Latest news of the domain name industry

Recent Posts

All Cyrillic .eu domains to be deleted

Eurid has announced that Cyrillic domain names in .eu will be deleted a year from now.

The registry said that it’s doing so to comply with the “no script mixing” recommendations for internationalized domain names, which are designed to limit the risk of homograph phishing attacks.

The deletions will kick in May 31, 2019, and only apply to names that have Cyrillic before the dot and Latin .eu after.

Cyrillic names in Eurid’s Cyrillic ccTLD .ею will not be affected.

The plan has been in place since Eurid adopted the IDNA2008 standard three years ago, but evidently not all registrants have dropped their affected names yet.

Bulgaria is the only EU member state to use Cyrillic in its national language.

How all 33 European ccTLDs are handling GDPR

Kevin Murphy, May 25, 2018, Domain Policy

Happy GDPR Day everyone!

Today’s the day that the European Union’s not-quite-long-enough-awaited General Data Protection Regulation comes into effect, giving registries and registrars the world over the prospect of scary fines if they don’t keep their registrants’ Whois data private.

So I thought today would be the perfect day to summarize what each EU or European Economic Area ccTLD has said they are doing about GDPR as it pertains to Whois.

There are 33 such ccTLDs, arguably, and I’ve checked the public statements and web sites of each to hit the key changes they’ve announced.

Because ccTLDs are not governed by ICANN contracts, they had to figure out GDPR compliance for themselves (though some did take note of ICANN guidance).

So I’ve found there are differing interpretations of key points such as whether it’s kosher to continue to publish contact email addresses, and where the line between “natural persons” (ie humans) and “legal persons” (ie companies and other organizations) should be drawn.

Some have also been quite specific about when they will release private data to third parties with so-called “legitimate purposes”; others are more vague.

Note that some of the 33 do not appear to have published anything about GDPR. It’s possible this is because they didn’t need to make any changes. It’s also possible that I simply could not find the information because I’m rubbish.

I should also note that I did the majority of this research yesterday, so additional statements may have been made in the meantime.

Anyway, here’s the list, in alphabetical order.

Austria (.at)

In Austria, from last week public Whois records only show the domain name and technical information when the domain is owned by natural persons. Company-owned domains are unchanged. Any registrant can opt in to having their data published. Only verified “law enforcement agencies, lawyers or people who contact nic.at following domain disputes and who can prove that their rights have been infringed” are allowed to access full records.

Belgium (.be)

DNS.be has not been publishing personal info of natural person registrants, other than their email address, since 2000. As of last week, email addresses are not being published either. It’s also removed the contact name (though not the organization) for domains owned by legal persons. A web form is available to contact anonymized registrants.

Bulgaria (.bg)

There’s not currently any information on the registry web site to indicate any GDPR-related changes, at least in English, that I could find.

Croatia (.hr)

No info on GDPR to be found here either.

Cyprus (.cy)

Ditto.

Czechia/Czech Republic (.cz)

Nic.cz has new rules (pdf) coming in tomorrow that specify which Whois fields will or may be “hidden”, but the English version of the document is too confusing for me to follow. It appears as if plenty of contact information will be masked, and that the registry will only make it available to those who contact it directly with a good enough reason (and it may charge for access). It may also release historical records to those with legitimate purposes.

Denmark (.dk)

Remarkably, there will be NO CHANGE to Whois in .dk after tomorrow, according to an article published on the registry’s web site today. DIFO, the registry, is subject to a Danish law that makes publication of Whois mandatory so, the company said, “we will continue to publish the information – for the benefit of those who need to know who is behind a given domain name. Regardless of whether it is because you want to protect your brand, investigate a crime, do research or just satisfy your curiosity.” Wow!

European Union (.eu)

Eurid’s current Whois policy (pdf) states that only the email address of natural persons will be published publicly. Registrants get the option from their registrars to have this address anonymized. Private data can be released to those who show they have a legitimate interest in accessing it.

Estonia (.ee)

The Estonian Internet Foundation Council approved its GDPR changes (pdf) back in March. They say that no personal information on natural persons will be published, though it appears there will be a way to get in contact with them via the registry itself.

Finland (.fi)

The Finnish registry, FICORA, is a governmental entity that has published remarkably little about GDPR on its site. Its Whois shows the name of the registrant, even when they’re a natural person. Registrants can also opt in to reveal more information about themselves.

France (.fr)

Afnic didn’t have to do much to comply with RGPD (tut!) as it has been hiding the personal info of natural-person registrants since it started allowing them to register .fr names back in 2006. Likewise, it already has a procedure to enable the likes of trademark owners to get their hands on contact info in the event of a dispute, which involves filling out a form (pdf) and promising to only use the data acquired for the purposes specified.

