Latest news of the domain name industry

Recent Posts

Amsterdam refuses to publish Whois records as GDPR row escalates

Kevin Murphy, October 23, 2017, Domain Policy

Two Dutch geo-gTLDs are refusing to provide public access to Whois records in what could be a sign of things to come for the whole industry under new European privacy law.

Both .amsterdam and .frl appear to be automatically applying privacy to registrant data and say they will only provide full Whois access to vetted individuals such as law enforcement officials.

ICANN has evidently slapped a breach notice on both registries, which are now complaining that the Whois provisions in their Registry Agreements are “null and void” under Dutch and European Union law.

FRLregistry and dotAmsterdam, based in the Netherlands, are the registries concerned. They’re basically under the same management and affiliated with the local registrar Mijndomein.

dotAmsterdam operates under the authority of the city government. .frl is an abbreviation of Friesland, a Dutch province.

Both companies’ official registry sites, which are virtually identical, do not offer links to Whois search. Instead, they offer a statement about their Whois privacy policy.

That policy states that Dutch and EU law “forbids that names, addresses, telephone numbers or e-mail addresses of Dutch private persons can be accessed and used freely over the internet by any person or organization”.

It goes on to state that any “private person” that registers a domain will have their private contact information replaced with a “privacy protected” message in Whois.

Legal entities such as companies do not count as “private persons”.

Under the standard ICANN Registry Agreement, all new gTLDs are obliged to provide public Whois access under section 2.5. According to correspondence from the lawyer for both .frl and .amsterdam, published by ICANN, the two registries have been told they are in breach.

It seems the breach notices have not yet escalated to the point at which ICANN publishes them on its web site. At least, they have not been published yet for some reason.

But the registries have lawyered up already, regardless.

A letter from Jetse Sprey of Versteeg Wigman Sprey to ICANN says that the registries are free to ignore section 2.5 of their RAs because it’s not compliant with the Dutch Data Protection Act and, perhaps more significantly, the EU General Data Protection Regulation.

The GDPR is perhaps the most pressing issue for ICANN at the moment.

It’s an EU law due to come into effect in May next year. It has the potential to completely rewrite the rules of Whois access for the entire industry, sidestepping the almost two decades of largely fruitless ICANN community discussions on the topic.

It covers any company that processes private data on EU citizens; breaching it can incur fines of up to €20 million or 4% of revenue, whichever is higher.

One of its key controversies is the idea that citizens should have the right to “consent” to their personal data being processed and that this consent cannot be “bundled” with access to the product or service on offer.

According to Sprey, because the Registry Agreement does not give registrants a way to register a domain without giving their consent to their Whois details being published, it violates the GDPR. Therefore, his clients are allowed to ignore that part of the RA.

These two gTLDs are the first I’m aware of to openly challenge ICANN so directly, but GDPR is a fiercely hot topic in the industry right now.

During a recent webinar, ICANN CEO Goran Marby expressed frustration that GDPR seems to have come about — under the watch of previous CEOs — without any input from the ICANN community, consideration in the EU legislative process of how it would affect Whois, or even any discussion within ICANN’s own Governmental Advisory Committee.

“We are seeing an increasing potential risk that the incoming GDPR regulation will mean a limited WHOIS system,” he said October 4. “We appreciate that for registers and registers, this regulation would impact how you will do your business going forward.”

ICANN has engaged EU legal experts and has reached out to data commissioners in the 28 EU member states for guidance, but Marby pointed out that full clarity on how GDPR affects the domain industry could be years away.

It seems possible there would have to be test cases, which could take five years or more, in affected EU states, he suggested.

ICANN is also engaging with the community in its attempt to figure out what to do about GDPR. One project has seen it attempt to gather Whois use cases from interested parties. Long-running community working groups are also looking at the issue.

But the domain industry has accused ICANN the organization of not doing enough fast enough.

Paul Diaz and Graeme Bunton, chairs of the Registries Stakeholder Group and Registrars Stakeholder Group respectively, have recently escalated the complaints over ICANN’s perceived inaction.

They told Marby in a letter that they need to have a solution in place in the next 60 days in order to give them time to implement it before the May 2018 GDPR deadline.

Complaining that ICANN is moving too slowly, the October 13 letter states:

The simple fact is that the requirements under GDPR and the requirements in our contracts with ICANN to collect, retain, display, and transfer personal data stand in conflict with each other.

