EU body tells ICANN that 2013 RAA really is illegal

A European Union data protection body has told ICANN for a second time — after being snubbed the first — that parts of the 2013 Registrar Accreditation Agreement are in conflict with EU law.
The Article 29 Data Protection Working Party, which is made up of the data protection commissioners in all 28 EU member states, reiterated its claim in a letter (pdf) sent earlier this month.
In the letter, the Working Party takes issue with the part of the RAA that requires registrars to keep hold of customers’ Whois data for two years after their registrations expire. It says:

The Working Party’s objection to the Data Retention Requirement in the 2013 RAA arises because the requirement is not compatible with Article 6(e) of the European Data Protection Directive 95/46/EC which states that personal data must be:
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected”
The 2013 RAA fails to specify a legitimate purpose which is compatible with the purpose for which the data was collected, for the retention of personal data of a period of two years after the life of a domain registration or six months from the relevant transaction respectively.

Under ICANN practice, any registrar may request an opt out of the RAA data retention clauses if they can present a legal opinion to the effect that to comply would be in violation of local laws.
The Working Party told ICANN the same thing in July last year, clearly under the impression that its statement would create a blanket opinion covering all EU-based registrars.
But a week later ICANN VP Cyrus Namazi told ICANN’s Governmental Advisory Committee that the Working Party was “not a legal authority” as far as ICANN is concerned.
The Working Party is clearly a bit miffed at the snub, telling ICANN this month:

The Working Party regrets that ICANN does not acknowledge our correspondence as written guidance to support the Waiver application of a Registrar operating in Europe.
…
the Working Party would request that ICANN accepts the Working Party’s position as appropriate written guidance which can accompany a Registrar’s Data Retention Waiver Request.

It points out that the data protection commissioners of all 28 member states have confirmed that the letter “reflects the legal position in their member state”.
ICANN has so far processed one waiver request, made by the French registrar OVH, as we reported earlier this week.
Weirdly, the written legal opinion used to support the OVH request is a three-page missive by Blandine Poidevin of the French law firm Jurisexpert, which cites the original Working Party letter heavily.
It also cites letters from CNIL, the French data protection authority, which seem to merely confirm the opinion of the Working Party (of which it is of course a member).
EU registrars seem to be in a position here where in order to have the Working Party’s letter taken seriously by ICANN, they have to pay a high street lawyer to endorse it.

First European registrar to get Whois data opt-out

ICANN plans to give a French registrar the ability to opt out of parts of the 2013 Registrar Accreditation Agreement due to data privacy concerns.
OVH, the 14th-largest registrar of gTLD domains, asked ICANN to waive parts of the RAA that would require it to keep hold of registrant Whois data for two years after it stops having a relationship with the customer.
The company asked for the requirement to be reduced to one year, based on a French law and a European Union Directive.
ICANN told registrars last April that they would be able to opt-out of these rules if they provided a written opinion from a local jurist opining that to comply would be illegal.
OVH has provided such an opinion and now ICANN, having decided on a preliminary basis to grant the request, is asking for comments before making a final decision.
If granted, it would apply to “would apply to similar waivers requested by other registrars located in the same jurisdiction”, ICANN said.
It’s not clear if that means France or the whole EU — my guess is France, given that EU Directives can be implemented in different ways in different member states.
Throughout the 2013 RAA negotiation process, data privacy was a recurring concern for EU registrars. It’s not just a French issue.
ICANN has more details, including OVH’s request and links for commenting, here.

Cartier sues Nominet hoping to set global domain name take-down precedent

Luxury watchmaker Cartier has taken .uk registry Nominet to court, hoping to set a precedent that would enable big brands to have domain names taken down at a whim.
The company sued Nominet in a London court in October, seeking an injunction to force the registry to take down 12 domain names that at the time led to sites allegedly selling counterfeit watches.
We’ve only become aware of the case today after Nominet revealed it has filed its defense documents.
Judging by documents attached to Nominet’s court filings, Cartier sees the suit as a test case that could allow it to bring similar suits against other “less cooperative” registries elsewhere in the world.
In a letter submitted as evidence as part of Nominet’s defense, Richard Graham, head of digital IP at Cartier parent company Richemont International, said that he was:

seeking to develop a range of tools that can be deployed quickly and efficiently to prevent Internet users accessing websites that offer counterfeit goods… [and] looking to establish a precedent that can be used to persuade courts in other jurisdictions where the registries are less cooperative.

