Latest news of the domain name industry

Recent Posts

This is how AppDetex works

Kevin Murphy, October 25, 2018, Domain Services

A small brand-protection registrar with a big friend caused quite a stir at ICANN 63 here in Barcelona this week, after accusing registrars for the second time of shirking their duties to disclose private Whois data to trademark owners.

AppDetex, which has close ties to Facebook, has sent something like 9,000 Whois requests to registrars over the last several months, then complained to ICANN last week that it only got a 3% response rate.

Registrars cried foul, saying that the company’s requests are too vague to action and sometimes seem farcical, suggesting an indiscriminate, automated system almost designed to be overly burdensome to them.

In chats with DI this week, AppDetex CEO Faisal Shah, general counsel Ben Milam and consultant Susan Kawaguchi claimed that the system is nowhere near as spammy as registrars think, then showed me a demo of their Whois Requester product that certainly seemed to support that claim.

First off, Whois Requester appears to be only partially automated.

Tucows had noted in a letter to ICANN that it had received requests related to domains including lincolnstainedglass.com and grifflnstafford.com, which contain strings that look a bit like the “Insta” trademark but are clearly not cybersquatting.

“That no human reviewed these domains was obvious, as the above examples are not isolated,” Tucows CEO Elliot Noss wrote.

“It is abundantly clear to us that the requests we received were generated by an automated system,” Blacknight CEO Michele Neylon, who said he had received similarly odd requests, wrote in his own letter.

But, according to AppDetex, these assumptions are not correct.

Only part of its service is automated, they said. Humans — either customers or AppDetex in-house “brand analysts” — were involved in sending out all the Whois requests generated via its system.

AppDetex itself does not generate the lists of domains of concern for its clients, they said. That’s done separately, using unrelated tools, by the clients themselves.

It’s possible these could be generated from zone files, watch services, abuse reports or something else. The usage of the domain, not just its similarity to the trademark in question, would also play a role.

Facebook, for example, could generate its own list of domains that contain strings matching, partially matching, or homographically similar to its trademarks, then manually input those domains into the AppDetex tool.

The product features the ability to upload lists of domains in bulk in a CSV file, but Kawaguchi told me this feature has never been used.

Once a domain has been input to main Whois Requester web form, a port 43 Whois lookup is automatically carried out in the background and the form is populated with data such as registrar name, Whois server, IANA number and abuse email address.

At this point, human intervention appears to be required to visually confirm whether the Whois result has been redacted or not. This might require also going to the registrar’s web-based Whois, as some registrars return different results over port 43 compared to their web sites.

If a redacted record is returned, users can then select the trademark at issue from a drop-down (Whois Requestor stores its’ customers trademark information) and select a “purpose” from a different drop-down.

The “purposes” could include things like “trademark investigation” or “phishing investigation”. Each generates a different piece of pre-written text to be used in the template Whois request.

Users can then choose to generate, manually approve, and send off the Whois request to the relevant registrar abuse address. The request may have a “form of authorization” attached — a legal statement that AppDetex is authorized to ask for the data on behalf of its client.

Replies from registrars are sent to an AppDetex email address and fed into a workflow tool that looks a bit like an email inbox.

As the demo I saw was on the live Whois Requester site with a dummy account, I did not get a view into what happens after the initial request has been sent.

Registrars have complained that AppDetex does not reply to their responses to these initial requests, which is a key reason they believe them frivolous.

Shah and Milam told me that over the last several months, if a registrar reply has included a request for additional information, the Whois Requester system has been updated with a new template for that registrar, and the request resent.

This, they said, may account for duplicate requests registrars have been experiencing, though two registrars I put this to dispute whether it fits with what they’ve been seeing.

The fact that human review is required before requests are sent out “just makes it worse”, they also said.

ICANN 63, Day 0 — registrars bollock DI as Whois debate kicks off

Kevin Murphy, October 21, 2018, Domain Policy

Blameless, cherubic domain industry news blogger Kevin Murphy received a bollocking from registrars over recent coverage of Whois reform yesterday, as he attended the first day of ICANN 63, here in Barcelona.

Meanwhile, the community working group tasked with designing this reform put in a 10-hour shift of face-to-face talks, attempting to craft the language that will, they hope, bring ICANN’s Whois policy into line with European privacy law.

Talks within this Expedited Policy Development Process working group have not progressed a massive amount since I last reported on the state of affairs.

They’re still talking about “purposes”. Basically, trying to write succinct statements that summarize why entities in the domain name ecosystem collect personally identifiable information from registrants.

Knowing why you’re collecting data, and explaining why to your customers, is one of the things you have to do under the General Data Protection Regulation.

Yesterday, the EPDP spent pretty much the entire day arguing over what the “purposes” of ICANN — as opposed to registries, registrars, or anyone else — are.

The group spent the first half of the day trying to agree on language explaining ICANN’s role in coordinating DNS security, and how setting policies concerning third-party access to private Whois data might play a role in that.

The main sticking point was the extent to which these third parties get a mention in the language.

