The upcoming ICANN74 to be held both virtually and in-person in The Hague in June has some rather strange legalese when it comes to those attending regarding to COVID-19. There are some of the usual to be expected conditions such as to be vaccinated, wearing face masks and so on. But one that has stirred up a bit of a hornet’s nest is the requirement of attendees to sign a liability waiver [pdf].
Ireland’s ccTLD hit the quarter million domain name registrations mark last week as .ie has been on a mini boom since a relaxation in eligibility rules in March. Today there are 254,400 .ie domain names registered, and 34,000 have been registered this year. Continue reading .IE On A Roll As It Hits Quarter Million Domains
In a bid to “to protect the data collected in WHOIS”, ICANN last week sought a court ruling in a German court to “ensure the continued collection of all WHOIS data, so that such data remains available to parties demonstrating legitimate purpose to access it, consistent with the GDPR.”
The “one-sided filing” in Bonn, Germany, was against German registrar EPAG, these days part of the Tucows group. EPAG had recently informed ICANN that it would no longer collect administrative and technical contact information for generic top level domain name registrations as it believes collection of that data would violate the GDPR rules, and further, it wasn’t needed.
EPAG had advised ICANN it no longer intended to collect such data, citing the GDPR law implementation as its rationale. In a statement from their parent company, Tucows, they said they “realised that the domain name registration process, as outlined in ICANN’s 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn’t need, it also required us to collect and share people’s information where we may not have a legal basis to do so. What’s more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts.”
Through its contract with registrars including EPAG, ICANN requires the WHOIS information be collected. In an effort to comply with the European Union’s General Data Protection Regulation, ICANN recently adopted a new Temporary Specification regarding how WHOIS data should be collected and which parts may be published, which ICANN believes is consistent with the GDPR.
The late announcement of the Temporary Specification, a week before the GDPR came into being, already had registrars irate, as they had to have their systems compliant ready for its implementation. Speaking to Domain Pulse at the Domain Pulse conference (unrelated), EPAG’s Managing Director Ashley La Bolle said at EPAG they wished “ICANN had started work on this a year ago. Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.”
The German court ruled in favour of EPAG, at least in part, ruling it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, said ICANN in a statement, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse the security aspects in connection with the domain name (such as criminal activity, infringement or security problems).
The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.
“While ICANN appreciates the prompt attention the Court paid to this matter, the Court's ruling today did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings,” said John Jeffrey, ICANN's General Counsel and Secretary. “ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29, to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.”
So where to from here? Michele Neylon from the Irish registrar and hosting company Blacknight suggests “there might be more at play here than initially meets the eye. ICANN is probably coming under a lot of pressure from the US government and other interests in relation to public whois. Recent speeches by US Department of Commerce’s head honcho David Redl in multiple venues have underlined the US government’s fixation with full public whois.”
It's not over yet. As Jeffrey noted, the ruling didn’t give the clarity ICANN sought. Watch this space.
ICANN has granted another two European registrars data retention waivers following concerns over how the Registrar Accreditation Agreement conflicts with European data retention laws.
One waiver was granted to Blacknight Internet Solutions who submitted to ICANN a Registrar Data Retention Waiver Request on the basis of Registrar’s contention that compliance with the data collection and/or retention requirements of the Data Retention Specification in the 2013 RAA violates applicable law in Ireland.
The second waiver was granted to Nameweb BVBA on the basis of the Registrar’s contention that compliance with the data collection and/or retention requirements of the Data Retention Specification in the 2013 RAA violates applicable law in Belgium.
The waivers shall remain in effect for the duration of the term of the 2013 RAA signed by the registrars.
