ICANN chief tells industry to lawyer up as privacy law looms

The domain name industry should not rely on ICANN to protect it from incoming EU privacy law.
That’s the strong message that came out of ICANN 60 in Abu Dhabi last week, with the organization’s CEO repeatedly advising companies to seek their own legal advice on compliance with the General Data Protection Regulation.
The organization also said that it will “defer taking action” against any registrar or registry that does not live up its contractual Whois commitments, within certain limits.
“GDPR is a law. I didn’t come up with it, it didn’t come from ICANN policy, it’s the law,” Marby said during ICANN 60 in Abu Dhabi last week.
“This is the first time we’ve seen any legislation that has a direct impact on our ability to make policies,” he said.
GDPR is the EU law governing how companies treat the private information of individuals. While in force now, from May next year companies in any industry found in breach of GDPR could face millions of euros in fines.
For the domain industry, it is expected to force potentially big changes on the current Whois system. The days of all Whois contact information published freely for all to see may well be numbered.
But nobody — not even ICANN — yet knows precisely how registries and registrars are going to be able to comply with the law whilst still publishing Whois data as required by their ICANN contracts.
The latest official line from ICANN is:

At this point, we know that the GDPR will have an impact on open, publicly available WHOIS. We have no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but we don’t know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available.

Marby told ICANNers last week that it might not be definitively known how the law applies until some EU case law has been established in the highest European courts, which could take years.
A GNSO working group and ICANN org have both commissioned legal studies by European law experts. The ICANN one, by Swedish law firm Hamilton, is rather more comprehensive and can be read here (pdf).
Even after this report, Marby said ICANN is still in “discovery” mode.
Marby encouraged the industry to not only submit their questions to ICANN, to be referred on to Hamilton for follow-up studies, but also to share whatever legal advice they have been given and are able to share.
He and others pointed out that Whois is not the only point of friction with GDPR — it’s a privacy law, not a Whois law — so registries and registrars should be studying all of their personal data collection processes for potential conflicts.
Because there is very likely going to be a clash between GDPR compliance and ICANN contract compliance, ICANN has suspended all enforcement actions against Whois violations, within certain parameters.
It said last week that: “ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.”
This is not ICANN saying that registries and registrars can abandon Whois altogether, the statement stresses, but they might be able to adjust their data-handling models.
Domain firms will have to show “a reasonable accommodation of existing contractual obligations and the GDPR” and will have to submit their models to ICANN for review by Hamilton.
ICANN also stressed that registries may have to undergo a Registry Services Evaluation Process review before they can deploy their new model.
The organization has already told two Dutch new gTLD registries that they must submit to an RSEP, after .amsterdam and .frl abruptly stopped publishing Whois data for private registrants recently.
General counsel John Jeffrey wrote to the registries’ lawyer (pdf) to state that an RSEP is required regardless of whether the “new registry service” was introduced to comply with local law.
“One of the underlying purposes of this policy is to ensure that a new registry service does not create and security, stability or competition concerns,” he wrote.
Jeffrey said that while Whois privacy was offered at the registry level, registrars were still publishing full contact details for the same registrants.
ICANN said last week that it will publish more detailed guidance advising registries and registrars how to avoid breach notices will be published “shortly”.

CentralNic and .CLUB reveal premium sales

CentralNic and .CLUB Domains have both revealed sales of premium domain names over the last several days.
CentralNic said yesterday that it has sold “a number” of premiums for $3.4 million.
The names are believed to be from its own portfolio, rather than registry-reserved names in any of the TLDs it manages. The company did not disclose which names, in which TLDs, it had sold.
The sale smooths out potential lumpiness in CentralNic’s revenue, and the company noted that the sales means that recurring revenue from its registrar and registry business will become an increasing proportion of its revenue as its premium portfolio diminishes.
Last week, .CLUB announced that it sold $380,793 of premium .club domains in the third quarter. That was spread over 452 domains.
The big-ticket domains were porn.club and basketball.club, sold by the registry for $85,000 together.
The Q3 headline number was a sharp decline from the Q2 spike of $2.7 million, which was boosted by auctions in China.
The company published a lot more data on its sales on its blog, here.

