Recent Posts
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
- ICANN threatens to regulate your speech [RANT]
- Life insurance company kills dot-brand
- ICANN finds new home for Lebanon’s TLD after founder’s death
- ICANN begs people to use its new Whois service
- Shiba Inu outs itself as crypto new gTLD applicant
- Over 50,000 .ai domains sold in three months
- Amazon planning new push into registrar market?
- Registries and registrars vote ‘Yes’ to new DNS abuse rules
- ICANN predicts flattish 2025 for domain industry
- Fast-growing Gname buys another 150 registrars
- GoDaddy service to let you block domains in over 650 TLDs
- Did I find a murder weapon in a zone file?
- ICANN drops the “man” from Ombudsman
- Have your say on police domain takedown powers
- Most registrars are shunning ICANN’s new Whois system
- Nominet to take over .gov.uk
- ICANN picks Istanbul for 2024 meeting
- ICANN’s private Whois data request service goes live
- .au regs slide on 2LD anniversary
- ICANN accused of power grab over $271 million auction fund
- A registrar is getting blamed for an Israeli war propaganda site
- Two more dot-brands bite the dust
- Google sells five-figure AI domain and six-figure .ing hack
- .blackfriday is still a bit rubbish
- Internet Naming Co acquires five more gTLDs
Revenue dips as Brexit whacks .eu in 2018
.eu saw its registrations sink substantially in 2018, largely due to Brexit, which affected its revenue and profit.
Registry EURid said yesterday that it was managing 3,684,750 .eu domains at the end of the year, down by 130,305 over the year.
It’s .eu’s lowest end-of-year domain count since 2012.
The UK, which voted to leave the EU in 2016 but has yet to follow through, sank from the fourth-largest .eu country to the sixth, now behind less populous countries Poland and Italy.
EURid and the UK government have warned UK-based registrants that they stand to lose their domains after Brexit is actually executed (if it ever is)
As Brits abandoned their .eu names by the tens of thousands, EURid also suspended over 36,000 domains for abuse, which affected its annual total.
The decline hit EURid’s revenue, which was down to €12.7 million, from €13.3 million in 2017. Profit was down from €1.7 million, from €2 million.
The data was published in the registry’s annual report (pdf), published yesterday.
Brexit blamed as .eu hits six-year low
EURid’s .eu top-level domain has hit a six-year low in terms of total registrations, and Brexit is to blame.
The registry has just announced that it had 3,684,750 domains under management at the end of 2018, down 63,129 domains compared to the 3,747,879 it had at the end of September.
That’s the lowest end-of-quarter number since September 2012, when it had 3,665,525 domains.
EURid said in a statement that the decline can be attributed to its “ramped up efforts towards tackling domain name abuse” and “uncertainty surrounding Brexit”.
The registry recently announced that UK-based .eu registrants can expect to lose their names by May, should the country crash out of the EU with no transition deal on March 29.
EU citizens living in the UK could also risk having their names temporarily suspended.
The number of .eu domains registered to the UK addresses dropped from 273,060 at the end of Q3 to 240,887 at the end of Q4, a 32,173 decline.
EURid said it also suspended 36,520 domains for abuse during the period.
Factoring out both of these drops, registrations would have otherwise been up by about 5,000.
Brexit won’t just affect Brits, .eu registry says
European Union citizens living in the UK could find their .eu domain names shut off in the next few months, EURid has said.
In a just-published update to its Brexit guidance, the registry has told Brits that they stand to lose their domains on May 30, should the UK leave the EU with no transition deal.
That would give them just two months to transfer their domains to an entity in one of the remaining 27 member states.
On May 30, affected domains will be removed from the .eu zone file and will stop resolving, technically entering “withdrawn” status.
It will be no longer be possible to renew these domains, nor to transfer any domains to a UK-based registrant.
All affected domains — over 273,000 at the last-published count — will be deleted and released back into the available pool, in batches, following March 30, 2020.
This could be good news for domainers in the EU27, given that the deleted domains may include potentially valuable generics.
