Recent Posts
- Americans and ICANNers avoid Kigali in droves
- RDRS stats improve a little in June
- Unstoppable Domains goes down after domain hijack
- Four more gTLDs in emergency measures
- New gTLDs and ccTLDs drive domain universe growth
- Eight interesting recent dot-brand registrations
- .me premium sales down
- Pride fails to reverse gay domains decline
- Unstoppable announces another new gTLD bid
- Blockchain naming firm gets ICANN accreditation
- ICANN takes over gTLD after Whois failures
- Verisign: would-be .com contract killers are “wrong”
- Five gTLDs at risk as registry goes AWOL
- Groups make flawed case that .com is a cartel
- RDRS usage hits all-time low
- A dot-brand so unloved they killed it twice
- PorkBun hits two million domain milestone
- Crawford returns to industry to head up Com Laude
- ICANN financial data dump a damp squib?
- Unstoppable plotting manga-themed gTLDs
- Governments call for new gTLD auctions ban
- ICANN names new CEO, and it isn’t Costerton
- ICANN: We will NOT police content
- More sticker shock as new gTLD fees could top $300,000
- ICANN slashes staff and domain prices could rise
- Secret new gTLD application revealed
- WhatsApp now linkifying new gTLDs, but…
- Outrage over ICANN’s new gTLD fees
- Barrett gets second term on ICANN board
- DotMusic delays gTLD launch again
- .tm prices to skyrocket next week
- Bitcoin gTLD gets launch dates
- First metaverse gTLD is announced
- Alibaba off the naughty step
- ICANN to kill auction fund bylaws change
- The people have spoken on RDRS and they said “Meh”
- ICANN restarts work on controversial Whois privacy rules
- GNSO mulls lawyering up over auction fund dispute
- Jury still out on ICANN’s content policing powers
- It now takes TWO WEEKS to get a Whois record with RDRS
- Travel expenses push ICANN into the red again
- ICANN preparing for ONE HUNDRED registry back-ends
- DNS Abuse Institute changes name
- A new way to game the new gTLD program
- .home, .mail and .corp could get unbanned
- Unstoppable to apply for Women in Tech gTLD
- Bob Parsons publishes autobiography
- GoDaddy getting a free pass from porn jail?
- Correction: Sinha’s seat is safe
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- .my domains to be sold globally next month
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
Whois “killer” is a recipe for a clusterfuck
An ICANN working group has come up with a proposal to completely replace the current Whois system for all gTLDs.
Outlined in 180 recommendations spread over 166 pages (pdf), it’s designed to settle controversies over Whois that have raged for 15 years or more, in one fell swoop.
But it’s a sprawling, I’d say confusing, mess that could turn domain name registration and the process of figuring out who owns a domain name into an unnecessarily bureaucratic pain in the rear.
That’s if the proposal is ever accepted by the ICANN community, which, while it’s early days, seems like a challenge.
The Expert Working Group, which was controversially convened by ICANN president Fadi Chehade in December 2012, proposes a Registration Data Service that would ultimately replace Whois.
It’s a complex document, which basically proposes rebuilding Whois from the ground up based on ideas first explored by George Orwell, Franz Kafka and Douglas Adams.
Having read it, I’ll do my best in this post to explain what the proposed Registration Data Service seems to entail and why I think it seems like a lot of hard work for very little benefit.
I note in advance as a matter of disclosure that the RDS as proposed would very possibly disenfranchise me professionally, making it harder for me to do my job. I explain why later in this post.
I also apologize in advance for, and will correct if notified of, any errors. It’s taken me a week from its publication to read and digest the proposal and I’m still not sure it’s all sunk in.
Anyway, first:
What’s RDS?
RDS would be a centralized Whois database covering all domains in all gTLDs, new and old, operated by a single entity.
What’s in an RDS record?
Under the hood, RDS records wouldn’t look a heck of a lot different than Whois records look today, in terms of what data they store.
There would be some new optional elements, such as social media user names, but otherwise it’s pretty much the same data as we’re used to seeing in Whois records today.
