily concerned with hosting links to pirated music while trying to install as much adware as possible on visitors’ PCs.

The registrants of the names had tried to move from India-based Directi to Canada-based EasyDNS, but found the transfers denied by Directi.

EasyDNS, which I think it’s fair to say is becoming something of an activist when it come to this kind of thing, filed the TDRP first with Verisign then appealed its “No Decision” ruling to NAF.

NAF’s Meyerson delivered a blunt, if reluctant-sounding, win to EasyDNS:

Although there are compelling reasons why the request from a recognized law enforcement agency such as the City of London Police should be honored, the Transfer Policy is unambiguous in requiring a court order before a Registrar of Record may deny a request to transfer a domain name… The term “court order” is unambiguous and cannot be interpreted to be the equivalent of suspicion of wrong doing by a policy agency.

To permit a registrar of record to withhold the transfer of a domain based on the suspicion of a law enforcement agency, without the intervention of a judicial body, opens the possibility for abuse by agencies far less reputable than the City of London Police.

That’s a pretty unambiguous statement, as far as ICANN policy is concerned: no court order, no transfer block.

It’s probably not going to stop British cops trying to have domains suspended based on suspicion alone — the Metropolitan Police has a track record of getting Nominet to suspend thousands of .uk domains in this way — but it will give registrars an excuse to decline such requests when they receive them, if they want the hassle.