Chaotic scenes as ‘Grumpies’ lose auDA board fight

Three directors of .au registry auDA managed to keep their seats on the board despite losing the “popular vote” of members late last week.
The vote happened at the conclusion of an occasionally chaotic three-hour meeting that saw former AusRegistry chief Adrian Kinderis kicked out of the room barely a minute into proceedings.
The results in each of the three votes to fire directors Suzanne Ewart, Sandra Hook and chair Chris Leptos were 57 or 58 in favor and 51 or 52 against, which would have been a narrow win for the so-called “Grumpies” who originally called for the sackings.
However, auDA rules require, Leptos said, a simple majority of both “Supply” and “Demand” classes of members, and the Supply class (ie, registrars) voted against the motions by 30 to 2 or 31 to 1.
Therefore, all three directors get to keep their jobs.
auDA noted in a statement that a greater proportion of Supply class members (the substantially smaller constituency) turned out to vote compared to Demand class, adding:

It is time now for all members to get behind the reform of auDA as demanded by the federal government.
auDA is not the plaything of a small group of self-interested parties.
It can no longer be run as a club type organisation with a small membership who wield undue influence.

A “club type organization” was pretty much what came across during the meeting, which was audio-only webcast Friday morning. ICANN, auDA ain’t.
I was left with the impression of something a bit like Nominet circa 2010 or my first ICANN meeting back in 1999. Not so much herding cats, as [RACIST JOKE ALERT] herding wallabies.
At times it felt like an ICANN Public Forum, with an infinite number of Paul Foodys lining up at the mic.
At the same time, the meeting was chaired by somebody who, despite never losing his cool, seemed set on limiting criticism from members to the greatest extent possible.
There was controversy from the very outset, with the former CEO of former .au back-end provider AusRegistry (now part of Neustar) getting kicked out in the opening minute.
Kinderis, who no longer works for Neustar and has vowed publicly to be a thorn in auDA’s side, said he was “unlawfully removed” from the meeting by venue security, at the instruction of Leptos.
Leptos disputed Kinderis’ claim that he was there as a proxy for a legit member and said he believed he had acted “entirely appropriately” in ordering his removal.
There was no suggestion of physical force being used. His exit was recorded by chief Grumpy Josh Rowe, who then posted a brief video to Twitter.

pic.twitter.com/zvfJhuqUm9

— Josh Rowe (@joshrowe) July 27, 2018

Leptos then threatened to throw out fellow Grumpy Jim Stewart, who was protesting Kinderis’ removal, before warning non-member attendees that they would not be permitted to ask questions.
Forty-five minutes later, he repeatedly threatened to kick out Stewart for live-streaming video of the meeting from his phone, having apparently received complaints from other members.
Fifteen minutes later, the threats returned after Stewart and another member attempted to engage Leptos in an argument about auDA’s member recruitment policy.
The words “take a seat Mr…” were a recurring meme throughout the meeting.
The original reasons for the call for the directors to be fired were myriad, ranging from lack of transparency to projects such as the Neustar-Afilias registry transition and auDA’s desire to start selling direct second-level .au domains.
But the bulk of the meeting was taken up with discussions, and attempted discussions, about auDA’s recent membership spike.
The Grumpies have audited the new member list — which has grown from 300-odd to 1,345 in just a few weeks — and found that the vast majority of new members are employees of just three registrars and one registry (Afilias, the new back-end).
They reckon these new members, many of whom do not live in Australia, represent an attempt by auDA leadership to capture the voting community, and that foreigners are not technically members of the “Australian internet community” that auDA is supposed to represent.
Leptos responded to such criticisms by saying that employees of Australia-focused registrars are indeed members of the Australian internet community, regardless of their country of residence.
He added that auDA is under the instruction of the Australian government to diversify its membership — he said that registrars have no board representation currently — and that the recently added members are a first step on that path.
The Grumpies had shortly before the meeting started making accusations that the membership influx amounts to “potential cartel behaviour”.
Leptos addressed this directly during the meeting, saying they had “accused the CEO of criminal conduct” and categorically denying any wrongdoing.
auDA later issued a statement saying:

This is a very serious allegation to have been made and auDA strongly disagrees that by encouraging others to join the auDA membership, or by approving membership applications which satisfy its constitutional requirements, auDA or its officers have engaged in cartel behaviour or otherwise acted improperly.

