As .wed goes EBERO, did the first new gTLD just fail?

A wedding-themed gTLD with a Bizarro World business model may become the first commercial gTLD to outright fail.
.wed, run by a small US outfit named Atgron, has become the first non-brand gTLD to be placed under ICANN’s emergency control, after it lost its back-end provider.
DI understands that Atgron’s arrangement with its small New Zealand back-end registry services provider CoCCA expired at the end of November and that there was a “controlled” transition to ICANN’s Emergency Back-End Registry Operator program.
The TLD is now being managed by Nominet, one of ICANN’s approved EBERO providers.
It’s the first commercial gTLD to go to EBERO, which is considered a platform of last resort for failing gTLDs.
A couple of unused dot-brands have previously switched to EBERO, but they were single-registrant spaces with no active domains.
.wed, by contrast, had about 40 domains under management at the last count, some apparently belonging to actual third-party registrants.
Under the standard new gTLD Registry Agreement, ICANN can put a TLD in the emergency program if they fail to meet up-time targets in any of five critical registry functions.
In this case, ICANN said that Atgron had failed to provide Whois services as required by contract. The threshold for Whois triggering EBERO is 24 hours downtime over a week.
ICANN said:

Registry operator, Atgron, Inc., which operates gTLD .WED, experienced a Registration Data Directory Services failure, and ICANN designated EBERO provider Nominet as emergency interim registry operator. Nominet has now stepped in and is restoring service for the TLD.
The EBERO program is designed to be activated should a registry operator require assistance to sustain critical registry functions for a period of time. The primary concern of the EBERO program is to protect registrants by ensuring that the five critical registry functions are available. ICANN’s goal is to have the emergency event resolved as soon as possible.

However, the situation looks to me a lot more like a business failure than a technical failure.
Multiple sources with knowledge of the transition tell me that the Whois was turned off deliberately, purely to provide a triggering event for the EBERO failover system, after Atgron’s back-end contract with CoCCA expired.
The logic was that turning off Whois would be far less disruptive for registrants and internet users than losing DNS resolution, DNSSEC, data escrow or EPP.
ICANN was aware of the situation and it all happened in a coordinated fashion. ICANN told DI:

WED’s backend registry operator recently notified ICANN that they would likely cease to provide backend registry services for .WED and provided us with the time and date that this would occur. As such, we were aware of the pending failure worked to minimize impact to registrants and end users during the transition to the Emergency Back-end Registry Operator (EBERO) service provider.

In its first statement, ICANN said that Nominet has only been appointed as the “interim” registry, while Atgron works on its issues.
It’s quite possible that the registry will bounce back and sign a deal with a new back-end provider, or build its own infrastructure.
KSregistry, part of the KeyDrive group, briefly provided services to .wed last week before the EBERO took over, but I gather that no permanent deal has been signed.
One wonders whether it’s worth Atgron’s effort to carry on with the .wed project, which clearly isn’t working out.
The company was founded by an American defense contractor with no previous experience of the domain name industry after she read a newspaper article about the new gTLD program, and has a business model that has so far failed to attract customers.
The key thing keeping registrars and registrants away in droves has been its policy that domains could be registered (for about $50 a year) for a maximum period of two years before a $30,000 renewal fee kicked in.
That wasn’t an attempt to rip anybody off, however, it was an attempt to incentivize registrants to allow their domains to expire and be used by other people, pretty much the antithesis of standard industry practice (and arguably long-term business success).
That’s one among many contractual reasons that only one registrar ever signed up to sell .wed domains.
Atgron’s domains under management peaked at a bit over 300 in March 2016 and were down to 42 in August this year, making it probably the failiest commercial new gTLD from the 2012 round.
In short, .wed isn’t dead, but it certainly appears extremely unwell.
UPDATE: This post was updated December 12 with a statement from ICANN.

ICANN: tell us how you will break Whois rules

ICANN has invited registrars and registries to formally describe how they plan to break the current rules governing Whois in order to come into compliance with European Union law.
The organization today published a set of guidelines for companies to submit proposals for closing off parts of Whois to most internet users.
It’s the latest stage of the increasingly panicky path towards reconciling ICANN’s contracts with the General Data Protection Regulation, the EU law that comes into full effect in a little over five months.
GDPR is designed to protect the privacy of EU citizens. It’s generally thought to essentially ban the full, blanket, open publication of individual registrants’ contact information, but there’s still some confusion about what exactly registries and registrars can do to become compliant.
Fines maxing out at of millions of euros could be levied against companies that break the GDPR.
ICANN said last month that it would not pursue contracted parties that have to breach their agreements in order to avoid breaking the law.
The catch was that they would have to submit their proposals for revised Whois services to ICANN for approval first. Today is the first time since then that ICANN has officially requested such proposals.
The request appears fairly comprehensive.
Registries and registrars will have to describe how their Whois would differ from the norm, how it would affect interoperability, how protected data could be accessed by parties with “legitimate interests”, and so on.
Proposals would be given to ICANN’s legal adviser on GDPR, the Swedish law firm Hamilton, and published on ICANN’s web site.
ICANN notes that submitting a proposal does not guarantee that it will be accepted.

