Amsterdam refuses to publish Whois records as GDPR row escalates

Kevin Murphy, October 23, 2017, Domain Policy

Two Dutch geo-gTLDs are refusing to provide public access to Whois records in what could be a sign of things to come for the whole industry under new European privacy law.

Both .amsterdam and .frl appear to be automatically applying privacy to registrant data and say they will only provide full Whois access to vetted individuals such as law enforcement officials.

ICANN has evidently slapped a breach notice on both registries, which are now complaining that the Whois provisions in their Registry Agreements are “null and void” under Dutch and European Union law.

FRLregistry and dotAmsterdam, based in the Netherlands, are the registries concerned. They’re basically under the same management and affiliated with the local registrar Mijndomein.

dotAmsterdam operates under the authority of the city government. .frl is an abbreviation of Friesland, a Dutch province.

Both companies’ official registry sites, which are virtually identical, do not offer links to Whois search. Instead, they offer a statement about their Whois privacy policy.

That policy states that Dutch and EU law “forbids that names, addresses, telephone numbers or e-mail addresses of Dutch private persons can be accessed and used freely over the internet by any person or organization”.

It goes on to state that any “private person” that registers a domain will have their private contact information replaced with a “privacy protected” message in Whois.

Legal entities such as companies do not count as “private persons”.

Under the standard ICANN Registry Agreement, all new gTLDs are obliged to provide public Whois access under section 2.5. According to correspondence from the lawyer for both .frl and .amsterdam, published by ICANN, the two registries have been told they are in breach.

It seems the breach notices have not yet escalated to the point at which ICANN publishes them on its web site. At least, they have not been published yet for some reason.

But the registries have lawyered up already, regardless.

A letter from Jetse Sprey of Versteeg Wigman Sprey to ICANN says that the registries are free to ignore section 2.5 of their RAs because it’s not compliant with the Dutch Data Protection Act and, perhaps more significantly, the EU General Data Protection Regulation.

The GDPR is perhaps the most pressing issue for ICANN at the moment.

It’s an EU law due to come into effect in May next year. It has the potential to completely rewrite the rules of Whois access for the entire industry, sidestepping the almost two decades of largely fruitless ICANN community discussions on the topic.

It covers any company that processes private data on EU citizens; breaching it can incur fines of up to €20 million or 4% of revenue, whichever is higher.

One of its key controversies is the idea that citizens should have the right to “consent” to their personal data being processed and that this consent cannot be “bundled” with access to the product or service on offer.

According to Sprey, because the Registry Agreement does not give registrants a way to register a domain without giving their consent to their Whois details being published, it violates the GDPR. Therefore, his clients are allowed to ignore that part of the RA.

These two gTLDs are the first I’m aware of to openly challenge ICANN so directly, but GDPR is a fiercely hot topic in the industry right now.

During a recent webinar, ICANN CEO Goran Marby expressed frustration that GDPR seems to have come about — under the watch of previous CEOs — without any input from the ICANN community, consideration in the EU legislative process of how it would affect Whois, or even any discussion within ICANN’s own Governmental Advisory Committee.

“We are seeing an increasing potential risk that the incoming GDPR regulation will mean a limited WHOIS system,” he said October 4. “We appreciate that for registers and registers, this regulation would impact how you will do your business going forward.”

ICANN has engaged EU legal experts and has reached out to data commissioners in the 28 EU member states for guidance, but Marby pointed out that full clarity on how GDPR affects the domain industry could be years away.

It seems possible there would have to be test cases, which could take five years or more, in affected EU states, he suggested.

ICANN is also engaging with the community in its attempt to figure out what to do about GDPR. One project has seen it attempt to gather Whois use cases from interested parties. Long-running community working groups are also looking at the issue.

But the domain industry has accused ICANN the organization of not doing enough fast enough.

Paul Diaz and Graeme Bunton, chairs of the Registries Stakeholder Group and Registrars Stakeholder Group respectively, have recently escalated the complaints over ICANN’s perceived inaction.

They told Marby in a letter that they need to have a solution in place in the next 60 days in order to give them time to implement it before the May 2018 GDPR deadline.

Complaining that ICANN is moving too slowly, the October 13 letter states:

The simple fact is that the requirements under GDPR and the requirements in our contracts with ICANN to collect, retain, display, and transfer personal data stand in conflict with each other.

GDPR presents a clear and present contractual compliance problem that must be resolved, regardless of whether new policy should be developed or existing policy adjusted. We simply cannot afford to wait any longer to start tackling this problem head-on.

For registries and registrars, the lack of clarity and the risk of breach notices are not the only problem. Many registrars make a bunch of cash out of privacy services; that may no longer be as viable a business if privacy for individuals is baked into the rules.

Other interests, such as the Intellectual Property Constituency (in favor of its own members’ continued access to Whois) and non-commercial users (in favor of a fundamental right to privacy) are also complaining that their voices are not being heard clearly enough.

The GDPR issue is likely to be one of the liveliest sources of discussion at ICANN 60, the public meeting that kicks off in Abu Dhabi this weekend.

UPDATE: This post was updated October 25 to add a sentence clarifying that companies are not “private persons”.

Double-charging claims as registries ramp up new gTLD refund demands

Kevin Murphy, October 10, 2017, Domain Registries

Registry operators have stepped up demands for ICANN to dip into its $100 million new gTLD cash pile to temporarily lower their “burdensome” accreditation fees.

A new missive from the Registries Stakeholder Group to ICANN this week also introduces a remarkable claim that ICANN may have “double charged” new gTLD applications to the tune of potentially about $6 million.

The RySG wants ICANN to reduce the quarterly fixed fees new gTLD registries must pay by 75% from the current $6,250, for a year, at a cost to ICANN of $16.87 million.

ICANN still has roughly $96 million in leftover money from the $185,000 per-TLD application fees paid in 2012, roughly a third of which had been earmarked for unexpected expenses.

When Global Domains Division president Akram Atallah refused this request in August, he listed some of the previously unexpected items ICANN has had to pay for related to the program, one of which was “implementation of the Trademark Clearinghouse”.

But in last week’s letter (pdf), the RySG points out that each registry was already billed an additional $5,000 fee specifically to set up the TMCH.

Your letter states that registry operators knew about the fee structure from the start and implies that changes of circumstance should be irrelevant. The TMCH charge, however, was not detailed in the applicant guidebook. ICANN added it on its own after all applications were accepted and without community input. Therefore, ICANN is very much in a position to refund registry operators for this overcharge, and we request that ICANN do so. Essentially, you would be refunding the amounts we paid with our own application fees, which should have been used to set up the TMCH in the first place.

These additional fees could have easily topped $6 million, given that there are over 1,200 live new gTLDs.

Was this a case of double-charging, as the RySG says?

My gut feeling is that Atallah probably just forgot about the extra TMCH fee and misspoke in his August letter. The alternative would be a significant accounting balls-up that would need rectifying.

RySG has asked ICANN for a “detailed accounting” of its new gTLD program expenses to date. If produced, that could clear up any confusion.

Group chair Paul Diaz, who signed the letter, has also asked for a meeting with Atallah at the Abu Dhabi public meeting later this month, to discuss the issue.

The letter also accuses ICANN of costing applicants lost revenue by introducing policies such as the ban on two-letter domains, increased trademark protections, and other government-requested restrictions that were introduced after application fees had already been paid.

The tone of the letter is polite, but seems to mask an underlying resentment among registries that ICANN has not been giving them a fair chance to grow their businesses.

UPDATE: This story was updated October 12 to correct the estimate of the total amount of TMCH setup fees collected.

Pilot program for Whois killer launches

Kevin Murphy, September 7, 2017, Domain Tech

ICANN is to oversee a set of pilot programs for RDAP, the protocol expected to eventually replace Whois.

Registration Data Access Protocol, an IETF standard since 2015, fills the same function as Whois, but it is more structured and enables access control rules.

ICANN said this week that it has launched the pilot in response to a request last month from the Registries Stakeholder Group and Registrars Stakeholder Group. It said on its web site:

The goal of this pilot program is to develop a baseline profile (or profiles) to guide implementation, establish an implementation target date, and develop a plan for the implementation of a production RDAP service.

Participation will be voluntary by registries and registrars. It appears that ICANN is merely coordinating the program, which will see registries and registrars offer their own individual pilots.

So far, no registries or registrars have notified ICANN of their own pilots, but the program is just a few days old.

It is expected that the pilots will allow registrars and registries to experiment with different types of profiles (how the data is presented) and extensions before ICANN settles on a standard, contractually enforced format.

Under RDAP, ICANN/IANA acts as a “bootstrapping” service, maintaining a list of RDAP servers and making it easier to discover which entity is authoritative for which domain name.

RDAP is basically Whois, but it’s based on HTTP/S and JSON, making it easier for software to parse and easier to compare records between TLDs and registrars.

It also allows non-Latin scripts to be more easily used, allowing internationalized registration data.

Perhaps most controversially, it is also expected to allow differentiated access control.

This means in future, depending on what policies the ICANN community puts in place, millions of current Whois users could find themselves with access to fewer data elements than they do today.

The ICANN pilot will run until July 31, 2018.
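
The bootstrap lookup and JSON parsing described in this post, as an added Python example that is not part of the original article or any ICANN or registry code: it resolves a domain against a constructed bootstrap list in the RFC 7484 layout, builds the RDAP lookup URL, and reads a registrant’s contact fields from a constructed response. All host names, the sample records and the function names are assumptions made for illustration.

```python
import json

# Constructed bootstrap document in the RFC 7484 layout; all hosts are placeholders.
BOOTSTRAP = {"version": "1.0", "services": [
    [["amsterdam", "frl"], ["https://rdap.registry.example/"]],
    [["example"], ["http://rdap.example/", "https://rdap.example/v1/"]],
    [["co.example"], ["https://rdap.co.example/"]],
]}

# Constructed RDAP domain response: JSON with a jCard contact for the registrant.
RESPONSE = json.loads("""
{"objectClassName": "domain", "ldhName": "shop.frl",
 "entities": [{"objectClassName": "entity", "roles": ["registrant"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "Example BV"],
                            ["email", {}, "text", "hostmaster@shop.example"]]]}]}
""")

def rdap_base(domain, bootstrap=BOOTSTRAP):
    """Longest label-wise suffix match in the bootstrap list; HTTPS URLs only."""
    labels = domain.lower().rstrip(".").split(".")
    best, best_len = None, 0
    for suffixes, urls in bootstrap["services"]:
        https = [u for u in urls if u.startswith("https://")]
        for suffix in suffixes:
            parts = suffix.lower().split(".")
            # Compare whole labels so "notexample" never matches "example".
            if https and len(parts) > best_len and labels[-len(parts):] == parts:
                best, best_len = https[0], len(parts)
    return best

def rdap_domain_url(domain, bootstrap=BOOTSTRAP):
    """Build the /domain/ lookup URL, or None when no server is listed."""
    base = rdap_base(domain, bootstrap)
    if base is None:
        return None
    return base.rstrip("/") + "/domain/" + domain.lower().rstrip(".")

def contact_fields(response, role):
    """Map jCard property name -> value for the first entity holding `role`."""
    for entity in response.get("entities", []):
        if role in entity.get("roles", []):
            props = entity.get("vcardArray", ["vcard", []])[1]
            return {p[0]: p[3] for p in props if p[0] != "version"}
    return {}

if __name__ == "__main__":
    print(rdap_domain_url("shop.frl"))
    print(contact_fields(RESPONSE, "registrant"))
```

A server applying differentiated access would return the same structure with fewer jCard properties, so comparing the dictionaries from `contact_fields` shows exactly which data elements a given client was allowed to see.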

No $17 million rebate for struggling new gTLDs

Kevin Murphy, August 31, 2017, Domain Registries

ICANN has turned down a request for about $17 million to be refunded to under-performing new gTLD registries.

The organization cannot spare the cash from its $96 million new gTLD program war chest because it does not yet know how much it will need to spend in future, Global Domains Division president Akram Atallah told registries this week.

The Registries Stakeholder Group made the request for fee relief back in March, arguing that the $25,000 per-TLD fixed annual fee each registry must pay amounts to an unfair “burden” that has “hampered their success and put them at a competitive disadvantage”.

The RySG proposed that this $6,250 per quarter fee should be reduced by $4,687.50 per quarter for a year, a 75% reduction, at a cost to ICANN of $16.87 million.

The money, they said, should be drawn from the $96.1 million in new gTLD application fees that were still unspent at the time.

The new gTLD program charged each applicant $185,000 per application. About a third of the fee was to cover unforeseen events, and is often sniggeringly referred to as its legal defense fund.

Because the program was meant to work only on a cost-recovery basis, there are question marks hanging over what ICANN should ultimately do with whatever cash is left over.

(It should be noted that this cash is separate from and does not include the quarter-billion dollars ICANN has squirreled away from its new gTLD last-resort auctions).

Now that the vast majority of the 2012 round’s 1,930 applications have been fully processed, it must have seemed like a good time for the RySG to ask for some cashback, but ICANN has declined.

Atallah said in an August 29 letter (pdf) to the group that ICANN has had to spend lots of its program reserve on unanticipated projects such as name collisions, universal acceptance, the EBERO program and the Trademark Clearinghouse. He wrote:

We do not yet know how much of the New gTLD Program remaining funds will be required to address future unanticipated expenses, and by when. As such, at this time, ICANN is not in a position to commit to the dispensation of any potential remaining funds from the New gTLD Program applications fees.

It seems for now the hundreds of new gTLDs with far fewer than 10,000 registrations in their zones are going to keep having to fork over $25,000 a year for the privilege.

Crocker: no date on next new gTLD round

Kevin Murphy, July 27, 2017, Domain Policy

ICANN will NOT set a date for the next round of new gTLD applications, despite recent pleas from registry operators.

That’s according to a letter (pdf) from ICANN chair Steve Crocker to the Registries Stakeholder Group published today.

The RySG had asked (pdf) last month for ICANN’s leadership to set a fourth-quarter 2018 deadline for the next application window.

It said that drawing a line in the sand would allow potential applicants to plan and would prevent current policy-development processes from being abused to delay the next round.

But Crocker says in his letter that it is up to the ICANN community, not its board of directors, to determine if and when a new round should commence. He wrote:

Once the community completes its work, the Board will consider the community’s recommendations to introduce additional new gTLDs. Without the final findings and recommendations from the review and PDP, the Board won’t be able to determine what needs to be done prior to the opening of another application process…

The Registry Stakeholder Group’s letter suggests that by setting a date for the opening of another application process, the Board will provide the community with a target date to work toward. Although the Board setting a date would achieve this, doing so might contravene the multi-stakeholder process that allows for the community to have the necessary discussions to arrive at consensus, and to determine the timing of their own work

It seems this is an instance in which the board does not like the idea of setting policy in a top-down manner.

Crocker said the two remaining gating factors for a next round are the consumer choice and competition review of the first round, which is ongoing, and the GNSO’s New gTLD Subsequent Procedures Policy Development Process (PDP).

The PDP has now been going on for 18 months and yet discussions remain at a very early stage, with hardly any preliminary recommendations being agreed upon.

There’s not even agreement on foundational issues such as whether to carry on dividing the program into discrete application rounds or to start a first-come, first-served process.

The RySG had suggested in its letter that the next window could open after certain threshold issues had been resolved but before all policy work was complete, and that at the very least ICANN staff should get to work on a new version of the Applicant Guidebook while the PDP is still ongoing.

But Crocker again responded that the staff cannot get to work on implementation until the board has considered the community’s final recommendations.

ICANN’s most recent estimates for the opening of the next round would see applications accepted in 2020, eight years after the last round.
