Latest news of the domain name industry

Recent Posts

Big changes at DomainTools as privacy law looms

Kevin Murphy, January 11, 2018, Domain Services

Regular users of DomainTools should expect significant changes to their service, possibly unwelcome, as the impact of incoming European Union privacy law begins to be felt.

Professional users such as domain investors are most likely to be impacted by the changes.

The company hopes to announce how its services will be rejiggered to comply with the General Data Protection Regulation in the next few weeks, probably in February, but CEO Tim Chen spoke to DI yesterday in general terms about the law’s possible impact.

“There will be changes to the levels of service we offer currently, especially to any users of DomainTools that are not enterprises,” Chen said.

GDPR governs how personal data on EU citizens is captured, shared and processed. It deals with issues such as customer consent, the length of time such data may be stored, and the purposes for which it may be processed.

Given that DomainTools’ entire business model is based on capturing domain registrants’ contact information without their explicit consent, then storing, processing and sharing that data indefinitely, it doesn’t take a genius to work out that the new law represents a possibly existential threat.

But while Chen says he’s “very concerned” about GDPR, he expects the use cases of his enterprise customers to be protected.

DomainTools no longer considers itself a Whois company, Chen said, it’s a security services company now. Only about 20% of its revenue now comes from the $99-a-month customers who pay to access services such as reverse Whois and historical Whois queries.

The rest comes from the 500-odd enterprise customers it has, which use the company’s data for purposes such as tracking down network abuse and intellectual property theft.

DomainTools is very much aligned here with the governments and IP lawyers that are pressing ICANN and European data protection authorities to come up with a way Whois data can still be made available for these “legitimate purposes”.

“We’re very focused on our most-important goal of making sure the cyber security and network security use cases for Whois data are represented in the final discussions on how this legislation is really going to land,” he said.

“There needs to be some level of access that is retained for uses that are very consistent with protecting the very constituents that this legislation is trying to protect from a privacy perspective,” he said.

The two big issues pressing on Chen’s mind from a GDPR perspective are the ability of the company to continue to aggregate Whois records from hundreds of TLDs and thousands of registrars, and its ability to continue to provide historical, archived Whois records — the company’s most-popular product after vanilla Whois..

These are both critical for customers responding to security issues or trying to hunt down serial cybersquatters and copyright infringers, Chen said.

“[Customers are] very concerned, because their ability to use this data as part of their incident response is critical, and the removal of the data from that process really does injure their ability to do their jobs,” he said.

How far these use cases will be protected under GDPR is still an open question, one largely to be determined by European DPAs, and DomainTools, like ICANN the rest of the domain industry, is still largely in discussion mode.

“Part of what we need to help DPAs understand is: how long is long enough?” Chen said. “Answering how long this data can be archived is very important.”

ICANN was recently advised by its lawyers to take its case for maintaining Whois in as recognizable form as possible to the DPAs and other European privacy bodies.

And governments, via the Governmental Advisory Committee, recently urged ICANN to continue to permit Whois access for “legitimate purposes”.

DomainTools is in a different position to most of the rest of the industry. In terms of its core service, it’s not a contracted party with ICANN, so perhaps will have to rely on hoping whatever the registries and registrars work out will also apply to its own offerings.

It’s also different in that it has no direct customer relationship with the registrants whose data it processes, nor does it have a contractual relationship with the companies that do have these customer relationships.

This could make the issue of consent — the right of registrant to have a say in how their data is processed and when it is deleted — tricky.

“We’re not in a position to get consent from domain owners to do what we do,” Chen said. “I think where we need to be more thoughtful is whether DomainTools needs to have a process where people can opt out of having their data processed.”

“When I think about consent, it’s not on the way in, because we just don’t have a way to do that, it’s allowing a way out… a mechanism where people can object to their data being processed,” he said.

How DomainTools’ non-enterprise customers and users will be affected should become clear when the company outlines its plans in the coming weeks.

But Chen suggested that most casual users should not see too much impact.