But EU27 citizens currently residing in the UK, who for whatever reason are unable to transfer their names to an address in their home country, will be treated at first in the same way as Brits. EURid said:
There may be situations of EU citizens, who at present are residing in the UK and have registered a .eu domain name. These citizens would become ineligible as a result of the UK withdrawal and would, therefore lose their eligibility for a .eu domain name, but might become eligible again when the new .eu regulatory framework comes into force later this year. At present, such individuals will experience a disruption of service from 30 May 2019, as a result of the withdrawal of the name.
The registry said last month that new regulations are coming that would allow EU citizens to register .eu domains no matter in which country they live.
Before these regulations kick in, these EU registrants will find their names unresolvable.
By May 30, starving Brits will be far too preoccupied with beating each other to death in the streets for scraps of the country’s last remaining baguette, trading sexual favors for insulin, and so on, so .eu domains will likely be among the least of their no-deal Brexit concerns.
The situation for registrants if the UK leaves the EU with a deal is less urgent. Their domains will stop functioning March 2, 2021, and from January 1, 2022, will be released back into the pool for registration.
Brits would be able to register new .eu domains all the way through the transition period, until the end of December 2020.
It’s not beyond the bounds of possibility that Brits could be grandfathered in to .eu eligibility, should the UK leave on terms similar to European Economic Area members such as Norway, which are eligible under the existing rules.
Currently, it’s anyone’s guess whether we’re leaving with a deal or without. The government’s proposed transition plan was defeated earlier this month in an unprecedented revolt by members of parliament, which leaves no-deal enshrined in the statute books as the default option.
The government is currently attempting to talk its MPs into switching sides, but many suspect it’s just attempting to run down the clock to the March 29 Brexit deadline, compelling MPs to vote for the transition at the eleventh hour as the lesser of two evils.
The opposition is currently urging the government to rule out a no-deal scenario, to discourage British businesses from executing potentially irreversible and damaging exit plans, but the government is reluctant to do so, fearing it could weaken its negotiating hand with the EU27.
The far more-sensible option — giving British voters the opportunity to change their minds with a referendum — appears to be gaining support among MPs but still seems like a pipe dream.
There’s some evidence that the UK is now officially a demographically Remain country, simply due to the number of elderly racists who have died, and the number of youthful idealists who have reached voting age, since the original 2016 referendum.
UK tells .eu registrants to lawyer up as no-deal Brexit looms
British .eu registrants have been urged to consider another top-level domain or seek legal advice due to the risk of losing their names if a no-deal Brexit happens.
The Department for Culture, Media and Sport issued guidance shortly before Christmas, encouraging UK individuals and businesses to talk to their registrars about their .eu eligibility after March 29, currently the date we’re scheduled to leave the EU.
“[Y]ou may wish to discuss transferring your registration to another top level domain,” the guidance states. “Examples of other top level domains include .com, .co.uk, .net or .org.”
I’m sure Nominet will be delighted to see the UK government apparently prefers .com to .uk.
The guidance points to the European Commission’s own notice of March 2018, which informs Brits that they won’t be eligible to register or renew .eu domains after Brexit, and that the registry will be able to turn off those names at will.
That’s assuming a no-deal Brexit, it seems. The new UK guidance suggests that a Brexit with a transition plan is likely to give registrants a bit more breathing space, and possible future rights to retain their names.
Even though .eu is not a TLD you’ll typically see on a billboard or TV commercial in the UK — I’m fairly confident I’ve never seen one in the wild here — it seems that Brits are responsible for a big chunk of the namespace.
There were 273,000 .eu domains registered in the UK at the end of the third quarter 2018, according to EURid (pdf), down 10% on the same period 2017, a decline squarely attributed to Brexit.
There were 3.75 million .eu domains in total, with the UK being the fourth-largest source of registrations.
If you haven’t been following the Brexit saga recently, lucky you! I’ll quickly explain what’s going on.
The British parliament is currently on the verge of deciding whether to leave the EU with a negotiated deal that nobody likes — the equivalent of sawing off a perfectly healthy testicle with a rusty blade for no reason — or to leave the EU with no deal — the equivalent of sawing off both perfectly healthy testicles with a rusty blade for no reason.
