Latest news of the domain name industry

Recent Posts

Afilias sues India to block $12 million Neustar back-end deal

Kevin Murphy, August 27, 2018, Domain Registries

Afilias has sued the Indian government to prevent it awarding the .in ccTLD back-end registry contract to fierce rival Neustar.

The news emerged in local reports over the weekend and appears to be corroborated by published court documents.

According to Moneycontrol, the National Internet Exchange of India plans to award the technical service provider contract to Neustar, after over a decade under Afilias, but Afilias wants the deal blocked.

The contract would also include some 15 current internationalized domain name ccTLDs, with another seven on the way, in addition to .in.

That’s something Afilias reckons Neustar is not technically capable of, according to reports.

Afilias’ lawsuit reportedly alleges that Neustar “has no experience or technical capability to manage and support IDNs in Indian languages and scripts and neither does it claim to have prior experience in Indian languages”.

Neustar runs plenty of IDN TLDs for its dot-brand customers, but none of them appear to be in Indian scripts.

NIXI’s February request for proposals (pdf) contains the requirement: “Support of IDN TLDs in all twenty two scheduled Indian languages and Indian scripts”.

I suppose it’s debatable what this means. Actual, hands-on, operational experience running Indian-script TLDs at scale would be a hell of a requirement to put in an RFP, essentially locking Afilias into the contract for years to come.

Only Verisign and Public Interest Registry currently run delegated gTLDs that use officially recognized Indian scripts, according to my database. And those TLDs — such as Verisign’s .कॉम (the Devanagari .com) — are basically unused.

Neither Neustar nor Afilias have responded to DI’s requests for comment today.

.in has over 2.2 million domains under management, according to NIXI.

Neustar’s Indian subsidiary undercut its rival with a $0.70 per-domain-year offer, $0.40 cheaper than Afilias’ $1.10, according to Moneycontrol.

That would make the deal worth north of $12 million over five years for Afilias and over $7.7 million for Neustar.

One can’t help but be reminded of the two companies’ battle over Australia’s .au, which Afilias sneaked out from under long-time incumbent Neustar late last year.

That handover, the largest in DNS history, was completed relatively smoothly a couple months ago.

Chaotic scenes as ‘Grumpies’ lose auDA board fight

Three directors of .au registry auDA managed to keep their seats on the board despite losing the “popular vote” of members late last week.

The vote happened at the conclusion of an occasionally chaotic three-hour meeting that saw former AusRegistry chief Adrian Kinderis kicked out of the room barely a minute into proceedings.

The results in each of the three votes to fire directors Suzanne Ewart, Sandra Hook and chair Chris Leptos were 57 or 58 in favor and 51 or 52 against, which would have been a narrow win for the so-called “Grumpies” who originally called for the sackings.

However, auDA rules require, Leptos said, a simple majority of both “Supply” and “Demand” classes of members, and the Supply class (ie, registrars) voted against the motions by 30 to 2 or 31 to 1.

Therefore, all three directors get to keep their jobs.

auDA noted in a statement that a greater proportion of Supply class members (the substantially smaller constituency) turned out to vote compared to Demand class, adding:

It is time now for all members to get behind the reform of auDA as demanded by the federal government.

auDA is not the plaything of a small group of self-interested parties.

It can no longer be run as a club type organisation with a small membership who wield undue influence.

A “club type organization” was pretty much what came across during the meeting, which was audio-only webcast Friday morning. ICANN, auDA ain’t.

I was left with the impression of something a bit like Nominet circa 2010 or my first ICANN meeting back in 1999. Not so much herding cats, as [RACIST JOKE ALERT] herding wallabies.

At times it felt like an ICANN Public Forum, with an infinite number of Paul Foodys lining up at the mic.

At the same time, the meeting was chaired by somebody who, despite never losing his cool, seemed set on limiting criticism from members to the greatest extent possible.

There was controversy from the very outset, with the former CEO of former .au back-end provider AusRegistry (now part of Neustar) getting kicked out in the opening minute.

Kinderis, who no longer works for Neustar and has vowed publicly to be a thorn in auDA’s side, said he was “unlawfully removed” from the meeting by venue security, at the instruction of Leptos.

Leptos disputed Kinderis’ claim that he was there as a proxy for a legit member and said he believed he had acted “entirely appropriately” in ordering his removal.

There was no suggestion of physical force being used. His exit was recorded by chief Grumpy Josh Rowe, who then posted a brief video to Twitter.