Open Whois must die, Europe privacy chiefs tell ICANN

Unfettered public access to full Whois records is illegal and has to got to go, an influential European Union advisory body has told ICANN.
The Article 29 Working Party on Data Protection, WP29, wrote to ICANN yesterday to say that “that the original purposes of the WHOIS directories can be achieved via layered access” and that the current system “does not appear to meet the criteria” of EU law.
WP29 is made up of representatives of the data protection agencies in each EU member state. It’s named after Article 29 of the EU’s 1995 Data Protection Directive.
This directive is parent legislation of the incoming General Data Protection Regulation, which from May 2018 will see companies fined potentially millions of euros if they fail to protect the privacy of EU citizens’ data.
But WP29 said that there are questions about the legality of full public Whois under even the 1995 directive, claiming to have been warning ICANN about this since 2003:

WP29 wishes to stress that the unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice under the current European Data Protection directive (95/46/EC), especially regarding the necessity to have a legitimate purpose and a legal ground for such processing.

Under the directive and GDPR, companies are not allowed to make consent to the publication of private data a precondition of a service, which is currently the case with domain registration, according to WP29.
Registrars cannot even claim the publication is contractually mandated, because registrants are not party to the Registrar Accreditation Agreement, the letter (pdf) says.
WP29 adds that law enforcement should still be able to get access to Whois data, but that a “layered” access control approach should be used to prevent full disclosure to anyone with a web browser.
ICANN recently put a freeze on its contract compliance activities surrounding Whois, asking registries and registrars to supply the organization with the framework and legal advice they’re using to become compliant with GDPR.
Registries and registrars are naturally impatient — after a GDPR-compatible workaround is agreed upon, they’ll still need to invest time and resources into actually implementing it.
But ICANN recently told contracted parties that it hopes to lay out a path forward before school breaks up for Christmas December 22.

ICANN chief tells industry to lawyer up as privacy law looms

The domain name industry should not rely on ICANN to protect it from incoming EU privacy law.
That’s the strong message that came out of ICANN 60 in Abu Dhabi last week, with the organization’s CEO repeatedly advising companies to seek their own legal advice on compliance with the General Data Protection Regulation.
The organization also said that it will “defer taking action” against any registrar or registry that does not live up its contractual Whois commitments, within certain limits.
“GDPR is a law. I didn’t come up with it, it didn’t come from ICANN policy, it’s the law,” Marby said during ICANN 60 in Abu Dhabi last week.
“This is the first time we’ve seen any legislation that has a direct impact on our ability to make policies,” he said.
GDPR is the EU law governing how companies treat the private information of individuals. While in force now, from May next year companies in any industry found in breach of GDPR could face millions of euros in fines.
For the domain industry, it is expected to force potentially big changes on the current Whois system. The days of all Whois contact information published freely for all to see may well be numbered.
But nobody — not even ICANN — yet knows precisely how registries and registrars are going to be able to comply with the law whilst still publishing Whois data as required by their ICANN contracts.
The latest official line from ICANN is:

At this point, we know that the GDPR will have an impact on open, publicly available WHOIS. We have no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but we don’t know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available.

