Latest news of the domain name industry

Recent Posts

Council of Europe has Whois privacy concerns too

Kevin Murphy, October 11, 2012, Domain Policy

The Council of Europe has expressed concern about the privacy ramifications of ICANN’s proposed changes to Whois requirements in the Registrar Accreditation Agreement.

In a letter this week (pdf), the Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to Personal Data (T-PD) said:

The Bureau of the T-PD took note of the position of the Article 29 Data Protection Working Parking in its comments of 26 September 2012 on the data protection impact of the revision of these arrangements concerning accuracy and data retention of the WHOIS data and fully shares the concern raised.

The Bureau of the T-PD is convinced of the importance of ensuring that appropriate consideration be given in the ICANN context to the relevant European and international privacy standards

The letter was sent in response to outreach from ICANN’s Non-Commercial Users Constituency.

The Article 29 letter referenced said that EU registrars risked breaking the law if they implemented ICANN’s proposed data retention requirements.

Earlier today, we reported on ICANN’s response, which proposes an opt-out for registrars based in the EU, but we noted that registrars elsewhere are unlikely to dig a two-tier RAA.

ICANN says EU registrars could be exempt from stringent new Whois rules

Kevin Murphy, October 11, 2012, Domain Registrars

Registrars based in the European Union could be let off the hook when it comes to the Whois verification requirements currently under discussion at ICANN.

That’s according to ICANN CEO Fadi Chehade, who this week responded to privacy concerns expressed by the Article 29 Working Party, a EU-based quasi-governmental privacy watchdog.

The Working Party said last month that if ICANN forced EU registrars to re-verify customer data and store it for longer than necessary, they would risk breaking EU privacy law.

Those are two of the many amendments to the standard Registrar Accreditation Agreement that ICANN — at the request of governments and law enforcement — is currently pushing for.

In reply, Chehade noted that ICANN currently plans to give registrars an opt-out:

ICANN proposes to adapt the current ICANN Procedures for Handling Whois Conflicts with Privacy Law, to enable registrars to seek an exempton from these new RAA WHOIS and data protection obligations in the even that the obligations would cause registrars to violate their local laws and regulations.

He also said that the Governmental Advisory Committee has “endorsed” the provisions at question, and encouraged the Working Party to work via the GAC to have its views heard.

I understand that registrars based in the US and elsewhere would not respond favorably to what would essentially amount to a two-tier RAA.

Some of the RAA changes would have cost implications, so there’s an argument that to exempt some registrars and not others would create an un-level competitive playing field.

The Article 29 Working Party is an advisory body, independent of the European Union, comprising one representative from the data privacy watchdogs in each EU state.

Some GAC representatives said during the ICANN meeting in Prague this June that they had already factored privacy concerns into their support for the RAA talks.

It’s going to interesting to see how both registrars and the GAC react to the Article 29 developments at the Toronto meeting, which begins this weekend.

European privacy watchdog says ICANN’s Whois demands are “unlawful”

Kevin Murphy, September 28, 2012, Domain Policy

European Union privacy officials have told ICANN that it risks forcing registrars to break the law by placing “excessive” demands on Whois accuracy.

In a letter to ICANN yesterday, the Article 29 Working Party said that two key areas in the proposed next version of the Registrar Accreditation Agreement are problematic.

It’s bothered by ICANN’s attempt to make registrars retain data about their customers for up to two years after registration, and by the idea that registrars should re-verify contact data every year.

These were among the requests made by law enforcement, backed up by the Governmental Advisory Committee, that ICANN has been trying to negotiate into the RAA for almost a year.

The letter (pdf) reads:

The Working Party finds the proposed new requirement to re-verify both the telephone number and the e-mail address and publish these contact details in the publicly accessible WHOIS database excessive and therefore unlawful. Because ICANN is not addressing the root of the problem, the proposed solution is a disproportionate infringement of the right to protection of personal data.

The “root cause” points to a much deeper concern the Working Party has.

Whois was designed to help people find technical and operational contacts for domain names, it argues. Just because it has other uses — such as tracking down bad guys — that doesn’t excuse infringing on privacy.

The problem of inaccurate contact details in the WHOIS database cannot be solved without addressing the root of the problem: the unlimited public accessibility of private contact details in the WHOIS database.

It’s good news for registrars that were worried about the cost implications of implementing a new, more stringent RAA.

But it’s possible that ICANN will impose the new requirements anyway, giving European registrars an opt-out in order to comply with local laws.

The letter is potentially embarrassing for the GAC, which seemed to take offense at the Prague meeting this June when it was suggested that law enforcement’s recommendations were not being balanced with the views of privacy watchdogs.

