Latest news of the domain name industry

Recent Posts

Privacy risk under new domain transfer policy

Kevin Murphy, November 30, 2016, Domain Registrars

ICANN’s new domain Transfer Policy, which comes into effect tomorrow, creates risks for users of privacy/proxy services, registrars and others haved warned.

The policy could lead to private registrants having their contact information published in the public Whois for 60 days, the GNSO Council expects to formally tell ICANN this week.

“This could threaten privacy for at-risk registrants without clear benefit,” the Council says in a draft letter to the ICANN board.

The revised Transfer Policy was designed to help prevent domain hijacking.

The main change is that whenever there’s a “change of registrant”, the gaining and losing registrants both have to respond to confirmation emails before the change is processed.

However, “change of registrant” is defined in such a way that the confirmation emails would be triggered even if the registrant has not changed.

For example, if you change your last name in your Whois records due to marriage or divorce, or if you change email addresses, that counts as a change of registrant.

It now turns out that ICANN considers turning a privacy service on or off as a change of registrant, even though that only affects the public Whois data and not the underlying customer data held by the registrar.

The GNSO Council’s draft letter states:

ICANN has advised that any change to the public whois records is considered a change of registrant that is subject to the process defined through IRTP-C. Thus, turning a P/P service on or off is, from ICANN’s view, a change of registrant. It requires the CoR [change of registrant] process to be followed and more importantly could result in a registrant exposing his/her information in the public whois for 60 days. This could threaten privacy for at-risk registrants without clear benefit.

My understanding is that the exposure risk outlined here would only be to registrants who attempt to turn on privacy at their registrar then for whatever reason ignore, do not see or do not understand the subsequent confirmation emails.

Depending on implementation, it could lead to customers paying for a privacy service and not actually receiving privacy.

On the other side of the coin, it’s possible that an actual change in registrant might not trigger the CoR process if both gaining and losing registrants both use the same privacy service and therefore have identical Whois records.

The Council letter also warns about a possible increase in spam due to the changes:

many P/P services regularly generate new email addresses for domains in an effort to reduce spam. This procedure would no longer be possible, and registrants may be subject to unwanted messaging. Implementing the CoR for email changes that some providers do as often as every 3-5 days is not feasible.

ICANN has been aware of these issues for months. Its suggested solution is for registrars to make themselves the “Designated Agent” — a middleman permitted to authorize transfers — for all of their customers.

As we reported earlier this week, many large registrars are already doing this.

But registrars and the GNSO Council want ICANN to consider reinterpreting the new policy to exclude privacy/proxy services until a more formal GNSO policy can be created.

While the Policy Development Process that created the revised transfer rules wound up earlier this year, a separate PDP devoted to creating rules of privacy/proxy services is still active.

The Council suggests that this working group, known as PPSAI, could assume the responsibility of clearing up the mess.

In the meantime, registrars are rather keen that they will not get hit with breach notices by ICANN Compliance for failing to properly implement to what seems to be a complex policy.

Transferring domains gets more complex this week

Kevin Murphy, November 28, 2016, Domain Registrars

A new anti-hijacking domain name transfer policy comes into effect this week at all ICANN-accredited registrars, potentially complicating the process of not only selling domains but also updating your own Whois records.

But many registrars have already rewritten their terms of service to make the new rules as hassle-free as possible (and essentially pointless).

From December 1, the old ICANN Inter-Registrar Transfer Policy starts governing inter-registrant transfers too, becoming simply the Transfer Policy.

Now, when you make updates to your Whois records that appear to suggest new ownership, you’ll have to respond to one or two confirmation emails, text messages or phone calls.

The policy change is the latest output of the interminable IRTP work within ICANN’s GNSO, and is designed to help prevent domain hijacking.

But because the changes are likely to be poorly understood by registrants at the outset, it’s possible some friction could be added to domain transfers.

Under the new Transfer Policy, you will have to respond to confirmation emails if you make any of the following:

  • A change to the Registered Name Holder’s name or organization that does not appear to be merely a typographical correction;
  • Any change to the Registered Name Holder’s name or organization that is accompanied by a change of address or phone number;
  • Any change to the Registered Name Holder’s email address.

While registrars have some leeway to define “typographical correction” in their implementation, the notes to the policy seem to envisage single-character transposition and omission errors.

Registrants changing their last names due to marriage or divorce would apparently trigger the confirmation emails, as would transfers between parent and subsidiary companies.

The policy requires both the gaining and losing registrant to verify the “transfer”, so if the registrant hasn’t actually changed they’ll have to respond to two emails to confirm the desired changes.

Making any of the three changes listed above will also cause the unpopular 60-day transfer lock mechanism — which stops people changing registrars — to trigger, unless the registrant has previously opted out.

Registrars are obliged to advise customers that if the change of registrant is a prelude to an inter-registrar transfer, they’d be better off transferring to the new registrar first.

The new policy is not universally popular even among registrars, where complexity can lead to mistakes and therefore support costs.

Fortunately for them, the Transfer Policy introduces the concept of “Designated Agents” — basically middlemen that can approve registrant changes on your behalf.

Some registrars are taking advantage of this exception to basically make the confirmation aspects of the new policy moot.

Calling the confirmation emails an “unnecessary burden”, EuroDNS said last week that it has unilaterally made itself every customer’s Designated Agent by modifying its terms of service.

Many other registrars, including Tucows/OpenSRS, NameCheap and Name.com appear to be doing exactly the same thing.

