Latest news of the domain name industry

Recent Posts

Almost half of ccTLDs may block some Whois data

Kevin Murphy, November 20, 2017, Domain Services

Almost half of ccTLDs are planning to hide parts of Whois results from public view in response to incoming European Union law.

That’s according to a recent informal survey of the members of CENTR, the Council of European National Top Level Domain Registries, detailed in a letter to ICANN (pdf) last week.

According to the survey of 28 ccTLDs, 13 of them (46.4%) said they plan to “hide certain data fields” in response to the requirements of the General Data Protection Regulation.

GDPR forces companies to give EU citizens more rights to control how their data is used, which includes the publication of Whois data.

While the sample size is small, the results are probably indicative of the direction of the industry.

The industry and community is still struggling to reconcile longstanding Whois practices and contractual requirements with the new law, but a consensus seems to be forming that Whois as we know it is not going to survive.

Hiding data fields such as contact information to general Whois users, while making it available to verified law enforcement, may be one part of becoming GDPR-compliant. It’s what two Dutch gTLD registries are already doing.

The CENTR survey also found that smaller numbers of registries are planning to throttle Whois queries and revise their agreements in response to GDPR, which comes into full effect next May.

The survey was carried out in June. Given the speed at which discussions in the community are progressing, I would not be surprised if the same survey carried out today would produce different results.

ICANN chief tells industry to lawyer up as privacy law looms

Kevin Murphy, November 10, 2017, Domain Services

The domain name industry should not rely on ICANN to protect it from incoming EU privacy law.

That’s the strong message that came out of ICANN 60 in Abu Dhabi last week, with the organization’s CEO repeatedly advising companies to seek their own legal advice on compliance with the General Data Protection Regulation.

The organization also said that it will “defer taking action” against any registrar or registry that does not live up its contractual Whois commitments, within certain limits.

“GDPR is a law. I didn’t come up with it, it didn’t come from ICANN policy, it’s the law,” Marby said during ICANN 60 in Abu Dhabi last week.

“This is the first time we’ve seen any legislation that has a direct impact on our ability to make policies,” he said.

GDPR is the EU law governing how companies treat the private information of individuals. While in force now, from May next year companies in any industry found in breach of GDPR could face millions of euros in fines.

For the domain industry, it is expected to force potentially big changes on the current Whois system. The days of all Whois contact information published freely for all to see may well be numbered.

But nobody — not even ICANN — yet knows precisely how registries and registrars are going to be able to comply with the law whilst still publishing Whois data as required by their ICANN contracts.

The latest official line from ICANN is:

At this point, we know that the GDPR will have an impact on open, publicly available WHOIS. We have no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but we don’t know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available.

Marby told ICANNers last week that it might not be definitively known how the law applies until some EU case law has been established in the highest European courts, which could take years.

A GNSO working group and ICANN org have both commissioned legal studies by European law experts. The ICANN one, by Swedish law firm Hamilton, is rather more comprehensive and can be read here (pdf).

Even after this report, Marby said ICANN is still in “discovery” mode.

Marby encouraged the industry to not only submit their questions to ICANN, to be referred on to Hamilton for follow-up studies, but also to share whatever legal advice they have been given and are able to share.

He and others pointed out that Whois is not the only point of friction with GDPR — it’s a privacy law, not a Whois law — so registries and registrars should be studying all of their personal data collection processes for potential conflicts.

Because there is very likely going to be a clash between GDPR compliance and ICANN contract compliance, ICANN has suspended all enforcement actions against Whois violations, within certain parameters.

It said last week that: “ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.”

This is not ICANN saying that registries and registrars can abandon Whois altogether, the statement stresses, but they might be able to adjust their data-handling models.

Domain firms will have to show “a reasonable accommodation of existing contractual obligations and the GDPR” and will have to submit their models to ICANN for review by Hamilton.

ICANN also stressed that registries may have to undergo a Registry Services Evaluation Process review before they can deploy their new model.

The organization has already told two Dutch new gTLD registries that they must submit to an RSEP, after .amsterdam and .frl abruptly stopped publishing Whois data for private registrants recently.

General counsel John Jeffrey wrote to the registries’ lawyer (pdf) to state that an RSEP is required regardless of whether the “new registry service” was introduced to comply with local law.

“One of the underlying purposes of this policy is to ensure that a new registry service does not create and security, stability or competition concerns,” he wrote.

Jeffrey said that while Whois privacy was offered at the registry level, registrars were still publishing full contact details for the same registrants.