“The ability of anyone who has an interest in using Whois data, who needs it every now and then, for looking up a Whois record of a domain because they want to buy it as a domain investor for example, that should still be very possible after GDPR,” he said.

“I don’t think GDPR is aimed at individual, one-at-a-time use cases for data, I think it’s aimed at scalable abuse of the data for bad purposes,” he said.

“If you’re running a business in domain names and you need to get Whois at significant scale, and you need to evaluate that many domains for some reason, that’s where the impact may be,” he said.

Disclosure: I share a complimentary DomainTools account with several other domain industry bloggers.

Get a free ticket to NamesCon here

Kevin Murphy, January 5, 2018, Domain Services

NamesCon, the annual domain name industry conference, runs in Las Vegas at the end of the month, and DI has five free tickets to give away to readers.

The catch: only people who have never been to NamesCon before are eligible. It’s a strictly n00bs-only giveaway.

NamesCon starts January 28 and runs for three days at the Tropicana Hotel in Las Vegas.

Kicking off the show, in surely one of life’s “together at last” moments, Andrew Allemann of Domain Name Wire will sit down for a live interview with David Ellefson, founder of the metal band Megadeth. It’s probably going to be one of those “you had to be there” experiences.

There’s a strong focus on blockchain and cryptocurrency this year, given the interest many domainers are showing in this area as a new investment opportunity.

But the agenda is made up of the usual mix of industry experts discussing themes such as domain investment, web site development, branding, intellectual property and the like.

There’s even a Women In Domaining Dinner, where women can discuss whether it’s worth investing in .makeup and .horse domains, and a Christian Domainers’ Breakfast, where followers of Our Lord can eat bacon in peace and prevaricate on why greed is definitely not as bad as the Bible unambiguously states it is.

It’s usually a pretty good show with a good turn-out. The networking opportunities alone make it worth a trip.

To claim one of the five complimentary conference passes, simply leave a comment on this blog post stating clearly that you want one, and complete this sentence in 10,000 words or fewer:

I want to spend three nights away from my partner in Las Vegas because…

Use a functioning email address or I won’t be able to send you the ticket details.

The first five people to leave a qualifying comment get a ticket each.

It should go without saying that this ticket only gets you into the conference itself. How you get to Vegas and where you sleep when you get there is your problem.

Again, and I can’t stress this enough, if you’ve been to NamesCon before you’re not eligible for this competition. That’s NamesCon’s rule, not mine, so no arguing.

In the unlikely event that all five tickets have gone by the time you read this post, you may want to check out some of my co-conspirators at other domain community blogs, several of which I gather also have tickets to give away today.

Almost half of ccTLDs may block some Whois data

Kevin Murphy, November 20, 2017, Domain Services

Almost half of ccTLDs are planning to hide parts of Whois results from public view in response to incoming European Union law.

That’s according to a recent informal survey of the members of CENTR, the Council of European National Top Level Domain Registries, detailed in a letter to ICANN (pdf) last week.

According to the survey of 28 ccTLDs, 13 of them (46.4%) said they plan to “hide certain data fields” in response to the requirements of the General Data Protection Regulation.

GDPR forces companies to give EU citizens more rights to control how their data is used, which includes the publication of Whois data.

While the sample size is small, the results are probably indicative of the direction of the industry.

The industry and community is still struggling to reconcile longstanding Whois practices and contractual requirements with the new law, but a consensus seems to be forming that Whois as we know it is not going to survive.

Hiding data fields such as contact information to general Whois users, while making it available to verified law enforcement, may be one part of becoming GDPR-compliant. It’s what two Dutch gTLD registries are already doing.

The CENTR survey also found that smaller numbers of registries are planning to throttle Whois queries and revise their agreements in response to GDPR, which comes into full effect next May.

The survey was carried out in June. Given the speed at which discussions in the community are progressing, I would not be surprised if the same survey carried out today would produce different results.

ICANN chief tells industry to lawyer up as privacy law looms

Kevin Murphy, November 10, 2017, Domain Services

The domain name industry should not rely on ICANN to protect it from incoming EU privacy law.

