Will .sexy and .tattoo trip on the starting blocks today due to registrars’ fears about competition and Whois privacy?
Uniregistry went into general availability at 1600 UTC today with the two new gTLDs — its first to market — but it did so without the support of some of the biggest registrars.
Go Daddy — alone responsible for almost half of all new domain registrations — Network Solutions, Register.com and 1&1 are among those that are refusing to carry the new TLDs.
The reason, according to multiple sources, is that Uniregistry’s Registry-Registrar Agreement contains two major provisions that would dilute registrars’ “ownership” of their customer base.
First, Uniregistry wants to know the real identities of all of the registrants in its TLDs, even those who register names using Whois privacy services.
That’s not completely unprecedented; ICM Registry asks the same of .xxx registrars in order to authenticate registrants’ identities.
Second, Uniregistry wants to be able to email or otherwise contact those registrants to tell them about registry services it plans to launch in future. The Uniregistry RRA says:
Uniregistry may from time to time contact the Registered Name Holder directly with information about the Registered Name and related or future registry services.
We gather that registrars are worried that Uniregistry — which will shortly launch its own in-house registrar under ICANN’s new liberal rules on vertical integration — may try to poach their customers.
The difference between ICM and Uniregistry is that ICM does not own its own registrar.
The Uniregistry RRA seems to take account of this worry, however, saying:
Except for circumstances related to a termination under Section 6.7 below, Uniregistry shall never use Personal Data of a Registered Name Holder, acquired under this Agreement, (a) to contact the Registered Name Holder with a communication intended or designed to induce the Registered Name Holder to change Registrars or (b) for the purpose of offering or selling non-registry services to the Registered Name Holder.
Some registrars evidently do not trust this promise, or are concerned that Uniregistry may figure out a way around it, and have voted with their storefronts by refusing to carry these first two gTLDs.
Ownership of the customer relationship is a pretty big deal for registrars, especially when domain names are often a low-margin entry product used to up-sell more lucrative services.
What if a future Uniregistry “registry service” competes with something these registrars already offer? You can see why they’re worried.
A lot of registrars have asserted that with the new influx of TLDs, registrars have more negotiating power over registries than they ever did in a world of 18 gTLDs.
Uniregistry CEO Frank Schilling is basically testing out this proposition on his own multi-million-dollar investment.
But will the absence of these registrars — Go Daddy in particular — hurt the launch numbers for .sexy and .tattoo?
I think there could be some impact, but it might be tempered by the fact that a large number of early registrations are likely to come from domainers, and domainers know that Go Daddy is not the only place to buy domains.
Schilling tweeted at about 1605 UTC today that .sexy was over 1,800 registrations.
Longer term, who knows? This is uncharted territory. Right now Uniregistry seems to be banking on the 40-odd registrars — some of them quite large — that have signed up, along with its own marketing efforts, to make up any shortfall an absence of Go Daddy may cause.
Tomorrow, I’d be surprised if NameCheap, which is the distant number two registrar in new gTLDs right now (judging by name server counts) is not the leader in .sexy and .tattoo names.
The US government is not pleased with ICANN’s rather liberal interpretation of Governmental Advisory Committee advice on new gTLDs and wants more talks about “safeguards”.
Not only that, but it wants to start talking to ICANN about extending safeguards applicable to new gTLDs to old gTLDs, presumably including the likes of .com, too.
A letter to ICANN from Department of Commerce assistant secretary Larry Strickling, obtained by DI today, calls for more talks before ICANN finalizes its handling of the GAC’s Beijing communique.
Strickling notes, as DI has previously, that ICANN softened the meaning of the advice in order to smooth its implementation.
as can be the case when translating GAC Advice to contractual provisions, the NGPC [the ICANN board's New gTLD Program Committee] made adjustments to the GAC Advice that the United States believes could cause enforcement problems and as such merits further discussion. The National Telecommunications and Information Administration (NTIA), on behalf of the United States, is planning to raise these concerns for discussion at the March GAC meeting in Singapore and requests that ICANN take this fact into account before moving forward with applications for strings impacted by the relevant portions of GAC advice
The New gTLD Applicants Group had urged the NGPC to finally put the GAC Advice to rest, highlighting the “heavy burden that the delay in the implementation of GAC Category 1 Advice has imposed upon affected applicants” in a letter last week.
The Category 1 advice, you may recall, comprised eight “safeguards” mandating policies such as industry engagement and registrant authentication, applicable to at least 386 gTLD applications.
Back in November, ICANN announced how it planned to handle this advice, but changed its meaning to make it more palatable to ICANN and applicants.
Those changes are what Strickling is not happy with.
He’s particularly unhappy with changes made to the GAC’s demand for many gTLDs to be restricted to only card-carrying members of the industries the strings seem to represent.
The GAC said in Beijing:
At the time of registration, the registry operator must verify and validate the registrants’ authorisations, charters, licenses and/or other related credentials for participation in that sector.
In other words, you’d have to provide your doctor license before you could register a .doctor domain.