All Cyrillic .eu domains to be deleted

Eurid has announced that Cyrillic domain names in .eu will be deleted a year from now.
The registry said that it’s doing so to comply with the “no script mixing” recommendations for internationalized domain names, which are designed to limit the risk of homograph phishing attacks.
The deletions will kick in May 31, 2019, and only apply to names that have Cyrillic before the dot and Latin .eu after.
Cyrillic names in Eurid’s Cyrillic ccTLD .ею will not be affected.
The plan has been in place since Eurid adopted the IDNA2008 standard three years ago, but evidently not all registrants have dropped their affected names yet.
Bulgaria is the only EU member state to use Cyrillic in its national language.

How all 33 European ccTLDs are handling GDPR

Happy GDPR Day everyone!
Today’s the day that the European Union’s not-quite-long-enough-awaited General Data Protection Regulation comes into effect, giving registries and registrars the world over the prospect of scary fines if they don’t keep their registrants’ Whois data private.
So I thought today would be the perfect day to summarize what each EU or European Economic Area ccTLD has said they are doing about GDPR as it pertains to Whois.
There are 33 such ccTLDs, arguably, and I’ve checked the public statements and web sites of each to hit the key changes they’ve announced.
Because ccTLDs are not governed by ICANN contracts, they had to figure out GDPR compliance for themselves (though some did take note of ICANN guidance).
So I’ve found there are differing interpretations of key points such as whether it’s kosher to continue to publish contact email addresses, and where the line between “natural persons” (ie humans) and “legal persons” (ie companies and other organizations) should be drawn.
Some have also been quite specific about when they will release private data to third parties with so-called “legitimate purposes”; others are more vague.
Note that some of the 33 do not appear to have published anything about GDPR. It’s possible this is because they didn’t need to make any changes. It’s also possible that I simply could not find the information because I’m rubbish.
I should also note that I did the majority of this research yesterday, so additional statements may have been made in the meantime.
Anyway, here’s the list, in alphabetical order.
Austria (.at)
In Austria, from last week public Whois records only show the domain name and technical information when the domain is owned by natural persons. Company-owned domains are unchanged. Any registrant can opt in to having their data published. Only verified “law enforcement agencies, lawyers or people who contact nic.at following domain disputes and who can prove that their rights have been infringed” are allowed to access full records.
Belgium (.be)
DNS.be has not been publishing personal info of natural person registrants, other than their email address, since 2000. As of last week, email addresses are not being published either. It’s also removed the contact name (though not the organization) for domains owned by legal persons. A web form is available to contact anonymized registrants.
Bulgaria (.bg)
There’s not currently any information on the registry web site to indicate any GDPR-related changes, at least in English, that I could find.
Croatia (.hr)
No info on GDPR to be found here either.
Cyprus (.cy)
Ditto.
Czechia/Czech Republic (.cz)
Nic.cz has new rules (pdf) coming in tomorrow that specify which Whois fields will or may be “hidden”, but the English version of the document is too confusing for me to follow. It appears as if plenty of contact information will be masked, and that the registry will only make it available to those who contact it directly with a good enough reason (and it may charge for access). It may also release historical records to those with legitimate purposes.
Denmark (.dk)
Remarkably, there will be NO CHANGE to Whois in .dk after tomorrow, according to an article published on the registry’s web site today. DIFO, the registry, is subject to a Danish law that makes publication of Whois mandatory so, the company said, “we will continue to publish the information – for the benefit of those who need to know who is behind a given domain name. Regardless of whether it is because you want to protect your brand, investigate a crime, do research or just satisfy your curiosity.” Wow!