GDPR presents a clear and present contractual compliance problem that must be resolved, regardless of whether new policy should be developed or existing policy adjusted. We simply cannot afford to wait any longer to start tackling this problem head-on.

For registries and registrars, the lack of clarity and the risk of breach notices are not the only problem. Many registrars make a bunch of cash out of privacy services; that may no longer be as viable a business if privacy for individuals is baked into the rules.

Other interests, such as the Intellectual Property Constituency (in favor of its own members’ continued access to Whois) and non-commercial users (in favor of a fundamental right to privacy) are also complaining that their voices are not being heard clearly enough.

The GDPR issue is likely to be one of the liveliest sources of discussion at ICANN 60, the public meeting that kicks off in Abu Dhabi this weekend.

UPDATE: This post was updated October 25 to add a sentence clarifying that companies are not “private persons”.

Pilot program for Whois killer launches

Kevin Murphy, September 7, 2017, Domain Tech

ICANN is to oversee a set of pilot programs for RDAP, the protocol expected to eventually replace Whois.

Registration Data Access Protocol, an IETF standard since 2015, fills the same function as Whois, but it is more structured and enables access control rules.

ICANN said this week that it has launched the pilot in response to a request last month from the Registries Stakeholder Group and Registrars Stakeholder Group. It said on its web site:

The goal of this pilot program is to develop a baseline profile (or profiles) to guide implementation, establish an implementation target date, and develop a plan for the implementation of a production RDAP service.

Participation will be voluntary by registries and registrars. It appears that ICANN is merely coordinating the program, which will see registrars and registrars offer their own individual pilots.

So far, no registries or registrars have notified ICANN of their own pilots, but the program is just a few days old.

It is expected that the pilots will allow registrars and registries to experiment with different types of profiles (how the data is presented) and extensions before ICANN settles on a standard, contractually enforced format.

Under RDAP, ICANN/IANA acts as a “bootstrapping” service, maintaining a list of RDAP servers and making it easier to discover which entity is authoritative for which domain name.

RDAP is basically Whois, but it’s based on HTTP/S and JSON, making it easier to for software to parse and easier to compare records between TLDs and registrars.

It also allows non-Latin scripts to be more easily used, allowing internationalized registration data.

Perhaps most controversially, it is also expected to allow differentiated access control.

This means in future, depending on what policies the ICANN community puts in place, millions of current Whois users could find themselves with access to fewer data elements than they do today.

The ICANN pilot will run until July 31, 2018.

.sucks “gag order” dropped, approved

Kevin Murphy, April 19, 2016, Domain Registries

Vox Populi, the .sucks registry, has had controversial changes to its registrar contract approved after it softened language some had compared to a “gag order”.

ICANN approved changes to the .suck Registry-Registrar Agreement last week, after receiving no further complaints from registrar stakeholders.

Registrars had been upset by a proposed change that they said would prevent brand-protection registrars from publicly criticizing .sucks:

The purpose of this Agreement is to permit and promote the registration of domain names in the Vox Populi TLDs and to allow Registrar to offer the registration of the Vox Populi TLDs in partnership with Vox Populi. Neither party shall take action to frustrate or impair the purpose of this Agreement.

But Vox has now “clarified” the language to remove the requirement that registrars “promote” .sucks names. The new RRA will say “offer” instead.

Registrars had also complained that the new RRA would have allowed Vox to unilaterally impose new contractual terms with only 15 days notice.

Vox has amended that proposal too, to clarify that changes would come into effect 15 days after ICANN has given its approval.

Vox CEO John Berard told ICANN in a March 18 letter:

VoxPop’s intent was never to alter any material aspect of the Registry Registrar Agreement. Our intent was to clarify legal obligations that already exist in the Agreement, and conform the timeframes for any future amendments with those specified in our ICANN registry contract.

Anger as ICANN splashes out $160,000 on travel

Kevin Murphy, March 15, 2016, Domain Policy

Should representatives of Facebook, Orange, Thomson Reuters, BT and the movie industry have thousands of ICANN dollars spent on their travel to policy meetings?

Angry registrars are saying “no”, after it emerged that ICANN last month spent $80,000 flying 38 community members to LA for a three-day intersessional meeting of the Non-Contracted Parties House.

It spent roughly the same on the 2015 meeting, newly released data shows.

ICANN paid for fewer than 10 registries and registrars — possibly as few as two — to attend the equivalent Global Domains Division Summit last year, a few registrars told DI.