Germany (.de)

DENIC, Europe’s largest ccTLD registry said a few months back that it would expunge personal data from its public Whois and implement a semi-automated system for requesting full records. It’s also adding two “non-personalized” contact email addresses for general and technical inquiries, which will be managed by the registrar in question.

Greece (.gr)

I couldn’t find any GDPR-related information on the registry web site, but its Whois appears to not output contact details for any registrant anyway.

Hungary (.hu)

Currently outputs “private registrant” as the registrant’s name when they’re a natural person, along with a technical contact email and no other personal information. Legal persons get their full contact info published. It’s not entirely clear how recent this policy is.

Iceland (.is)

Iceland’s ISNIC is one of the ccTLD registries to announce that it will continue to publish registrants’ email addresses, though no other contact info, until it is told to stop. In a somewhat defiant post last month, the registry said that GDPR as applied to Whois “will lead to less transparency in domain registrations and less trust in the domain registration system in general”.

Ireland (.ie)

IEDR will not publish contact information for any registrant, though it will publish their name if they’re a legal person. It will only disclose personal information to law enforcement, under court order, for technical matters, or to help a dispute resolution partner resolve a cybersquatting claim.

Italy (.it)

The current version of Registro.it’s Whois policy, dated September 2016, says it will publish all contact information over port 43 and a subset of some contact info (including phone and email) over the web query tool. There’s no mention I could find on its site of GDPR-related changes, though its 2016 policy acknowledges some might be needed.

Latvia (.lv)

Under its post-GDPR policy (pdf), Nic.lv will not publish any personal info about natural persons in its public Whois, and only law enforcement and the government can request the records. Legal-person registrants continue to have their full contact data published.

Liechtenstein (.li)

Liechtenstein is managed by Switzerland’s SWITCH and appears to have the same policies.

Lithuania (.lt)

DomReg’s new privacy policy (pdf) gives natural persons an opt-in to have their personal data published, but otherwise it will all be private. There’s an email-forwarding option. Lawyers with claims against registrants can pay the registry for the Whois record if the registrant has not responded to their forwarded emails within 15 days.

Luxembourg (.lu)

.lu registry RESTENA Foundation said it will cut all personal information for natural-person registrants and make a web-based form available for contact purposes. There will be an opt-in for those who want their data published at a later date. Legal persons continue to have their data published. The registry will make current and historical records available for those with legit purposes, and will create automated blanket access system for national authorities that require regular access.

Malta (.mt)

NIC(Malta)’s current Whois policy, which is only six months old, allows any registrant to opt out of having their personal data published in Whois, but appears to require than a “Administrative Agent” be appointed to take their place in the public database. There’s no info on its web site about any upcoming changes due to GDPR.

Netherlands (.nl)

SIDN explains in a recent paper (pdf) that it didn’t have to make many changes to its Whois service because personal information was already pretty much redacted. The biggest change appears to be more throttling of Whois queries applied to registrars when they’re querying domains they don’t already sponsor.

Norway (.no)

Norid said this week that it will publish the email address of private individual registrants, and full contact info for companies. It’s also the only European ccTLD I’m aware of to have a third class of registrant, the sole proprietorship, which will also see their organization names and numbers published. There does not appear to be an in-house email anonymization or forwarding service, for which Norid encourages registrants to look elsewhere.

Poland (.pl)

NASK has no GDPR related info on its web site, but its evidently quite old Whois policy states that the private information of individuals is not published.

Portugal (.pt)

DNS.pt has a comprehensive set of documents on its site explaining its pre- and post-GDPR policies. From today, natural-person registrants are given the option to provide their “informed, willing, and express consent” to having their data published. If they don’t give consent, it will be redacted from public records and email addresses may be replaced with an anonymized address. This is not available to legal entities. ARBITRARE, a local arbitration center tasked with handle IP disputes, will be able to have access to full records.

Romania (.ro)

RoTLD said yesterday that it would no longer publish private information of individuals, but that it may release such data to “carefully verified” third parties with legitimate interests. It also encouraged registrants to use non-personally-indentifying email addresses if they wish to have a further degree of privacy.

Slovakia (.sk)

SKNIC, now owned by UK-based CentralNic, has an interesting definition of the type of natural person you have to be to have your data protected — a “natural person non-enterpreneur” — according to its helpfully redlined policy update (pdf), suggesting that offering commercial services might void your right to natural-person status. (UPDATE: SKNIC tells me that “natural person–entrepreneur is a legal definition of a specific version of legal person” in Slovakia). There’s a carve-out that allows the registry to provide private data to third parties with legal claims, or to its cybersquatting dispute handler.

Slovenia (.si)

Register.si said this week that it will shortly publish its post-GDPR privacy policy, but it does not appear to have yet done so.

Spain (.es)

I could find no GDPR-related information on the Dominios.es site.

