Latest news of the domain name industry

Recent Posts

101domain founder Wolfgang Reile dies at 67

Kevin Murphy, April 14, 2018, Domain Registrars

Wolfgang Reile, founder and former CEO of the registrar 101domain, has died, according to his former business partner and other sources.

He died unexpectedly at 67, April 6, according to Anthony Beltran, who took over the management of 101domain from Reile when Afilias acquired it back in 2015.

Born in Munich, Reile migrated to the US in the early 1990s and founded the registrar in 1999, Beltran said. He told DI:

He was a regular fixture in the ICANN scene, was a fun guy to be around, and was a natural storyteller (once you got used to the authentic German accent)

He was a friend and mentor to many, especially the staff at 101domain, and if you knew him and his straight-forward German fashion — was very opinionated, passionate, and yelling at you only meant he considered you a friend. He brought a passionate and dedicated energy that’s rare these days.

His international business background, including a spell at Disney in Asia, inspired 101domain’s strategy of providing access to the broadest possible range of ccTLDs and gTLDs, Beltran said.

The company currently has close to 140,000 gTLD domains under management and says it has tens of thousands of clients.

After the two men sold 101domain to Afilias, Reile stepped away from the industry to focus on family, travel and other businesses, Beltran said.

He is survived by his wife and three daughters. I gather his funeral will be held in San Diego, California, later today.

ICANN confirms GoDaddy Whois probe

ICANN is looking into claims that GoDaddy is in breach of its registrar accreditation contract.

The organization last week told IP lawyer Brian Winterfeldt that his complaint about the market-leading registrar throttling and censoring Whois queries over port 43 is being looked at by its compliance department.

The brief note (pdf) says that Compliance is “in receipt of the correspondence and will address it under its process”.

Winterfeldt is annoyed that GoDaddy has starting removing contact information from its port 43 Whois responses, in what the company says is an anti-spam measure.

It’s also started throttling port 43 queries, causing no end of problems at companies such as DomainTools.

Winterfeldt wrote last month “nothing in their contract permits GoDaddy to mask data elements, and evidence of illegality must be obtained before GoDaddy is permitted to throttle or deny port 43 Whois access to any particular IP address”.

It’s worth saying that ICANN is not giving any formal credibility to the complaint merely by looking into it.

But while it’s usual for ICANN to publish its responses to correspondence it has received and published, it’s rather less common for it to disclose the existence of a compliance investigation before it has progressed to a formal breach notice.

It could all turn out to be moot anyway, given the damage GDPR is likely to do to Whois across the industry in a matter of weeks.

Registrars will miss GDPR deadline by a mile

Kevin Murphy, March 28, 2018, Domain Registrars

Registries and registrars won’t be able to implement ICANN’s proposed overhaul of the Whois system in time for the EU’s General Data Protection Regulation coming into effect.

That’s according to an estimated timetable (pdf) sent by ICANN’s contracted parties to the organization this week.

While they feel confident that some elements of ICANN’s GDPR compliance plan could be in place before May 25 this year, when the law kicks in, they feel that other elements could take many months to design and roll out.

Depending on the detail of the finalized plan, we could be looking at the back end of 2019 before all the pieces have been put in place.

Crucially, the contracted parties warn that designing and rolling out a temporary method for granting Whois access to entities with legitimate interests in the data, such as police and trademark owners, could take a year.

And that’s just the stop-gap, Band-Aid hack that individual registries and registrars would put in place while waiting — “quarters (or possibly years), rather than months” — for a fully centralized ICANN accreditation solution to be put in place.

The outlook looks bleak for those hoping for uninterrupted Whois access, in other words.

But the timetable lists many other sources of potential delay too.

Even just replacing the registrant’s email address with a web form or anonymized forwarding address could take up to four months to put online, the contracted parties say.

Generally speaking, the more the post-GDPR Whois differs from the current model the longer the contracted parties believe it will take to roll out.

Likewise, the more granular the controls on the data, the longer the implementation window.

For example, if ICANN forces registrars to differentiate between legal and natural persons, or between European and non-European registrants, that’s going to add six months to the implementation time and cost a bomb, the letter says.

Anything that messes with EPP, the protocol underpinning all registry-registrar interactions, will add some serious time to the roll-out too, due to the implementation time and the contractual requirement for a 90-day notice period.

The heaviest workload highlighted in the letter is the proposed opt-in system for registrants (such as domain investors) who wish to waive their privacy rights in favor of making themselves more contactable.

The contracted parties reckon this would take nine months if it’s implemented only at the registrar, or up to 15 months if coordination between registries and registrars is required (and that timeline assumes no new EPP extensions are going to be needed).

It’s possible that the estimates in the letter could be exaggerated as part of the contracted parties’ efforts to pressure ICANN to adopt the kind of post-GDPR Whois they want to see.

But even if we assume that is the case, and even if ICANN were to finalize its compliance model tomorrow, there appears to be little chance that it will be fully implemented at all registrars and registries in time for May 25.

The letter notes that the timetable is an estimate and does not apply to all contracted parties.

As I blogged earlier today, ICANN CEO Goran Marby has this week reached out to data protection authorities across the EU for guidance, in a letter that also asks the DPAs for an enforcement moratorium while the industry and community gets its act together.

Late last year, ICANN also committed not to enforce the Whois elements of its contracts when technical breaches are actually related to GDPR compliance.

Privacy could be a million-dollar business for ICANN

Kevin Murphy, March 22, 2018, Domain Registrars

ICANN has set out the fees it plans to charge to officially accredit Whois proxy and privacy services, in the face of resistance from some registrars.