The big difference is which of these elements would be visible by default to an anonymous internet user doing a regular Whois look-up somewhere.
Some fields would be “public” and some would be “gated” or hidden. Some fields would always be public and some could be toggled between public and gated by the registrant.
Gated fields would not be visible to people doing normal Whois look-ups. To see gated data, you’d need to be accredited to a certain role (cop, trademark owner, etc) and have an RDS account.
By default, much of the data about the “registrant” — including their name, physical address, country, and phone number — would be gated.
No, you’re not reading that wrong — the name of the registrant would be hidden from regular Whois users by default. Their email address, however, would be always be public.
There would also be up to six “Purpose Based Contacts” — an Admin Contact, a Legal Contact, a Technical Contact, an Abuse Contact, a Privacy/Proxy Contact and a Business Contact.
So, for example, a registrant could specify his registrar as his technical PBC and his lawyer as his legal PBC.
The admin, legal, technical and abuse contacts would be mandatory, and would default to the registrant’s own personal contact info.
A newly registered domain would not be activated in the DNS until the mandatory PBCs had been provided.
Each of these four mandatory PBCs would have different levels of disclosure for each data element.
For example, the Admin PBC would be able to hide their mailing address and phone number (both public by default) but not their name, email address or country.
The Legal PBC would not be able to opt out of having their mailing address disclosed, but the Technical and Abuse PBCs would be able to opt out of disclosing pretty much everything including their own name.
Those are just examples. Several tables starting on page 49 of the report (pdf) give all the details about which data fields would be disclosed and which could be hidden.
I think it’s expected by the EWG that most registrants would just accept the defaults and publish the same data in each PBC, in much the same way as they do today.
“This PBC approach preserves simplicity for Registrants with basic contact needs and offers additional granularity for Registrants with more extensive contact needs,” the EWG says.
Who gets the see the hidden stuff?
In order to see the hidden or “gated” elements, you’d have to be an accredited user of the centralized RDS system.
The level of access you got to the hidden data would depend on the role assigned to your RDS account.
The name of the registrant, for example, would be available to anyone with an RDS account.
If you wanted access to the registrant’s mailing address or phone number, you’d need an RDS account that accredited you for one or more of seven defined purposes:
- Domain Name Control (ie, the registrant herself)
- Domain Name Certification (ie SSL Certificate Authorities)
- Business Domain Name Purchase/Sale (anyone who says they might be interested in buying the domain in question)
- Academic/Public Interest DNS Research
- Legal Actions (eg lawyers investigating fraud or trademark infringement)
- Regulatory/Contractual Enforcement (could be ICANN-related, such as UDRP, or unrelated stuff like tax investigations)
- Criminal Investigation/DNS Abuse Mitigation
Hopefully this all makes sense so far, but it gets more complicated.
Beware of the leopard!
In today’s gTLD environment, Whois records are either stored with the registry or the registrar. You can do Whois lookups on the registrar/y’s site, or via a third-party commercial service.
As a registrant, you need only interact with your registrar. As a Whois user, you don’t need to sign up for an account anywhere, unless you want value-added services from a company such as DomainTools.
Under RDS, a whole lot of other entities start to come into play.
First, there’s RDS itself — a centralized Whois replacement.
It’s basically two databases. One contains contact details, each record containing a unique Contact ID identifier. The other database maps Contact IDs to the PBCs for each gTLD domain name.
It’s unclear who’d manage this service, but it looks like IBM is probably gunning for the contract.
Second, there would be Validators.
A Validator’s job would be to collect and validate contact information from registrants and PBCs.
While registrars and registries could also act as Validators — and the EWG envisages most registrars becoming Validators — this is essentially a new entity/role in the domain name ecosystem.
Third and Fourth, we’ve got newly created Accrediting Bodies and Accreditation Operators.
These entities would be responsible for accrediting users of the RDS system (that is, people who want to do a simple goddamn Whois lookup).