Marby told ICANNers last week that it might not be definitively known how the law applies until some EU case law has been established in the highest European courts, which could take years.
A GNSO working group and ICANN org have both commissioned legal studies by European law experts. The ICANN one, by Swedish law firm Hamilton, is rather more comprehensive and can be read here (pdf).
Even after this report, Marby said ICANN is still in “discovery” mode.
Marby encouraged the industry to not only submit their questions to ICANN, to be referred on to Hamilton for follow-up studies, but also to share whatever legal advice they have been given and are able to share.
He and others pointed out that Whois is not the only point of friction with GDPR — it’s a privacy law, not a Whois law — so registries and registrars should be studying all of their personal data collection processes for potential conflicts.
Because there is very likely going to be a clash between GDPR compliance and ICANN contract compliance, ICANN has suspended all enforcement actions against Whois violations, within certain parameters.
It said last week that: “ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.”
This is not ICANN saying that registries and registrars can abandon Whois altogether, the statement stresses, but they might be able to adjust their data-handling models.
Domain firms will have to show “a reasonable accommodation of existing contractual obligations and the GDPR” and will have to submit their models to ICANN for review by Hamilton.
ICANN also stressed that registries may have to undergo a Registry Services Evaluation Process review before they can deploy their new model.
The organization has already told two Dutch new gTLD registries that they must submit to an RSEP, after .amsterdam and .frl abruptly stopped publishing Whois data for private registrants recently.
General counsel John Jeffrey wrote to the registries’ lawyer (pdf) to state that an RSEP is required regardless of whether the “new registry service” was introduced to comply with local law.
“One of the underlying purposes of this policy is to ensure that a new registry service does not create and security, stability or competition concerns,” he wrote.
Jeffrey said that while Whois privacy was offered at the registry level, registrars were still publishing full contact details for the same registrants.
ICANN said last week that it will publish more detailed guidance advising registries and registrars how to avoid breach notices will be published “shortly”.

Verisign and Afilias testing Whois killer

Verisign and Afilias have become the first two gTLD registries to start publicly testing a replacement for Whois.
Both companies have this week started piloting implementations of RDAP, the Registration Data Access Protocol, which is expected to usurp the decades-old Whois protocol before long.
Both pilots are in their very early stages and designed for a technical audience, so don’t expect your socks to be blown off.
The Verisign pilot offers a web-based, URL-based or command-line interface for querying registration records.
The output, by design, is in JSON format. This makes it easier for software to parse but it’s not currently very easy on the human eye.
To make it slightly more legible, you can install a JSON formatter browser extension, which are freely available for Chrome.
Afilias’ pilot is similar but does not currently have a friendly web interface.
Both pilots have rudimentary support for searching using wildcards, albeit with truncated result sets.
The two new pilots only currently cover Verisign’s .com and .net registries and Afilias’ .info.
While two other companies have notified ICANN that they intend to run RDAP pilots, these are the first two to go live.
It’s pretty much inevitable at this point that RDAP is going to replace Whois relatively soon.
Not only has ICANN has been practically champing at the bit to get RDAP compliance into its registry/registrar contracts, but it seems like the protocol could simplify the process of complying with incoming European Union privacy legislation.
RDAP helps standardize access control, meaning certain data fields might be restricted to certain classes of user. Cops and IP enforcers could get access to more Whois data than the average blogger or domainer, in other words.
As it happens, it’s highly possible that this kind of stratified Whois is something that will be legally mandated by the EU General Data Protection Regulation, which comes into effect next May.