Too little, and the Intellectual Property Constituency complains that their “legitimate interests” are being overlooked; too much, and the Non-Commercial Stakeholders Group cries that ICANN is overstepping its mission by turning itself into a vehicle for trademark enforcement.

The second half of the day was spent dealing with language explaining why collecting personal data helps to establish ownership of domains, which is apparently more complicated than it sounds.

Part of this debate was over whether registrants have “rights” — such as the right to use a domain name they paid for.

GoDaddy policy VP James Bladel spent a while arguing against this legally charged word, again favoring “benefits”, but appeared to eventually back down.

It was also debated whether relatively straightforward stuff such as activating a domain in the DNS by publishing name servers can be classed as the disclosure of personal data.

The group made progress reaching consensus on both sets of purposes, but damn if it wasn’t slow, painful progress.

The EPDP group will present its current state of play at a “High Interest Topic” session on Monday afternoon, but don’t expect to see its Initial Report this week as originally planned. That’s been delayed until next month.

While the EPDP slogs away, there’s a fair bit of back-channel lobbying of ICANN board and management going on.

All the players with a significant vested interest in the outcome are writing letters, conducting surveys, and so on, in order to persuade ICANN that it either does or does not need to create a “unified access model” that would allow some parties to carry on accessing private Whois data more or less the same way as they always have.

One such effort is the one I blogged about on Thursday, shortly before heading off to Barcelona, AppDetex’s claims that registrars have ignored or not sufficiently responded to some 9,000 automated requests for Whois data that its clients (notably Facebook) has spammed them with recently.

Registrars online and in-person gave me a bollocking over the post, which they said was one-sided and not in keeping with DI’s world-renowned record of fairness, impartiality and all-round awesomeness (I’m paraphrasing).

But, yeah, they may have a point.

It turns out the registrars still have serious beef with AppDetex’s bulk Whois requests, even with recent changes that attempt to scale back the volume of data demanded and provide more clarity about the nature of the request.

They suspect that AppDetex is simply trawling through zone files for strings that partially match a handful of Facebook’s trademarks, then spamming out thousands of data requests that fail to specify which trademarks are being infringed and how they are being infringed.

They further claim that AppDetex and its clients do not respond to registrars’ replies, suggesting that perhaps the aim of the game here is to gather data not about the owner of domains but about registrars’ alleged non-compliance with policy, thereby propping up the urgent case for a unified access mechanism.

AppDetex, in its defence, has been telling registrars on their private mailing list that it wants to carry on working with them to refine its notices.

The IP crowd and registrars are not the only ones fighting in the corridors, though.

The NCSG also last week shot off a strongly worded missive to ICANN, alleging that the organization has thrown in with the IP lobby, making a unified Whois access service look like a fait accompli, regardless of the outcome of the EPDP. ICANN has denied this.

Meanwhile, cybersecurity interests have also shot ICANN the results of a survey, saying they believe internet security is suffering in the wake of ICANN’s response to GDPR.

I’m going to get to both of these sets of correspondence in later posts, so please don’t give me a corridor bollocking for giving them short shrift here.

UPDATE: Minutes after posting this article, I obtained a letter Tucows has sent to ICANN, ripping into AppDetex’s “outrageous” campaign.

Tucows complains that it is being asked, in effect, to act as quality control for AppDetex’s work-in-progress software, and says the volume of spurious requests being generated would be enough for it ban AppDetex as a “vexatious reporter”.

AppDetex’s system apparently thinks “grifflnstafford.com” infringes on Facebook’s “Insta” trademark.

UPDATE 2: Fellow registrar Blacknight has also written to ICANN today to denounce AppDetex’s strategy, saying the “automated” requests it has been sending out are “not sincere”.

Registrars still not responding to private Whois requests

Kevin Murphy, October 18, 2018, Domain Policy

Registrars are still largely ignoring requests for private Whois data, according to a brand protection company working for Facebook.

AppDetex wrote to ICANN (pdf) last week to say that only 3% of some 9,000 requests it has made recently have resulted in the delivery of full Whois records.

Almost 60% of these requests were completely ignored, the company claimed, and 0.4% resulted in a request for payment.

You may recall that AppDetex back in July filed 500 Whois requests with registrars on behalf of client Facebook, with which it has a close relationship.

Then, only one registrar complied to AppDetex’s satisfaction.

Company general counsel Ben Milam now tells ICANN that more of its customers (presumably, he means not just Facebook) are using its system for automatically generating Whois requests.

He also says that these requests now contain more information, such as a contact name and number, after criticism from registrars that its demands were far too vague.

AppDetex is also no longer demanding reverse-Whois data — a list of domains owned by the same registrant, something not even possible under the old Whois system — and is limiting each of its requests to a single domain, according to Milam’s letter.

Registrars are still refusing to hand over the information, he wrote, with 11.4% of requests creating responses demanding a legal subpoena or UDRP filing.

The company reckons this behavior is in violation of ICANN’s Whois Temporary Specification.