The issue has come about as some registrars, particularly in Europe, have expressed concerns that local data protection and other privacy laws make it difficult for them to comply with these new requirements. ICANN has noted these concerns and that laws vary from country to country and that some of the new data retention requirements in the 2013 RAA may conflict with certain European data protection and privacy regulations. In a posting on the ICANN blog, ICANNâs Cyrus Namazi said, âto be clear, governing laws take precedence over the terms of the RAA.â
The issue from a European perspective was made clear in a letter from the European Commissionâs Article 29 Working Party in June 2013 who said âthe Working Party wishes to provide a single statement for all relevant registrars targeting individual domain name holders in Europe.â Obviously this hasnât happened and ICANN is issuing waivers on a registrar-by-registrar basis on the specific laws that are being violated in the country the registrar is located.
The Working Party also reiterated âits strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political rights.â
âThe fact that these personal data can be useful for law enforcement does not legitimise the retention of these personal data after termination of the contract. Because there is no legal ground for the data processing, the propose d data retention requirement violates data protection law in Europe.â
Blacknight Internet Solutions Ltd. (“Blacknight”) submitted a data retention waiver request under the 2013 Registrar Accreditation Agreement (the “2013 RAA“) on the basis of its contention that compliance with the data collection and/or retention requirements of the Specification violates applicable law.
The Waiver Request was accompanied by a legal opinion from Irish counsel asserting that compliance with the data collection and/or retention requirements of the Specification violates Ireland Data Retention Acts 1998 â 2003.
Following receipt of the Waiver Request, and in accordance with the 2013 RAA, ICANN, through its staff and legal counsel, and Blacknight, through its staff and legal counsel, discussed the matter in good faith in an effort to reach a mutually acceptable resolution of the matter.
The outcome of those discussions is that Blacknight is seeking a waiver with respect to Sections 1.1.1 through 1.1.8 of the Specification that would reduce from two years to one year the period for which those specified data elements must be retained after the Registrar’s sponsorship of the Registration ends, and is seeking a waiver with respect to Sections 1.2.1 through 1.2.3 of the Specification that would reduce from 180 days to 90 days the period for which those specified data elements must be retained following the relevant interaction.
ICANN is posting Blacknight’s proposed waiver for a period of thirty (30) days to seek feedback and input from the community on the proposed data retention waiver. After the thirty (30) day period following this posting has expired, ICANN will consider all feedback and input received before making a final determination on whether to grant the Waiver Request.
The scope of the proposed waiver would be to permit Blacknight to maintain the information specified in Sections 1.1.1 through 1.1.8 of the Specification for the duration of its sponsorship of the Registration and for a period of one (1) additional year thereafter rather than two (2) additional years thereafter, and to maintain the information specified in Sections 1.2.1 through 1.2.3 of the Specification for a period of 90 days after the relevant interaction rather than for 180 days thereafter. In all other respects the terms of the Specification would remain AS-IS.
The specific change to the Specification would be that, for the duration of the Waiver, the retention requirement of Section 1.1 of the Data Retention Specification be changed from “two additional years” to “one additional year” and the retention requirement of Section 1.2 of the Data Retention Specification would be changed from “one hundred eighty (180) days” to “ninety (90) days.”
If ICANN does make a final determination to grant the Waiver Request sought by Blacknight, the provisions of Section 3 of the Specification would apply to similar waivers requested by other registrars located in the same jurisdiction. Section 3 of the Specification provides as follows:
If (i) ICANN has previously waived compliance with the requirements of any requirement of this Data Retention Specification in response to a Waiver Request from a registrar that is located in the same jurisdiction as Registrar and (ii) Registrar is subject to the same applicable law that gave rise to ICANN‘s agreement to grant such wavier, Registrar may request that ICANN to grant a similar waiver, which request shall be approved by ICANN, unless ICANN provides Registrar with a reasonable justification for not approving such request, in which case Registrar may thereafter make an Wavier Request pursuant to Section 2 of this Data Retention Specification.
A public comment period will remain open until 23:59 UTC, 7 June 2014. Public comments will be available for consideration by ICANN staff and the ICANN Board.