Sweden (.se)

IIS has not published the private fields of Whois records for natural persons since 2013. From today, it will also redact the contact name and email address from the records of legal-person registrants, as it may be considered “personal” data under the law.

Switzerland (.ch)

I don’t think GDPR actually applies to Switzerland, which is not an EEA member, but the .ch registry, SWITCH, also runs Liechtenstein’s .li, so I’m including it here. SWITCH says on both of its sites that it is required by Swiss law to publish Whois records, though they’re subject to an acceptable use policy that includes throttling. When I attempted to do a single Whois query via the SWITCH site today I was told I had already exceeded my quota. Shrug.

United Kingdom (.uk)

UK registry Nominet has long had a two-tier Whois, where private individuals do not have their contact information published in the public Whois. But as of this week it has started redacting all registrant contact information. It’s also going to be offering a paid-for searchable Whois service and a free data request service with a one-day turnaround.

Domainers not welcome in this Whois database

Inquiries from domain investors are specifically barred under one registry’s take on GDPR compliance.

The Austrian ccTLD registry, nic.at, yesterday stopped publishing the personal information of human registrants in its public Whois database, unless the registrant has opted to have their data public.

The company said it will provide thick Whois records only to “people who provide proof of identity and are able to prove a legitimate interest for finding out who the domain holder is”.

But this specifically excludes people who are trying to buy the domain in question.

“A buying interest or the wish to contact the domain holder is definitely no legitimate interest,” the company said in a statement.

It quotes its head of legal, Barbara Schlossbauer, saying: “I am also not able to investigate a car driver’s address over his license number just because I like his car and want to buy it.”

She said that those able to access records include “law enforcement agencies, lawyers or people who contact nic.at following domain disputes and who can prove that their rights have been infringed”.

While nic.at is bound by GDPR, as a ccTLD registry it is not bound by the new GDPR-compliant Whois policy announced by ICANN overnight, where who will be able to request thick Whois records is still an open question.

Now South Africa looks to second-level domain sales

Kevin Murphy, March 13, 2018, Domain Registries

South Africa looks to be the next country to start letting people register domains directly at the second level of its ccTLD.

Local registry authority ZADNA this week opened a policy consultation on allowing registrants access to direct, second-level .za names.

Currently, if you want a .za you have to register at the third level under the likes of .co.za or .net.za.

But ZADNA says second-level names will help it continue to compete in a market now populated by hundreds of new gTLDs.

The company said it has been “inundated” by calls for such a move.

The policy shift would see South Africa follow the the path beaten in recent years by UK, New Zealand, Kenya and (probably) Australia, which have all changed policy to allow second-level names.

But these things are never without controversy.

Domain investors are typically resistant to such moves, fearing dilution and the possible devaluing of their portfolios.

There are often also intellectual property concerns, and concerns about priority “grandfathering” rights when matching .co.za and .org.za names, for example, have different owners.

ZADNA is floating the possibility of auctions to resolve these kinds of conflicts.

The proposal (pdf) is open for comment until April 16.

Domain universe grows almost 1% in 2017 despite new gTLD slump

Kevin Murphy, February 16, 2018, Domain Registries

The total number of registered domain names in all TLDs was up 0.9% in 2017, despite a third-quarter dip, according to the latest data compiled by Verisign.

The latest Domain Name Industry Brief, published yesterday, shows that there were 332.4 million domains registered at the end of the year.

That’s up by 1.7 million names (0.5%) on the third quarter and up 3.1 million names (0.9%) on 2016.

Growth is growth, but when you consider that 2015-2016 growth was 6.8%, under 1% appears feeble.

The drag factors in 2017 were of course the 2012-round new gTLDs and Verisign’s own .net, offset by increases in .com and ccTLDs.

New gTLD domains were 20.6 million at the end of the year, down by about 500,000 compared to the third quarter and five million names compared to 2016.

As a percentage of overall registrations, new gTLDs dropped from 7.8% at the end of 2016 to 6.2%.

The top 10 new gTLDs now account for under 50% of new gTLD regs for the first time.

The numbers were primarily affected by big declines in high-volume spaces such as .xyz, which caused the domain universe to actually shrink in Q3.

Verisign’s own .com fared better, as usual, with .net suffering a decline.

The year ended with 131.9 million .com names, up by five million names on the year, exactly offsetting the shrinkage in new gTLDs.

But .net ended up with 14.5 million names, a 800,000 drop on 2016.

In the ccTLD world, total regs were up 1.4 million (1%) quarterly and 3.4 million (2.4%) annually.

Excluding wild-card ccTLD .tk, which never deletes domains and for which data for 2017 was not available to Verisign, the growth was a more modest 0.7 million (0.5%) quarterly and 2.3 million (1.8%) annually.

The DNIB report for Q4 2017 can be downloaded here (pdf).