ICANN reveals $500 million gTLD buyback program

ICANN is to spend its half-billion dollar auction war chest on a buyback program for failing new gTLDs, DI can reveal.
Inspired by the “Cash for Clunkers” program that provided stimulus during the economic downturn in the US a decade ago, the new program will see ICANN offer $1 million per gTLD to any registry whose heart simply isn’t in it any more.
The scheme will work rather like a stock buyback, ICANN explained in a 489-page document (PDF).
Registries opting to sell back their gTLDs will see their strings abruptly removed from the DNS root and their contracts torn up and burned on a great big bonfire.
Any domains registered in these gTLDs will stop resolving to parking pages immediately.
“We believe this program offers the most equitable distribution of auction funds and the fairest way to ensure new gTLD program participants see a return on their investment,” ICANN chair Steve Crocker said in a statement.
Portfolio registries including Donuts, Uniregistry, MMX, Radix and XYZ.com are already believed to have expressed an interest in the scheme, and were already forming a disorderly queue outside ICANN’s Los Angeles headquarters last night.
While Verisign also qualifies for the program, much of the funding will be provided by the $130 million it spent at the .web auction.
The company said it welcomed the deal and plans to sell .web back to ICANN as soon as possible. It added that it will cover the $129 million loss by fueling its data center generators with ten-dollar bills, rather than twenties, for the first three weeks of April.
But registrant groups were outraged by the proposal, which will see millions of domain names erased from the internet.
Dr General President Colonel Lucky Mfwamba (Esq), chair of the New gTLD Registrants Association, said he expects the bottom to fall out of the penis enlargement market overnight.
And in China, thousands of domain investors flocked to forums to complain that the randomly generated domains they bought at $0.20 each and hoped to sell to other investors for $0.30 each are suddenly worthless.

Hacked ICANN data for sale on black market

If you were a user of ICANN’s Centralized Zone Data Service back in 2014 you may wish to think about changing some passwords today.
ICANN has confirmed that a bunch of user names and hashed passwords that were stolen in November 2014 have turned up for sale on the black market.
The batch reportedly contains credentials for over 8,000 users.
ICANN said yesterday:

ICANN recently became aware that some information obtained in the spear phishing incident we announced in 2014 is being offered for sale on underground forums. Our initial assessment is that it is old data and that no new breach of our systems has occurred. The data accessed in the 2014 incident breach included usernames and hashed passwords for our Centralized Zone Data System (CZDS). Once the theft was discovered, we reset all user passwords, and urged users to do the same for any other accounts where they used the same passwords.

While CZDS users have all presumably already changed their CZDS passwords, if they are still using that same password for a non-CZDS web site they may want to think about changing it.
ICANN first announced the hack back in December 2014.
It said at the time that the Government Advisory Committee’s wiki, and a selection of other less interesting pages, had also been compromised.
The attackers got in after a number of ICANN staffers fell for a spear-phishing attack — a narrowly targeted form of phishing that was specifically aimed at them.
If you email with ICANN staff with any regularity you will have noticed that for the last several months your email subject lines get prefixed [EXTERNAL] before the staffer receives them.
That’s to help avoid this kind of attack being successful again.

Pheenix adds 300 more registrars to drop-catch arsenal

The domain drop-catching arms race is heating up, with budget player Pheenix this week acquiring 300 more registrar accreditations from ICANN.
According to DI records, the company now has almost 500 registrar accreditations in its family.
More accreditations means more registry connections with which to attempt to acquire expired domains as they return to the available pool.
It also means that Pheenix’s dropnet (a word I just made up that sounds a bit like “botnet” in a pathetic attempt to coin a term for once in my career) is now a bit bigger than that of Web.com, the registrar pool behind Namejet and SnapNames.
It’s still a long way behind TurnCommerce, owner of DropCatch, which two weeks ago added a whopping 500 new accreditations, bringing its total to over 1,250.
An extra 300 accreditations would have cost Pheenix over $1 million in up-front ICANN fees and will incur ongoing fixed annual fees in excess of $1.2 million.

Go Daddy’s Merdinger named DNA chair

Go Daddy VP of domains Rich Merdinger has been appointed interim chair of the Domain Name Association, replacing Neustar’s Adrian Kinderis.
In a blog post, Merdinger said the DNA will become more “vocal” under its new leadership and outlined three priorities for 2017 — awareness, adoption and access.
He said the DNA will share ways businesses can pursue a strategy of “blending” TLD types in their online activities, promote domains as search engine optimization tools, and make it easier for DNA members to participate.
There will be a new series of DNA Virtual Town Hall meetings to facilliate communication. Merdinger wrote:

Expect to see a more vocal DNA – whether it is at the next virtual town hall or learning about new research on domain name strategies and their business impact. As Interim Chair, I will be working with our leadership team on ways to spotlight how domain names are being used strategically and tactically to support business objectives in 2017 and beyond.

He replaces Kinderis, formerly CEO of AusRegistry/ARI/Bombora, who is now, post-acquisition, VP of corporate development at Neustar.
Kinderis, DNA’s founding chair in April 2013, will remain on the DNA’s board of directors, representing Neustar.
It’s interesting that Merdinger’s appointment to chair is being linked with the DNA becoming more “vocal”.
While Merdinger certainly isn’t a shrinking violet, Kinderis, I’m sure he wouldn’t mind me saying, is one of the bluntest, mouthiest guys in the industry.
That said, GoDaddy has name recognition and has proven to be a bit of a headline magnet over the last decade or so.
It surely has a higher profile among would-be registrants — a big part of the DNA’s audience — than Neustar, which isn’t primarily a domain name company or even necessarily primarily an internet company.
The DNA will continue to operate without an in-house staff, having dumped its second executive director earlier this year in favor of outsourcing to a trade group management company, to cut costs.