VP of finance Becky Nash told registrars during a session at ICANN 61 last week that they can expect to pay $3,500 for their initial accreditation and $4,000 per year thereafter.

Those are exactly the same fees as ICANN charges under its regular registrar accreditation program.

Registrars that also offer privacy should expect to see their annual ICANN flat fees double, in other words. Per-domain transaction fees would be unaffected.

The up-front application fee would be reduced $2,000 when the privacy service is to be offered by an accredited registrar, but it would stay at $3,500 if the company offering service is merely “affiliated” with the registrar.

Nash said all the fees have been calculated on a per-accreditation basis, independent of the volume of applications ICANN receives.

Director of registrar services Jennifer Gore said that while ICANN has not baked an estimate of the number of accredited providers into its calculations, registrars have previously estimated the number at between 200 and 250 companies.

That would put the upper end of annual accreditation fees at $1 million, with $875,000 up-front for initial applications.

Volker Greimann, general counsel of the registrar Key-Systems, pointed out during the session that many registrars give away privacy services for free or at cost.

“This just adds cost to an already expensive service that does not really make money for a lot of providers,” he said.

He suggested that the prices could lead to unexpected negative consequences.

“Pricing this in this region will just lead to a lot of unaccredited providers that will switch names every couple months, an underground that we don’t really want,” he said. “We want to have as many people on board as possible and the way to do that is to keep costs low.”

“Pricing them out of the market is not the way to attract providers to join this scheme,” he said.

Nash responded that registrars are forbidden under the incoming privacy/proxy policy from accepting registrations from unaccredited services.

She added that the fees have been calculated on a “cost-recovery” basis. Costs include the initial background checks, outreach, contract admin, compliance, billing and so on.

But some registrars expressed skepticism that the proposed fees could be justified, given that ICANN does not plan to staff up to administer the program.

Another big question is whether proxy/privacy services are going to continue to have value after May this year, when the European Union’s General Data Protection Regulation kicks in.

The current ICANN plan for GDPR compliance would see individual registrants have all of their private information removed from the public Whois.

It’s not currently clear how many people and what kinds of people will continue to have access to unmasked Whois, so there are likely still plenty of cases where individuals might feel they need an extra layer of protection — if they live in a dictatorship and are engaged in rebellious political speech, for example.

There could also be cases where companies wish to mask their details ahead of, say, a product launch.

And, let’s face it, bad actors will continue to want to use privacy services on domains they intend to misuse.

The proxy/privacy policy came up through the formal GNSO Policy Development Process and was approved two years ago. It’s currently in the implementation phase.

According to a presentation from the ICANN 61 session, ICANN hopes to put the final implementation plan out for public comment by the end of the month.

Lawyer: GoDaddy Whois changes a “critical” contract breach

Kevin Murphy, March 13, 2018, Domain Registrars

GoDaddy is in violation of its ICANN registrar contract by throttling access to its Whois database, according to a leading industry lawyer.

Brian Winterfeldt of the Winterfeldt IP Group has written to ICANN to demand its compliance team enforces what he calls a “very serious contractual breach”.

At issue is GoDaddy’s recent practice, introduced in January, of masking key fields of Whois when accessed in an automated fashion over port 43.

The company no longer shows the name, email address or phone number of its registrants over port 43. Web-based Whois, which has CAPTCHA protection, is unaffected.

It’s been presented as an anti-spam measure. In recent years, GoDaddy has been increasingly accused (wrongly) of selling customer details to spammers pitching web hosting and SEO services, whereas in fact those details have been obtained from public Whois.

But many in the industry are livid about the changes.

Back in January, DomainTools CEO Tim Chen told us that, even as a white-listed known quantity, its port 43 access was about 2% of its former levels.

And last week competing registrar Namecheap publicly complained that Whois throttling was hindering inbound transfers from GoDaddy.

Winterfeldt wrote (pdf) that “nothing in their contract permits GoDaddy to mask data elements, and evidence of illegality must be obtained before GoDaddy is permitted to throttle or deny
port 43 Whois access to any particular IP address”, adding:

The GoDaddy whitelist program has created a dire situation where businesses dependent upon unmasked and robust port 43 Whois access are forced to negotiate wholly subjective terms for access, and are fearful of filing complaints with ICANN because they are reticent to publicize any disruption in service, or because they fear retaliation from GoDaddy…

This is a very serious contractual breach, which threatens to undermine the stability and security of the Internet, as well as embolden other registrars to make similar unilateral changes to their own port 43 Whois services. It has persisted for far too long, having been officially implemented on January 25, 2018. The tools our communities use to do our jobs are broken. Cybersecurity teams are flying blind without port 43 Whois data. And illegal activity will proliferate online, all ostensibly in order to protect GoDaddy customers from spam emails. That is completely disproportionate and unacceptable

He did not disclose which client, if any, he was writing on behalf of, presumably due to fear of reprisals.

He added that his initial outreaches to ICANN Compliance have not proved fruitful.

ICANN said last November that it would not prosecute registrar breaches of the Whois provisions of the Registrar Accreditation Agreements, subject to certain limits, as the industry focuses on becoming compliant with the General Data Protection Regulation.

But GoDaddy has told us that the port 43 throttling is unrelated to GDPR and to the compliance waiver.

Masking Whois data, whether over port 43 or not, is likely to soon become a fact of life anyway. ICANN’s current proposal for GDPR compliance would see public Whois records gutted, with only accredited users (such as law enforcement) getting access to full records.