But ICANN proposed to implement it like this:
Registry operators will include a provision in their Registry-Registrar Agreements that requires Registrars to include in their Registration Agreements a provision requiring a representation that the Registrant possesses any necessary authorisations, charters, licenses and/or other related credentials for participation in the sector associated with the Registry TLD string.
The doctor under this policy would only require the doctor to check a box confirming she’s a doctor. As Strickling said:
The NGPC has changed the GAC-coveyed concept of “verification and validation” to “representation”
Requirements for registries to mandate adherence to government regulations on the protection of financial and healthcare data are also his targets for further discussion.
What all this boils down to is that, assuming ICANN paid heed to Strickling’s letter, it seems unlikely that NTAG will get closure it so desperately wants until the Singapore meeting in late March — a year after the original Beijing communique — at the earliest.
In other words, lots of new gTLD applicants are probably going to be in limbo for a bit longer yet.
But Strickling also has another bombshell to drop in the final sentence of the letter, writing:
In addition, we will recommend that cross community discussion begin in earnest on how the safeguards that are being applied to new gTLDs can be applied to existing gTLDs.
So it seems the GAC is likely to start pressing to retroactively apply its new gTLDs advice to legacy gTLDs too.
Registrant verification in .com? Stricter Whois checks and enforcement? That conversation has now started, it seems.
ICANN plans to give a French registrar the ability to opt out of parts of the 2013 Registrar Accreditation Agreement due to data privacy concerns.
OVH, the 14th-largest registrar of gTLD domains, asked ICANN to waive parts of the RAA that would require it to keep hold of registrant Whois data for two years after it stops having a relationship with the customer.
The company asked for the requirement to be reduced to one year, based on a French law and a European Union Directive.
ICANN told registrars last April that they would be able to opt-out of these rules if they provided a written opinion from a local jurist opining that to comply would be illegal.
OVH has provided such an opinion and now ICANN, having decided on a preliminary basis to grant the request, is asking for comments before making a final decision.
If granted, it would apply to “would apply to similar waivers requested by other registrars located in the same jurisdiction”, ICANN said.
It’s not clear if that means France or the whole EU — my guess is France, given that EU Directives can be implemented in different ways in different member states.
Throughout the 2013 RAA negotiation process, data privacy was a recurring concern for EU registrars. It’s not just a French issue.
ICANN has more details, including OVH’s request and links for commenting, here.
Fears that the 2013 Registrar Accreditation Agreement would lead to new phishing attacks appear to be unfounded, at least so far.
The 2013 RAA, which came into force at most of the big registrars on January 1, requires registrars to verify the registrant’s email address or phone number whenever a new name is registered.
It was long predicted that this new provision — demanded by law enforcement — would lead to phishers exploiting registrant confusion, obtaining login credentials, and stealing valuable domain names.
Over the weekend, it looked like this prediction had come true, with posts over at DNForum saying that a new Go Daddy scam was doing the rounds and reports that it was related to the 2013 RAA changes.
I disagree. Shane Cultra posted a screenshot of the latest scam on his blog, alongside a screenshot of Go Daddy’s actual verification email, and the two are completely dissimilar.
The big giveaways are the “Whois Data Reminder” banner and “Reminder to verify the accuracy of Whois data” subject line.
The new attack is not exploiting the new 2013 RAA Whois verification requirements, it’s exploiting the 10-year-old Whois Data Reminder Policy, which requires registrars annually to remind their customers to keep their contact details accurate.
In fact, the language of the new scam has been used in phishing attacks against registrants since at least 2010.
That’s not to say the attack is harmless, of course — the attacker is still going to steal the contents of your Go Daddy account if you fall for it.
We probably will see attacks specifically targeting confusion about the new address verification policy in future, but it seems to me that the confusion we’re seeing with the latest scam may be coincidental.
Go Daddy told DI yesterday that the scam site in question had already been shut down. It’s not clear if anyone fell for it while it was live.
Registrars based in the European Union won’t immediately be able to opt out of “illegal” data retention provisions in the new 2013 Registrar Accreditation Agreement, according to ICANN.
ICANN VP Cyrus Namazi on Saturday told the Governmental Advisory Committee that a recent letter from the Article 29 Working Party, which comprises the data protection authorities of EU member states, is “not a legal authority”.
Article 29 told ICANN last month that the RAA’s provisions requiring registrars to hold registrant data for two years after the domain expires were “illegal”.
While the RAA allows registrars to opt out of clauses that would be illegal for them to comply with, they can only do so with the confirmation of an adequate legal opinion.
The Article 29 letter was designed to give EU registrars that legal opinion across the board.
But according to Namazi, the letter does not meet the test. In response to a question from the Netherlands, he told the GAC:
We accept it from being an authority, but it’s not a legal authority, is our interpretation of it. That it actually has not been adopted into legislation by the EU. When and if it becomes adopted then of course there are certain steps to ensure that our contracted parties are in line with — in compliance with it. But we look at them as an authority but not a legal authority at this stage.
It seems that when the privacy watchdogs of the entire European Union tell ICANN that it is in violation of EU privacy law, that’s not taken as an indication that it is in fact in violation of EU privacy law.
The European Commission representative on the GAC expressed concern about this development during Saturday’s session, which took place at ICANN 47 in Durban, South Africa.