Latest news of the domain name industry

Recent Posts

Whois “killer” is a recipe for a clusterfuck

Kevin Murphy, June 13, 2014, 18:17:18 (UTC), Domain Policy

An ICANN working group has come up with a proposal to completely replace the current Whois system for all gTLDs.

Outlined in 180 recommendations spread over 166 pages (pdf), it’s designed to settle controversies over Whois that have raged for 15 years or more, in one fell swoop.

But it’s a sprawling, I’d say confusing, mess that could turn domain name registration and the process of figuring out who owns a domain name into an unnecessarily bureaucratic pain in the rear.

That’s if the proposal is ever accepted by the ICANN community, which, while it’s early days, seems like a challenge.

The Expert Working Group, which was controversially convened by ICANN president Fadi Chehade in December 2012, proposes a Registration Data Service that would ultimately replace Whois.

It’s a complex document, which basically proposes rebuilding Whois from the ground up based on ideas first explored by George Orwell, Franz Kafka and Douglas Adams.

Having read it, I’ll do my best in this post to explain what the proposed Registration Data Service seems to entail and why I think it seems like a lot of hard work for very little benefit.

I note in advance as a matter of disclosure that the RDS as proposed would very possibly disenfranchise me professionally, making it harder for me to do my job. I explain why later in this post.

I also apologize in advance for, and will correct if notified of, any errors. It’s taken me a week from its publication to read and digest the proposal and I’m still not sure it’s all sunk in.

Anyway, first:

What’s RDS?

RDS would be a centralized Whois database covering all domains in all gTLDs, new and old, operated by a single entity.

What’s in an RDS record?

Under the hood, RDS records wouldn’t look a heck of a lot different than Whois records look today, in terms of what data they store.

There would be some new optional elements, such as social media user names, but otherwise it’s pretty much the same data as we’re used to seeing in Whois records today.

The big difference is which of these elements would be visible by default to an anonymous internet user doing a regular Whois look-up somewhere.

Some fields would be “public” and some would be “gated” or hidden. Some fields would always be public and some could be toggled between public and gated by the registrant.

Gated fields would not be visible to people doing normal Whois look-ups. To see gated data, you’d need to be accredited to a certain role (cop, trademark owner, etc) and have an RDS account.

By default, much of the data about the “registrant” — including their name, physical address, country, and phone number — would be gated.

No, you’re not reading that wrong — the name of the registrant would be hidden from regular Whois users by default. Their email address, however, would be always be public.

There would also be up to six “Purpose Based Contacts” — an Admin Contact, a Legal Contact, a Technical Contact, an Abuse Contact, a Privacy/Proxy Contact and a Business Contact.

So, for example, a registrant could specify his registrar as his technical PBC and his lawyer as his legal PBC.

The admin, legal, technical and abuse contacts would be mandatory, and would default to the registrant’s own personal contact info.

A newly registered domain would not be activated in the DNS until the mandatory PBCs had been provided.

Each of these four mandatory PBCs would have different levels of disclosure for each data element.

For example, the Admin PBC would be able to hide their mailing address and phone number (both public by default) but not their name, email address or country.

The Legal PBC would not be able to opt out of having their mailing address disclosed, but the Technical and Abuse PBCs would be able to opt out of disclosing pretty much everything including their own name.

Those are just examples. Several tables starting on page 49 of the report (pdf) give all the details about which data fields would be disclosed and which could be hidden.

I think it’s expected by the EWG that most registrants would just accept the defaults and publish the same data in each PBC, in much the same way as they do today.

“This PBC approach preserves simplicity for Registrants with basic contact needs and offers additional granularity for Registrants with more extensive contact needs,” the EWG says.

Who gets the see the hidden stuff?

In order to see the hidden or “gated” elements, you’d have to be an accredited user of the centralized RDS system.

The level of access you got to the hidden data would depend on the role assigned to your RDS account.

The name of the registrant, for example, would be available to anyone with an RDS account.

If you wanted access to the registrant’s mailing address or phone number, you’d need an RDS account that accredited you for one or more of seven defined purposes:

  • Domain Name Control (ie, the registrant herself)
  • Domain Name Certification (ie SSL Certificate Authorities)
  • Business Domain Name Purchase/Sale (anyone who says they might be interested in buying the domain in question)
  • Academic/Public Interest DNS Research
  • Legal Actions (eg lawyers investigating fraud or trademark infringement)
  • Regulatory/Contractual Enforcement (could be ICANN-related, such as UDRP, or unrelated stuff like tax investigations)
  • Criminal Investigation/DNS Abuse Mitigation

Hopefully this all makes sense so far, but it gets more complicated.