Leptos then threatened to throw out fellow Grumpy Jim Stewart, who was protesting Kinderis’ removal, before warning non-member attendees that they would not be permitted to ask questions.

Forty-five minutes later, he repeatedly threatened to kick out Stewart for live-streaming video of the meeting from his phone, having apparently received complaints from other members.

Fifteen minutes later, the threats returned after Stewart and another member attempted to engage Leptos in an argument about auDA’s member recruitment policy.

The words “take a seat Mr…” were a recurring meme throughout the meeting.

The original reasons for the call for the directors to be fired were myriad, ranging from lack of transparency to projects such as the Neustar-Afilias registry transition and auDA’s desire to start selling direct second-level .au domains.

But the bulk of the meeting was taken up with discussions, and attempted discussions, about auDA’s recent membership spike.

The Grumpies have audited the new member list — which has grown from 300-odd to 1,345 in just a few weeks — and found that the vast majority of new members are employees of just three registrars and one registry (Afilias, the new back-end).

They reckon these new members, many of whom do not live in Australia, represent an attempt by auDA leadership to capture the voting community, and that foreigners are not technically members of the “Australian internet community” that auDA is supposed to represent.

Leptos responded to such criticisms by saying that employees of Australia-focused registrars are indeed members of the Australian internet community, regardless of their country of residence.

He added that auDA is under the instruction of the Australian government to diversify its membership — he said that registrars have no board representation currently — and that the recently added members are a first step on that path.

The Grumpies had shortly before the meeting started making accusations that the membership influx amounts to “potential cartel behaviour”.

Leptos addressed this directly during the meeting, saying they had “accused the CEO of criminal conduct” and categorically denying any wrongdoing.

auDA later issued a statement saying:

This is a very serious allegation to have been made and auDA strongly disagrees that by encouraging others to join the auDA membership, or by approving membership applications which satisfy its constitutional requirements, auDA or its officers have engaged in cartel behaviour or otherwise acted improperly.

All Cyrillic .eu domains to be deleted

Eurid has announced that Cyrillic domain names in .eu will be deleted a year from now.

The registry said that it’s doing so to comply with the “no script mixing” recommendations for internationalized domain names, which are designed to limit the risk of homograph phishing attacks.

The deletions will kick in May 31, 2019, and only apply to names that have Cyrillic before the dot and Latin .eu after.

Cyrillic names in Eurid’s Cyrillic ccTLD .ею will not be affected.

The plan has been in place since Eurid adopted the IDNA2008 standard three years ago, but evidently not all registrants have dropped their affected names yet.

Bulgaria is the only EU member state to use Cyrillic in its national language.

How all 33 European ccTLDs are handling GDPR

Kevin Murphy, May 25, 2018, Domain Policy

Happy GDPR Day everyone!

Today’s the day that the European Union’s not-quite-long-enough-awaited General Data Protection Regulation comes into effect, giving registries and registrars the world over the prospect of scary fines if they don’t keep their registrants’ Whois data private.

So I thought today would be the perfect day to summarize what each EU or European Economic Area ccTLD has said they are doing about GDPR as it pertains to Whois.

There are 33 such ccTLDs, arguably, and I’ve checked the public statements and web sites of each to hit the key changes they’ve announced.

Because ccTLDs are not governed by ICANN contracts, they had to figure out GDPR compliance for themselves (though some did take note of ICANN guidance).

So I’ve found there are differing interpretations of key points such as whether it’s kosher to continue to publish contact email addresses, and where the line between “natural persons” (ie humans) and “legal persons” (ie companies and other organizations) should be drawn.

Some have also been quite specific about when they will release private data to third parties with so-called “legitimate purposes”; others are more vague.

Note that some of the 33 do not appear to have published anything about GDPR. It’s possible this is because they didn’t need to make any changes. It’s also possible that I simply could not find the information because I’m rubbish.

I should also note that I did the majority of this research yesterday, so additional statements may have been made in the meantime.

Anyway, here’s the list, in alphabetical order.

Austria (.at)

In Austria, from last week public Whois records only show the domain name and technical information when the domain is owned by natural persons. Company-owned domains are unchanged. Any registrant can opt in to having their data published. Only verified “law enforcement agencies, lawyers or people who contact nic.at following domain disputes and who can prove that their rights have been infringed” are allowed to access full records.

Belgium (.be)

DNS.be has not been publishing personal info of natural person registrants, other than their email address, since 2000. As of last week, email addresses are not being published either. It’s also removed the contact name (though not the organization) for domains owned by legal persons. A web form is available to contact anonymized registrants.