The numbers were released after a Documentary Information Disclosure Policy request by the Registrars Stakeholder Group a month ago, and published on Friday (pdf).

It appears from the DIDP release that every one of the 38 people who showed up in person was reimbursed for their expenses to the tune of, on average, $2,051 each.

The price tag covers flights, hotels, visa costs and a cash per diem allowance that worked out to an average of $265 per person.

ICANN also recorded travel expenses for another two people who ultimately couldn’t make it to the event.

The NCPH is made up of both commercial and non-commercial participants. Many are academics or work for non-profits.

However, representatives of huge corporations such as Facebook and BT also work in the NCPH and let ICANN pick up their expenses for the February meeting.

Lawyers from influential IP-focused trade groups such as the Motion Picture Association of America and International Trademark Association were also happy for ICANN to pay.

One oddity on the list is the CEO of .sucks registry Vox Populi, who is still inexplicably a member of the Business Constituency.

MarkMonitor, a corporate registrar and Thomson Reuters subsidiary that attends the Intellectual Property Constituency, also appears.

Despite $80,000 being a relatively piddling amount in terms of ICANN’s overall budget, members of the Contracted Parties House — registries and registrars — are not happy about this state of affairs as a matter of principle.

ICANN’s budget is, after all, primarily funded by the ICANN fees registries and registrars — ultimately registrants — must pay.

“CPH pays the bills and the non-CPH travels on our dime,” one registrar told DI today.

One RrSG member said only two registrars were reimbursed for their GDD Summit travel last year. Another put the number at five. Another said it was fewer than 10.

In any event, it seems to be far fewer than those in the NCPH letting ICANN pick up the tab.

It’s not entirely clear why the discrepancy exists — it might be just because fewer contracted parties apply for a free ride, rather than evidence of a defect in ICANN expenses policy.

The NCPH intersessional series was designed to give stakeholders “the opportunity, outside of the pressures and schedule strains of an ICANN Public Meeting to discuss longer-range substantial community issues and to collaborate with Senior ICANN Staff on strategic and operational issues that impact the community”, according to ICANN.

Registrars object to “unreasonable” .bank demands

Registrars are upset with fTLD Registry Services for trying to impose new rules on selling .bank domains that they say are “unreasonable”.

The Registrar Stakeholder Group formally relayed its concerns about a proposed revision of the .bank Registry-Registrar Agreement to ICANN at the weekend.

A key sticking point is fTLD’s demand that each registrar selling .bank domains have a dedicated .bank-branded web page.

Some registrars are not happy about this, saying it will “require extensive changes to the normal operation of the registrar.”

“Registrars should not be required to establish or maintain a “branded webpage” for any extension in order to offer said extension to its clients,” they told ICANN.

i gather that registrars without a full retail presence, such as corporate registrars that sell mainly offline, have a problem with this.

There’s also a slippery slope argument — if every gTLD required a branded web page, registrars would have hundreds of new storefronts to develop and maintain.

fTLD also wants registrars to more closely align their sales practices with its own, by submitting all registration requests from a single client in a single day via a bulk registration form, rather than live, or pay an extra $125 per-name fee.

This is to cut down on duplicate verification work at the registry, but registrars say it would put a “severe operational strain” on them.

There’s also a worry about a proposed change that would make registrars police the .bank namespace.

The new RRA says: “Registrar shall not enable, contribute to or willing aid any third party in violating Registry Operator’s standards, policies, procedures, or practices, and shall notify Registry Operator immediately upon becoming aware of any such violation.”

But registrars say this “will create a high liability risk for registrars” due to the possibility of accidentally overlooking abuse reports they receive.

The registrars’ complaints have been submitted to ICANN, which will have to decide whether fTLD is allowed to impose its new RRA or not.

The RrSG’s submission is not unanimously backed, however. One niche-specializing registrar, EnCirca, expressed strong support for the changes.

In a letter also sent to ICANN, it said that none of the proposed changes are “burdensome”, writing:

EnCirca fully supports the .BANK Registry’s efforts to ensure potential registrants are fully informed by Registrars of their obligations and limitations for .BANK.  This helps avoid confusion and mis‐use by registrants, which can cause a loss of trust in the Registry’s stated mission and commitments to the banking community.

fTLD says the proposed changes would bring the .bank RRA in line with the RRA for .insurance, which it also operates.

The .insurance contract has already been signed by several registrars, it told ICANN.

  • Page 1 of 2
  • 1
  • 2
  • >