It’s worth noting that Richemont has applied for 13 dot-brands under ICANN’s new gTLD program and that Graham is often the face of the applications at conferences and such.
Pretty soon Richemont will also be a domain name registry. We seem to be looking at two prongs of its brand protection strategy here.
According to the company’s suit, the 12 domains in question all had bogus Whois information and were all being used to sell bogus Cartier goods.
None of them used a Cartier trademark in the domain — this is explicitly about the contents of web sites, not their domains names — and Cartier says most appeared to be registered to people in China.
Rather than submitting a Whois inaccuracy complaint with Nominet — which could have led to the domains being suspended for a breach of the terms of service — Cartier decided to sue instead.
Graham actually gave Nominet’s lawyers over a week’s notice that the lawsuit was incoming, writing his letter (pdf) on October 22 and filing the complaint (pdf) with the courts November 4.
Cartier seems to have grown frustrated playing whack-a-mole with bootleggers who cannot be traced and just pop up somewhere else whenever their latest web host is persuaded to cut them off.
Graham’s letter, which comes across almost apologetic in its cordiality when compared to the usual legal threat, reads:

Cartier therefore believes the most cost effective and efficient way to disrupt access to the Counterfeiting Websites operating in the UK is to seek relief from you, as the body operating the registry of .uk domain names.

Armed with the foreknowledge provided by the letter, Nominet reviewed the Whois records of the domains in question, found them lacking, and suspended the lot.
Ten were suspended before Cartier sued, according to Nominet. Another expired before the suit was filed and was re-registered by a third party. A fourth, allegedly registered to a German whose scanned identity card was submitted as evidence by Nominet, was suspended earlier this month.
As such, much of Nominet’s defense (pdf) relies upon what seems to be a new and obscure legal guideline, the “Practice Direction on Pre-Action Conduct”, that encourages people to settle their differences without resorting to the courts.
Nominet’s basically saying that there was no need for Cartier to sue, because it already has procedures in place to deal with counterfeiters using fake Whois data.
Also offered in the defense are the facts that suspending a domain does not remove a web site, that Nominet does not operate web sites, and the following:

Nominet is not at liberty under its Terms and Conditions of Domain Name Registration to suspend .uk domain names summarily upon mere receipt of a demand from someone unconnected with the domain name registrant.

That seems to me to be among the most important parts of the defense.
If Cartier were to win this case, it may well set a precedent giving registries (in the UK at least, at first) good reason to cower when they receive dodgy take-down orders from multibillion-dollar brands.
Indeed, that seems to be what Cartier is going for here.
Unfortunately, Nominet has a track record of at least accelerating the takedown of domains based on nothing more than third-party “suspicion”. Its defense actually admits this fact, stating:

Inaccurate identity and contact information generally leads to the suspension of a domain within three weeks. Where suspicions of criminality are formally confirmed by a recognised law enforcement agency, suspension may be very significantly expedited.

I wonder if this lawsuit would have happened had Nominet not been so accommodating to unilateral third-party take-down notices in the past.
In a statement to members today, a copy of which was sent to DI, Nominet encouraged internet users to report counterfeiting web sites to the police if and when they find them.

Nominet bans rape domains

Nominet has banned “rape” domains from the .uk space, following an independent review spurred by a newspaper article.
The company announced today that it is to adopt the recommendations of Lord Macdonald (pdf), who said domains that “signal or encourage serious sexual offences” should be deleted.
The policy applies retroactively and at least a dozen domains have already been suspended.
Nominet CEO Lesley Cowley said in a statement:

Even though we are only talking about a handful of domain names, we agreed that we do not want those domain names on the register – regardless of whether there was an associated website or content.

Under the new policy, Nominet will review all new domain name registrations within the first 48 hours. It said it will:

Institute a system of post-registration domain name screening, within 48 hours of registration, for domain names that appear to signal or encourage serious sexual offences. Where examples that meet these criteria are discovered, they will be suspended or de-registered.