Bulgaria (.bg)

There’s not currently any information on the registry web site to indicate any GDPR-related changes, at least in English, that I could find.

Croatia (.hr)

No info on GDPR to be found here either.

Cyprus (.cy)

Ditto.

Czechia/Czech Republic (.cz)

Nic.cz has new rules (pdf) coming in tomorrow that specify which Whois fields will or may be “hidden”, but the English version of the document is too confusing for me to follow. It appears as if plenty of contact information will be masked, and that the registry will only make it available to those who contact it directly with a good enough reason (and it may charge for access). It may also release historical records to those with legitimate purposes.

Denmark (.dk)

Remarkably, there will be NO CHANGE to Whois in .dk after tomorrow, according to an article published on the registry’s web site today. DIFO, the registry, is subject to a Danish law that makes publication of Whois mandatory so, the company said, “we will continue to publish the information – for the benefit of those who need to know who is behind a given domain name. Regardless of whether it is because you want to protect your brand, investigate a crime, do research or just satisfy your curiosity.” Wow!

European Union (.eu)

Eurid’s current Whois policy (pdf) states that only the email address of natural persons will be published publicly. Registrants get the option from their registrars to have this address anonymized. Private data can be released to those who show they have a legitimate interest in accessing it.

Estonia (.ee)

The Estonian Internet Foundation Council approved its GDPR changes (pdf) back in March. They say that no personal information on natural persons will be published, though it appears there will be a way to get in contact with them via the registry itself.

Finland (.fi)

The Finnish registry, FICORA, is a governmental entity that has published remarkably little about GDPR on its site. Its Whois shows the name of the registrant, even when they’re a natural person. Registrants can also opt in to reveal more information about themselves.

France (.fr)

Afnic didn’t have to do much to comply with RGPD (tut!) as it has been hiding the personal info of natural-person registrants since it started allowing them to register .fr names back in 2006. Likewise, it already has a procedure to enable the likes of trademark owners to get their hands on contact info in the event of a dispute, which involves filling out a form (pdf) and promising to only use the data acquired for the purposes specified.

Germany (.de)

DENIC, Europe’s largest ccTLD registry said a few months back that it would expunge personal data from its public Whois and implement a semi-automated system for requesting full records. It’s also adding two “non-personalized” contact email addresses for general and technical inquiries, which will be managed by the registrar in question.

Greece (.gr)

I couldn’t find any GDPR-related information on the registry web site, but its Whois appears to not output contact details for any registrant anyway.

Hungary (.hu)

Currently outputs “private registrant” as the registrant’s name when they’re a natural person, along with a technical contact email and no other personal information. Legal persons get their full contact info published. It’s not entirely clear how recent this policy is.

Iceland (.is)

Iceland’s ISNIC is one of the ccTLD registries to announce that it will continue to publish registrants’ email addresses, though no other contact info, until it is told to stop. In a somewhat defiant post last month, the registry said that GDPR as applied to Whois “will lead to less transparency in domain registrations and less trust in the domain registration system in general”.

Ireland (.ie)

IEDR will not publish contact information for any registrant, though it will publish their name if they’re a legal person. It will only disclose personal information to law enforcement, under court order, for technical matters, or to help a dispute resolution partner resolve a cybersquatting claim.

Italy (.it)

The current version of Registro.it’s Whois policy, dated September 2016, says it will publish all contact information over port 43 and a subset of some contact info (including phone and email) over the web query tool. There’s no mention I could find on its site of GDPR-related changes, though its 2016 policy acknowledges some might be needed.

Latvia (.lv)

Under its post-GDPR policy (pdf), Nic.lv will not publish any personal info about natural persons in its public Whois, and only law enforcement and the government can request the records. Legal-person registrants continue to have their full contact data published.

Liechtenstein (.li)

Liechtenstein is managed by Switzerland’s SWITCH and appears to have the same policies.

Lithuania (.lt)

DomReg’s new privacy policy (pdf) gives natural persons an opt-in to have their personal data published, but otherwise it will all be private. There’s an email-forwarding option. Lawyers with claims against registrants can pay the registry for the Whois record if the registrant has not responded to their forwarded emails within 15 days.

Luxembourg (.lu)

.lu registry RESTENA Foundation said it will cut all personal information for natural-person registrants and make a web-based form available for contact purposes. There will be an opt-in for those who want their data published at a later date. Legal persons continue to have their data published. The registry will make current and historical records available for those with legit purposes, and will create automated blanket access system for national authorities that require regular access.