Beware of the leopard!

In today’s gTLD environment, Whois records are either stored with the registry or the registrar. You can do Whois lookups on the registrar/y’s site, or via a third-party commercial service.

As a registrant, you need only interact with your registrar. As a Whois user, you don’t need to sign up for an account anywhere, unless you want value-added services from a company such as DomainTools.

Under RDS, a whole lot of other entities start to come into play.

First, there’s RDS itself — a centralized Whois replacement.

It’s basically two databases. One contains contact details, each record containing a unique Contact ID identifier. The other database maps Contact IDs to the PBCs for each gTLD domain name.

It’s unclear who’d manage this service, but it looks like IBM is probably gunning for the contract.

Second, there would be Validators.

A Validator’s job would be to collect and validate contact information from registrants and PBCs.

While registrars and registries could also act as Validators — and the EWG envisages most registrars becoming Validators — this is essentially a new entity/role in the domain name ecosystem.

Third and Fourth, we’ve got newly created Accrediting Bodies and Accreditation Operators.

These entities would be responsible for accrediting users of the RDS system (that is, people who want to do a simple goddamn Whois lookup).

The EWG explains that an Accrediting Body “establishes membership rules, terms of service, and application and enforcement processes, etc., for a given RDS User community.”

An Accreditation Operator would “create and manage RDS User accounts, issue RDS access credentials, authenticate RDS access requests, and provide first-level abuse handling”.

Because it’s not complicated enough already, each industry (lawyers, academics, police, etc) would have their own different combination of Accrediting Bodies and Accreditation Operators.

Who benefits from all this?

The reason the EWG was set up in the first place was to try to resolve the conflict between those who think Whois accuracy should be more strictly enforced (generally law enforcement and IP owners) and those who think there should be greater registrant privacy (generally civil society types).

In the middle you’ve got the registries and registrars, who are generally resistant to anything that adds friction to their shopping carts or causes even moderate implementation costs.

The debate has been raging for years, and the EWG was told to:

1) define the purpose of collecting and maintaining gTLD registration data, and consider how to safeguard the data, and 2) provide a proposed model for managing gTLD directory services that addresses related data accuracy and access issues, while taking into account safeguards for protecting data.

So the EWG proposal could be seen as successful if a) privacy advocates are happy and b) trademark lawyers and the FBI are happy, c) registrars/ries are happy and d) Whois users are happy.

Are the privacy dudes happy?

No, they’re not.

The EWG only had one full-on privacy advocate: Stephanie Perrin, who’s a bit of a big deal when it comes to data privacy in Canada, having held senior privacy roles in public and private sectors there.

Perrin isn’t happy. Perrin thinks the RDS proposal as it stands won’t protect regular registrants’ privacy.

She wrote a Dissenting Report that seems to have been intended as an addendum to the EWG’s official report, but it was not published by the EWG or ICANN. The EWG report makes only a vague, fleeting reference, in a footnote, to the fact that the was any dissent at all.

Milton Mueller at the Internet Governance Project got his hands on it regardless and put it out there earlier this week.

Perrin disagrees with the recommendation (outlined above) that each domain name must have a Legal Contact (or Legal PBC) who is not permitted to hide their name and mailing address from public view.

She argues, quite reasonably I think, that regular registrants don’t have lawyers they can outsource this function to, which means their own name and mailing address will comprise their publicly visible Legal PBC.

This basically voids any privacy protection they’d get from having these details “gated” in the “registrant” record of the RDS. Perrin wrote:

the purpose of the gate is to screen out bad actors from harassing innocent registrants, deter identity theft, and ensure that only legitimate complaints arrive directly at the door of the registrants. It is also to protect the ability of registrants to express themselves anonymously. Placing all contact data outside the gate defeats certain aspects of having a gate in the first place.

The EWG report envisages the use of privacy/proxy services for people who don’t want their sensitive data published publicly.

But we already have privacy/proxy services today, so I’m unclear what benefit RDS brings to the table in terms of privacy protection.

It’s also worth noting that there are no circumstances under which a registrant’s email address is protected, not even from anonymous RDS queries. So there’s no question of RDS stopping Whois-based spam.

Are the trademark dudes going to be happy?

I don’t know. They do seem to be getting a better deal out of the recommendations than the other side (there were at least three intellectual property advocates on the EWG) but if you’re in the IP community the report still leaves much to be desired.