During a June 26 session between the GAC and the ICANN board, Australia’s GAC rep said:

I don’t come here as an advocate for law enforcement only. I come here with an Australian government position, and the Australian government has privacy laws. So you can be sure that from a GAC point of view or certainly from my point of view that in my positions, those two issues have been balanced.

That view was echoed during the same session by the European Commission and the US and came across generally like a common GAC position.

The Article 29 Working Party is an advisory body set up by the EU in 1995. It’s independent of the Commission, but it comprises one representative from the data privacy watchdogs in each EU state.

Identity checks coming to Whois

Kevin Murphy, September 25, 2012, Domain Registrars

Pretty soon, if you want to register a domain name in a gTLD you’ll have to verify your email address and/or phone number or risk having your domain turned off.

That’s the latest to come out of talks between registrars, ICANN, governments and law enforcement agencies, which met last week in Washington DC to thrash out a new Registrar Accreditation Agreement.

While a new draft RAA has not yet been published, ICANN has reported some significant breakthroughs since the Prague meeting in June.

Notably, the registrars have agreed for the first time to do some minimal registrant identity checks — phone number and/or email address — at the point of registration.

Verification of mailing addresses and other data points — feared by registrars for massively adding to the cost of registrations — appears to be no longer under discussion.

The registrars have also managed to win another concession: newly registered domain names will be able to go live before identities have been verified, rather than only after.

The sticking point is in the “and/or”. Registrars think they should be able to choose which check to carry out, while ICANN and law enforcement negotiators think they should do both.

According to a memo released for discussion by ICANN last night:

It is our current understanding that law enforcement representatives are willing to accept post-­‐resolution verification of registrant Whois data, with a requirement to suspend the registration if verification is not successful within a specified time period. However, law enforcement recommends that if registrant Whois data is verified after the domain name resolves (as opposed to before), two points of data (a phone number and an email address) should be verified.

Among the other big changes is an agreement by registrars to an ICANN-run Whois privacy service accreditation system. Work is already underway on an accreditation framework.

After it launches, registrars will only be able to accept private registrations made via accredited privacy and proxy services.

Registrars have also agreed to some of law enforcement’s data retention demands, which has been a bone of contention due to worries about varying national privacy laws.

Under the new RAA, they would keep some registrant transaction data for six months after a domain is registered and other data for two years. It’s not yet clear which data falls into which category.

These and other issues outlined in ICANN’s latest update are expected to be talking points in Toronto next month.

It looks like a lot of progress has been made since Prague — no doubt helped by the fact that law enforcement has actually been at the table — and I’d be surprised if we don’t see a draft RAA by Beijing next April.

How long it takes to be adopted ICANN’s hundreds of accredited registrars is another matter.

How Uniregistry wants to make Whois “two-way”

Kevin Murphy, June 11, 2012, Domain Services

If someone uses a Whois database to look up personal information such as your home address and phone number, wouldn’t it be nice to know a little something about them, too?

That’s the philosophy behind one of Uniregistry’s more interesting new gTLD policies, according to Frank Schilling, founder of the new new gTLD portfolio applicant.

Uniregistry has applied for dozens of gTLDs and says it has a “registrant-centered” outlook that extends to the mandatory thick Whois databases.

If its gTLDs are approved, the company will record the IP addresses of people doing Whois queries and make the records available to its registrants, Schilling said.

He suggested that Whois users may have to give up more info about themselves, in certain cases, too.

“To get certain pieces of information, you’ll have to agree to share some information about yourself,” Schilling said in an interview with DI yesterday.

Registrants would be able to view archived data about who’s been looking them up, which could help them during subsequent legal disputes about names, or during sales negotiations.

For domainers, this could be handy. Imagine you own the domain soft.drink and you receive a low-ball offer from a random stranger you suspect might be a proxy for a large corporation. Wouldn’t it be nice to know Coca-Cola has recently been checking out your Whois?

It’s going to be interesting to see how IP interests and law enforcement agencies – the two ICANN lobbies most deeply invested in Whois accuracy – react to Uniregistry turning the tables.

Newbie domain registrant discovers Whois, has Twitter meltdown

Kevin Murphy, April 26, 2012, Domain Tech

The need for the domain name industry to enforce accurate Whois is often cited by law enforcement and intellectual property interests as a consumer protection measure.

But most regular internet users haven’t got a clue that Whois even exists, let alone what data it contains or how to use it.

A study (pdf) carried out for ICANN’s Whois Review Team last year found that only 24% of consumers know what Whois is.

This stream of tweets I chanced across this afternoon, from what appears to be a first-time domain registrant, is probably more representative of consumer attitudes to Whois.

UPDATE (April 27): I’ve removed the tweets per the request of the Twitter user in question.

Big Content issues gTLD lock-down demands

Kevin Murphy, March 11, 2012, Domain Policy

Twenty members of the movie, music and games businesses have asked ICANN to impose strict anti-piracy rules on new top-level domains related to their industries.