It’s pretty vague at the moment, both in terms of what constitutes a “signal” and how the oversight process will be carried out. Nominet said it will reveal implementation details at a later date.
Importantly, there will be no pre-screening of domains for potentially offensive substrings. It will still be possible to register names if you’re a “therapist” or enjoy “grapes”.
Macdonald said in his report:

any process of pre-registration scrutiny is likely to be slow, technologically blunt, and have minimal useful impact. It would likely damage the credibility of the .uk space in the market place and it would bring few discernible advantages.

He seems to be envisaging a system of manual review, aided by keyword searches, that looks only for domains that seem to be unambiguously “egregious”. He wrote:

it is precisely because of the inadequacies of the screening technology that Nominet has available to it, and the utmost importance of avoiding unnecessary or mistaken interference with free expression rights, that any post registration screening process should be strictly designed to target only the most egregious examples

Keywords under scrutiny are likely to include “rape”, “incest”, “bestiality”, “paedophilia” and derivatives.
Macdonald noted that Nominet gets 20 – 25 registrations containing these strings per week, but that the “vast majority” were false positives that should not trigger a suspension.
The Macdonald report gives examples of existing domains that would be likely to trigger Nominet action, including rapeme.co.uk, rapemyteacher.co.uk and rapeporn.co.uk.
According to Whois records, all of the domains listed in the report have already been suspended by Nominet.
Macdonald wrote:

it is difficult to see any reasonable basis whatsoever upon which the registration of a domain name such as rapemyteacher.co.uk could be consistent with any reasonable terms of business that Nominet might draw up.

It’s not clear from archives whether many of these domains even led to sites with content. An Archive.org capture of rapeporn.co.uk from 2009 contains a short essay (looks like a hasty attempt to justify the domain to me) on why rape fantasy and actual rape are different.
I suspect that “rapemyteacher.co.uk” was supposed to be a joke, a play on the popular site RateMyTeachers.com.
However, in Macdonald’s view, it’s easily possible for Nominet to suspend these names without infringing anyone’s free speech rights under the European Convention on Human Rights and UK law.
He said that in some cases the domain name itself may be illegal, if it encourages others to commitment crimes. Incitement is a crime, after all.
But his report seems to envisage that the use of the word “rape” may be justifiable when used in a figurative sense not related to actual sexual violence. It would also not be banned in positive contexts such as rape victim support services.
He recommended against instituting bans on swearwords and racist terms for similar reasons.
The one thing missing from the report, and Nominet’s response to it so far, is any requirement for Nominet to disclose which domain names it has suspended under the new policy.
That would be an important oversight mechanism, in my view.
If Nominet is going to be deleting names based on an as-yet-undisclosed review process, wouldn’t free speech be served by at least telling the public what has been censored?
What if rapemyteacher.co.uk was supposed to be a parody of RateMyTeachers.com? Did Nominet just suspend a humor site for no good reason and without telling anyone but the registrant?
The Macdonald report was commissioned following an outraged Sunday Times article based on a blog post by anti-porn crusader John Carr, who wanted a ban on “depraved or disgusting words”.
Neither Carr, the Sunday Times, Nominet or Macdonald have ever presented any examples of “egregious” .uk domain names leading to content encouraging or glorifying sexual violence, nor have they ever said that they’ve seen one with their own eyes.
It’s possible that such domains do not exist.
The review and the new Nominet policy, I think it’s fair to say, has probably not protected a single man, woman, child, corpse or sheep from unwelcome interference. It was, I suspect, a waste of time and resources.
But at first look the policy, properly implemented, does not appear to present a huge risk of infringing free speech rights or throwing up vast numbers of false positives.