European Union (.eu)
Eurid’s current Whois policy (pdf) states that only the email address of natural persons will be published publicly. Registrants get the option from their registrars to have this address anonymized. Private data can be released to those who show they have a legitimate interest in accessing it.
Estonia (.ee)
The Estonian Internet Foundation Council approved its GDPR changes (pdf) back in March. They say that no personal information on natural persons will be published, though it appears there will be a way to get in contact with them via the registry itself.
Finland (.fi)
The Finnish registry, FICORA, is a governmental entity that has published remarkably little about GDPR on its site. Its Whois shows the name of the registrant, even when they’re a natural person. Registrants can also opt in to reveal more information about themselves.
France (.fr)
Afnic didn’t have to do much to comply with RGPD (tut!) as it has been hiding the personal info of natural-person registrants since it started allowing them to register .fr names back in 2006. Likewise, it already has a procedure to enable the likes of trademark owners to get their hands on contact info in the event of a dispute, which involves filling out a form (pdf) and promising to only use the data acquired for the purposes specified.
Germany (.de)
DENIC, Europe’s largest ccTLD registry said a few months back that it would expunge personal data from its public Whois and implement a semi-automated system for requesting full records. It’s also adding two “non-personalized” contact email addresses for general and technical inquiries, which will be managed by the registrar in question.
Greece (.gr)
I couldn’t find any GDPR-related information on the registry web site, but its Whois appears to not output contact details for any registrant anyway.
Hungary (.hu)
Currently outputs “private registrant” as the registrant’s name when they’re a natural person, along with a technical contact email and no other personal information. Legal persons get their full contact info published. It’s not entirely clear how recent this policy is.
Iceland (.is)
Iceland’s ISNIC is one of the ccTLD registries to announce that it will continue to publish registrants’ email addresses, though no other contact info, until it is told to stop. In a somewhat defiant post last month, the registry said that GDPR as applied to Whois “will lead to less transparency in domain registrations and less trust in the domain registration system in general”.
Ireland (.ie)
IEDR will not publish contact information for any registrant, though it will publish their name if they’re a legal person. It will only disclose personal information to law enforcement, under court order, for technical matters, or to help a dispute resolution partner resolve a cybersquatting claim.
Italy (.it)
The current version of Registro.it’s Whois policy, dated September 2016, says it will publish all contact information over port 43 and a subset of some contact info (including phone and email) over the web query tool. There’s no mention I could find on its site of GDPR-related changes, though its 2016 policy acknowledges some might be needed.
Latvia (.lv)
Under its post-GDPR policy (pdf), Nic.lv will not publish any personal info about natural persons in its public Whois, and only law enforcement and the government can request the records. Legal-person registrants continue to have their full contact data published.
Liechtenstein (.li)
Liechtenstein is managed by Switzerland’s SWITCH and appears to have the same policies.
Lithuania (.lt)
DomReg’s new privacy policy (pdf) gives natural persons an opt-in to have their personal data published, but otherwise it will all be private. There’s an email-forwarding option. Lawyers with claims against registrants can pay the registry for the Whois record if the registrant has not responded to their forwarded emails within 15 days.
Luxembourg (.lu)
.lu registry RESTENA Foundation said it will cut all personal information for natural-person registrants and make a web-based form available for contact purposes. There will be an opt-in for those who want their data published at a later date. Legal persons continue to have their data published. The registry will make current and historical records available for those with legit purposes, and will create automated blanket access system for national authorities that require regular access.