In a position statement, “New gTLDs Targeting Creative Sectors: Enhanced Safeguards”, the groups say that such gTLDs are “fraught with serious risks” and should be controlled more rigorously than other gTLDs.

“If new gTLDs targeted to these sectors – e.g., .music, .movies, .games – are launched without adequate safeguards, they could become havens for continued and increased criminal and illegal activity,” the statement says.

It goes on to make seven demands for regulations covering Whois accuracy, enforced anti-piracy policies, and private requests for domain name take-downs.

The group also says that the content industries should be guaranteed “a seat at the table” when these new gTLD registries make their policies.

The statement is directed to ICANN, but it also appears to address the Governmental Advisory Committee, which has powers to object to new gTLD applications:

In evaluating applications for such content-focused gTLDs, ICANN must require registry operators (and the registrars with whom they contract) to implement enhanced safeguards to reduce these serious risks, while maximizing the potential benefits of such new domains.

Governments should use similar criteria in the exercise of their capability to issue Early Warnings, under the ICANN-approved process, with regard to new gTLD applications that are problematic from a public policy or security perspective.

The statement was sent to ICANN by the Coalition for Online Accountability, which counts the American Society of Composers, Authors and Publishers, the Motion Picture Association of America, the Recording Industry Association of America and Disney among its members.

It was separately signed by the many of the same groups that are supporting Far Further’s .music application, including the American Association for Independent Music and the International Federation of the Phonographic Industry.

Thick .com Whois policy delayed

Kevin Murphy, February 16, 2012, Domain Registries

ICANN’s GNSO Council has deferred a decision on whether Verisign should have to thicken up the Whois database for .com and its other gTLDs.

A motion to begin an official Policy Development Process on thick Whois was kicked down the road by councilors this afternoon at the request of the Non-Commercial Users Constituency.

It will now be discussed at the Council’s face-to-face meeting in Costa Rica in March. But there were also calls from registries to delay a decision for up to a year, calling the PDP a “distraction”.

Verisign’s .com registry contract and the standard Registrar Accreditation Agreement are currently being renegotiated by ICANN, both of which could address Whois in some way.

Today, all contracted gTLD registries have to operate a thick Whois, except Verisign with its .com, .net, .jobs, etc, where the registrars manage the bulk of the Whois data.

ICANN tells Congressmen to chillax

Kevin Murphy, January 25, 2012, Domain Policy

ICANN senior vice president Kurt Pritz has replied in writing to great big list of questions posed by US Congressmen following the two hearings into new gTLDs last month.

The answers do what the format of the Congressional hearings made impossible – provide a detailed explanation, with links, of why ICANN is doing what it’s doing.

The 27-page letter (pdf), which addresses questions posed by Reps. Waxman, Eshoo and Dingell, goes over some ground you may find very familiar, if you’ve been paying attention.

These are some of the questions and answers I found particularly interesting.

Why are you doing this?

Pritz gives an overview of the convoluted ICANN process responsible for conceiving, creating and honing the new gTLD program over the last few years.

It explains, for example, that the original GNSO Council vote, which set the wheels in motion back in late 2007, was 19-1 in favor of introducing new gTLDs.

The “lone dissenting vote”, Pritz notes, was cast by a Non-Commercial Users Constituency member – it was Robin Gross of IP Justice – who felt the program had too many restrictions.

The letter does not mention that three Council members – one from the Intellectual Property Constituency and two more from the NCUC – abstained from the vote.

Why aren’t the trademark protection mechanisms finished yet?

The main concern here is the Trademark Clearinghouse.

New gTLD applicants will not find out how the Clearinghouse will operate until March at the earliest, which is cutting it fine considering the deadline for registering as an applicant is March 29.

Pritz, however, tells the Congressmen that applicants have known all they need to know about the Clearinghouse since ICANN approved the program’s launch last June.

The Clearinghouse is a detail that ideally should have been sorted out before the program launched, but I don’t believe it’s the foremost concern for most applicants or trademark owners.

The unresolved detail nobody seems to be asking about is the cost of a Uniform Rapid Suspension complaint, the mechanism to quickly take down infringing second-level domain names.

ICANN has said that it expects the price of URS – which involves paying an intellectual property lawyer to preside over the case – to be $300 to $500, but I don’t know anyone who believes that this will be possible.

Indeed, one of the questions asked by Rep. Waxman starts with the premise “Leading providers under Uniform Dispute Resolution Policy (UDRP) have complained that current fees collected are inadequate to cover the costs of retaining qualified trademark attorneys.”

UDRP fees usually start at around $1,000, double what ICANN expects the URS – which I don’t think is going to be a heck of a lot simpler for arbitration panels to process – to cost trademark owners.