Latest Go Daddy phishing attack unrelated to 2013 RAA

Fears that the 2013 Registrar Accreditation Agreement would lead to new phishing attacks appear to be unfounded, at least so far.
The 2013 RAA, which came into force at most of the big registrars on January 1, requires registrars to verify the registrant’s email address or phone number whenever a new name is registered.
It was long predicted that this new provision — demanded by law enforcement — would lead to phishers exploiting registrant confusion, obtaining login credentials, and stealing valuable domain names.
Over the weekend, it looked like this prediction had come true, with posts over at DNForum saying that a new Go Daddy scam was doing the rounds and reports that it was related to the 2013 RAA changes.
I disagree. Shane Cultra posted a screenshot of the latest scam on his blog, alongside a screenshot of Go Daddy’s actual verification email, and the two are completely dissimilar.
The big giveaways are the “Whois Data Reminder” banner and “Reminder to verify the accuracy of Whois data” subject line.
The new attack is not exploiting the new 2013 RAA Whois verification requirements, it’s exploiting the 10-year-old Whois Data Reminder Policy, which requires registrars annually to remind their customers to keep their contact details accurate.
In fact, the language of the new scam has been used in phishing attacks against registrants since at least 2010.
That’s not to say the attack is harmless, of course — the attacker is still going to steal the contents of your Go Daddy account if you fall for it.
We probably will see attacks specifically targeting confusion about the new address verification policy in future, but it seems to me that the confusion we’re seeing with the latest scam may be coincidental.
Go Daddy told DI yesterday that the scam site in question had already been shut down. It’s not clear if anyone fell for it while it was live.

Google registers its first new gTLD domain

Google took part in dotShabaka Registry’s Sunrise period, according to today’s zone files.
The company registered جوجل.شبكة, in the .شبكة (Arabic “.web”) TLD, via MarkMonitor at some point prior to December 30.
“جوجل” seems to be the Arabic transliteration of “Google”.
The domain is not resolving, but Whois says it belongs to Google and it’s configured to use Google name servers.
It’s only the fifth confirmed Sunrise registration in the .شبكة space — the only new gTLD to so far conclude a Sunrise period.
Rolex registered its trademark and Richemont International registered three of its luxury goods brands. So far, Rolex is the only confirmed new gTLD registrant that is not also an applicant.
None of the registrants to date are from the Arabic-speaking regions.
These may all be defensive registrations, of course, and may never resolve to anything useful.

These are the first four new gTLD domain names

Two luxury goods companies have the honor of being the first to register domain names in a new gTLD.
Today, the first four domain names registered to actual registrants popped up in the zone file for dotShabaka Registry’s Arabic “.web” — شبكة.
شبكة. exited its mandatory Sunrise period on Sunday; the four new names appear to be the first ones to get name servers after their Sunrise applications were approved.
The two registrants, according to Whois records, are Richemont International and Rolex.
Richemont is itself a new gTLD applicant. The company has taken a strong interest in the program, with head of digital IP Richard Graham even moderating a new gTLDs conference in March.
The four names (with my best guesses at a translation) are:

• لانسيل.شبكة — seems to mean “Lancel”, Richemont’s brand of expensive leather bags.
• مونتبلان.شبكة — “Montblanc”, Richemont’s brand for selling watches, pens, cufflinks and such.
• بياجيه.شبكة — “Piaget”, another Richemont brand of watches and jewelry.
• رولكس.شبكة — seems to be the translation or transliteration of “Rolex”.

None appear to be resolving on the web yet, not even to placeholder pages, at least from where I’m sitting.
Because they’re Sunrise names, it’s possible that all four are defensive registrations that may never lead anywhere meaningful.
Richemont used Com Laude as its registrar while Rolex used Key-Systems.
The Sunrise was limited to Arabic-script trademarks.
dotShabaka said yesterday that it had “very few” Sunrise applications. Now we know that number was at least four.