Blacknight’s Waiver Request and supporting documents are available here: Blacknight Data Retention Waiver Request and Supporting Materials [PDF, 1.73 MB]
Comments can be posted to: firstname.lastname@example.org
Comments can be viewed at: forum.icann.org/lists/comments-blacknight-07may14/
This ICANN announcement was sourced from:
Michele Neylon is not happy with ICANN. Actually, heâs âangry, frustrated and unhappyâ.
The reason is, âICANN has put us and other European Union based registrars in an utterly ridiculous situation,â Neylon wrote on his Blacknight Solutions blog.
âWe are expected to ask ICANN for permission to comply with Irish and EU data privacy law.
âOr put another way, an Irish company is obliged to jump through hoops with a California based corporation in order to be able to operate within Irish law.â
Itâs a situation that has been brewing for some time Neylon wrote, with discussions with ICANN happening for the last two years.
His company went from being a domain name reseller to an ICANN-accredited registrar to cut out the middleman. And now a new contract has been published, but as he notes âthe new contract has issues if youâre based in the EU.â
âThe central tenet of data privacy law is summed up in Article 6(e) of the European Data Protection Directive 95/46/EC which deals with retention of data (emphasis added):
Â Â Â kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected
âWhich under Irish law is Data Protection (Amendment) Act 2003:
Â Â Â âArticle 4 (e). preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are storedâ
âHowever ICANN explicitly demands that registrars retain the data for way longer.â
Neylonâs problem is that the period of time ICANN want the data to be held is âsimply too longâ.
To seek some clarification, Neylon reached out to Irelandâs Data Protection Commissioner, and they advised, in short, âwithout any rationale for the data being held for so long they had issues with itâ.
The EU also has problems with the requirement. Neylon writes the âEuropean Union, has written to ICANN on several occasions telling them clearly that the 2013 RAA is not compatible with EU law.
âThey also made it very clear that they didnât think it was reasonable to ask every EU based ICANN accredited registrar to jump through hoops to get an exemption to the clauses.â
And then he asks âWhat did ICANN do about it? Short answer â nothing.â
In his posting, Neylon finds it problematical that ICANN doesnât understand law.
To read the post in full, see blog.blacknight.com/blow-fuse.html.
Fake pharmaceutical products online not only take profits from large drug companies, they also often put the health of users at risk through dangerous or ineffective drugs or people self-diagnosing with drugs they donât know about the effects and side-effects.
Going on the front foot to do their bit to tackle this problem is a leading Irish registrar and hosting company, Blacknight, who have announced they are taking action against rogue pharmacy operators.
Blacknight have formed a partnership with LegitScript, an anti-rogue pharmaceutical firm, which will allow Blacknight to ensure that no fake pharmaceutical will be funnelled through their channels. LegitScript currently works with Registrars, providing complimentary notifications and serving as an âoutsourcedâ abuse team on rogue online pharmacy issues.
âWe are pleased to announce that we are changing our terms of service to explicitly ban fake pharma,â said Michele Neylon of Blacknight. âBlacknight has a long history of aiding the fight against cybercrime and our partnership with LegitScript will allow us to take an active stance against rogue pharmacy operators.â
The word ârogueâ literally means, in this context, âoperating outside of normal controls.â Rogue Internet pharmacy operators tend to seek a âjurisdiction-lessâ zone or âsafe havensâ from where they can claim that they are not subject to any drug safety regulations whatsoever, thus putting customers at risk of receiving substandard or falsified medicines.
LegitScript is endorsed by the National Association of Boards of Pharmacy, on behalf of the government agencies that license and regulate pharmacies in the US, Canada, Australia and New Zealand, and works with drug safety regulators throughout the EU and other regions. The NABPâs endorsement is specifically for the purpose of working with domain name registrars, ISPs, search engines and financial institutions to determine which online pharmacies are legitimate and which are not in compliance with applicable drug safety laws and regulations.