The option of keeping both testicles intact and attached is unlikely to be put to the British people because two years ago we were all assured that amateur backstreet castration was fricking awesome and we’re now being warned that the almost 52% of the population who believed the horseshit, and are almost certainly too stupid to have changed their minds in the meantime, will riot in the streets rather than recast their votes.
That’s it in a nutshell.
Come April 1, don’t be surprised if DI is being brought to you from a country with fewer idiots. I’m open to suggestions. Somewhere warm, preferably.
.eu domains to be sold to non-residents
In a few years, you’ll no longer have to live in the European Union in order to buy a .eu domain name.
Residency requirements are to be dropped under new regulations approved by the European Parliament, Council and European Commission last week.
When the new rules come into effect — not expected until April 2023 — EU citizens based anywhere in the world will be able register .eu domains.
It’s not entirely clear how EURid, the current registry, will determine eligibility at point of sale, but I guess they have plenty of time to think about it.
Notably, the proposed new Regulation will shift oversight of .eu from one based on EU regulations to one based on a contract between the Commission and the registry operator.
It is hoped that this will give EURid the flexibility to more rapidly change its business model in future, merely having to agree upon a contract change rather than waiting for the EU institutions to chug through their lengthy legislative processes.
All Cyrillic .eu domains to be deleted
Eurid has announced that Cyrillic domain names in .eu will be deleted a year from now.
The registry said that it’s doing so to comply with the “no script mixing” recommendations for internationalized domain names, which are designed to limit the risk of homograph phishing attacks.
The deletions will kick in May 31, 2019, and only apply to names that have Cyrillic before the dot and Latin .eu after.
Cyrillic names in Eurid’s Cyrillic ccTLD .ею will not be affected.
The plan has been in place since Eurid adopted the IDNA2008 standard three years ago, but evidently not all registrants have dropped their affected names yet.
Bulgaria is the only EU member state to use Cyrillic in its national language.
How all 33 European ccTLDs are handling GDPR
Happy GDPR Day everyone!
Today’s the day that the European Union’s not-quite-long-enough-awaited General Data Protection Regulation comes into effect, giving registries and registrars the world over the prospect of scary fines if they don’t keep their registrants’ Whois data private.
So I thought today would be the perfect day to summarize what each EU or European Economic Area ccTLD has said they are doing about GDPR as it pertains to Whois.
There are 33 such ccTLDs, arguably, and I’ve checked the public statements and web sites of each to hit the key changes they’ve announced.
Because ccTLDs are not governed by ICANN contracts, they had to figure out GDPR compliance for themselves (though some did take note of ICANN guidance).
So I’ve found there are differing interpretations of key points such as whether it’s kosher to continue to publish contact email addresses, and where the line between “natural persons” (ie humans) and “legal persons” (ie companies and other organizations) should be drawn.
Some have also been quite specific about when they will release private data to third parties with so-called “legitimate purposes”; others are more vague.
Note that some of the 33 do not appear to have published anything about GDPR. It’s possible this is because they didn’t need to make any changes. It’s also possible that I simply could not find the information because I’m rubbish.
I should also note that I did the majority of this research yesterday, so additional statements may have been made in the meantime.
Anyway, here’s the list, in alphabetical order.
Austria (.at)
In Austria, from last week public Whois records only show the domain name and technical information when the domain is owned by natural persons. Company-owned domains are unchanged. Any registrant can opt in to having their data published. Only verified “law enforcement agencies, lawyers or people who contact nic.at following domain disputes and who can prove that their rights have been infringed” are allowed to access full records.
Belgium (.be)
DNS.be has not been publishing personal info of natural person registrants, other than their email address, since 2000. As of last week, email addresses are not being published either. It’s also removed the contact name (though not the organization) for domains owned by legal persons. A web form is available to contact anonymized registrants.
Bulgaria (.bg)
There’s not currently any information on the registry web site to indicate any GDPR-related changes, at least in English, that I could find.
Croatia (.hr)
No info on GDPR to be found here either.
Cyprus (.cy)
Ditto.