In other words, many registrants will not see any changes as a result of the new Transfer Policy.

The truism that there’s no domain name policy that cannot be circumvented with a middleman appears to be holding.

GoDaddy in talks to buy massive registrar Host Europe – report

Kevin Murphy, November 25, 2016, Domain Registrars

GoDaddy is reportedly talking to Host Europe Group, one of Europe’s largest registrars, about an acquisition.

Reuters today reported that the deal, should it go ahead, could be worth as much as $1.8 billion.

GoDaddy has been favored over rival bids from United Internet (owner of United-Domains) and buyout firm Centerbridge, Reuters said.

HEG is the parent company for several registrar brands. Notably, it owns 123-reg and DomainMonster, two of the UK’s largest registrars.

123-reg had over 900,000 gTLD domains on its books at the last count. HEG overall says it manages over seven million domains.

The company was acquired by private equity group Cinven for £438 million ($545 million) in 2013.

It has 1.7 million customers and 1,300 employees spread across eight countries. It primarily operates in the UK and Germany.

HEG had 2015 revenue of €269.8 million ($286.3 million) and made a loss of €55.6 million ($59 million).

For GoDaddy, the acquisition is a chance to shift its revenue mix away from domains and more towards the more profitable hosting market, according to Reuters.

Guess which registrars sell the most gTLDs

Kevin Murphy, October 19, 2016, Domain Registrars

MarkMonitor has become the first accredited registrar to carry over 500 gTLDs.

Inspired by a recent Dynadot press release outlining its passing of the 500-TLD mark, I thought I’d put together a league table of gTLD registrars, ordered by which carries the most.

It will come as little surprise to most that brand protection registrars dominate the top end of the list.

MarkMonitor tops the league, with 504 gTLDs in its stable as of the end of June, up from 499 in May.

It’s closely followed by Ascio and CSC. Indeed, brand-focused registrars occupy many of the top 30 registrars, as you can see from this table.

RegistrargTLDsDUM
MarkMonitor504849,074
Ascio4961,655,320
CSC4871,082,854
101domain487136,412
Com Laude47866,412
Openprovider469234,052
Gandi4651,180,478
Key-Systems463153,603
SafeNames449140,483
Lexsynergy44619,907
Instra443164,189
SafeBrands44029,312
1API440628,558
IP Mirror43943,803
EuroDNS432182,798
OVH4301,961,644
Marcaria.com42729,044
united-domains424652,278
Name.com4181,644,616
eNom41512,108,692
Dynadot413638,676
Tucows4109,782,941
COREhub409217,776
Crazy Domains405631,186
Network Solutions4016,555,354
1&1 Internet4005,845,447
GoDaddy.com39753,948,610
Soluciones Corporativas397128,998
PublicDomainRegistry.com3916,113,121

There’s no real correlation between the number of gTLDs carried and the total domains under management for the registrar.

GoDaddy, with 53 million names, is way down in 28th position, for example.

The list was compiled from the latest gTLD registry reports, which show how many domains were registered to each accredited registrar at the end of June.

The data does not not include ccTLDs, nor does it account for situations where registrars may retail a TLD via a gateway or as a reseller of another registrar.

Registrar accused of pimping prescription penis pills

Kevin Murphy, October 14, 2016, Domain Registrars

ICANN has implicated a Chinese domain name registrar in the online selling of medications, including Viagra and Cialis, without the required prescription.

The organization’s Compliance department filed a contract breach notice with Nanjing Imperiosus, which does business as DomainersChoice.com, today.

The move follows an allegation from pharmacy watchdog LegitScript in the US Congress that DomainersChoice is “rogue internet pharmacy operator”.

Because ICANN has no authority to police online pharmacies, it’s gone after the registrar based on an obscure part of the Registrar Accreditation Agreement.

Section 3.7.7 of the 2013 RAA says that domains must be registered to a third party, unless they’re used by the registrar in the course of providing its registrar services.

According to ICANN, DomainersChoice has refused to provide evidence that many of its domains are not in fact registered to itself and CEO Stefan Hansmann, in violation of this clause.

It cites 5mg-cialis20mg.com, acheterdutadalafil.com, viagra-100mgbestprice.net and 100mgviagralowestprice.net as examples of domains apparently registered to Hansmann and his company.

Historical Whois records show Hansmann and Nanjing Imperiosus as the registrant of these names until recently.

The domains all refer to erectile dysfunction medicines, which are usually only available in the US with a prescription.

A reverse Whois lookup reveals Hansmann’s name in the records for many more pharmaceuticals-related domains, some of which are for more serious medical conditions.

Several of the domains contain the words “without prescription” or similar, where the drug in question requires a prescription in the US.

Some of the domains do not currently resolve or no longer provide current Whois records and others have been recently transferred, but some resolve to apparently active e-commerce sites.

ICANN’s breach notice (pdf) doesn’t allege any illegal activity.

The same cannot be said for LegitScript CEO John Horton, who lumped DomainersChoice in with a few other registrars he believes are operating “illegal online pharmacies”.

Horton testified (pdf) before Congress last month that the registrar was playing host to 2,300 such sites.

The testimony was filed September 14, the same day ICANN began its compliance investigation.

ICANN’s notice, which alleges a handful of other relatively trivial breaches, asks that Hansmann provide a full list of domains registered in his and his company’s name via DomainersChoice.

It also demands evidence that the domains were either used to provide registrar services or were registered to a third party.

It wants all that by November 2, after which it may start to terminate the company’s RAA.