The EWG explains that an Accrediting Body “establishes membership rules, terms of service, and application and enforcement processes, etc., for a given RDS User community.”
An Accreditation Operator would “create and manage RDS User accounts, issue RDS access credentials, authenticate RDS access requests, and provide first-level abuse handling”.
Because it’s not complicated enough already, each industry (lawyers, academics, police, etc) would have their own different combination of Accrediting Bodies and Accreditation Operators.
Who benefits from all this?
The reason the EWG was set up in the first place was to try to resolve the conflict between those who think Whois accuracy should be more strictly enforced (generally law enforcement and IP owners) and those who think there should be greater registrant privacy (generally civil society types).
In the middle you’ve got the registries and registrars, who are generally resistant to anything that adds friction to their shopping carts or causes even moderate implementation costs.
The debate has been raging for years, and the EWG was told to:
1) define the purpose of collecting and maintaining gTLD registration data, and consider how to safeguard the data, and 2) provide a proposed model for managing gTLD directory services that addresses related data accuracy and access issues, while taking into account safeguards for protecting data.
So the EWG proposal could be seen as successful if a) privacy advocates are happy and b) trademark lawyers and the FBI are happy, c) registrars/ries are happy and d) Whois users are happy.
Are the privacy dudes happy?
No, they’re not.
The EWG only had one full-on privacy advocate: Stephanie Perrin, who’s a bit of a big deal when it comes to data privacy in Canada, having held senior privacy roles in public and private sectors there.
Perrin isn’t happy. Perrin thinks the RDS proposal as it stands won’t protect regular registrants’ privacy.
She wrote a Dissenting Report that seems to have been intended as an addendum to the EWG’s official report, but it was not published by the EWG or ICANN. The EWG report makes only a vague, fleeting reference, in a footnote, to the fact that the was any dissent at all.
Milton Mueller at the Internet Governance Project got his hands on it regardless and put it out there earlier this week.
Perrin disagrees with the recommendation (outlined above) that each domain name must have a Legal Contact (or Legal PBC) who is not permitted to hide their name and mailing address from public view.
She argues, quite reasonably I think, that regular registrants don’t have lawyers they can outsource this function to, which means their own name and mailing address will comprise their publicly visible Legal PBC.
This basically voids any privacy protection they’d get from having these details “gated” in the “registrant” record of the RDS. Perrin wrote:
the purpose of the gate is to screen out bad actors from harassing innocent registrants, deter identity theft, and ensure that only legitimate complaints arrive directly at the door of the registrants. It is also to protect the ability of registrants to express themselves anonymously. Placing all contact data outside the gate defeats certain aspects of having a gate in the first place.
The EWG report envisages the use of privacy/proxy services for people who don’t want their sensitive data published publicly.
But we already have privacy/proxy services today, so I’m unclear what benefit RDS brings to the table in terms of privacy protection.
It’s also worth noting that there are no circumstances under which a registrant’s email address is protected, not even from anonymous RDS queries. So there’s no question of RDS stopping Whois-based spam.
Are the trademark dudes going to be happy?
I don’t know. They do seem to be getting a better deal out of the recommendations than the other side (there were at least three intellectual property advocates on the EWG) but if you’re in the IP community the report still leaves much to be desired.
The RDS proposal would create a great big centralized repository of domain registrant information, which would probably be located in a friendly jurisdiction such as the US.
That would make tracking down miscreants a bit easier than in today’s distributed Whois environment.
RDS would also include a WhoWas service, so users can see who has historically owned domain names, and a Reverse Query service, so that users can pull up a list of all the other domains that share the same contact field(s).
Both services (commercially available via the likes of DomainTools already) would prove valuable when collating data for a UDRP complaint or cybersquatting lawsuit.
But it’s important to note that while the EWG report says all contact information should be validated, it stops short of saying that it should be authenticated.
That’s a big difference. Validation would reveal whether a mailing address actually exists, but not whether the registrant actually lives there.