Malta (.mt)
NIC(Malta)’s current Whois policy, which is only six months old, allows any registrant to opt out of having their personal data published in Whois, but appears to require than a “Administrative Agent” be appointed to take their place in the public database. There’s no info on its web site about any upcoming changes due to GDPR.
Netherlands (.nl)
SIDN explains in a recent paper (pdf) that it didn’t have to make many changes to its Whois service because personal information was already pretty much redacted. The biggest change appears to be more throttling of Whois queries applied to registrars when they’re querying domains they don’t already sponsor.
Norway (.no)
Norid said this week that it will publish the email address of private individual registrants, and full contact info for companies. It’s also the only European ccTLD I’m aware of to have a third class of registrant, the sole proprietorship, which will also see their organization names and numbers published. There does not appear to be an in-house email anonymization or forwarding service, for which Norid encourages registrants to look elsewhere.
Poland (.pl)
NASK has no GDPR related info on its web site, but its evidently quite old Whois policy states that the private information of individuals is not published.
Portugal (.pt)
DNS.pt has a comprehensive set of documents on its site explaining its pre- and post-GDPR policies. From today, natural-person registrants are given the option to provide their “informed, willing, and express consent” to having their data published. If they don’t give consent, it will be redacted from public records and email addresses may be replaced with an anonymized address. This is not available to legal entities. ARBITRARE, a local arbitration center tasked with handle IP disputes, will be able to have access to full records.
Romania (.ro)
RoTLD said yesterday that it would no longer publish private information of individuals, but that it may release such data to “carefully verified” third parties with legitimate interests. It also encouraged registrants to use non-personally-indentifying email addresses if they wish to have a further degree of privacy.
Slovakia (.sk)
SKNIC, now owned by UK-based CentralNic, has an interesting definition of the type of natural person you have to be to have your data protected — a “natural person non-enterpreneur” — according to its helpfully redlined policy update (pdf), suggesting that offering commercial services might void your right to natural-person status. (UPDATE: SKNIC tells me that “natural person–entrepreneur is a legal definition of a specific version of legal person” in Slovakia). There’s a carve-out that allows the registry to provide private data to third parties with legal claims, or to its cybersquatting dispute handler.
Slovenia (.si)
Register.si said this week that it will shortly publish its post-GDPR privacy policy, but it does not appear to have yet done so.
Spain (.es)
I could find no GDPR-related information on the Dominios.es site.
Sweden (.se)
IIS has not published the private fields of Whois records for natural persons since 2013. From today, it will also redact the contact name and email address from the records of legal-person registrants, as it may be considered “personal” data under the law.
Switzerland (.ch)
I don’t think GDPR actually applies to Switzerland, which is not an EEA member, but the .ch registry, SWITCH, also runs Liechtenstein’s .li, so I’m including it here. SWITCH says on both of its sites that it is required by Swiss law to publish Whois records, though they’re subject to an acceptable use policy that includes throttling. When I attempted to do a single Whois query via the SWITCH site today I was told I had already exceeded my quota. Shrug.
United Kingdom (.uk)
UK registry Nominet has long had a two-tier Whois, where private individuals do not have their contact information published in the public Whois. But as of this week it has started redacting all registrant contact information. It’s also going to be offering a paid-for searchable Whois service and a free data request service with a one-day turnaround.