The RDS proposal would create a great big centralized repository of domain registrant information, which would probably be located in a friendly jurisdiction such as the US.

That would make tracking down miscreants a bit easier than in today’s distributed Whois environment.

RDS would also include a WhoWas service, so users can see who has historically owned domain names, and a Reverse Query service, so that users can pull up a list of all the other domains that share the same contact field(s).

Both services (commercially available via the likes of DomainTools already) would prove valuable when collating data for a UDRP complaint or cybersquatting lawsuit.

But it’s important to note that while the EWG report says all contact information should be validated, it stops short of saying that it should be authenticated.

That’s a big difference. Validation would reveal whether a mailing address actually exists, but not whether the registrant actually lives there.

You’d need authentication — something law enforcement and IP interests have been pushing for but do not seem to have received with the EWG proposal — for that.

The EWG suggests that giving registrants more control over which bits of their data are public will discourage them from providing phony contact information for Whois/RDS.

The RDS proposes a lot more carrot than stick on this count.

But if Perrin is correct that it’s a false comfort (given that your name and address will be published as Legal PBC anyway) then wouldn’t a registrant be just as motivated to call themselves Daffy Duck, or use a proxy/privacy service, as they are today?

Are the registrar dudes going to be happy?

If the EWG’s recommendations become a reality registrars could get increased friction in their sales path, depending on how disruptive it is to create a “Contact ID” and populate all the different PBCs.

I think it’s certainly going to increase demand on support channels, as customers try to figure out the new regime.

Remember, the simple requirement to click on a link in an email is causing registrants and registrars all kinds of bother, including suspended domains, under recently introduced rules.

And there’s obviously going to be a bunch of (potentially costly) up-front implementation work registrars will need to do to hook themselves into RDS and the other new entities the system relies on.

I doubt the registrars are going to wholeheartedly embrace the proposal en masse, in other words.

Is Kevin Murphy happy?

No, I’m not happy.

It bugs me, personally, that the EWG completely ignored the needs of the media in its report. It strikes me as a bit of a slap in the face.

The “media” and “bloggers” (I’m definitely in one of those categories) would be given the same rights to gated RDS data as the “general public”, under the EWG proposal.

In other words, no special privileges and no ability to access the registrant name and address fields of an RDS record.

RDS may well give somebody who owns a trademark (such as a reverse domain name hijacker or a sunrise gamer) more rights to Whois records than the New York Times or The Guardian.

That can’t be cool, can it?

Murphy, brah, why you gotta cuss in your headline?

Good question. I do use swearwords on DI occasionally, but only to annoy people who don’t like them, and usually only in posts dated April 1 or in stories that seem to deserve it.

This post is dated June 13.

I think I’ve established that the EWG’s proposal as it stands today is a pretty big overhaul of the current system and that it’s not immediately obvious how the benefits to all sides warrant the massive effort that will have to be undertaken to get RDS to replace Whois.

But the clusterfuckery is going to begin not with the implementation of the proposal, but with the attempt to pass it through the ICANN process.

The proposal has to pass through the ICANN community before becoming a reality.

The Expert Working Group has no power under the ICANN bylaws.

It was created by Chehade while he was still relatively new to the CEO’s job and did not yet appreciate how seriously community members take their established procedures for creating policy.

I think it was a pretty decent idea — getting a bunch of people in a room and persuading them to think outside the box, in an effort to find radical solutions to a a long-stagnant debate.

But that doesn’t change the fact that the EWG’s proposals don’t become law until they’ve been subject to the Generic Names Supporting Organization’s lengthy Policy Development Process.

Some GNSO members were not happy when the EWG was first announced — they thought their sovereignty was being usurped by the uppity new CEO — and they’re probably not going to be happy about some of the language the EWG has chosen to use in its final report.

The EWG said:

The proposed RDS, while not perfect, reflects carefully crafted and balanced compromises with interdependent elements that should not be separated.

The RDS should be adopted as a whole. Adopting some but not all of the design principles recommended herein undermines benefits for the entire ecosystem.

It’s actually quite an audacious turn of phrase for a working group with no actual authority under ICANN bylaws.

It sounds a bit like “take it or leave it”.

But there’s no chance whatsoever of the report being adopted wholesale.

It’s going into the GNSO process, where the same vested interests (IP, LEA, registry, registrar, civil society) that have kept the debate stagnant for the duration of ICANN’s existence will continue to try (and probably fail) to come to an agreement about how Whois should evolve.