You’d need authentication — something law enforcement and IP interests have been pushing for but do not seem to have received with the EWG proposal — for that.
The EWG suggests that giving registrants more control over which bits of their data are public will discourage them from providing phony contact information for Whois/RDS.
The RDS proposes a lot more carrot than stick on this count.
But if Perrin is correct that it’s a false comfort (given that your name and address will be published as Legal PBC anyway) then wouldn’t a registrant be just as motivated to call themselves Daffy Duck, or use a proxy/privacy service, as they are today?
Are the registrar dudes going to be happy?
If the EWG’s recommendations become a reality registrars could get increased friction in their sales path, depending on how disruptive it is to create a “Contact ID” and populate all the different PBCs.
I think it’s certainly going to increase demand on support channels, as customers try to figure out the new regime.
Remember, the simple requirement to click on a link in an email is causing registrants and registrars all kinds of bother, including suspended domains, under recently introduced rules.
And there’s obviously going to be a bunch of (potentially costly) up-front implementation work registrars will need to do to hook themselves into RDS and the other new entities the system relies on.
I doubt the registrars are going to wholeheartedly embrace the proposal en masse, in other words.
Is Kevin Murphy happy?
No, I’m not happy.
It bugs me, personally, that the EWG completely ignored the needs of the media in its report. It strikes me as a bit of a slap in the face.
The “media” and “bloggers” (I’m definitely in one of those categories) would be given the same rights to gated RDS data as the “general public”, under the EWG proposal.
In other words, no special privileges and no ability to access the registrant name and address fields of an RDS record.
RDS may well give somebody who owns a trademark (such as a reverse domain name hijacker or a sunrise gamer) more rights to Whois records than the New York Times or The Guardian.
That can’t be cool, can it?
Murphy, brah, why you gotta cuss in your headline?
Good question. I do use swearwords on DI occasionally, but only to annoy people who don’t like them, and usually only in posts dated April 1 or in stories that seem to deserve it.
This post is dated June 13.
I think I’ve established that the EWG’s proposal as it stands today is a pretty big overhaul of the current system and that it’s not immediately obvious how the benefits to all sides warrant the massive effort that will have to be undertaken to get RDS to replace Whois.
But the clusterfuckery is going to begin not with the implementation of the proposal, but with the attempt to pass it through the ICANN process.
The proposal has to pass through the ICANN community before becoming a reality.
The Expert Working Group has no power under the ICANN bylaws.
It was created by Chehade while he was still relatively new to the CEO’s job and did not yet appreciate how seriously community members take their established procedures for creating policy.
I think it was a pretty decent idea — getting a bunch of people in a room and persuading them to think outside the box, in an effort to find radical solutions to a a long-stagnant debate.
But that doesn’t change the fact that the EWG’s proposals don’t become law until they’ve been subject to the Generic Names Supporting Organization’s lengthy Policy Development Process.
Some GNSO members were not happy when the EWG was first announced — they thought their sovereignty was being usurped by the uppity new CEO — and they’re probably not going to be happy about some of the language the EWG has chosen to use in its final report.
The EWG said:
The proposed RDS, while not perfect, reflects carefully crafted and balanced compromises with interdependent elements that should not be separated.
…
The RDS should be adopted as a whole. Adopting some but not all of the design principles recommended herein undermines benefits for the entire ecosystem.
It’s actually quite an audacious turn of phrase for a working group with no actual authority under ICANN bylaws.
It sounds a bit like “take it or leave it”.
But there’s no chance whatsoever of the report being adopted wholesale.
It’s going into the GNSO process, where the same vested interests (IP, LEA, registry, registrar, civil society) that have kept the debate stagnant for the duration of ICANN’s existence will continue to try (and probably fail) to come to an agreement about how Whois should evolve.
French registrar gets Whois data waiver
The French registrar OVH has been told by ICANN that it can opt out of a requirement to retain its customers’ contact data for two years after their domain names expire.
The move potentially means many more registrars based in the European Union will be able to sign the 2013 Registrar Accreditation Agreement and start selling new gTLD domains without breaking the law.