Extortion.sucks — Vox Pop CEO defends “under-priced” $25,000 sunrise fee

Vox Populi Registry, the .sucks new gTLD applicant backed by Momentous Corp, is to charge trademark owners $25,000 to participate in its Sunrise period, should it win the TLD.
Not only that, but it’s become the first new gTLD applicant that I’m aware of to start taking pre-registration fees from trademark owners while it’s still in a contention set with other applicants.
At first glance, it looks like plain old trademark-owner extortion, taken to an extreme we’ve never seen before.
But after 45 minutes talking to Vox Pop CEO John Berard this evening, I’m convinced that it’s worse than that.
The company is setting itself up as the IP lobby’s poster child for everything that is wrong with the new gTLD program.
If Vox Pop wins the .sucks contention set — it’s competing against Donuts and Top Level Spectrum — it plans to charge trademark owners $25,000 to participate in Sunrise and $25,000 a year thereafter.
Registrations during general availability, whether they match a trademark or not, will cost $300 a year.
During the pre-registration period, the Sunrise fee is $2,500 and the “Priority Reservation” fee is $250.
The Sunrise fee is, I believe, higher than any sunrise fee in any TLD ever to launch.
But Berard said that he believes Vox Pop’s .sucks proposition is, if anything, “under-priced”.
“Most companies spend far more than $25,000 a month on a public relations agency, most companies spend more than $25,000 a month on a Google ad campaign,” he said.
“Companies spend millions of dollars a year on customer service. We view .sucks as an element of customer service on the part of companies,” he said.
Berard, a 40-year veteran of the public relations business, said that he believes .sucks represents an opportunity for brands to engage with their customers, gaining valuable insight that could help them improve product development or customer service.
“The last thing I view .sucks as is a domain name. That’s the last value proposition for .sucks,” he said. “The primary value proposition is as a key and innovative part of customer service, retention and loyalty.”
It’s about giving companies “the ability to bring internet criticism and commentary out of the shadows and into the light” and “an opportunity to actually have a legitimate ability to correct misconceptions and engage, in much the way they’re doing now with Facebook”, he said.
It’s all about helping companies create a dialogue, in other words.
But Berard said that Vox Pop does not intend to launch any value-added services on .sucks domains.
While a domain name may be the “last value proposition” of .sucks, it is also the only thing that Vox Pop is actually planning to sell.
Asked to justify the $25,000 Sunrise fee, at first Berard pointed to policies that he said will ensure a transparent space for conversation.
“A company might not have to register its brand in .sucks, because if someone else does the policies and practices that we hope to deploy give that company a transparent opportunity to participate,” Berard said. “There’s no chasing unknown people down dark alleys for unfounded criticism. It will all be done in the light of day.”
“We have built-in policies that prevent sites from being parked pages,” he said. “The site must be put to that use — of customer service — whether you are the company that owns [the brand] or a customer that wants to complain about it.”
There was some confusion during our conversation about what the policies are going to be.
At first it sounded like companies would be obliged to run criticism/conversation sites targeting their own brands or risk losing their domains, but Berard later called to clarify that while pages cannot be parked under the policy, they can be left inactive.
It will be possible, in other words, for a company to register its brand.sucks and leave the associated site dark.
The registry would also have an “authenticated Whois database”, he said, though it would allow registrants to use privacy services.
There would also be prohibitions on cyber-bullying and porn in .sucks, if Vox Pop wins it. It has committed to these policies in its Public Interest Commitments (pdf)
But the company does not appear to be doing anything that ICM Registry did not already do when it launched .xxx a couple of years ago, when it comes to making brand owners’ lives easier.
In fact, it’s planning to do a lot less, while being literally a hundred times more expensive.
By contrast, if Donuts wins .sucks, brand owners will be able to defensively block their marks using the Domain Protected Marks List for $3,000 over five years, which would cover all of Donuts 200-300 new gTLDs.
There doesn’t appear to be any good reason Vox Pop is charging prices well above the market rate, in my view, other than the fact that the company reckons it can get away with it.
In what may well be a deliberate move to put pressure on trademark owners, Vox Pop is also the first registry I’ve encountered to say it will do a 30-day, as opposed to a 60-day, Sunrise period.
Under ICANN rules, registries have to give at least 30 days warning before a 30-day Sunrise starts, but once it’s underway they are allowed to allocate domains on a first-come-first-served basis.
All of the 30-odd registries currently in Sunrise have opted for the traditional 60-day option instead, where no domains are allocated until the end of the period.
There’s also the question of accepting Sunrise pre-registrations before Vox Pop even knows whether it will get to run .sucks.
There are two other applicants and Berard said that he reckons the contention set is likely to go to an ICANN last-resort auction.
Judging by ICANN’s preliminary timetable, the .sucks auction wouldn’t happen until roughly September next year, by my reckoning.
Anyone who pre-registers today will have to wait a year before they can use (or not) their domain, if they even get to register it at all.
Any money that is taken during the pre-reg period will be refunded if Vox Pop fails to launch.
In the meantime, it will be sitting in Momentous’ bank account where the company, presumably, will be able to use it to try to win the .sucks auction.
Trademark owners, in my view, should vote with their wallets and stay the hell away from Vox Pop’s pre-registration service.
I’m not usually in the business of endorsing one new gTLD applicant over another, but I think Vox Pop’s Sunrise pricing is going to make the whole new gTLD program — and probably also ICANN and the domain name industry itself — look bad.
It’s a horrible reminder of a time when domain name companies were often little better than spammers, operating at the margins and beyond of acceptable conduct, and it makes me sad.
The new gTLD program is about increasing choice and competition in the TLD space, it’s not supposed to be about applicants bilking trademark owners for whatever they think they can get away with.