That’s the strong message that came out of ICANN 60 in Abu Dhabi last week, with the organization’s CEO repeatedly advising companies to seek their own legal advice on compliance with the General Data Protection Regulation.

The organization also said that it will “defer taking action” against any registrar or registry that does not live up its contractual Whois commitments, within certain limits.

“GDPR is a law. I didn’t come up with it, it didn’t come from ICANN policy, it’s the law,” Marby said during ICANN 60 in Abu Dhabi last week.

“This is the first time we’ve seen any legislation that has a direct impact on our ability to make policies,” he said.

GDPR is the EU law governing how companies treat the private information of individuals. While in force now, from May next year companies in any industry found in breach of GDPR could face millions of euros in fines.

For the domain industry, it is expected to force potentially big changes on the current Whois system. The days of all Whois contact information published freely for all to see may well be numbered.

But nobody — not even ICANN — yet knows precisely how registries and registrars are going to be able to comply with the law whilst still publishing Whois data as required by their ICANN contracts.

The latest official line from ICANN is:

At this point, we know that the GDPR will have an impact on open, publicly available WHOIS. We have no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but we don’t know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available.

Marby told ICANNers last week that it might not be definitively known how the law applies until some EU case law has been established in the highest European courts, which could take years.

A GNSO working group and ICANN org have both commissioned legal studies by European law experts. The ICANN one, by Swedish law firm Hamilton, is rather more comprehensive and can be read here (pdf).

Even after this report, Marby said ICANN is still in “discovery” mode.

Marby encouraged the industry to not only submit their questions to ICANN, to be referred on to Hamilton for follow-up studies, but also to share whatever legal advice they have been given and are able to share.

He and others pointed out that Whois is not the only point of friction with GDPR — it’s a privacy law, not a Whois law — so registries and registrars should be studying all of their personal data collection processes for potential conflicts.

Because there is very likely going to be a clash between GDPR compliance and ICANN contract compliance, ICANN has suspended all enforcement actions against Whois violations, within certain parameters.

It said last week that: “ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.”

This is not ICANN saying that registries and registrars can abandon Whois altogether, the statement stresses, but they might be able to adjust their data-handling models.

Domain firms will have to show “a reasonable accommodation of existing contractual obligations and the GDPR” and will have to submit their models to ICANN for review by Hamilton.

ICANN also stressed that registries may have to undergo a Registry Services Evaluation Process review before they can deploy their new model.

The organization has already told two Dutch new gTLD registries that they must submit to an RSEP, after .amsterdam and .frl abruptly stopped publishing Whois data for private registrants recently.

General counsel John Jeffrey wrote to the registries’ lawyer (pdf) to state that an RSEP is required regardless of whether the “new registry service” was introduced to comply with local law.

“One of the underlying purposes of this policy is to ensure that a new registry service does not create and security, stability or competition concerns,” he wrote.

Jeffrey said that while Whois privacy was offered at the registry level, registrars were still publishing full contact details for the same registrants.

ICANN said last week that it will publish more detailed guidance advising registries and registrars how to avoid breach notices will be published “shortly”.

CentralNic and .CLUB reveal premium sales

Kevin Murphy, November 8, 2017, Domain Services

CentralNic and .CLUB Domains have both revealed sales of premium domain names over the last several days.

CentralNic said yesterday that it has sold “a number” of premiums for $3.4 million.

The names are believed to be from its own portfolio, rather than registry-reserved names in any of the TLDs it manages. The company did not disclose which names, in which TLDs, it had sold.

The sale smooths out potential lumpiness in CentralNic’s revenue, and the company noted that the sales means that recurring revenue from its registrar and registry business will become an increasing proportion of its revenue as its premium portfolio diminishes.

Last week, .CLUB announced that it sold $380,793 of premium .club domains in the third quarter. That was spread over 452 domains.

The big-ticket domains were porn.club and basketball.club, sold by the registry for $85,000 together.

The Q3 headline number was a sharp decline from the Q2 spike of $2.7 million, which was boosted by auctions in China.

The company published a lot more data on its sales on its blog, here.