OVH was among the first to request a waiver to the 2013 RAA’s data retention provisions, which EU authorities say are illegal.
ICANN said last night:
ICANN agrees that, following Registrar’s execution of the 2013 RAA, for purposes of assessing Registrar’s compliance with the data retention requirement of Paragraph 1.1 of the Data Retention Specification in the 2013 RAA, the period of “two additional years” in Paragraph 1.1 of the Data Retention Specification will be deemed modified to “one additional year.”
It’s a minor change, maybe, and many EU-based registrars have been signing the 2013 RAA regardless, but many others have resisted the new contract in fear of breaking local laws.
Now that OVH has had its waiver granted, it’s looking promising that ICANN will also start to allow other EU registrars that have requested waivers to opt-out also.
ICANN has been criticized for dragging its feet on this issue, and I gather the OVH is still the only registrar to have been given the ability to opt out.
Here’s why registrars are boycotting .sexy
Will .sexy and .tattoo trip on the starting blocks today due to registrars’ fears about competition and Whois privacy?
Uniregistry went into general availability at 1600 UTC today with the two new gTLDs — its first to market — but it did so without the support of some of the biggest registrars.
Go Daddy — alone responsible for almost half of all new domain registrations — Network Solutions, Register.com and 1&1 are among those that are refusing to carry the new TLDs.
The reason, according to multiple sources, is that Uniregistry’s Registry-Registrar Agreement contains two major provisions that would dilute registrars’ “ownership” of their customer base.
First, Uniregistry wants to know the real identities of all of the registrants in its TLDs, even those who register names using Whois privacy services.
That’s not completely unprecedented; ICM Registry asks the same of .xxx registrars in order to authenticate registrants’ identities.
Second, Uniregistry wants to be able to email or otherwise contact those registrants to tell them about registry services it plans to launch in future. The Uniregistry RRA says:
Uniregistry may from time to time contact the Registered Name Holder directly with information about the Registered Name and related or future registry services.
We gather that registrars are worried that Uniregistry — which will shortly launch its own in-house registrar under ICANN’s new liberal rules on vertical integration — may try to poach their customers.
The difference between ICM and Uniregistry is that ICM does not own its own registrar.
The Uniregistry RRA seems to take account of this worry, however, saying:
Except for circumstances related to a termination under Section 6.7 below, Uniregistry shall never use Personal Data of a Registered Name Holder, acquired under this Agreement, (a) to contact the Registered Name Holder with a communication intended or designed to induce the Registered Name Holder to change Registrars or (b) for the purpose of offering or selling non-registry services to the Registered Name Holder.
Some registrars evidently do not trust this promise, or are concerned that Uniregistry may figure out a way around it, and have voted with their storefronts by refusing to carry these first two gTLDs.
Ownership of the customer relationship is a pretty big deal for registrars, especially when domain names are often a low-margin entry product used to up-sell more lucrative services.
What if a future Uniregistry “registry service” competes with something these registrars already offer? You can see why they’re worried.
A lot of registrars have asserted that with the new influx of TLDs, registrars have more negotiating power over registries than they ever did in a world of 18 gTLDs.
Uniregistry CEO Frank Schilling is basically testing out this proposition on his own multi-million-dollar investment.
But will the absence of these registrars — Go Daddy in particular — hurt the launch numbers for .sexy and .tattoo?
I think there could be some impact, but it might be tempered by the fact that a large number of early registrations are likely to come from domainers, and domainers know that Go Daddy is not the only place to buy domains.
Schilling tweeted at about 1605 UTC today that .sexy was over 1,800 registrations.
Longer term, who knows? This is uncharted territory. Right now Uniregistry seems to be banking on the 40-odd registrars — some of them quite large — that have signed up, along with its own marketing efforts, to make up any shortfall an absence of Go Daddy may cause.
Tomorrow, I’d be surprised if NameCheap, which is the distant number two registrar in new gTLDs right now (judging by name server counts) is not the leader in .sexy and .tattoo names.
