Tag Archives: privacy

.NZ Gets Another Victory In DomainTools Battle Over registrant Privacy Rights

New Zealand’s Domain Name Commission (DNC) had their third victory in three appearances in their ongoing court battle with DomainTools, the latest being in March. DomainTools had appealed three claims, after losing their first appeal, but won only one, while the DNC won the remaining two, with the DNC considering an appeal on the remaining claim. It is a battle over whether a top-level domain registry can protect the privacy of its registrants. As Jordan Carter, InternetNZ’s CEO, told the Goldstein Report back in March 2019, “this test case will be significant for protecting the privacy rights of .nz registrants in the .nz domain name space and it is likely to have an impact on other ccTLDs and the wider industry.” It seems that the privacy rights of .nz registrants have been protected.

CIRA Provides Canadians With Free DNS Firewall To Enhance Security And Privacy

Canada’s ccTLD registry, CIRA, has made the internet a bit safer and more private this week with the launch of CIRA Canadian Shield – a free DNS firewall service that will provide online privacy and security to individuals and families across Canada.

Investing in Privacy Shows Benefits Averaging 2.7 Times Investment: Cisco

Organisations, on average, receive benefits 2.7 times their investment, and more than 40% are seeing benefits that are at least twice that of their privacy spend according to Cisco’s 2020 Data Privacy Benchmark Study. Privacy has become a big issue globally in recent years, particularly following the introduction of the European Union’s General Data Protection Regulation (GDPR) that caused domain name registrars and registries to make major changes to their practices.

The Cisco study, released in observance of International Data Privacy Day, also found that over 70% of organisations, up from 40% last year, now say they receive significant business benefits from privacy efforts beyond compliance, including better agility, increased competitive advantage, improved attractiveness to investors, and greater customer trust.

The study also found that companies with higher accountability scores (as assessed using the Centre for Information Policy Leadership’s Accountability Wheel, a framework for managing and assessing organisational maturity) experience lower breach costs, shorter sales delays, and higher financial returns, while 82% of organisations see privacy certifications as a buying factor. Privacy certifications such as ISO 27701, EU/Swiss-US Privacy Shield, and the APEC Cross Border Privacy Rules system are becoming an important buying factor when selecting a third-party vendor. India and Brazil topped the list with 95% of respondents agreeing external certifications are now an important factor.

In a blog post, Robert Waitman, Director, Data Privacy Security and Trust Office at Cisco, said “the results of this study highlight that privacy is good for business, beyond any compliance requirements.” Waitman writes that Cisco recommends organisations:

  • Invest in privacy beyond the legal minimum; most organizations are seeing very positive returns on their privacy spending.
  • Work to obtain external privacy certifications; these have become an important factor in the buying process.
  • Build in privacy accountability and maturity to achieve security benefits, reduced sales delays, and higher returns.

Cisco’s 2020 Data Privacy Benchmark Study is their third annual look into corporate data privacy practices worldwide and shows growing tangible benefits for businesses that adopt strong privacy practices.

The study is based on results from a double-blind survey of over 2,800 security professionals in organisations of various sizes across 13 countries. It provides deep insight into the state of privacy a year and a half after the effective date of the European Union’s General Data Protection Regulation (GDPR), widely considered a turning point on how organisations control and manage the use of personal data. Customer demands for increased data protection and privacy, the ongoing threat of data breaches and misuse by both unauthorised and authorised users, and preparation for the GDPR and similar laws around the globe spurred many organisations to make considerable privacy investments – which are now delivering strong returns.

The European Union’s General Data Protection Regulation (GDPR), adopted in 2016 and introduced in May 2018, has been a focus in the domain name world because of the changes it required to the contact information collected for WHOIS, and because of ICANN’s ham-fisted attempts to deal with the situation, which led to ICANN losing multiple court actions and to exemptions being provided to many registrars located within the EU regarding information they were required to collect under their Registrar Accreditation Agreements. Additionally, almost all, if not all, country code top level domain (ccTLD) registries either located within the EU or allowing EU citizens to register their domains were required to change the information they required registrars to collect upon registration of a domain name.

Radix’s Karn Jajoo Discusses GDPR Benefits, How New gTLDs Are Looking Good and Radix’s Impressive Growth

In the latest Domain Pulse Q&A, we talk to Karn Jajoo, Head of Premium Portfolio at Radix, the registry behind successful new domain extensions such as .TECH, .STORE, .ONLINE, .SPACE and .SITE. Radix is one of the world’s largest nTLD portfolio registries with over 4M domains under management.