Amsterdam refuses to publish Whois records as GDPR row escalates

Two Dutch geo-gTLDs are refusing to provide public access to Whois records in what could be a sign of things to come for the whole industry under new European privacy law.
Both .amsterdam and .frl appear to be automatically applying privacy to registrant data and say they will only provide full Whois access to vetted individuals such as law enforcement officials.
ICANN has evidently slapped a breach notice on both registries, which are now complaining that the Whois provisions in their Registry Agreements are “null and void” under Dutch and European Union law.
FRLregistry and dotAmsterdam, based in the Netherlands, are the registries concerned. They’re basically under the same management and affiliated with the local registrar Mijndomein.
dotAmsterdam operates under the authority of the city government. .frl is an abbreviation of Friesland, a Dutch province.
Both companies’ official registry sites, which are virtually identical, do not offer links to Whois search. Instead, they offer a statement about their Whois privacy policy.
That policy states that Dutch and EU law “forbids that names, addresses, telephone numbers or e-mail addresses of Dutch private persons can be accessed and used freely over the internet by any person or organization”.
It goes on to state that any “private person” that registers a domain will have their private contact information replaced with a “privacy protected” message in Whois.
Legal entities such as companies do not count as “private persons”.
Under the standard ICANN Registry Agreement, all new gTLDs are obliged to provide public Whois access under section 2.5. According to correspondence from the lawyer for both .frl and .amsterdam, published by ICANN, the two registries have been told they are in breach.
It seems the breach notices have not yet escalated to the point at which ICANN publishes them on its web site. At least, they have not been published yet for some reason.
But the registries have lawyered up already, regardless.
A letter from Jetse Sprey of Versteeg Wigman Sprey to ICANN says that the registries are free to ignore section 2.5 of their RAs because it’s not compliant with the Dutch Data Protection Act and, perhaps more significantly, the EU General Data Protection Regulation.
The GDPR is perhaps the most pressing issue for ICANN at the moment.
It’s an EU law due to come into effect in May next year. It has the potential to completely rewrite the rules of Whois access for the entire industry, sidestepping the almost two decades of largely fruitless ICANN community discussions on the topic.
It covers any company that processes private data on EU citizens; breaching it can incur fines of up to €20 million or 4% of revenue, whichever is higher.
One of its key controversies is the idea that citizens should have the right to “consent” to their personal data being processed and that this consent cannot be “bundled” with access to the product or service on offer.
According to Sprey, because the Registry Agreement does not give registrants a way to register a domain without giving their consent to their Whois details being published, it violates the GDPR. Therefore, his clients are allowed to ignore that part of the RA.
These two gTLDs are the first I’m aware of to openly challenge ICANN so directly, but GDPR is a fiercely hot topic in the industry right now.
During a recent webinar, ICANN CEO Goran Marby expressed frustration that GDPR seems to have come about — under the watch of previous CEOs — without any input from the ICANN community, consideration in the EU legislative process of how it would affect Whois, or even any discussion within ICANN’s own Governmental Advisory Committee.
“We are seeing an increasing potential risk that the incoming GDPR regulation will mean a limited WHOIS system,” he said October 4. “We appreciate that for registers and registers, this regulation would impact how you will do your business going forward.”
ICANN has engaged EU legal experts and has reached out to data commissioners in the 28 EU member states for guidance, but Marby pointed out that full clarity on how GDPR affects the domain industry could be years away.
It seems possible there would have to be test cases, which could take five years or more, in affected EU states, he suggested.
ICANN is also engaging with the community in its attempt to figure out what to do about GDPR. One project has seen it attempt to gather Whois use cases from interested parties. Long-running community working groups are also looking at the issue.
But the domain industry has accused ICANN the organization of not doing enough fast enough.
Paul Diaz and Graeme Bunton, chairs of the Registries Stakeholder Group and Registrars Stakeholder Group respectively, have recently escalated the complaints over ICANN’s perceived inaction.
They told Marby in a letter that they need to have a solution in place in the next 60 days in order to give them time to implement it before the May 2018 GDPR deadline.
Complaining that ICANN is moving too slowly, the October 13 letter states:

The simple fact is that the requirements under GDPR and the requirements in our contracts with ICANN to collect, retain, display, and transfer personal data stand in conflict with each other.
…
GDPR presents a clear and present contractual compliance problem that must be resolved, regardless of whether new policy should be developed or existing policy adjusted. We simply cannot afford to wait any longer to start tackling this problem head-on.

For registries and registrars, the lack of clarity and the risk of breach notices are not the only problem. Many registrars make a bunch of cash out of privacy services; that may no longer be as viable a business if privacy for individuals is baked into the rules.
Other interests, such as the Intellectual Property Constituency (in favor of its own members’ continued access to Whois) and non-commercial users (in favor of a fundamental right to privacy) are also complaining that their voices are not being heard clearly enough.
The GDPR issue is likely to be one of the liveliest sources of discussion at ICANN 60, the public meeting that kicks off in Abu Dhabi this weekend.
UPDATE: This post was updated October 25 to add a sentence clarifying that companies are not “private persons”.

Pilot program for Whois killer launches

ICANN is to oversee a set of pilot programs for RDAP, the protocol expected to eventually replace Whois.
Registration Data Access Protocol, an IETF standard since 2015, fills the same function as Whois, but it is more structured and enables access control rules.
ICANN said this week that it has launched the pilot in response to a request last month from the Registries Stakeholder Group and Registrars Stakeholder Group. It said on its web site:

The goal of this pilot program is to develop a baseline profile (or profiles) to guide implementation, establish an implementation target date, and develop a plan for the implementation of a production RDAP service.

Participation will be voluntary by registries and registrars. It appears that ICANN is merely coordinating the program, which will see registrars and registrars offer their own individual pilots.
So far, no registries or registrars have notified ICANN of their own pilots, but the program is just a few days old.
It is expected that the pilots will allow registrars and registries to experiment with different types of profiles (how the data is presented) and extensions before ICANN settles on a standard, contractually enforced format.
Under RDAP, ICANN/IANA acts as a “bootstrapping” service, maintaining a list of RDAP servers and making it easier to discover which entity is authoritative for which domain name.
RDAP is basically Whois, but it’s based on HTTP/S and JSON, making it easier to for software to parse and easier to compare records between TLDs and registrars.
It also allows non-Latin scripts to be more easily used, allowing internationalized registration data.
Perhaps most controversially, it is also expected to allow differentiated access control.
This means in future, depending on what policies the ICANN community puts in place, millions of current Whois users could find themselves with access to fewer data elements than they do today.
The ICANN pilot will run until July 31, 2018.