Euro registrars miffed about ICANN privacy delays
Registrars based in the European Union are becoming increasingly disgruntled by what they see as ICANN dragging its feet over registrant privacy rules.
Some are even refusing to sign the 2013 Registrar Accreditation Agreement until they receive formal assurances that ICANN won’t force them to break their local privacy laws.
The 2013 RAA, which is required if a registrar wants to sell new gTLD domains, requires registrars to keep hold of registrant data for two years after their registrations expire.
Several European authorities have said that this would be illegal under EU privacy directives, and ICANN has agreed to allow registrars in the EU to opt out of the relevant provisions.
Today, Luxembourgish registrar EuroDNS said it asked for a waiver of the data retention clauses on December 2, but has not heard back from ICANN over two months later.
The company had provided ICANN with the written legal opinion of Luxembourg’s Data Protection Agency
In a snippy letter (pdf) to ICANN, EuroDNS CEO Lutz Berneke wrote:
Although we understand that your legal department is solely composed of lawyers educated in US laws, a mere translation of the written guidance supporting our request should confirm our claim and allow ICANN to make its preliminary determination.
EuroDNS has actually signed the 2013 RAA, but says it will not abide by the provisions it has been told would be illegal locally.
Elsewhere in Europe, Ireland’s Blacknight Solutions, said two weeks ago that it had requested its waiver September 17 and had not yet received a pass from ICANN.
“Why is it my problem that ICANN doesn’t understand EU law? Why should our business be impacted negatively due to ICANN’s inability to listen?” CEO Michele Neylon blogged. “[W]hile this entire farce plays out we are unable to offer new top level domains to our clients.”
But while Blacknight is still on the old 2009 RAA, other European registrars seem to have signed the 2013 version some time ago, and are already selling quite a lot of new gTLD domains.
Germany’s United-Domains, for example, appears to be the third-largest new gTLD registrar, if name server records are anything to go by, with the UK’s 123-Reg also in the top ten.
ICANN is currently operating a public comment period on the waiver request of OVH, a French registrar, which ICANN says it is “prepared to grant”.
That comment period is not scheduled to end until February 27, however, so it seems registrars agitated about foot-dragging have a while to wait yet before they get what they want.
EU body tells ICANN that 2013 RAA really is illegal
A European Union data protection body has told ICANN for a second time — after being snubbed the first — that parts of the 2013 Registrar Accreditation Agreement are in conflict with EU law.
The Article 29 Data Protection Working Party, which is made up of the data protection commissioners in all 28 EU member states, reiterated its claim in a letter (pdf) sent earlier this month.
In the letter, the Working Party takes issue with the part of the RAA that requires registrars to keep hold of customers’ Whois data for two years after their registrations expire. It says:
The Working Party’s objection to the Data Retention Requirement in the 2013 RAA arises because the requirement is not compatible with Article 6(e) of the European Data Protection Directive 95/46/EC which states that personal data must be:
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected”
The 2013 RAA fails to specify a legitimate purpose which is compatible with the purpose for which the data was collected, for the retention of personal data of a period of two years after the life of a domain registration or six months from the relevant transaction respectively.
Under ICANN practice, any registrar may request an opt out of the RAA data retention clauses if they can present a legal opinion to the effect that to comply would be in violation of local laws.
The Working Party told ICANN the same thing in July last year, clearly under the impression that its statement would create a blanket opinion covering all EU-based registrars.
But a week later ICANN VP Cyrus Namazi told ICANN’s Governmental Advisory Committee that the Working Party was “not a legal authority” as far as ICANN is concerned.
The Working Party is clearly a bit miffed at the snub, telling ICANN this month:
The Working Party regrets that ICANN does not acknowledge our correspondence as written guidance to support the Waiver application of a Registrar operating in Europe.
…
the Working Party would request that ICANN accepts the Working Party’s position as appropriate written guidance which can accompany a Registrar’s Data Retention Waiver Request.