Jajoo discusses Radix’s impressive growth in 2018; how one positive impact of the EU’s GDPR has been that it has spawned privacy discussions in developing countries, leading to local data privacy laws; how registries should be deploying a long-term strategy now, keeping away from the practice of trying to sell as many names as possible and instead focusing on sustainable growth and usage; and how the wider industry is developing supporting products. Not surprisingly, Jajoo is excited about the prospects for the new generic top-level domains.

Domain Pulse: What were the highlights, lowlights and challenges of 2018 in the domain name industry for you?

Karn Jajoo: 2018 was a great year for new domains with some solid premium sales across top nTLDs, and two premium name sales over $500,000 that have set a new benchmark. Good meaningful names in suitable extensions will continue to find end users willing to pay a premium price.

Many globally popular brands warmed up to using new domains with the industry experiencing increasing adoption across different verticals globally.

There was also a 25% YoY growth in overall new domain registrations from registrars outside China; in fact, there were a total of 10 million registrations in 2018 vs 8 million in 2017. Specifically for us, it was a great year as Radix grossed $16.95M in total revenue in 2018, a 30% rise over its revenue in 2017. Radix’s net profit also grew by 45.6% in comparison to last year.

One of the biggest challenges for the new domains industry still remains to be the mindset within the domain industry. While there has been a gradual but definite shift in the perception of nTLDs within the domain industry, I think for many folks, an inherent conflict of interest leads to skepticism. Such biases need to be checked given the success of so many good nTLDs and plenty of use cases that continue to thrive.

DP: GDPR – good, bad and/or indifferent to you and the wider industry and why?

KJ: Much like others within the domains industry as well as other industries across the globe, the exercise to implement these changes in processes was challenging, and often confusing. Although, I don’t think we could classify it as good or bad. Instead of a binary judgment, we should look at it as a welcome change as far as the protection of private data is concerned.

On one hand, the domain industry seems to have coped well with the regulations that came into effect last year. On the other hand, DNS security agencies and counter abuse efforts have suffered a setback with redacted WHOIS information. The one positive effect of GDPR has been that data privacy discussions have spawned in other developing nations leading to the formation of local data privacy laws.

DP: What are you looking forward to in 2019?

KJ: As Radix, we are looking forward to becoming the biggest nTLD operator globally, and at the current growth pace, that could happen soon! We are already the only nTLD portfolio registry that has two of its TLDs with over 1 million domain registrations each.

We are also excited about the increasing number of startups that are investing in and using new gTLDs. Owing to the booming startup ecosystem globally, we can expect a lot of room for growth in new gTLDs in 2019. Our Startup League initiative now has 300+ startups that we are actively supporting.

As top nTLDs get more mainstream, their usage and acceptance would steadily increase, and so will the value of premium domains on nTLDs. We expect to make some big-ticket sales in 2019 and beyond.

DP: What challenges and opportunities do you see for the year ahead?

KJ: Registries should be deploying a long-term strategy now and keep away from the practice of trying to sell as many names as possible and instead focus on sustainable growth and usage.

A big positive for this industry is that partners such as domain marketplaces, brokerages, etc. are building more products and allocating time and resources towards marketing and selling new TLDs. Site builder SaaS platforms of all sizes are also starting to enhance their domains play and are understanding the importance of domain names as the gateway to more sales of their products.

DP: 2019 will mark 5 years since the first new gTLDs came online. How do you view them now?

KJ: Most extensions have been active for 2-4 years now and there is adequate channel and customer feedback on various aspects such as market segmentation, geographies, pricing etc. There has been considerable consolidation in the industry and many extensions that shouldn’t have existed in the first place are either declining in registrations or have ceased to exist, while meaningful extensions that offer customers genuine value have continued to grow.

Customer awareness and acceptance continues to be a challenge and an opportunity. We will continue to see a growing number of new domains spotted ‘in the wild’. We have a high decibel digital marketing campaign targeting end consumers running through various media channels for our flagship generic TLD, .ONLINE. We did similar campaigns for .STORE and .TECH last year and we can see their impact on the business.

I feel registries should be doing as much as possible to increase the pace of building awareness by communicating their value proposition.

DP: Are domain names as relevant now for consumers – business, government, and individuals – as they have been in the past?

KJ: I think domain names are more relevant now than ever. Trust between social media and consumers was shaken many times in the last couple of years and businesses realise that they need to ‘own their property’ i.e. their touchpoint with their customers or followers. If they only rely and build upon the property of someone else, they will always risk losing control of that relationship. Such dependence on social media has impaired many businesses which relied heavily on them for revenue or growth of the community. A good domain is an investment into your own brand and thus the best names will continue seeing higher valuations and interest in the coming years.