Czechia/Czech Republic (.cz)
Nic.cz has new rules (pdf) coming in tomorrow that specify which Whois fields will or may be “hidden”, but the English version of the document is too confusing for me to follow. It appears as if plenty of contact information will be masked, and that the registry will only make it available to those who contact it directly with a good enough reason (and it may charge for access). It may also release historical records to those with legitimate purposes.
Denmark (.dk)
Remarkably, there will be NO CHANGE to Whois in .dk after tomorrow, according to an article published on the registry’s web site today. DIFO, the registry, is subject to a Danish law that makes publication of Whois mandatory so, the company said, “we will continue to publish the information – for the benefit of those who need to know who is behind a given domain name. Regardless of whether it is because you want to protect your brand, investigate a crime, do research or just satisfy your curiosity.” Wow!
European Union (.eu)
Eurid’s current Whois policy (pdf) states that only the email address of natural persons will be published publicly. Registrants get the option from their registrars to have this address anonymized. Private data can be released to those who show they have a legitimate interest in accessing it.
Estonia (.ee)
The Estonian Internet Foundation Council approved its GDPR changes (pdf) back in March. They say that no personal information on natural persons will be published, though it appears there will be a way to get in contact with them via the registry itself.
Finland (.fi)
The Finnish registry, FICORA, is a governmental entity that has published remarkably little about GDPR on its site. Its Whois shows the name of the registrant, even when they’re a natural person. Registrants can also opt in to reveal more information about themselves.
France (.fr)
Afnic didn’t have to do much to comply with RGPD (tut!) as it has been hiding the personal info of natural-person registrants since it started allowing them to register .fr names back in 2006. Likewise, it already has a procedure to enable the likes of trademark owners to get their hands on contact info in the event of a dispute, which involves filling out a form (pdf) and promising to only use the data acquired for the purposes specified.
Germany (.de)
DENIC, Europe’s largest ccTLD registry said a few months back that it would expunge personal data from its public Whois and implement a semi-automated system for requesting full records. It’s also adding two “non-personalized” contact email addresses for general and technical inquiries, which will be managed by the registrar in question.
Greece (.gr)
I couldn’t find any GDPR-related information on the registry web site, but its Whois appears to not output contact details for any registrant anyway.
Hungary (.hu)
Currently outputs “private registrant” as the registrant’s name when they’re a natural person, along with a technical contact email and no other personal information. Legal persons get their full contact info published. It’s not entirely clear how recent this policy is.
Iceland (.is)
Iceland’s ISNIC is one of the ccTLD registries to announce that it will continue to publish registrants’ email addresses, though no other contact info, until it is told to stop. In a somewhat defiant post last month, the registry said that GDPR as applied to Whois “will lead to less transparency in domain registrations and less trust in the domain registration system in general”.
Ireland (.ie)
IEDR will not publish contact information for any registrant, though it will publish their name if they’re a legal person. It will only disclose personal information to law enforcement, under court order, for technical matters, or to help a dispute resolution partner resolve a cybersquatting claim.
Italy (.it)
The current version of Registro.it’s Whois policy, dated September 2016, says it will publish all contact information over port 43 and a subset of some contact info (including phone and email) over the web query tool. There’s no mention I could find on its site of GDPR-related changes, though its 2016 policy acknowledges some might be needed.
Latvia (.lv)
Under its post-GDPR policy (pdf), Nic.lv will not publish any personal info about natural persons in its public Whois, and only law enforcement and the government can request the records. Legal-person registrants continue to have their full contact data published.
Liechtenstein (.li)
Liechtenstein is managed by Switzerland’s SWITCH and appears to have the same policies.
Lithuania (.lt)
DomReg’s new privacy policy (pdf) gives natural persons an opt-in to have their personal data published, but otherwise it will all be private. There’s an email-forwarding option. Lawyers with claims against registrants can pay the registry for the Whois record if the registrant has not responded to their forwarded emails within 15 days.
Luxembourg (.lu)
.lu registry RESTENA Foundation said it will cut all personal information for natural-person registrants and make a web-based form available for contact purposes. There will be an opt-in for those who want their data published at a later date. Legal persons continue to have their data published. The registry will make current and historical records available for those with legit purposes, and will create automated blanket access system for national authorities that require regular access.