âNot every entity selling pharmaceuticals operate as rogue,â said Neylon. âHowever, the ones that are doing so create an unsafe environment for the entire industry. Domain registrars often unwittingly aid this practice because they donât have the resources to dedicate to fighting it. LegitScript is a massive help to us in cleaning up the space we are responsible for and I highly recommend that more registrars incorporate these services.â
âRegistrars such as Blacknight are leading the way in making sure that the Internet is safe and secure, and that cyber-criminals selling fake medicines are not allowed to take advantage of patients or other vulnerable populations,â said LegitScript President John Horton. âWe commend Blacknightâs leadership in this area, and we look forward to working with them to help make the online healthcare market a secure, safe environment for all Internet users.â
Both the NABP and LegitScript have found that approximately 97% of all online pharmacies fail to comply with applicable laws and regulations. Of these, the vast majority ââ well over 90% ââ are overtly criminal in nature. However, a small percentage (roughly 4%) fail to comply with applicable laws and regulations, but in a way that is less serious and that typically does not warrant suspending the domain name.
With the launch of the first of the new TLDs coming later in 2013, there are growing concerns about the ability of large global businesses to monopolise the use of “closed generic” TLDs.An industry group led by Ireland’s only registrar, Blacknight, is urging the online community to take part in ICANN’s public comment period concerning these “closed generic” TLD Applications.For example, Blacknight asks is it reasonable to allow Google to monopolise “search” through their application for the .search TLD? Or should all bloggers be forced to use Blogger if they want to use theirname.blog?In recent months Blacknight has been leading the community in actively seeking clarification on pending TLD applications for broad term extensions like .blog, .music and .cloud, TLDs that would be severely restricted if monopolised by single entities that intend to use the terms solely to market their own products.Currently ICANN has a public comment period underway requesting comments regarding whether single entities may seek to operate non-trademarked generic word TLDs in a “closed” (not open to the public for registration) manner. The comment period, which opened on 5 February, will remain open until 7 March, 2013.”As longtime members of the ICANN community, we feel strongly on this issue and aim to raise community awareness of the effects of ‘closed generic’ TLDs, said Blacknight’s Michele Neylon. “We believe in an open and ‘free’ Internet and the idea of a small group of companies effectively monopolising terms that belong to all people just seems wrong.”Blacknight has expressed discontent with the possibility of closed non-trademarked key-word extensions through multiple letters to ICANN. The letters encourage ICANN to consider the adoption of a process in which applicants who wish to operate a closed TLD, meet certain, transparent criteria.According to Icann.org: “ICANN is seeking public comment on the subject of ‘closed generic’ gTLD applications and whether specific requirements should be adopted corresponding to this type of application. Stakeholder views are invited to help define and consider the issue. In particular, comments would be helpful in regard to proposed objective criteria for: classifying certain applications as ‘closed generic’ TLDs, i.e., how to determine whether a string is generic, and determining the circumstances under which a particular TLD operator should be permitted to adopt ‘open’ or ‘closed’ registration policies.”Responding to this Neylon says he “strongly urge[s] the online community to take advantage of this public comment period. Allowing companies that have no trademark claims to generic, key-terms such as ‘blog’, ‘beauty’ or ‘music’ is tantamount to granting them ownership of those words. This behaviour negates the purpose of creating a richer, more diverse Internet space. This is a slap in the face to those of us who worked so hard to help bring new TLDs into being.”The public comment period for “Closed Generic” TLD Applications is currently active and will remain open until 7 March 2013.To submit a comment, go to www.icann.org/en/news/public-comment/closed-generic-05feb13-en.htmPrevious letters from Blacknight to ICANN concerning “closed generic” TLD Applications are available at:blog.blacknight.com/letter-to-icann-clarifications-on-non-trademarked-generic-keyword-tld-are-needed.html
Concerns about what companies plan to do with some of their generic keyword new Top Level Domains have been expressed by one of Ireland’s leading registrars and hosting companies.Blacknight CEO Michele Neylon has corralled a group of industry people to co-sign the letter that urges ICANN “to formally clarify its position on Generic Key Word TLDs.”The letter also asks “specifically whether ICANN will allow [the new TLDs] to be operated in a ‘closed’ manner. The most recent version of the ‘Registry Operator Code of Conduct’ states that any applicant who wishes to operate a closed TLD would file an exception request to operate the TLD thusly.”The signatories are encouraging ICANN to consider the adoption of a process in which applicants who wish to operate a closed TLD, meet certain, transparent criteria.To gain an exception, the signatories believe a registry must only use the TLD for its exclusive use, not make domain names available for public registration and provide proof that “application of this Code of Conduct to the TLD is not necessary to protect the public interest.”The letter also expresses the view that while there are several issues regarding new gTLDs that remain unclear, this issue most directly affects the public.”As a community, we supported a program that would expand the name space for competition, to further the internet and to provide a broader choice for our customers,” said Neylon. “Our collective aim is to help the Internet into this next stage, not to take generic key words that essentially belong to ‘everyone’ and tie him or her up.”The letter follows on from another that was sent by Blacknight to ICANN in September 2012 expressing concern that it is generally understood that new gTLDs would be operated in a closed manner only under very defined circumstances.The letter is available online at blog.blacknight.com/letter-to-icann-clarifications-on-non-trademarked-generic-keyword-tld-are-needed.html.