It points out that the data protection commissioners of all 28 member states have confirmed that the letter “reflects the legal position in their member state”.
ICANN has so far processed one waiver request, made by the French registrar OVH, as we reported earlier this week.
Weirdly, the written legal opinion used to support the OVH request is a three-page missive by Blandine Poidevin of the French law firm Jurisexpert, which cites the original Working Party letter heavily.
It also cites letters from CNIL, the French data protection authority, which seem to merely confirm the opinion of the Working Party (of which it is of course a member).
EU registrars seem to be in a position here where in order to have the Working Party’s letter taken seriously by ICANN, they have to pay a high street lawyer to endorse it.
First European registrar to get Whois data opt-out
ICANN plans to give a French registrar the ability to opt out of parts of the 2013 Registrar Accreditation Agreement due to data privacy concerns.
OVH, the 14th-largest registrar of gTLD domains, asked ICANN to waive parts of the RAA that would require it to keep hold of registrant Whois data for two years after it stops having a relationship with the customer.
The company asked for the requirement to be reduced to one year, based on a French law and a European Union Directive.
ICANN told registrars last April that they would be able to opt-out of these rules if they provided a written opinion from a local jurist opining that to comply would be illegal.
OVH has provided such an opinion and now ICANN, having decided on a preliminary basis to grant the request, is asking for comments before making a final decision.
If granted, it would apply to “would apply to similar waivers requested by other registrars located in the same jurisdiction”, ICANN said.
It’s not clear if that means France or the whole EU — my guess is France, given that EU Directives can be implemented in different ways in different member states.
Throughout the 2013 RAA negotiation process, data privacy was a recurring concern for EU registrars. It’s not just a French issue.
ICANN has more details, including OVH’s request and links for commenting, here.
ICANN says Article 29 letter does not give EU registrars privacy opt-out
Registrars based in the European Union won’t immediately be able to opt out of “illegal” data retention provisions in the new 2013 Registrar Accreditation Agreement, according to ICANN.
ICANN VP Cyrus Namazi on Saturday told the Governmental Advisory Committee that a recent letter from the Article 29 Working Party, which comprises the data protection authorities of EU member states, is “not a legal authority”.
Article 29 told ICANN last month that the RAA’s provisions requiring registrars to hold registrant data for two years after the domain expires were “illegal”.
While the RAA allows registrars to opt out of clauses that would be illegal for them to comply with, they can only do so with the confirmation of an adequate legal opinion.
The Article 29 letter was designed to give EU registrars that legal opinion across the board.
But according to Namazi, the letter does not meet the test. In response to a question from the Netherlands, he told the GAC:
We accept it from being an authority, but it’s not a legal authority, is our interpretation of it. That it actually has not been adopted into legislation by the EU. When and if it becomes adopted then of course there are certain steps to ensure that our contracted parties are in line with — in compliance with it. But we look at them as an authority but not a legal authority at this stage.
It seems that when the privacy watchdogs of the entire European Union tell ICANN that it is in violation of EU privacy law, that’s not taken as an indication that it is in fact in violation of EU privacy law.
The European Commission representative on the GAC expressed concern about this development during Saturday’s session, which took place at ICANN 47 in Durban, South Africa.
New registrar contract could be approved next week
ICANN’s board of directors is set to vote next week on the 2013 Registrar Accreditation agreement, but we hear some last-minute objections have emerged from registrars.
The new RAA has been about two years in the making. It will make registrars verify email addresses and do some rudimentary mailing address validation when new domains are registered.
It will also set in motion a process for ICANN oversight of proxy/privacy services and some aspects of the reseller business. In order to sell domain names in new gTLDs, registrars will have to sign up to the 2013 RAA.
ICANN has put approval of the contract on its board’s June 27 agenda.
But I gather that some registrars are unhappy about some last-minute changes ICANN has made to the draft deal.
For one, some linguistic tweaks to the text have given registrars an “advisory” role in seeking out technical ways to do the aforementioned address validation, which has caused some concern that ICANN may try to mandate expensive commercial solutions without their approval.