Finally, domain-slamming registrar gets ICANN breach notice

Domain “slamming” registrar Brandon Gray Internet Services, which does business as NameJuice.com, has finally received its first ICANN compliance notice.
If you’ve been around the industry for a while you’ll know Brandon Gray better as Domain Registry of America, Domain Registry of Canada, Domain Renewal Group and various other pseudonyms.
DROA is known for being the prime perpetrator of the old “slamming” scam, where fake postal renewal notices that look like invoices trick busy or gullible registrants into transferring their names.
It was sued for slamming by Register.com back in 2002, spanked by the UK’s Advertising Standards Agency as recently as 2009, and de-accredited by .ca registry CIRA.
There’s a list of the various times it’s run afoul of regulators over on Wikipedia.
ICANN yesterday sent a breach notice (pdf) to Brandon Gray, saying the company failed to “maintain and make available to ICANN registration records relating to dealings with the Registered Name Holder” of businesspotion.com, in violation of the Registrar Accreditation Agreement.
A Whois look-up reveals that businesspotion.com has belonged to the same registrant since 2009. However, in April 2011 it was transferred from 1&1 to Brandon Gray (DROA/NameJuice).
I can only guess why it might have been transferred.
However, the material ICANN wants only relates to the period from July this year.
It appears from the compliance notice that the owner of the domain tried to transfer his name away from DROA recently but claims to have not received the necessary authorization codes.
Brandon Gray has until January 13 to provide ICANN with the requested documentation or face losing its accreditation.
Back in 2011, the last time Brandon Gray tried to slam me, I asked: “Isn’t it about time ICANN shut these muppets down?”
Hopefully, that wish is a step closer to reality today.

Why Hansen quit .nyc for .co.com

Ken Hansen has surprised many by resigning from Neustar, where he was general manager of the slam-dunk .nyc new gTLD initiative, to become CEO of .co.com, a new pseudo-TLD registry.
The announcement raises a couple of big questions.
First, why is .co.com being launched as a registry?
The name belongs to domain investor Paul Goldstone. He put it up for sale in March 2012, with broker DomainAdvisors speculating aloud that it would fetch a price in the millions.
We wondered at the time whether CentralNic, whose bread and butter back then (before its interests in new gTLDs became clear) was two-letter country-codes in .com, would swoop to buy it.
We also wondered whether .CO Internet would make an offer, in order to eliminate competition and reduce existing and potential confusion with its own ccTLD, .co.
If either company made an offer, it does not seem to have been accepted.
Goldstone is instead going to try to build a registry around the name, with Hansen as CEO and himself as president. DomainAdvisors founder Gregg McNair is chairman of the new venture.
Second, why on earth would Hansen, who has been leading business development for Neustar’s own .nyc — the forthcoming new gTLD for the city of New York — join an unproven .com subdomain provider?
He tells us that his confidence in .nyc’s prospects has not waned, but that he is one of the owners of the new company.
He said in an email:

Sometimes following the crowd is not the best thing to do in business. New gTLDs have always been about choice from my perspective. I still believe in new gTLDs in general, but there is still a VERY significant market for short recognizable domains ending in .com. We will meet that demand. Not to mention, we can move quickly without waiting on ICANN.

Gaining visibility for a subdomain product can be tricky at the best of times, but with hundred of new generic TLDs coming to market… Hansen, Goldstone and McNair really do have a challenge on their hands.
The new company intends to run sunrise, landrush and “premium” names phases for its launch, which is expected to kick off in the first quarter next year. No word yet on whether it will follow the CentralNic model and also voluntarily incorporate ICANN policies on UDRP, Whois and so forth.