ICANN’s new gTLD project has received a lot of media attention over the last few months. A new group headed by Irish registrar and hosting company Blacknight has supported the opening up of the internet via new domain names, but they also have serious concerns about how some companies want to “corner off” generic terms ie. keep an entire domain extension (the right of the dot) to themselves.
The news release expressing the concerns of the group is below.
Blacknight to ICANN – The Registration of Generic Key Word TLDs Should Be Available to All People
Irish registrar and hosting company Blacknight have sent an objection letter to ICANN concerning several new gTLD applications, which may seek to operate non-trademarked generic word TLDs in a “closed” manner.
Blacknight have drafted a letter to ICANN seeking clarification on pending gTLD applications for generic term TLDs, which intend to operate in a “closed” (not open to the public for registration) manner. The letter expresses concern over applications for broad term extensions like .blog, .music and .cloud as domains that would be severely restricted if monopolized by single, corporate entities that intend to use the terms solely to market their own products.
The letter states: “generic words used in a generic way belong to all people. It is inherently in the public interest to allow access to generic new gTLDs to the whole of the Internet Community, e.g., .BLOG, .MUSIC, .CLOUD. Allowing everyone to register and use second level domain names of these powerful, generic TLDs is exactly what we envisioned the new gTLD Program would do. In contrast, to allow individual Registry Operators to segregate and close-off common words for which they do not possess intellectual property rights in effect allows them to circumvent nation-states’ entrenched legal processes for obtaining legitimate and recognized trademark protections.”
Michele Neylon explains: “No one company should have control of a generic name space like that. If the goal of the new gTLD program is to increase competition in the domain space and to provide a wider range of choice for end users, giving single companies use of generic terms violates that ideal. The new TLD project spent thousands of hours working on protecting IP rights. We did not fight for those rights so large companies could turn around and blatantly abuse that good will.”
Consumer rights advocacy group Consumer Watchdog has sent a separate letter on September 19, 2012 stating: “If these applications are granted, large parts of the Internet would be privatized. It is one thing to own a domain associated with your brand, but it is a huge problem to take control of generic strings.”
Blacknight’s letter to ICANN states that it is generally understood that new gTLDs would be operated in a closed manner only under very defined circumstances. The letter asks that ICANN might clarify the circumstances and allow the applicants to amend their applications to comply with this clarification.
The letter has also been signed by over a dozen other companies including EuroDNS, DomainPeople, Cronon AG, Artic Names, MailClub, 1API, Nordreg and Banc Media.
To read Blacknight’s letter to ICANN, please visit : blog.blacknight.com/letter-to-icann-on-big-brands-proposed-usage-of-generic-domain-extensions.html
To read the letter from Consumer Watchdog, please visit www.consumerwatchdog.org/resources/ltrrockefeller091912.pdf