The Temp Spec says registrars “must provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party”.

The ICANN community has not yet come up with a sustainable solution for third-party access to private Whois. It’s likely to be the hottest topic at ICANN 63 in Barcelona, which kicks off this weekend.

Whois records for gTLD domains are of course, post-GDPR, redacted of all personally identifiable information, which irks big brand owners who feel they need it in order to chase cybersquatters.

Facebook clashes with registrars after massive private data request

Kevin Murphy, July 26, 2018, Domain Policy

Facebook is on the warpath, testing the limits of personal data disclosure in the post-GDPR world.

Via an intermediary called AppDetex, the company recently filed 500 requests for non-public Whois contact information with various registrars, covering potentially thousands of domains, and is now complaining to ICANN that almost all of the replies it received were “non-responsive”.

DI has learned that Facebook is not only asking registrars for Whois data on specific domains it believes infringe its trademarks, however. It’s also asking them to provide complete lists of domains owned by the same registrant, along with the Whois data for those domains, something registrars have never been obliged to provide, even pre-GDPR.

It’s now pissed that almost all of its requests were blown off, with registrars giving various reasons they could not provide the data.

AppDetex is a brand protection services firm and ICANN-accredited registrar. It’s built an automated system for generating Whois disclosure requests and sending them to registrars.

Ben Milam, its general counsel, wrote to ICANN last week to urge the organization to come up with, and more importantly enforce, a framework for brand owners to request private Whois data.

The company has stopped short of filing formal complaints against the registrars with ICANN’s compliance division, but Milam said it will in future:

we do plan to file complaints in the future, but not until ICANN has (i) established proper disclosure guidelines for non-public WHOIS requests for the registrar base to follow, and (ii) implemented an enforcement process that will ensure that brand holder requests are being satisfied.

The letter says that only one registrar responded adequately, to three of its disclosure requests. That was FBS Inc, which I believe is Turkey’s largest registrar. Turkey is not in the EU.

One registrar on Facebook’s naughty list is Ireland-based Blacknight Solutions, which received three disclosure requests but did not provide AppDetex with the information it wanted.

Blacknight CEO Michele Neylon shared a copy of one of these requests, which he said was received via email July 2, with DI.

In my view, the request is clearly automated, giving the registrar a deadline to respond 48 hours in the future accurate to the second. It cites five Facebook trademarks — Facebook, FB, Instagram, Oculous and WhatsApp.

At Blacknight’s request, I won’t disclose the domain here, but it begins with the string “insta”. At first glance it’s not an clear-cut case of cybersquatting the Instagram trademark. It’s currently parked, displaying ad links unrelated to Instagram.

The email asks the registrar to turn over the full non-public Whois contact information for the registrant, technical contact and administrative contact, but it goes on to also ask for:

4. All other domain names registered under this registrant’s account or email address

5. All information in requests 1, 2, and 3 for all domains provided in response to request 4

This would increase the volume of Whois records requested by Facebook from 500 to, very probably, thousands.

This reverse-Whois data was not previously available via vanilla registrar-provided Whois, though it may be under successor protocol RDAP. Brand owners would have to use a commercial third-party service such as DomainTools in order to connect a registrant to the rest of his portfolio.

It’s debatable whether registrars will be obliged to provide this reverse-Whois capability on non-public data to brand owners even after RDAP becomes the norm.

The request says Facebook needs the data in order “to investigate and prevent intellectual property infringement and contact infringing parties and relevant service providers” and “to facilitate legal action against the registrant”.

Facebook says it’s entitled to the data under Article 6(1)(f) of the GDPR as it’s “necessary for the purposes of our legitimate interests, namely (1) identifying the registered holder of a domain name and their contact information to investigate and respond to potential trademark infringement and (2) enforcing legal claims.”

Currently, registrars are governed by ICANN’s Temporary Specification for Whois, a GDPR-related Band-Aid designed to last until the ICANN community can create a formal policy.

Access to non-public Whois data is governed by section 4 of the Temp Spec, which reads in part:

Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.

In the absence of a formal ICANN policy, legal precedent, or specific guidance from data protection authorities, it’s not abundantly clear how registrars are supposed to comply with this clause of the spec, which may explain why Facebook is getting different responses from different registrars.

Neylon said that Blacknight responded to the disclosure requests by asking Facebook to produce an Irish court order.

He said the requests were overly broad, did not provide any contact information for the requester, did not provide a specific complaint against the registrants, and did not specify what privacy safeguards Facebook planned to subject the data to once it was handed over.

It seems Blacknight was not alone. According to AppDetex’s letter to ICANN, at least six other registrars replied denying the requests and saying:

complainant (Facebook) must utilize legal process of a subpoena or court order; complainant must file a UDRP action; complainant must file an action with WIPO; complainant must contact WIPO; and/or complainant’s request has been forwarded to the domain owner.

Milam said (pdf) that he expects the volume of requests to increase and that registrars’ responses will be forwarded to ICANN Compliance to help create a normalized framework for dealing with such requests.