There also appears to be some concern that the new contract now requires registrars to make sure their resellers follow the same rules on proxy/privacy services, which wasn’t in previous drafts.
Cops say new gTLDs shouldn’t launch without a Big Brother RAA
Law enforcement agencies are not happy with the proposed 2013 Registrar Accreditation Agreement, saying it doesn’t go far enough to help them catch online bad guys.
Europol and the FBI told ICANN’s Governmental Advisory Committee yesterday that people need to have their full identities verified before they’re allowed to register domain names.
They added that new gTLDs shouldn’t be allowed to launch until a tougher RAA is agreed to and signed by registrars.
The draft 2013 RAA would force registrars to validate their customers’ email addresses or phone numbers after selling them a domain, but law enforcement thinks this is not enough.
“We need a bit more in this area,” Troels Oerting, head of Europol’s European Cybercrime Centre, told the GAC during a Sunday session. “We need a bit more to be verified in addition to the phone or email.”
“It’s very, very important that we are able to identify perpetrators able, to identify the originators, and it’s not enough that you just put in the email or phone,” he said.
He added that there should also be re-verification procedures and ongoing compliance monitoring from ICANN, and said that only registrars signing the 2013 RAA should be allowed to sell new gTLD domains.
Europol has sent a letter to ICANN (not yet published, it seems) outlining four areas it wants to see the RAA “improved”, Oerting said.
Given that many GAC members, including the US, seem to support this position, it’s yet another threat to ICANN’s new gTLD launch timetable, not to mention privacy and anonymous speech in general.
The law enforcement recommendations are not new, of course. They’ve been in play and GAC-endorsed for many years, but were watered down during ICANN’s RAA talks with registrars.
Another deadline missed in registrar contract talks
ICANN and domain name registrars will fail to agree on a new Registrar Accreditation Agreement by the end of the year, ICANN has admitted.
In a statement Friday, ICANN said that it will likely miss its end-of-year target for completing the RAA talks:
While the registrars and ICANN explored potential dates for negotiation in December 2012, both sides have agreed that between holidays, difficult travel schedules and the ICANN Prioritization Draw for New gTLDs, a December meeting is not feasible. Therefore, negotiations will resume in January 2013, and the anticipated date for publication of a draft RAA for community comment will be announced in January as well.
The sticking point appears to still be the recommendations for strengthening registrars’ Whois accuracy commitments, as requested by law enforcement agencies and governments.
At the Toronto meeting in October, progress appeared to have been made on all 12 of the LEA recommendations, but the nitty-gritty of the Whois verification asks had yet to be ironed out.
Potentially confusing matters, ICANN has launched a parallel root-and-branch Whois policy reform initiative, a community process which may come to starkly different conclusions to the RAA talks.
Before the LEA issues are settled, ICANN doesn’t want to start dealing with requests for RAA changes from the registrars themselves, which include items such as dumping their “burdensome” port 43 Whois obligations for gTLD registries that have thick Whois databases.
ICANN said Friday:
Both ICANN and the registrars have additional proposed changes which have not yet been negotiated. As previously discussed, it has been ICANN’s position that the negotiations on key topics within the law enforcement recommendations need to come to resolution prior to concluding negotiations on these additional areas.
Registrars agreed under duress to start renegotiating the RAA following a public berating from the Governmental Advisory Committee at the ICANN Dakar meeting October 2011.
At the time, the law enforcement demands had already been in play for two years with no substantial progress. Following Dakar, ICANN and the registrars said they planned to have a new RAA ready by March 2012.
Judging by the latest update, it seems quite likely that the new RAA will be a full year late.
ICANN has targeted the Beijing meeting in April next year for approval of the RAA. It’s one of the 12 targets Chehade set himself following Toronto.
Given that the draft agreement will need a 42-day public comment period first, talks are going to have to conclude before the end of February if there’s any hope of hitting that deadline.
Recent Comments