Amazon backtracks after pricing free Alexa list at over $900,000

Amazon has reversed, at least temporarily, its decision to yank its free list of the world’s most popular domains, after an outcry from researchers.
The daily Alexa list, which contains the company’s estimate of the world’s top 1 million domains by traffic, suddenly disappeared late last week.
The list was popular with researchers in fields such as internet security. Because it was free, it was widely used.
DI PRO uses the list every day to estimate the relative popularity of top-level domains.
After deleting the list, Amazon directed users to its Amazon Web Services portal, which had started offering the same data priced at $0.0025 per URL.
That’s not cheap. The cost of obtaining same data suddenly leaped from nothing to $912,500 per year, or $2,500 per day.
That’s beyond the wallets, I suspect, of almost every Alexa user, especially the many domain name tools providers (including yours truly) that relied on the data to estimate domain popularity.
Even scaling back usage to the top 100,000 URLs would be prohibitively expensive for most researchers.
While Amazon is of course free to price its data at whatever it thinks it is worth, no notice was given that the file was to be deleted, scuppering without warning goodness knows how many ongoing projects.
Some users spoke out on Twitter.

The quiet death of the @Alexa_Support top million sites is a grievous blow to internet researchers everywhere. $2500 per pull now.

— April King (@aprilmpls) November 21, 2016

Removing the top 1M list is a HUGE mistake. It was extremely useful to assess the impact of new security vulnerabilities. 🙁 @Alexa_Support

— Benjamin Beurdouche (@beurdouche) November 22, 2016

@Alexa_Support I'm disappointed, but I hope you reconsider. The Top 1M list is a standard reference in research. It's simply irreplaceable.

— Santiago Zanella (@xEFFFFFFF) November 22, 2016

I spent most of yesterday figuring out how to quickly rejigger DI PRO to cope with the new regime, but it seems I may have been wasting my time.
After an outcry from fellow researchers, Amazon has restored the free list. It said on Twitter:

Thanks to customer feedback, the top 1M sites is temporarily available again. We’ll provide notice before updating the file in the future

— Alexa Support (@Alexa_Support) November 22, 2016

It seems clear that the key word here is “temporarily”, and that the the restoration of the file may primarily be designed to give researchers more time to seek alternatives or wrap up their research.

Oracle buys Dyn just weeks after huge attack

Oracle has signed a deal to buy DNS services provider Dyn for an undisclosed amount probably in the nine-figure range.
The software giant said it plans to integrate Dyn’s services into its existing cloud computing platform. For the moment, existing Dyn customers are unaffected.
Dyn provides distributed DNS resolution services mainly to the enterprise market, where it has about 3,500 customers.
But it also provides redundant DNS to some TLD registries, notably Uniregistry.
Knowing how ruthlessly opportunistic Oracle can be when it comes to M&A, I have to wonder how much impact the recent denial of service attack against Dyn had on the timing of the deal being signed.
Dyn customers including Twitter and Netflix found themselves inaccessible for millions of North American internet users a couple of weeks ago.
Customers that may have been reconsidering their DNS options following the downtime may feel more reassured now that Dyn is about to become part of a much larger company.
While the acquisition price was not disclosed, it’s certainly going to be in the hundreds of millions.
Just six months ago, Dyn received $50 million in venture capital, following on from a $38 million round in 2012.

Domaining Europe heading to Berlin next year

Next year’s Domaining Europe conference will be held in Berlin, organizers announced today.
The three-day event is slated to start May 14, 2016, at the Steigenberger Hotel, covering the usual mix of sales, development and legal issues.
“This time we are going back to the roots,” organizer Dietmar Stefitz said in an email, “the majority of the panels will discuss about monetization and Market-places.”
This year’s Domaining Europe took place in the Netherlands, after taking place for a couple of years in Spain.
Full-price tickets will be €650 (currently about $705) but there’s an early-bird discount to €350 for anyone buying before December 15.
The conference is being managed in cooperation with ECO, the Germany internet industry association.

Famous Four VP goes solo, claims $400,000 sale

Former Famous Four Media VP of sales Richard Downs has launched a new consultancy business aimed at new gTLD registry operators.
The new company, GTLD Systems is offering a multitude of services but is mainly a way for smaller registries to outsource their sales and marketing operations.
Downs told DI an early success was a recent $400,000 deal, selling a few FFM premiums (in .review and .download) to a single end user. He says he has a pipeline that he hopes will bring his total sales to $1 million before the end of the year.
He said he’s sold over $3 million in premiums over the last few years at FFM.
Spain-based Downs said that he has three employees, one a Chinese-speaker, in three different western-European countries.
Among the services on offer are premium list creation and sales, registrar channel management, Chinese regulatory approval consulting, supplier negotiations and marketing consulting.
Downs was with FFM for about three years. Before that, he was in digital recruitment.