Previous Q&As in this series were with:

  • EURid, manager of the .eu top level domain (available here)
  • Katrin Ohlmer, CEO and founder of DOTZON GmbH (here)
  • Afilias’ Roland LaPlante (here)
  • DotBERLIN’s Dirk Krischenowski (here)
  • DENIC (here)
  • Internet.bs’ Marc McCutcheon (here)
  • nic.at’s Richard Wein (here)
  • Neustar’s George Pongas (here)
  • CentralNic’s Ben Crawford (here)
  • CIRA’s David Fowler (here)
  • Jovenet Consulting’s Jean Guillon (here)
  • GGRG’s Giuseppe Graziano (here)
  • Blacknight Solutions’ Michele Neylon (here)
  • Public Interest Registry’s President and CEO Jon Nevett (here)
  • ICANN board member and founding auDA CEO Chris Disspain (here)
  • InternetNZ’s Chief Executive Jordan Carter (here).

If you’d like to participate in this Domain Pulse series with industry figures, please contact David Goldstein at Domain Pulse by email to david[at]goldsteinreport.com.

ICANN Reaffirms gTLD Registration Data Temporary Specification in Defiance of German Courts

Although ICANN isn’t technically American, there’s a growing difference of opinion between Europe and “America” over how to deal with the collection of domain name registrants’ registration, or Whois, data. Despite going down 4-0 to German courts in a dispute where EPAG is refusing to abide by ICANN’s requirement to collect registration data, ICANN has continued to insist registrars and registries collect the data they require for gTLDs.

SIDN Sets Up Privacy Portal and Legal Help Desk To Assist Registrars Comply With GDPR

To help its registrars comply with the European Union’s General Data Protection Regulation, SIDN, the .nl ccTLD manager, has set up a Privacy Portal and a Legal Help Desk. SIDN acknowledges that for registrars, bringing their operations into line with the GDPR, and making sure they stay that way, can be a challenge.

In a blog post on the SIDN website, RA CEO Margreth Verhulst and SIDN’s Key Account Manager Sebastiaan Assink discuss the Privacy Portal and Legal Help Desk now available to registrars.

“At the start of the year, SIDN organised a webinar on the implications of the GDPR for domain name registration. Participants were asked whether they had set up a data processing register, as required under the new legislation. And no fewer than 66 per cent of the registrars responded by saying that they hadn’t yet set one up. A broadly similar picture emerged when the RA surveyed its members to find out how many were GDPR-compliant. From the survey feedback, it was also clear that registrars would welcome support bringing their activities into line with the directive. The RA and SIDN therefore linked up with the ICTRecht legal consultancy to create the Privacy Portal, which opened for business on 27 September 2018. The Portal is intended to advise registrars on recording and protecting sensitive information and other privacy-related issues. “The Privacy Portal offers registrars free guidance on all aspects of privacy management,” explains Sebastiaan. “You can get answers to legal questions, or help with data processing agreements and other documents.” Dozens of registrars have already turned to the Portal for assistance.

A registrar’s first contact with the Privacy Portal sees them being asked a few general questions. Answers are used to build up a profile and then a customised account can be established. Through the account, tailored advice is made available and appropriate measures are suggested. Facilities are also available for organising your enquiries and documents. “The intake privacy scan provides an immediate impression of what you’ve got under control and what still needs attention,” adds Margreth.

“The Portal also features a tool that can be used to set up and maintain a data processing register, another of the GDPR’s new requirements. There’s a privacy statement generator as well, and a utility for checking the adequacy of your technical data protection measures. Another feature of the Privacy Portal is its data breach registration functionality, which you can use to comply with the GDPR’s requirement that details of all breaches must be recorded. Finally, there’s a tool for generating appropriate data processing agreements to regulate your relationships with any data processors that handle data on your behalf. In other words, the Privacy Portal offers all kinds of assistance with GDPR-compliance.”

“Registrars process a great deal of personal data and cooperate with other actors, including suppliers and partners. They collect registrants’ personal details, for example, and forward the information to us on the registrants’ behalf. That’s how a domain name is registered. Naturally, it’s primarily the registrars’ responsibility to make sure that their data processing complies with the law. However, it’s also very much in our interests to see that registration data is processed and exchanged securely,” continues Sebastiaan. As Margreth points out, registrars have a lot on their plates, even without the GDPR. “Their core business is domain name registration, and compliance with the many rules and regulations that apply to the industry sometimes gets sidelined. So the Portal has been created with the aim of relieving some of the burden and making compliance easier for registrars. For any registrar who sees GDPR compliance as a dauntingly high mountain, the Privacy Portal will act like a Sherpa. You’ve still got to get up the mountain yourself, but the Portal is there to shoulder some of the load.”