Malta (.mt)

NIC(Malta)’s current Whois policy, which is only six months old, allows any registrant to opt out of having their personal data published in Whois, but appears to require than a “Administrative Agent” be appointed to take their place in the public database. There’s no info on its web site about any upcoming changes due to GDPR.

Netherlands (.nl)

SIDN explains in a recent paper (pdf) that it didn’t have to make many changes to its Whois service because personal information was already pretty much redacted. The biggest change appears to be more throttling of Whois queries applied to registrars when they’re querying domains they don’t already sponsor.

Norway (.no)

Norid said this week that it will publish the email address of private individual registrants, and full contact info for companies. It’s also the only European ccTLD I’m aware of to have a third class of registrant, the sole proprietorship, which will also see their organization names and numbers published. There does not appear to be an in-house email anonymization or forwarding service, for which Norid encourages registrants to look elsewhere.

Poland (.pl)

NASK has no GDPR related info on its web site, but its evidently quite old Whois policy states that the private information of individuals is not published.

Portugal (.pt)

DNS.pt has a comprehensive set of documents on its site explaining its pre- and post-GDPR policies. From today, natural-person registrants are given the option to provide their “informed, willing, and express consent” to having their data published. If they don’t give consent, it will be redacted from public records and email addresses may be replaced with an anonymized address. This is not available to legal entities. ARBITRARE, a local arbitration center tasked with handle IP disputes, will be able to have access to full records.

Romania (.ro)

RoTLD said yesterday that it would no longer publish private information of individuals, but that it may release such data to “carefully verified” third parties with legitimate interests. It also encouraged registrants to use non-personally-indentifying email addresses if they wish to have a further degree of privacy.

Slovakia (.sk)

SKNIC, now owned by UK-based CentralNic, has an interesting definition of the type of natural person you have to be to have your data protected — a “natural person non-enterpreneur” — according to its helpfully redlined policy update (pdf), suggesting that offering commercial services might void your right to natural-person status. (UPDATE: SKNIC tells me that “natural person–entrepreneur is a legal definition of a specific version of legal person” in Slovakia). There’s a carve-out that allows the registry to provide private data to third parties with legal claims, or to its cybersquatting dispute handler.

Slovenia (.si)

Register.si said this week that it will shortly publish its post-GDPR privacy policy, but it does not appear to have yet done so.

Spain (.es)

I could find no GDPR-related information on the Dominios.es site.

Sweden (.se)

IIS has not published the private fields of Whois records for natural persons since 2013. From today, it will also redact the contact name and email address from the records of legal-person registrants, as it may be considered “personal” data under the law.

Switzerland (.ch)

I don’t think GDPR actually applies to Switzerland, which is not an EEA member, but the .ch registry, SWITCH, also runs Liechtenstein’s .li, so I’m including it here. SWITCH says on both of its sites that it is required by Swiss law to publish Whois records, though they’re subject to an acceptable use policy that includes throttling. When I attempted to do a single Whois query via the SWITCH site today I was told I had already exceeded my quota. Shrug.

United Kingdom (.uk)

UK registry Nominet has long had a two-tier Whois, where private individuals do not have their contact information published in the public Whois. But as of this week it has started redacting all registrant contact information. It’s also going to be offering a paid-for searchable Whois service and a free data request service with a one-day turnaround.

Domainers not welcome in this Whois database

Inquiries from domain investors are specifically barred under one registry’s take on GDPR compliance.

The Austrian ccTLD registry, nic.at, yesterday stopped publishing the personal information of human registrants in its public Whois database, unless the registrant has opted to have their data public.

The company said it will provide thick Whois records only to “people who provide proof of identity and are able to prove a legitimate interest for finding out who the domain holder is”.

But this specifically excludes people who are trying to buy the domain in question.

“A buying interest or the wish to contact the domain holder is definitely no legitimate interest,” the company said in a statement.

It quotes its head of legal, Barbara Schlossbauer, saying: “I am also not able to investigate a car driver’s address over his license number just because I like his car and want to buy it.”

She said that those able to access records include “law enforcement agencies, lawyers or people who contact nic.at following domain disputes and who can prove that their rights have been infringed”.

While nic.at is bound by GDPR, as a ccTLD registry it is not bound by the new GDPR-compliant Whois policy announced by ICANN overnight, where who will be able to request thick Whois records is still an open question.