Latest news of the domain name industry

Recent Posts

Registrars still not responding to private Whois requests

Kevin Murphy, October 18, 2018, 13:02:14 (UTC), Domain Policy

Registrars are still largely ignoring requests for private Whois data, according to a brand protection company working for Facebook.

AppDetex wrote to ICANN (pdf) last week to say that only 3% of some 9,000 requests it has made recently have resulted in the delivery of full Whois records.

Almost 60% of these requests were completely ignored, the company claimed, and 0.4% resulted in a request for payment.

You may recall that AppDetex back in July filed 500 Whois requests with registrars on behalf of client Facebook, with which it has a close relationship.

Then, only one registrar complied to AppDetex’s satisfaction.

Company general counsel Ben Milam now tells ICANN that more of its customers (presumably, he means not just Facebook) are using its system for automatically generating Whois requests.

He also says that these requests now contain more information, such as a contact name and number, after criticism from registrars that its demands were far too vague.

AppDetex is also no longer demanding reverse-Whois data — a list of domains owned by the same registrant, something not even possible under the old Whois system — and is limiting each of its requests to a single domain, according to Milam’s letter.

Registrars are still refusing to hand over the information, he wrote, with 11.4% of requests creating responses demanding a legal subpoena or UDRP filing.

The company reckons this behavior is in violation of ICANN’s Whois Temporary Specification.

The Temp Spec says registrars “must provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party”.

The ICANN community has not yet come up with a sustainable solution for third-party access to private Whois. It’s likely to be the hottest topic at ICANN 63 in Barcelona, which kicks off this weekend.

Whois records for gTLD domains are of course, post-GDPR, redacted of all personally identifiable information, which irks big brand owners who feel they need it in order to chase cybersquatters.

Tagged: , , , , , , ,

Comments (8)

  1. What a load of crock! The reason they are not getting full whois details in response – and they know that full well, since we told them numerous times – is because their requests are beyond deficient.

    We would be happy to send them the complete details, but the reality is that it is them who do not respond.

    The actual situation looks like this:
    1) The send us dozens of complaints at a time
    2) we respond to each complaint, detailing the steps that they need to take in order to get the details.
    3) Nothing! No response to any single tickets.

    The only way to get any communication going is to contact their staff independently and tell them what we need and then they … don’t make the necessary changes but keep sending complaints.

    If one were to assume bad intentions, one could assume that this entire exercise is not actually intended to get whois details but rather to show that the Temp Spec is not working. Which it actually is, at least in regard to whois data inquiries. At least for requesters who can provide actual legitimate interest and fulfill the legal requirements for data transfer.

    If one were to assume bad intentions, one would call their entire operation a sham. Which I am not – at least not yet…

    • Same over here. They send out requests in bulk and are too lazy to fill out a form. We simply don’t receive any response from them once we have sent them our whois data disclosure form.

      Maybe we should also put out a press release: “Almost 90% of all data disclosure forms are never returned”. Kevin, would you pick that up?

    • Lisa J says:

      Im not sure if its even legal to send personal information of clients to a random phishing robot who refuses to identify himself.

  2. Richard Funden says:

    If only 3% of all registrars respond to their requests, maybe – just maybe – it is their requests that are shitty?

  3. John Berryhill says:

    Having abused access to the personal data of their own users, Facebook is now pitching a tantrum that they are not being supplied with personal data of non-users.

    No one trusts Facebook with personal data, and for good reason. They are not a company that can be trusted to handle it responsibly, as they continue to demonstrate.

  4. Steve Gobin says:

    I haven’t seen AppDetex’s requested submitted on behalf of facebook and it is possible that these requests are questionable.

    However I sometimes have to contact registrars on behalf of my company’s customers and although the requests I sent include all necessary information (who we are, who we represent, what our clients’ prior rights are, why we want the data. To summarize, the same data as what I usually include on a ccTLD operator’s disclosure request form). Unfortunately, it is very seldom that a registrar accepts to disclose the full whois data. Either the request is ignored or I get the typical US response that I should obtain a subpoena if I needed the full data.

Add Your Comment