“The Privacy Portal is just one of the ways that the RA and SIDN are working together to support and invest in the registrar community. It is a spin-off from the Legal Help Desk opened earlier in the year. Via the Help Desk, all 1250 or so .nl registrars can get free legal advice regarding issues involving contracts, ICT, terms and conditions and the like. Questions are simply submitted to the Help Desk using a standard form. Another product of cooperation between SIDN and the RA is the SIDN Academy.”

“So far, we’ve run three SIDN Academy sessions for registrars. The one-day sessions are intended for sharing knowledge on particular topics,” said Assink. “The first round of sessions was devoted to e-mail security, for example.”

Looking forward, the post notes Margreth and Sebastiaan have no preconceptions about how the Help Desk and Portal should develop from here. Both are really still pilot services. “We’ll evaluate the situation after twelve months,” says Margreth. “The future direction of the projects will depend on how registrars use these facilities in practice. A positive response and high levels of use will encourage us to continue and extend the services.”

The full version of this post originally appeared on the SIDN website here. SIDN is the country code top level domain (ccTLD) manager for .nl (Netherlands).

ICANN: German Regional Court to Revisit Ruling in Injunction Proceedings on Request to Preserve WHOIS data

ICANN was informed Thursday that the Regional Court in Bonn, Germany, has decided to revisit its ruling in the injunction proceedings that ICANN initiated against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group.

On 13 June 2018, ICANN appealed the Regional Court’s initial decision to reject ICANN’s application for an injunction, in which ICANN sought a court order requiring EPAG to reinstate collection of administrative and technical contact data for new domain name registrations.

Upon receipt of an appeal, the Regional Court has the option to re-evaluate its decision that is being appealed, or affirm its decision and immediately forward the matter to the Higher Regional Court for consideration of the appeal.

In this instance, the Regional Court has decided to revisit its initial decision and has asked EPAG to comment on ICANN’s appellate papers within two weeks.

ICANN is pursuing this matter as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system. To that end, ICANN continues to seek clarity of how to maintain a global WHOIS system and still remain consistent with legal requirements under the European Union’s General Data Protection Regulation (GDPR).

Background:

On 25 May 2018, ICANN filed the injunction proceedings against EPAG. ICANN asked the Court for assistance in interpreting the GDPR in an effort to protect the data collected in WHOIS. ICANN sought a court ruling to ensure the continued collection of all WHOIS data. The intent was to assure that all such data remains available to parties that demonstrate a legitimate purpose to access it, and to seek clarification that under the GDPR, ICANN may continue to require such collection.

ICANN filed the proceedings because EPAG had informed ICANN that as of 25 May 2018, it would no longer collect administrative and technical contact information when it sells new domain name registrations. EPAG believes collection of that particular data would violate the GDPR. ICANN’s contract with EPAG requires that information to be collected.

EPAG is one of over 2,500 registrars and registries that help ICANN maintain the global information resource of the WHOIS system. ICANN is not seeking to have its contracted parties violate the law. Put simply, EPAG’s position spotlights a disagreement with ICANN and others as to how the GDPR should be interpreted.

On 30 May 2018, the Regional Court determined that it would not issue an injunction against EPAG. In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse in connection with the domain name (such as criminal activity, infringement, or security problems).

The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.

On 13 June 2018, ICANN appealed the Regional Court’s ruling to the Higher Regional Court of Cologne, Germany, and again asked for an injunction that would require EPAG to reinstate the collection of all WHOIS data required under EPAG’s Registrar Accreditation Agreement with ICANN.

ICANN appreciates and understands the dilemma of EPAG in trying to interpret the GDPR rules against the WHOIS requirements, but if EPAG’s actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.

In addition to the court proceedings, ICANN is continuing to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.

About ICANN

ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-3-2018-06-21-en

ICANN Finally Approves Temporary Specification To Comply With EU’s GDPR, With 7 Days To Spare

It was adopted on 14 April 2016 and after a 2-year transition period it becomes enforceable on 25 May 2018. Yet despite this timeframe, ICANN only approved a Temporary Specification for gTLD Registration Data to comply with the European Union’s General Data Protection Regulation on 17 May, with a draft published on 11 May. But it only gives registries and registrars 7 days to finalise and implement changes to their systems, or 14 days if they started when the draft was published. That is if they waited for ICANN’s snail-like process to take place.