Domainers not welcome in this Whois database

Inquiries from domain investors are specifically barred under one registry’s take on GDPR compliance.
The Austrian ccTLD registry, nic.at, yesterday stopped publishing the personal information of human registrants in its public Whois database, unless the registrant has opted to have their data public.
The company said it will provide thick Whois records only to “people who provide proof of identity and are able to prove a legitimate interest for finding out who the domain holder is”.
But this specifically excludes people who are trying to buy the domain in question.
“A buying interest or the wish to contact the domain holder is definitely no legitimate interest,” the company said in a statement.
It quotes its head of legal, Barbara Schlossbauer, saying: “I am also not able to investigate a car driver’s address over his license number just because I like his car and want to buy it.”
She said that those able to access records include “law enforcement agencies, lawyers or people who contact nic.at following domain disputes and who can prove that their rights have been infringed”.
While nic.at is bound by GDPR, as a ccTLD registry it is not bound by the new GDPR-compliant Whois policy announced by ICANN overnight, where who will be able to request thick Whois records is still an open question.

Now South Africa looks to second-level domain sales

South Africa looks to be the next country to start letting people register domains directly at the second level of its ccTLD.
Local registry authority ZADNA this week opened a policy consultation on allowing registrants access to direct, second-level .za names.
Currently, if you want a .za you have to register at the third level under the likes of .co.za or .net.za.
But ZADNA says second-level names will help it continue to compete in a market now populated by hundreds of new gTLDs.
The company said it has been “inundated” by calls for such a move.
The policy shift would see South Africa follow the the path beaten in recent years by UK, New Zealand, Kenya and (probably) Australia, which have all changed policy to allow second-level names.
But these things are never without controversy.
Domain investors are typically resistant to such moves, fearing dilution and the possible devaluing of their portfolios.
There are often also intellectual property concerns, and concerns about priority “grandfathering” rights when matching .co.za and .org.za names, for example, have different owners.
ZADNA is floating the possibility of auctions to resolve these kinds of conflicts.
The proposal (pdf) is open for comment until April 16.

Domain universe grows almost 1% in 2017 despite new gTLD slump

The total number of registered domain names in all TLDs was up 0.9% in 2017, despite a third-quarter dip, according to the latest data compiled by Verisign.
The latest Domain Name Industry Brief, published yesterday, shows that there were 332.4 million domains registered at the end of the year.
That’s up by 1.7 million names (0.5%) on the third quarter and up 3.1 million names (0.9%) on 2016.
Growth is growth, but when you consider that 2015-2016 growth was 6.8%, under 1% appears feeble.
The drag factors in 2017 were of course the 2012-round new gTLDs and Verisign’s own .net, offset by increases in .com and ccTLDs.
New gTLD domains were 20.6 million at the end of the year, down by about 500,000 compared to the third quarter and five million names compared to 2016.
As a percentage of overall registrations, new gTLDs dropped from 7.8% at the end of 2016 to 6.2%.
The top 10 new gTLDs now account for under 50% of new gTLD regs for the first time.
The numbers were primarily affected by big declines in high-volume spaces such as .xyz, which caused the domain universe to actually shrink in Q3.
Verisign’s own .com fared better, as usual, with .net suffering a decline.
The year ended with 131.9 million .com names, up by five million names on the year, exactly offsetting the shrinkage in new gTLDs.
But .net ended up with 14.5 million names, a 800,000 drop on 2016.
In the ccTLD world, total regs were up 1.4 million (1%) quarterly and 3.4 million (2.4%) annually.
Excluding wild-card ccTLD .tk, which never deletes domains and for which data for 2017 was not available to Verisign, the growth was a more modest 0.7 million (0.5%) quarterly and 2.3 million (1.8%) annually.
The DNIB report for Q4 2017 can be downloaded here (pdf).

Roberts elected to ICANN board

Channel Islands ccTLD operator Nigel Roberts has been elected to ICANN’s board of directors.
He gathered an impressive 67% of the votes in an anonymous poll of ccNSO members conducted last week.
He received 60 votes versus the 29 cast for his only opponent, Pierre Ouedraogo, an internet pioneer from Burkina Faso.
Roberts, a Brit, runs ChannelIsles.net, registry manager for .gg (for the islands Guernsey, Alderney and Sark) and .je (for Jersey). These are the independent UK dependencies found floating between England and France.
He’s been in the ICANN community since pretty much day one.
His election still has to be formally confirmed by the ccNSO Council and then the ICANN Empowered Community.
Roberts will not take his seat on the ICANN board until October next year, at the end of public meeting in Barcelona.
He will replace Mike Silber, the South African who’s currently serving his ninth and therefore final year as a director.
The other ccNSO seat is held by Australian ICANN vice chair Chris Disspain, who is also term-limited and will leave at the end of 2019.