Tagged: , , , , , ,

Comments (9)

  1. JS says:

    good piece Kevin.

    does the report mention costs at all. If everything is centralized as proposed and an outfit like IBM runs it, a lookup for any kind of meanful whois information won’t be free, can it ?

  2. Kevin, I have been busy and have not had an opportunity to read the report, so I appreciate the summary.

    One question I have, and maybe I missed in in parsing… “Who watches the watchmen?” Did you see where the contact made aware of the request, the requestor and scope of lookups they were included in?

    That’s got to be present… it would reduce ‘whois stalkers’ due to the transparency and accountability it would carry.

    This would, for example, help a contact understand that domain registry of america had harvested their contact info for marketing an expensive transfer on a name. Better example might be free speech constraint protection or a political candidate seeing when an opposition lobby looks up their skirt.

    It would seem patently irresponsible to leave such a balancing factor out.

  3. I’ve not read the report yet, but I’m sure that the so-called “experts” ignored the public, who overwhelmingly (in the first set of public comments) saw through ICANN’s attempts to monetize WHOIS, and accurately called it a “cash grab.”

    The Affirmation of Commitments (AoC), section 9.3.1, clearly states:

    ” ICANN additionally commits to enforcing its existing policy relating to WHOIS, subject to applicable laws. Such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information.”

    ICANN is proposing to privatize the WHOIS (in order to ca$h in on access), and to *restrict* data elements from the public, which is contrary to the AoC.

    ICANN couldn’t even run the zone file program in a secure manner, having to take it down, etc. Creating another centralized single point of failure is not a rational option.

  4. theo says:

    i read the entire thing, it is complex.

    It shows how things should be.

    It also tells us that alot of things should be sorted out if this go through.

    This is a start imo.

    ALOT of things will require more input, but it is a start.

    pages 81-89 define a basic baseline when it comes to data protection

  5. Volker Greimann says:

    I am sure that the GNSO will take all the time needed to analyze this proposal and ensure that whatever comes out of the Working Group tasked with turning this into actual policy will be a product of community consensus.

    Where this means only parts of this proposal will survive the process or it will be adopted wholesale will have to be seen.

    At least it is a start to try something different. And that can’t be all bad…

  6. Volker Greimann says:

    I have not had time to read the whole thing, but some things I will expect as minimum requirements under such a system:

    – Developed and maintained independent of ICANN. No glitches, RADAR intrusions, lost links, etc.

    – Data subjects to be informed of when and who looked at what part of their data, and why.

    – Cost neutral to registrants, i.e. paid out of current ICANN fees or by requestors (a subscription model perhaps).

    – Storage outside the US, the UK or France. Ideally in other EU countries than the two mentioned.

    – Access by law enforcement limited exclusively to data subjects in their own jurisdiction.

    – Opt-in to publication of certain data elements, not opt-out.

    – I agree with Mrs. Perrin. The legal contact is nothing a normal registrant would have access to. Turn it into a trustee contact perhaps. Like current whois privacy services?

    – Two strikes and you are out: Like with URS, data access without proper justification should be punished by banning access to the data user.

    – The public email suggestion will have to be looked at as well: Can anyone spell spam-magnet?

  7. Louise says:

    What do the operators of DomainTools have to say?

  8. Bill Stewart says:

    ICANN has always worked for the Trademark Police, not for the Internet users. Occasionally they’ll also do favors for other parts of the Intellectual Property Mafia.

    They’ve been trying to block whois privacy for years, and make sure that anybody who has a dispute about a web site can find the owner’s True Address to serve court papers on, regardless of any issues about freedom of speech.

    If this goes through, it sounds like a private domain registration will cost you an extra $100 a year, or whatever the going rate is these days to register a Delaware Corporation, because corporations don’t have to provide the addresses of real people to do their registration.

  9. Christopher Ambler says:

    When I was at eNom, back in 2005 or so, I proposed a new WHOIS solution. It was called WIRE (I forget how I backed into that acronym) and was a centralized, thick WHOIS registry that could be run by a single entity, had all of the data protection needed, and actually simplified things.

    No political component involved.

    We actually had many registrars interested in implementing it, mostly because it made domain transfers much easier – it contemplated a simple XML-based communication channel between registrars for that purpose.

    It was quickly squashed by the expected special interests for the expected reasons.

    It joined a big, long, list of interesting things I’ve developed that have either been killed or outright stolen.

    But hey, I’m not bitter ;)

    (Okay, maybe I am)

Add Your Comment