Why isn’t the Trademark Claims service permanent?

The Trademark Claims service is a mandatory trademark protection mechanism. One of its functions is to alert trademark holders when somebody tries to register their mark in a new gTLD.

It’s only mandatory for the first 60 days following the launch of a new gTLD, but I’m in agreement with the IP community here – in an ideal world, it would be permanent.

However, commercial services already exist that do pretty much the same thing, and ICANN doesn’t want to anoint a monopoly provider to start competing with its stakeholders. As Pritz put it:

“IP Watch” services are already provided by private firms, and it was not necessary for the rights protection mechanisms specific to the New gTLD Program to compete with those ongoing watch services already available.

In other words, brands are going to have to carry on paying if they want the ongoing benefits of an infringement notification service in new gTLDs.

When’s the second round?

Nothing new here. Pritz explains why the date for the second round has not been named yet.

Essentially, it’s a combination of not knowing how big the first round is going to be and not knowing how long it will take to conduct the two (or three) post-first-round reviews that ICANN has promised to the Governmental Advisory Committee.

I tackle the issue of second-round timing in considerable detail on DomainIncite PRO. My feeling is 2015.

On Whois verification

Pritz reiterates what ICANN CEO Rod Beckstrom told the Department of Commerce last week: ICANN expects that many registrars will start to verify their customers’ Whois data this year.

ICANN is currently talking to registrars about a new Registrar Accreditation Agreement that would mandate some unspecified degree of Whois verification.

This issue is at the top of the law enforcement wish list, and it was taken up with gusto by the Governmental Advisory Committee at the Dakar meeting in October.

Pritz wrote:

ICANN is currently in negotiations with its accredited registrars over amendments to the Registrar Accreditation Agreement. ICANN is negotiating amendments regarding to the verification of Whois data, and expects its accredited registrars to take action to meet the rising call for verification of data. ICANN expects that the RAA will incorporate – for the first time – Registrar commitments to verify Whois data.

He said ICANN expects to post the amendments for comment before the Costa Rica meeting in mid-March, and the measures would be in place before the first new gTLDs launch in 2013.

I’ve heard from a few registrars with knowledge of these talks that Whois verification mandates may be far from a dead-cert in the new RAA.

But by publicly stating to government, twice now, that Whois verification is expected, the registrars are under increased pressure to make it happen.

IF Whois verification is not among the RAA amendments, expect the registrars to get another dressing down from the GAC at the Costa Rica meeting this March.

On the other hand, ICANN has arguably handed them some negotiating leverage when it comes to extracting concessions, such as reduced fees.

The registrars were prodded into these talks with the GAC stick, the big question now is what kind of carrots they will be offered to adopt an RAA that will certainly raise their costs.

ICANN expects to post the proposed RAA changes for public comment by February 20.

Whois verification rules coming this year

Kevin Murphy, January 11, 2012, Domain Policy

No more Donald Duck in the Whois?

Registrars could be obliged to verify their customers’ identities when they sell domain names under new rules proposed for later this year, according to ICANN president Rod Beckstrom.

He told National Telecommunications and Information Administration boss Larry Strickling today that the new provisions could make it into the new Registrar Accreditation Agreement by March.

Beckstrom wrote:

ICANN expects that the RAA will incorporate – for the first time – Registrar commitments to verify WHOIS data. ICANN is actively considering incentives for Registrars to adopt the anticipated amendments to the RAA prior to the rollout of the first TLD in 2013.

The RAA is currently being renegotiated by ICANN and the registrar community, following governmental outrage about the RAA at its meeting in Dakar last October.

If new Whois rules are added to the RAA, it will be up to registrars to decide whether to implement them immediately or wait until their existing ICANN contracts expire — hence the need for “incentives”.

Documents ICANN has been posting following its RAA meetings have been less than illuminating, so the letter to Strickling today is the first public insight into what the new contract may contain.

Whois verification, which is often found at the top of the wish-lists of intellectual property and law enforcement communities, is of course hugely controversial.

Civil rights advocates believe that checking registrant identities will infringe on rights to privacy and free speech, while not helping to prevent crime. Actual criminals will of course not hand over their true identities when registering domain names.

The process of verifying Whois data may also wind up making domain names more expensive, due to the costs registrars will incur implementing or subscribing to automated verification systems.

Nevertheless, the anti-new-gTLDs campaign in Washington DC led by the Association of National Advertisers recently led to Whois – a separate issue – being placed firmly on the new gTLDs agenda.

The chairman of the Federal Trade Commission, as well as Strickling, both wrote to ICANN to express concern about the lack of progress on strengthening Whois over the last few years.

Beckstrom’s letter to Strickling can be read here. His reply to FTC chairman Leibowitz – which also schools him in why new gTLDs probably won’t increase fraud – can be read here.