The GDPR has been developed by the European Commission to give individuals more control over their data that businesses hold, including domain name Registries and Registrars. It also applies to businesses outside of the EU that hold data on citizens and residents of the EU. Its impact is far-reaching and penalties for breaches are severe – fines of up to €20 million or up to 4% of the annual worldwide turnover, whichever is greater.

ICANN’s approval of a Temporary Specification [pdf] is the result of 12 months of consultation with the community and “is an important step towards bringing ICANN and its contracted parties into compliance with GDPR,” said ICANN’s Chair Cherine Chalaby. “While there are elements remaining to be finalised, the adoption of this Temporary Specification sets us on the right path to maintaining WHOIS in the public interest, while complying with GDPR before its 25 May enforcement deadline.”

One can’t help but feel it’s an extraordinary failure by ICANN and the community given the time they’ve had to develop a solution. The Temporary Specification will be revisited by the ICANN Board in 90 days, if required, to reaffirm its adoption. And whether the Temporary Specification meets the European Commission’s requirements remains to be seen. In early April the EC’s Article 29 Data Protection Working Party wrote to ICANN [pdf] noting they weren’t satisfied with what ICANN had then proposed.

So what will happen on 25 May? Registry Operators and Registrars will still be required to collect all WHOIS information for generic top level domains (gTLDs). However, WHOIS queries will only receive “Thin” data in return, which includes only technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration, but not personal data. For third parties with legitimate interests in gaining access to the non-public data held by the Registry Operator or Registrar, there are still ways to access that data. Queries can be made through the sponsoring Registrar and they are obligated to respond in a reasonable time. If a response is not received, ICANN will have a complaint mechanism available. If it is thought individual parties are not complying with their obligations under these temporary specifications or their agreements with ICANN, ICANN’s Contractual Compliance Department can be contacted to file a complaint.

The changes are not unlike those being implemented by several European country code top level domain (ccTLD) registries. And while quite a few Registries and Registrars will have been waiting (or rather sweating) on ICANN’s announcement this week, some decided they couldn’t wait and have been developing solutions on what they believed ICANN’s response would have been.

Within Europe, some ccTLDs, such as the Austrian registry nic.at have implemented a “thin” model for individuals registering domain names, but legal entities or businesses will continue to have “thick” WHOIS data published. Others such as DENIC, the German ccTLD registry, will only record the contact details of the domain name registrant, two additional email addresses as contact points for abuse reports and general and technical requests as well as the usual technical domain data, which is similar to the ICANN model.

Registrars are frustrated. One, the German EPAG, which is part of the Tucows group, spoke of their frustrations to Domain Pulse at the Domain Pulse conference (unrelated) in Munich in February.

“We wish that ICANN had started work on this a year ago,” said Ashley La Bolle, Managing Director of EPAG Domainservices GmbH. “Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.”

“The domain industry has been really late to the game on GDPR implementation,” La Bolle went on to say. She noted how frustrating it was that the entire industry was slow to develop solutions and that solutions were only beginning to be finalised back then. The changes require significant resources to be thrown at implementing changes. In an industry that operates on razor-thin margins, it’s not an ideal situation.

“The GDPR requires contracts to be revised, additional staff training, and customer education. Our approach has been to change our systems and processes to handle as much of the impact of the GDPR as possible so that our customers can continue to use our services as they always have.”

It has also been claimed that the changes will be a boon for cybercriminals. Krebs on Security admits that while “cybercriminals don’t use their real information in WHOIS registrations … ANY information they provide — and especially information that they re-use across multiple domains and cybercrime campaigns — is invaluable to both grouping cybercriminal operations and in ultimately identifying who’s responsible for these activities.” And while some cybercriminals do take advantage of privacy protection services, “based on countless investigations I have conducted using WHOIS to uncover cybercrime businesses and operators, I’d wager that cybercrooks more often do not use these services.”

Krebs also notes that while “it is true that the European privacy regulations as they relate to WHOIS records do not apply to businesses registering domain names … the domain registrar industry — … operates on razor-thin profit margins and which has long sought to be free from any WHOIS requirements or accountability whatsoever.” Krebs believes they “won’t exactly be tripping over themselves to add more complexity to their WHOIS efforts just to make a distinction between businesses and individuals.”

“As a result, registrars simply won’t make that distinction because there is no mandate that they must. They’ll just adopt the same WHOIS data collection and display policies across the board, regardless of whether the WHOIS details for a given domain suggest that the registrant is a business or an individual.”