EFF recommends against new gTLDs

The Electronic Frontier Foundation has recommended that domain registrants concerned about intellectual property “bullies” steer clear of new gTLDs.
The view is expressed in a new EFF report today that is particularly critical of policies in place at new gTLD portfolio registries Donuts and Radix.
The report (pdf) also expresses strong support for .onion, the pseudo-TLD available only to users of the Tor browser and routing network, which the EFF is a long-term supporter of.
The report makes TLD recommendations for “security against trademark bullies”, “security against identity theft and marketing”, “security against overseas speech regulators” and “security against copyright bullies”.
It notes that no one TLD is “best” on all counts, so presents a table explaining which TLD registries — a broad mix of the most popular gTLD and ccTLD registries — have which relevant policies.
For those afraid of trademark “bullies”, the EFF recommends against 2012-round new gTLDs on the basis that they all have the Uniform Rapid Suspension service. It singles out Donuts for special concern due to its Domain Protected Marks List, which adds an extra layer of protection for trademark owners.
On copyright, the report singles out Donuts and Radix for their respective “trusted notifier” schemes, which give the movie and music industries a hotline to report large-scale piracy web sites.
These are both well-known EFF positions that the organization has expressed in previous publications.
On the other two issues, the report recommends examining ccTLDs for those which don’t have to kowtow to local government speech regulations or publicly accessible Whois policies.
In each of the four areas of concern, the report suggests taking a look at .onion, while acknowledging that the pseudo-gTLD would be a poor choice if you actually want people to be able to easily access your web site.
While the opinions expressed in the report may not be surprising, the research that has gone into comparing the policies of 40-odd TLD registries covering hundreds of TLDs appears on the face of it to be solid and possibly the report’s biggest draw.
You can read it here (pdf).

Ombudsman steps in after harassment claims in Whois group

ICANN Ombudsman Herb Waye has started monitoring an ICANN mailing list after multiple complaints of disrespectful behavior.
Waye this week told participants in the Registration Data Services working group that he is to trawl through their list archives and proactively monitor the group following “multiple complaints regarding behavior that contravenes the ICANN Expected Standards of Behavior and possibly the Community Anti-Harassment Policy”.
The RDS working group is exploring the possibility of replacing the current Whois system, in which all data is completely open, with something “gated”, restricting access to authenticated individuals based on their role.
Law enforcement agencies, for example, may be able to get a greater level of access to personal contact information than schmucks like me and you.
Privacy advocates are in favor of giving registrants more control over their data, while anti-abuse researchers hate anything that will limit their ability to stop spam, phishing and the like.
It’s controversial stuff, and arguments on the RDS WG list have been been very heated recently, sometimes spilling over into ad hominem attacks.
The Expected Standards of Behavior requires all ICANN community members to treat each other with civility.
I haven’t seen anything especially egregious, but apparently the disrespect on display has been sufficiently upsetting that the Ombudsman has had to step in.
It’s the first time, that I’m aware of, that the ICANN Ombudsman has proactively monitored a list rather than simply responding to complaints.
Waye said that he plans to deliver his verdict before ICANN 59, which kicks off in a little over a week.

ICANN loosens Whois privacy rules for registrars

ICANN has made it easier for registries and registrars to opt-out of Whois-related contractual provisions when they clash with local laws.
From this week, accredited domain firms will not have to show that they are being investigated by local privacy or law enforcement authorities before they can request a waiver from ICANN.
Instead, they’ll be also be able to request a waiver preemptively with a statement from said authorities to the effect that the ICANN contracts contradict local privacy laws.
In both cases, the opt-out request will trigger a community consultation — which would include the Governmental Advisory Committee — and a review by ICANN’s general counsel, before coming into effect.
The rules are mainly designed for European companies, as the EU states generally enjoy stricter privacy legislation than their North American counterparts.
European registrars and registries have so far been held to a contract that may force them to break the law, and the only way to comply with the law would be to wait for a law enforcement proceeding.
ICANN already allows registrars to request waivers from the data retention provisions of the 2013 Registrar Accreditation Agreement — which require the registrar to hold customer data for two years after the customer is no longer a customer.
Dozens of European registrars have applied for and obtained this RAA opt-out.