China and cheapo TLDs drag down industry growth — CENTR

The growth of the worldwide domain industry continued to slow in the third quarter, according to data out today from CENTR.
There were 311.1 million registered domains across over 1,500 TLDs at the end of September, according to the report, 0.7% year-over-year growth.
The new gTLD segment, which experienced a 7.2% decline to 20.6 million names, was the biggest drag.
But that decline is largely due to just two high-volume, low-price gTLDs — .xyz and .top — which lost millions of names that had been registered for pennies apiece.
Excluding these TLDs, year-over-year growth for the whole industry would have been 2.5%, CENTR said. The report states:

Over the past 2 years, quarterly growth rates have been decreasing since peaks in early 2016. The slowdown is the result of deletes after a period of increased investment from Chinese registrants. Other explanations to the slowdown are specific TLDs, such as .xyz and .top, which have contracted significantly.

The legacy gTLDs inched up by 0.2%, largely driven by almost two million net new names in .com. In fact, only five of the 17 legacy gTLDs experienced any growth at all, CENTR said.
In the world of European ccTLDs, the average (median) growth rate has been flat, but CENTR says it sees signs of a turnaround.
CENTR is the Council of European National Top-Level Domain Registries. Its Q3 report can be downloaded here (pdf).

New gTLDs blamed as .pl starts to shrink

Polish ccTLD .pl has lost over 125,000 domains in the last year, a change of growth trajectory blamed partly on new gTLDs.
NASK, the registry, released its third-quarter report in English today. It’s overflowing with more statistics than you could possibly need about the TLD’s performance.
The headline is that .pl is on the decline. On NASK’s web site, it reports registrations as of today are down 128,671 on the last 12 months.
It has 2,577,566 active domains in total today, 2,592,014 at the end of September, about three quarters of which are direct second-level registrations.
It’s one of many ccTLDs to have started to feel the pinch over the last few years. Increased competition, spurred by the expansion of the gTLD space, has been fingered as a likely culprit.
In the report’s introduction, NASK director Wojciech Kamieniecki wrote:

Temporary slowdown of the dynamics of the .pl domain market, observed from the beginning of the year — decrease in the number of new registrations — should be perceived in the light of extending the selection of attractive names as well as a growing number of new generic domains and increase in competition in the global domain market.

The renewal rate overall was 62.22%, a slight increase on 2016 but still on the low side for an established TLD. However, if you exclude third-level registrations (under .com.pl and .net.pl for example) the rate was a much more respectable 76.37%.
There were 203,898 new domains registered in the third quarter.
The vast majority — 93.96% — of current .pl domains are registered to Polish registrants, with registrants from Germany, the UK and the US also contributing to the total.
The full Q3 report can be downloaded here (pdf).

In harsh tones, ccNSO rejects NomCom appointee

ICANN’s Country Code Names Supporting Organization has rejected the appointment to its Council of a Canadian registry director.
Saying NomCom ignored long-standing guidance to avoid appointing registry employees, the ccNSO Council has said the recent naming of Marita Moll to the role is “unacceptable”.
Moll will have to choose between sitting on the Council and being a director of .ca registry CIRA, the Council said in a letter to NomCom and the ICANN board.
Three of the Council’s 18 voting members are selected by NomCom. The rest are elected from ccTLD registries, three from each of ICANN’s five geographic regions.
To maintain balance, and promote independent views, the Council told NomCom most recently back in 2012 that it should refrain from appointing people connected to ccTLD registries.
The new Council letter (pdf) reads:

Council’s view (none dissenting) is that your Committee’s proposed selection directly contravenes this requirement, notwithstanding the clear and explicit assurance we received in 2012 from the then Chair of Nominating Committee that the Committee would be “avoiding any member already belonging to the ccTLD management participating in the ccNSO”.

The situation is exacerbated by the fact that CIRA already has representation on the Council in the form of CEO Byron Holland.
The letter concludes that the conflict is “irreconcilable” and the appointment “unacceptable”.
As the ccNSO does not appear to have refusal powers on NomCom appointees, it will presumably be up to Moll to decline the appointment.