ICANN said last week that it will publish more detailed guidance advising registries and registrars how to avoid breach notices will be published “shortly”.

CentralNic and .CLUB reveal premium sales

Kevin Murphy, November 8, 2017, Domain Services

CentralNic and .CLUB Domains have both revealed sales of premium domain names over the last several days.

CentralNic said yesterday that it has sold “a number” of premiums for $3.4 million.

The names are believed to be from its own portfolio, rather than registry-reserved names in any of the TLDs it manages. The company did not disclose which names, in which TLDs, it had sold.

The sale smooths out potential lumpiness in CentralNic’s revenue, and the company noted that the sales means that recurring revenue from its registrar and registry business will become an increasing proportion of its revenue as its premium portfolio diminishes.

Last week, .CLUB announced that it sold $380,793 of premium .club domains in the third quarter. That was spread over 452 domains.

The big-ticket domains were porn.club and basketball.club, sold by the registry for $85,000 together.

The Q3 headline number was a sharp decline from the Q2 spike of $2.7 million, which was boosted by auctions in China.

The company published a lot more data on its sales on its blog, here.

ICANN reveals $500 million gTLD buyback program

Kevin Murphy, April 1, 2017, Domain Services

ICANN is to spend its half-billion dollar auction war chest on a buyback program for failing new gTLDs, DI can reveal.

Inspired by the “Cash for Clunkers” program that provided stimulus during the economic downturn in the US a decade ago, the new program will see ICANN offer $1 million per gTLD to any registry whose heart simply isn’t in it any more.

The scheme will work rather like a stock buyback, ICANN explained in a 489-page document (PDF).

Registries opting to sell back their gTLDs will see their strings abruptly removed from the DNS root and their contracts torn up and burned on a great big bonfire.

Any domains registered in these gTLDs will stop resolving to parking pages immediately.

“We believe this program offers the most equitable distribution of auction funds and the fairest way to ensure new gTLD program participants see a return on their investment,” ICANN chair Steve Crocker said in a statement.

Portfolio registries including Donuts, Uniregistry, MMX, Radix and XYZ.com are already believed to have expressed an interest in the scheme, and were already forming a disorderly queue outside ICANN’s Los Angeles headquarters last night.

While Verisign also qualifies for the program, much of the funding will be provided by the $130 million it spent at the .web auction.

The company said it welcomed the deal and plans to sell .web back to ICANN as soon as possible. It added that it will cover the $129 million loss by fueling its data center generators with ten-dollar bills, rather than twenties, for the first three weeks of April.

But registrant groups were outraged by the proposal, which will see millions of domain names erased from the internet.

Dr General President Colonel Lucky Mfwamba (Esq), chair of the New gTLD Registrants Association, said he expects the bottom to fall out of the penis enlargement market overnight.

And in China, thousands of domain investors flocked to forums to complain that the randomly generated domains they bought at $0.20 each and hoped to sell to other investors for $0.30 each are suddenly worthless.

Hacked ICANN data for sale on black market

Kevin Murphy, February 22, 2017, Domain Services

If you were a user of ICANN’s Centralized Zone Data Service back in 2014 you may wish to think about changing some passwords today.

ICANN has confirmed that a bunch of user names and hashed passwords that were stolen in November 2014 have turned up for sale on the black market.

The batch reportedly contains credentials for over 8,000 users.

ICANN said yesterday:

ICANN recently became aware that some information obtained in the spear phishing incident we announced in 2014 is being offered for sale on underground forums. Our initial assessment is that it is old data and that no new breach of our systems has occurred. The data accessed in the 2014 incident breach included usernames and hashed passwords for our Centralized Zone Data System (CZDS). Once the theft was discovered, we reset all user passwords, and urged users to do the same for any other accounts where they used the same passwords.

While CZDS users have all presumably already changed their CZDS passwords, if they are still using that same password for a non-CZDS web site they may want to think about changing it.

ICANN first announced the hack back in December 2014.

It said at the time that the Government Advisory Committee’s wiki, and a selection of other less interesting pages, had also been compromised.

The attackers got in after a number of ICANN staffers fell for a spear-phishing attack — a narrowly targeted form of phishing that was specifically aimed at them.

If you email with ICANN staff with any regularity you will have noticed that for the last several months your email subject lines get prefixed [EXTERNAL] before the staffer receives them.

That’s to help avoid this kind of attack being successful again.