Get ready for whois verification. Maybe.
Huge changes might be coming to the way you register a domain name, and domain investors need to pay attention.
Negotiations for a new Registrar Accreditation Agreement (RAA), the agreement between registrars and ICANN, are ongoing. Meetings are taking place at ICANN’s meeting in Toronto this week.
I’ve talked to multiple people close to the negotiations, including James Bladel, Senior Director, ICANN Policy and Planning at GoDaddy.com, and reviewed ICANN documents to piece together where negotiations stand and what it means for domain investors.
Timeline: ICANN hopes to get the new RAA wrapped up by the end of the year. This seems feasible, but will require more face-to-face meetings.
Data retention/privacy: Requiring registrars to maintain certain information is still a sticking point. The EU’s Article 29 Data Protection Working Party has already said some provisions of an older draft of the RAA would likely violate laws.
ICANN has discussed some sort of “opt out” provision allowing registrars that believe the data collection/retention would violate local laws to not be subject to them.
Of course, this brings up a host of issues. First, bad actors (which the data retention rules are designed to fight) would just register domains in locations not subject to the rules. Second, a registrar and customer are often in different countries. Data might be stored in a third location. When a EU customer registers a domain at Go Daddy in Arizona, would the data retention rules apply?
Whois verification: Mickey Mouse whois records are a problem. Heck, the last ICANN CEO had bogus whois information on his personal domain.
Law enforcement agencies would like the phone number and email address to be verified. There’s debate over if both should be verified or either/or. There’s also debate on when it should be done: before or after the domain is registered.
You can imagine the cluster involved in verifying whois information before a domain registration is finalized.
Some points here.
1. This sort of verification will certainly increase the costs of registering a domain. There are high economies of scale, so this would hurt smaller registrars more. I imagine a third party service will pop up to do it, but it won’t be free.
2. Let’s face it: verifying this data will do nothing to stop bad actors from registering domains. It’s really easy to bypass these systems with throw away phone numbers and emails.
3. There are some concerns about patents covering this sort of verification. Recall that one company is suing domain registrars for sending email renewal notices, claiming this infringes its patent.
4. Such verification may be an issue for people that live under oppressive regimes. But then again, I suppose they can get around it (see #2 above).
Revocation clause: This is a biggie, and I’m told many on the registrar side of the table say it’s a non-starter. Section 7.3 of the proposed RAA basically gives ICANN an option to blow up the entire accreditation program. ICANN apparently wants this in case there are some bad actors it can’t flush out of its system. But blowing up the entire accreditation system? Even though it seems unlikely to actually happen, having this in there at all makes a lot of people nervous.
RAA Adoption: Because many registrars have an RAA that doesn’t expire for a couple more years, there will (as last time) need to be an incentive to get registrars to adopt the new RAA. In order to be a level playing field most need to adopt it at the same time. Usually there’s a financial incentive such as reduced fees.
One idea being considered this time is requiring registrars to adopt the new RAA before they can sell any new top level domains. But that could create some timing issues and hurt the overall TLD program, so I’m told there’s a push for financial incentives instead.