Latest Go Daddy phishing attack unrelated to 2013 RAA

Kevin Murphy, January 6, 2014, Domain Registrars

Fears that the 2013 Registrar Accreditation Agreement would lead to new phishing attacks appear to be unfounded, at least so far.
The 2013 RAA, which came into force at most of the big registrars on January 1, requires registrars to verify the registrant’s email address or phone number whenever a new name is registered.
It was long predicted that this new provision — demanded by law enforcement — would lead to phishers exploiting registrant confusion, obtaining login credentials, and stealing valuable domain names.
Over the weekend, it looked like this prediction had come true, with posts over at DNForum saying that a new Go Daddy scam was doing the rounds and reports that it was related to the 2013 RAA changes.
I disagree. Shane Cultra posted a screenshot of the latest scam on his blog, alongside a screenshot of Go Daddy’s actual verification email, and the two are completely dissimilar.
The big giveaways are the “Whois Data Reminder” banner and “Reminder to verify the accuracy of Whois data” subject line.
The new attack is not exploiting the new 2013 RAA Whois verification requirements; it’s exploiting the 10-year-old Whois Data Reminder Policy, which requires registrars to remind their customers annually to keep their contact details accurate.
In fact, the language of the new scam has been used in phishing attacks against registrants since at least 2010.
That’s not to say the attack is harmless, of course — the attacker is still going to steal the contents of your Go Daddy account if you fall for it.
We probably will see attacks specifically targeting confusion about the new address verification policy in future, but it seems to me that the confusion we’re seeing with the latest scam may be coincidental.
Go Daddy told DI yesterday that the scam site in question had already been shut down. It’s not clear if anyone fell for it while it was live.

ICANN says Article 29 letter does not give EU registrars privacy opt-out

Kevin Murphy, July 15, 2013, Domain Policy

Registrars based in the European Union won’t immediately be able to opt out of “illegal” data retention provisions in the new 2013 Registrar Accreditation Agreement, according to ICANN.
ICANN VP Cyrus Namazi on Saturday told the Governmental Advisory Committee that a recent letter from the Article 29 Working Party, which comprises the data protection authorities of EU member states, is “not a legal authority”.
Article 29 told ICANN last month that the RAA’s provisions requiring registrars to hold registrant data for two years after the domain expires were “illegal”.
While the RAA allows registrars to opt out of clauses that would be illegal for them to comply with, they can only do so with the confirmation of an adequate legal opinion.
The Article 29 letter was designed to give EU registrars that legal opinion across the board.
But according to Namazi, the letter does not meet the test. In response to a question from the Netherlands, he told the GAC:

We accept it from being an authority, but it’s not a legal authority, is our interpretation of it. That it actually has not been adopted into legislation by the EU. When and if it becomes adopted then of course there are certain steps to ensure that our contracted parties are in line with — in compliance with it. But we look at them as an authority but not a legal authority at this stage.

It seems that when the privacy watchdogs of the entire European Union tell ICANN that it is in violation of EU privacy law, that’s not taken as an indication that it is in fact in violation of EU privacy law.
The European Commission representative on the GAC expressed concern about this development during Saturday’s session, which took place at ICANN 47 in Durban, South Africa.

ICANN approves 2013 RAA

ICANN has approved a new version of its standard Registrar Accreditation Agreement, after almost two years of talks with registrars.
The new 2013 RAA will be obligatory for any registrar that wants to sell new gTLD domain names, and may in future become obligatory for .org, .info and .biz.
The new deal’s primary changes include obligations for registrars to verify email addresses supplied for Whois records as well as stronger oversight on proxy/privacy services and resellers.
Akram Atallah, president of ICANN’s new Generic Domains Division, said in a statement:

In no small way this agreement is transformational for the domain name industry. Our multiple stakeholders weighed in, from law enforcement, to business, to consumers and what we have ended up with is something that affords better protections and positively redefines the domain name industry.

Registrars Stakeholder Group chair Michele Neylon told DI:

The 2013 RAA does include a lot of changes that will be welcomed by the broad community. It addresses the concerns of the Governmental Advisory Committee, it addresses the concerns of law enforcement, it addresses the concerns of IP rights advocates, end user consumer groups and many others.

But Neylon warned that ICANN will need “proactive outreach” to registrars, particularly those that do not regularly participate in the ICANN community or do not have English as their first language.
The new RAA puts a lot of new obligations on registrars that they all need to be fully aware of, he said.
“The unfortunate reality is that a lot of companies may sign contracts without being aware of what they’re agreeing to,” Neylon said. “The entire exercise could be seen as a failure if the outliers — registrars not actively engaged in the ICANN process or whose first language is not English — are not communicated with.”
A new RAA was also considered a gateway event for the launch of new gTLDs, so applicants have a reason to be cheerful today.

ICANN offers to split the cost of GAC “safeguards” with new gTLD registries

Kevin Murphy, June 28, 2013, Domain Policy

All new gTLD applicants will have to abide by stricter rules on security and Whois accuracy under government-mandated changes to their contracts approved by the ICANN board.
At least one of the new obligations is likely to burden new gTLD registries with additional ongoing costs. In another case, ICANN appears ready to shoulder the financial burden instead.
The changes are coming as a result of ICANN’s New gTLD Program Committee, which on Tuesday voted to adopt six more pieces of the Governmental Advisory Committee’s advice from March.
This chunk of advice, which deals exclusively with security-related issues, was found in the GAC’s Beijing communique (pdf) under the heading “Safeguards Applicable to all New gTLDs”.
Here’s what ICANN has decided to do about it.
Mandatory Whois checks
The GAC wanted all registries to conduct mandatory checks of Whois data at least twice a year, notifying registrars about any “inaccurate or incomplete records” found.
Many new gTLD applicants already offered to do something similar in their applications.
But ICANN, in response to the GAC advice, has volunteered to do these checks itself. The NGPC said:

ICANN is concluding its development of a WHOIS tool that gives it the ability to check false, incomplete or inaccurate WHOIS data

Given these ongoing activities, ICANN (instead of Registry Operators) is well positioned to implement the GAC’s advice that checks identifying registrations in a gTLD with deliberately false, inaccurate or incomplete WHOIS data be conducted at least twice a year. To achieve this, ICANN will perform a periodic sampling of WHOIS data across registries in an effort to identify potentially inaccurate records.

While the resolution is light on detail, it appears that new gTLD registries may well be taken out of the loop completely, with ICANN notifying their registrars instead about inaccurate Whois records.
It’s not the first time ICANN has offered to shoulder potentially costly burdens that would otherwise encumber registry operators. It doesn’t get nearly enough credit from new gTLD applicants for this.
Contractually banning abuse
The GAC wanted new gTLD registrants contractually forbidden from doing bad stuff like phishing, pharming, operating botnets, distributing malware and from infringing intellectual property rights.
These obligations should be passed to the registrants by the registries via their contracts with registrars, the GAC said.
ICANN’s NGPC has agreed with this bit of advice entirely. The base new gTLD Registry Agreement is therefore going to be amended to include a new mandatory Public Interest Commitment reading:

Registry Operator will include a provision in its Registry-Registrar Agreement that requires Registrars to include in their Registration Agreements a provision prohibiting Registered Name Holders from distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law, and providing (consistent with applicable law and any related procedures) consequences for such activities including suspension of the domain name.

The decision to include it as a Public Interest Commitment, rather than building it into the contract proper, is noteworthy.
PICs will be subject to a Public Interest Commitment Dispute Resolution Process (PICDRP) which allows basically anyone to file a complaint about a registry suspected of breaking its commitments.
ICANN would act as the enforcer of the ruling, rather than the complainant. Registries that lose PICDRP cases face consequences up to and including the termination of their contracts.
In theory, by including the GAC’s advice as a PIC, ICANN is handing a loaded gun to anyone who might want to shoot down a new gTLD registry in future.
However, the proposed PIC language seems to be worded in such a way that the registry would only have to include the anti-abuse provisions in its contract in order to be in compliance.
Right now, the way the PIC is worded, I can’t see a registry getting terminated or otherwise sanctioned due to a dispute about an instance of copyright infringement by a registrant, for example.
I don’t think there’s much else to get excited about here. Every registry or registrar worth a damn already prohibits its customers from doing bad stuff, if only to cover their own asses legally and keep their networks clean; ICANN merely wants to formalize these provisions in its chain of contracts.
Actually fighting abuse
The third through sixth pieces of GAC advice approved by ICANN this week are the ones that will almost certainly add to the cost of running a new gTLD registry.
The GAC wants registries to “periodically conduct a technical analysis to assess whether domains in its gTLD are being used to perpetrate security threats such as pharming, phishing, malware, and botnets.”
It also wants registries to keep records of what they find in these analyses, to maintain a complaints mechanism, and to shut down any domains found to be perpetrating abusive behavior.
ICANN has again gone the route of adding a new mandatory PIC to the base Registry Agreement. It reads:

Registry Operator will periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. Registry Operator will maintain statistical reports on the number of security threats identified and the actions taken as a result of the periodic security checks. Registry Operator will maintain these reports for the term of the Agreement unless a shorter period is required by law or approved by ICANN, and will provide them to ICANN upon request.

You’ll notice that the language is purposefully vague on how registries should carry out these checks.
ICANN said it will convene a task force or GNSO policy development process to figure out the precise details, enabling new gTLD applicants to enter into contracts as soon as possible.
It means, of course, that applicants could wind up signing contracts without being fully apprised of the cost implications. Fighting abuse costs money.
There are dozens of ways to scan TLDs for abusive behavior, but the most comprehensive ones are commercial services.
ICM Registry, for example, decided to pay Intel/McAfee millions of dollars — a dollar or two per domain, I believe — for it to run daily malware scans of the entire .xxx zone.
More recently, Directi’s .PW Registry chose to sign up to Architelos’ NameSentry service to monitor abuse in its newly relaunched ccTLD.
There’s going to be a fight about the implementation details, but one way or the other the PIC would make registries scan their zones for abuse.
What the PIC does not state, and where it may face queries from the GAC as a result, is what registries must do when they find abusive behavior in their gTLDs. There’s no mention of mandatory domain name suspension, for example.
But in an annex to Tuesday’s resolution, ICANN’s NGPC said the “consequences” part of the GAC advice would be addressed as part of the same future technical implementation discussions.
In summary, the NGPC wants registries to be contractually obliged to contractually oblige their registrars to contractually oblige their registrants to not do bad stuff, but there are not yet any obligations relating to the consequences, to registrants, of ignoring these rules.
This week’s resolutions are the second big batch of decisions ICANN has taken regarding the GAC’s Beijing communique.
Earlier this month, it accepted some of the GAC’s direct advice related to certain specific gTLDs it has a problem with, the RAA and intergovernmental organizations and pretended to accept other advice related to community objections.
The NGPC has yet to address the egregiously incompetent “Category 1” GAC advice, which was the subject of a public comment period.

Whois headed for the scrap heap in “paradigm shift”

Kevin Murphy, June 25, 2013, Domain Policy

Whois’ days are numbered.
An “Expert Working Group” assembled by ICANN CEO Fadi Chehade has proposed that the old Whois service we all love to hate be scrapped entirely and replaced with something (possibly) better.
After several months of deliberations the EWG today issued an audacious set of preliminary recommendations that would completely overhaul the current system.
Registrants’ privacy might be better protected under the new model, and parties accessing Whois data would for the first time have obligations to use it responsibly.
There’d also be a greater degree of data validation than we have with today’s Whois, which may appease law enforcement and intellectual property interests.
The new concept may also reduce costs for registries and registrars by eliminating existing Whois service obligations.
The EWG said in its report:

After working through a broad array of use cases, and the myriad of issues they raised, the EWG concluded that today’s WHOIS model—giving every user the same anonymous public access to (too often inaccurate) gTLD registration data—should be abandoned.
Instead, the EWG recommends a paradigm shift whereby gTLD registration data is collected, validated and disclosed for permissible purposes only, with some data elements being accessible only to authenticated requestors that are then held accountable for appropriate use.

The acronym being proposed is ARDS, for Aggregated Registration Data Services.
For the first time, gTLD registrant data would be centralized and maintained by a single authority — likely a company contracted by ICANN — instead of today’s mish-mash of registries and registrars.
The ARDS provider would store frequently refreshed cached copies of Whois records provided by registries and registrars, and would be responsible for validating them and handling accuracy complaints.
To do a Whois look-up, you’d need access credentials for the ARDS database. It seems likely that different levels of access would be available depending on the user’s role.
Law enforcement could get no-holds-barred access, for example, while regular internet users might not be able to see home addresses (my example, not the EWG’s).
Credentialing users may go some way to preventing Whois-related spam.
A centralized service would also provide users with a single, more reliable and uniform, source of registrant data.
Registrars and registries would no longer have to provide Whois over port 43 or the web, potentially realizing cost savings as a result, the EWG said.
For those concerned about privacy, the EWG proposes two levels of protection:

  • An Enhanced Protected Registration Service for general personal data privacy needs; and
  • A Maximum Protected Registration Service that offers Secured Protected Credentials Service for At-Risk, Free-Speech uses.

If I understand the latter category correctly, the level of privacy protection could even trump requests for registrant data from law enforcement. This could be critical in cases of, for example, anti-governmental speech in repressive regimes.
The proposed model would not necessarily kill off existing privacy/proxy services, but such services would come under a greater degree of ICANN regulation than they are today.
It appears that there’s a lot to like about the EWG’s concepts, regardless of your role.
It is very complex, however. The devil, as always, will be in the details. ARDS is going to need a lot of careful consideration to get right.
But it’s a thought-provoking breakthrough in the age-old Whois debate, all the more remarkable for being thrown together, apparently through a consensus of group members, in such a short space of time.
The EWG’s very existence is somewhat controversial; some say it’s an example of Chehade trying to circumvent standard procedures. But it so far carries no official weight in the ICANN policy-making process.
Its initial report is currently open for public comment, either via email directly to the group or through planned webinars. After it is finalized it will be submitted to the ICANN board of directors.
The board would then throw the recommendations at the Generic Names Supporting Organization for a formal Policy Development Process, which would create a consensus policy applicable to all registries and registrars.
With all that in mind, it’s likely to be a few years before (and if) the new model becomes a reality.

New registrar contract could be approved next week

ICANN’s board of directors is set to vote next week on the 2013 Registrar Accreditation agreement, but we hear some last-minute objections have emerged from registrars.
The new RAA has been about two years in the making. It will make registrars verify email addresses and do some rudimentary mailing address validation when new domains are registered.
It will also set in motion a process for ICANN oversight of proxy/privacy services and some aspects of the reseller business. In order to sell domain names in new gTLDs, registrars will have to sign up to the 2013 RAA.
ICANN has put approval of the contract on its board’s June 27 agenda.
But I gather that some registrars are unhappy about some last-minute changes ICANN has made to the draft deal.
For one, some linguistic tweaks to the text have given registrars an “advisory” role in seeking out technical ways to do the aforementioned address validation, which has caused some concern that ICANN may try to mandate expensive commercial solutions without their approval.
There also appears to be some concern that the new contract now requires registrars to make sure their resellers follow the same rules on proxy/privacy services, which wasn’t in previous drafts.

Nominet brings back second-level .uk proposal

Nominet has resurrected Direct.uk, its plan to allow people to register domain names directly under .uk.
But the proposal, which was killed off in February, has been significantly revised in response to complaints from domain investors and others.
The idea is one of a collection being announced by Nominet this afternoon.
It’s also proposing to shake up how it accredits .uk registrars and, borrowing a page from the current ICANN playbook, how .uk registrant Whois information is verified.
Second-level domains make a comeback
If the Direct.uk proposal is approved and you own a .co.uk, .me.uk or .org.uk domain name, you’ll get rights to the matching .uk name, according to Nominet COO Eleanor Bradley.
“The registrant of the oldest current domain name at the third level will have first right of refusal to register that name at the second level,” she said.
When a .uk is contested by, for example, the owners of matching .co.uk and .org.uk domains, the older registration would win the name.
The clock on the registration period is reset to the date of the current registration if the domain has ever dropped before, but not if it’s been transferred between registrants, she said.
This change may settle some of the concerns emerging from the domain investor community, which was outraged by Nominet’s original plan to give trademark holders first rights to .uk names.
Giving the .uk and .co.uk to different people would stand to confuse internet users, they said, not to mention devaluing their portfolios.
It wasn’t just domainers that stood to lose out under the old plan, however.
British domainer Edwin Hayward compiled some examples of big brands that have invested in generic .co.uk domains but do not own matching trademarks, meaning they would not necessarily have got the second-level name under the old plan.
Barclays owns bank.co.uk and Kellogg owns breakfast.co.uk, for example. Under the new Nominet proposal, it looks like these companies would get first dibs on the matching .uk addresses.
“We feel we’re responding to the feedback we heard, but it’s also our strong view that registrations at the second level are really important for what we do to maintain the relevance of .uk going forward,” Bradley said.
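The seniority rule described above, worked through in code as an added example (it is not Nominet’s code or its published rules): the oldest current third-level registration wins first right of refusal on the matching .uk name, a drop resets the clock, and a transfer between registrants does not. The event vocabulary, the tie handling (the article does not say how ties resolve, so a tie returns no winner) and the sample registration histories are all my assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# The three second-level domains the article names as conferring rights.
THIRD_LEVEL_SUFFIXES = (".co.uk", ".me.uk", ".org.uk")


@dataclass
class Event:
    when: date
    kind: str  # "registered", "dropped" or "transferred" (constructed vocabulary)


@dataclass
class Registration:
    name: str               # full third-level name, e.g. "bank.co.uk"
    registrant: str         # current registrant
    history: List[Event] = field(default_factory=list)

    def effective_date(self) -> Optional[date]:
        """Start of the current registration period, or None if the name is
        not currently registered. A drop resets the clock, so the period
        restarts at the next registration; a transfer leaves it untouched."""
        start = None
        for ev in sorted(self.history, key=lambda e: e.when):
            if ev.kind == "registered":
                if start is None:
                    start = ev.when
            elif ev.kind == "dropped":
                start = None        # name lapsed; seniority is lost
            # "transferred": seniority carries over to the new registrant
        return start


def label_of(name: str) -> Optional[str]:
    """Return the label shared with the .uk name, or None if the name is not
    under one of the rights-conferring suffixes."""
    for suffix in THIRD_LEVEL_SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return None


def first_right_of_refusal(label: str, registrations: List[Registration]) -> Optional[Registration]:
    """Pick the current third-level registration with the oldest effective
    date for <label>.uk. Returns None if nobody qualifies or the two oldest
    candidates tie on date (tie handling is an assumption, not Nominet's rule)."""
    candidates = []
    for reg in registrations:
        eff = reg.effective_date()
        if label_of(reg.name) == label and eff is not None:
            candidates.append((eff, reg))
    if not candidates:
        return None
    candidates.sort(key=lambda pair: pair[0])
    if len(candidates) > 1 and candidates[0][0] == candidates[1][0]:
        return None
    return candidates[0][1]


# Constructed sample histories; only the two brand/name pairs come from the article.
SAMPLE = [
    Registration("bank.co.uk", "Barclays", [
        Event(date(1998, 3, 1), "registered"),
        Event(date(2005, 6, 1), "transferred"),   # transfer keeps the 1998 clock
    ]),
    Registration("bank.org.uk", "Someone Else", [
        Event(date(1996, 1, 1), "registered"),    # older on paper...
        Event(date(2003, 1, 1), "dropped"),       # ...but the drop resets the clock
        Event(date(2004, 1, 1), "registered"),
    ]),
    Registration("bank.me.uk", "A Domainer", [
        Event(date(2010, 1, 1), "registered"),
    ]),
    Registration("breakfast.co.uk", "Kellogg", [
        Event(date(2001, 1, 1), "registered"),
    ]),
]

if __name__ == "__main__":
    for label in ("bank", "breakfast", "nothing"):
        winner = first_right_of_refusal(label, SAMPLE)
        print(label + ".uk ->", winner.registrant if winner else "no eligible registrant")
```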
Plans to ramp up Whois verification
The revamped plan will also see Nominet drop its demands for mandatory extra security features under second-level .uk names.
Some critics had said that this would ghettoize .co.uk by suggesting it’s not secure.
Instead, the company is proposing blanket Whois verification for the whole of .uk — second and third-level — and a suite of optional security services to be provided in-house and via partners.
The Whois checks will take the form of email verification, in much the same way as ICANN has proposed for gTLDs in its new Registrar Accreditation agreement.
Nominet also plans to check physical mailing addresses against public databases to make sure they’re genuine. This apparently already happens to an extent.
Three tiers of registrar
The company today also unveiled plans for three types of registrar: Self-Managed, Channel Partner and Accredited Channel Partner.
Self-Managed would be domainers and big corporate users that manage their own portfolios. Channel Partners would be the vanilla registrars we know today, and Accredited would have been certified as having a certain level of security and Whois quality, among other things.
Existing registrars could do nothing and become Channel Partners, or migrate to one of the other two tiers, Bradley said.
Those in the Self-Managed and Accredited tiers would get free inter-registrant transfers, she said. Accredited registrars would also be trusted to handle their own Whois verification.
The proposals are still only proposals, but it sounds like Nominet is determined to get it right this time.
The Direct.uk consultation is not expected to be over until November, so we’re not likely to see any movement until next year.

Cops say new gTLDs shouldn’t launch without a Big Brother RAA

Law enforcement agencies are not happy with the proposed 2013 Registrar Accreditation Agreement, saying it doesn’t go far enough to help them catch online bad guys.
Europol and the FBI told ICANN’s Governmental Advisory Committee yesterday that people need to have their full identities verified before they’re allowed to register domain names.
They added that new gTLDs shouldn’t be allowed to launch until a tougher RAA is agreed to and signed by registrars.
The draft 2013 RAA would force registrars to validate their customers’ email addresses or phone numbers after selling them a domain, but law enforcement thinks this is not enough.
“We need a bit more in this area,” Troels Oerting, head of Europol’s European Cybercrime Centre, told the GAC during a Sunday session. “We need a bit more to be verified in addition to the phone or email.”
“It’s very, very important that we are able to identify perpetrators, able to identify the originators, and it’s not enough that you just put in the email or phone,” he said.
He added that there should also be re-verification procedures and ongoing compliance monitoring from ICANN, and said that only registrars signing the 2013 RAA should be allowed to sell new gTLD domains.
Europol has sent a letter to ICANN (not yet published, it seems) outlining four areas it wants to see the RAA “improved”, Oerting said.
Given that many GAC members, including the US, seem to support this position, it’s yet another threat to ICANN’s new gTLD launch timetable, not to mention privacy and anonymous speech in general.
The law enforcement recommendations are not new, of course. They’ve been in play and GAC-endorsed for many years, but were watered down during ICANN’s RAA talks with registrars.

Another deadline missed in registrar contract talks

Kevin Murphy, December 16, 2012, Domain Registrars

ICANN and domain name registrars will fail to agree on a new Registrar Accreditation Agreement by the end of the year, ICANN has admitted.
In a statement Friday, ICANN said that it will likely miss its end-of-year target for completing the RAA talks:

While the registrars and ICANN explored potential dates for negotiation in December 2012, both sides have agreed that between holidays, difficult travel schedules and the ICANN Prioritization Draw for New gTLDs, a December meeting is not feasible. Therefore, negotiations will resume in January 2013, and the anticipated date for publication of a draft RAA for community comment will be announced in January as well.

The sticking point appears to still be the recommendations for strengthening registrars’ Whois accuracy commitments, as requested by law enforcement agencies and governments.
At the Toronto meeting in October, progress appeared to have been made on all 12 of the LEA recommendations, but the nitty-gritty of the Whois verification asks had yet to be ironed out.
Potentially confusing matters, ICANN has launched a parallel root-and-branch Whois policy reform initiative, a community process which may come to starkly different conclusions to the RAA talks.
Before the LEA issues are settled, ICANN doesn’t want to start dealing with requests for RAA changes from the registrars themselves, which include items such as dumping their “burdensome” port 43 Whois obligations for gTLD registries that have thick Whois databases.
ICANN said Friday:

Both ICANN and the registrars have additional proposed changes which have not yet been negotiated. As previously discussed, it has been ICANN’s position that the negotiations on key topics within the law enforcement recommendations need to come to resolution prior to concluding negotiations on these additional areas.

Registrars agreed under duress to start renegotiating the RAA following a public berating from the Governmental Advisory Committee at the ICANN Dakar meeting in October 2011.
At the time, the law enforcement demands had already been in play for two years with no substantial progress. Following Dakar, ICANN and the registrars said they planned to have a new RAA ready by March 2012.
Judging by the latest update, it seems quite likely that the new RAA will be a full year late.
ICANN has targeted the Beijing meeting in April next year for approval of the RAA. It’s one of the 12 targets Chehade set himself following Toronto.
Given that the draft agreement will need a 42-day public comment period first, talks are going to have to conclude before the end of February if there’s any hope of hitting that deadline.

Chehade kicks off massive Whois review

Kevin Murphy, December 14, 2012, Domain Policy

ICANN has started the ball rolling on its potentially radical rethink of how Whois works with the formation of a new “Expert Working Group” tasked with examining the issue.
As ICANN chair Steve Crocker told DI last month, this is the first stage of a root-and-branch reexamination of Whois databases, what they’re for, and how they’re accessed.
According to ICANN, which is referring to Whois as “gTLD registration data” presumably to avoid confusion with the Whois technical standard, the group will:

1) define the purpose of collecting and maintaining gTLD registration data, and consider how to safeguard the data, and
2) provide a proposed model for managing gTLD directory services that addresses related data accuracy and access issues, while taking into account safeguards for protecting data.

Whatever the new Expert Working Group on gTLD Directory Services comes up with between January and April next year will be punted to the Generic Names Supporting Organization for an ICANN board-mandated Policy Development Process.
The PDP could create policies binding on gTLD registries and registrars.
Jean-Francois Baril has been hand-picked to chair the group. He has no connection to the domain name industry but appears to have worked with ICANN CEO Fadi Chehade on the RosettaNet standards-setting project.
Crocker and fellow ICANN director Chris Disspain will also join the group.
ICANN wants volunteers to fill the other positions and it seems to be eager to find outsiders who do not already represent entrenched ICANN constituency positions, saying:

Volunteer working group members should: have significant operational knowledge and experience with WHOIS, registrant data, or directory services; be open to new ideas and willing to forge consensus; be able to think strategically and navigate conflicting views; have a record of fostering improvements and delivering results; have a desire to create a new model for gTLD directory services; and be able to volunteer approximately 12-20 hours a month during January – April 2013 to the working group.
Individuals who have worked extensively in the areas of registration data collection, access, accuracy, use, privacy, security, law enforcement, and standards and protocols are also encouraged to consider working group membership. As the working group will be a collection of experts, it is not expected to be comprised solely of representatives of current ICANN community interests. Although members may not come directly from ICANN structures, the working group will have a deep understanding of, and concern for, the ICANN communities’ interests.

Obviously law enforcement and intellectual property interests will be keen to make sure they’re amply represented in the group, as will registries/registrars and privacy advocates.