Malta (.mt)
NIC(Malta)’s current Whois policy, which is only six months old, allows any registrant to opt out of having their personal data published in Whois, but appears to require than a “Administrative Agent” be appointed to take their place in the public database. There’s no info on its web site about any upcoming changes due to GDPR.
Netherlands (.nl)
SIDN explains in a recent paper (pdf) that it didn’t have to make many changes to its Whois service because personal information was already pretty much redacted. The biggest change appears to be more throttling of Whois queries applied to registrars when they’re querying domains they don’t already sponsor.
Norway (.no)
Norid said this week that it will publish the email address of private individual registrants, and full contact info for companies. It’s also the only European ccTLD I’m aware of to have a third class of registrant, the sole proprietorship, which will also see their organization names and numbers published. There does not appear to be an in-house email anonymization or forwarding service, for which Norid encourages registrants to look elsewhere.
Poland (.pl)
NASK has no GDPR related info on its web site, but its evidently quite old Whois policy states that the private information of individuals is not published.
Portugal (.pt)
DNS.pt has a comprehensive set of documents on its site explaining its pre- and post-GDPR policies. From today, natural-person registrants are given the option to provide their “informed, willing, and express consent” to having their data published. If they don’t give consent, it will be redacted from public records and email addresses may be replaced with an anonymized address. This is not available to legal entities. ARBITRARE, a local arbitration center tasked with handle IP disputes, will be able to have access to full records.
Romania (.ro)
RoTLD said yesterday that it would no longer publish private information of individuals, but that it may release such data to “carefully verified” third parties with legitimate interests. It also encouraged registrants to use non-personally-indentifying email addresses if they wish to have a further degree of privacy.
Slovakia (.sk)
SKNIC, now owned by UK-based CentralNic, has an interesting definition of the type of natural person you have to be to have your data protected — a “natural person non-enterpreneur” — according to its helpfully redlined policy update (pdf), suggesting that offering commercial services might void your right to natural-person status. (UPDATE: SKNIC tells me that “natural person–entrepreneur is a legal definition of a specific version of legal person” in Slovakia). There’s a carve-out that allows the registry to provide private data to third parties with legal claims, or to its cybersquatting dispute handler.
Slovenia (.si)
Register.si said this week that it will shortly publish its post-GDPR privacy policy, but it does not appear to have yet done so.
Spain (.es)
I could find no GDPR-related information on the Dominios.es site.
Sweden (.se)
IIS has not published the private fields of Whois records for natural persons since 2013. From today, it will also redact the contact name and email address from the records of legal-person registrants, as it may be considered “personal” data under the law.
Switzerland (.ch)
I don’t think GDPR actually applies to Switzerland, which is not an EEA member, but the .ch registry, SWITCH, also runs Liechtenstein’s .li, so I’m including it here. SWITCH says on both of its sites that it is required by Swiss law to publish Whois records, though they’re subject to an acceptable use policy that includes throttling. When I attempted to do a single Whois query via the SWITCH site today I was told I had already exceeded my quota. Shrug.
United Kingdom (.uk)
UK registry Nominet has long had a two-tier Whois, where private individuals do not have their contact information published in the public Whois. But as of this week it has started redacting all registrant contact information. It’s also going to be offering a paid-for searchable Whois service and a free data request service with a one-day turnaround.
ICANN approves messy, unfinished Whois policy
With a week left on the GDPR compliance clock, ICANN has formally approved a new Whois policy that will hit all gTLD registries and registrars next Friday.
The Temporary Specification for gTLD Registration Data represents the first time in its history ICANN has invoked contractual clauses that allow it to create binding policy in a top-down fashion, eschewing the usual community processes.
The policy, ICANN acknowledges, is not finished and needs some work. I would argue that it’s also still sufficiently vague that implementation in the wild is likely to be patchy.
What’s in public Whois?
The policy is clearest, and mostly unchanged compared to previous drafts, when it comes to describing which data may be published in public Whois and which data must be redacted.
If you do a Whois query on a gTLD domain from next week, you will no longer see the name, address, phone/fax number or email address of the registrant, admin or tech contacts.
You will continue to see the registrant’s organization, if there is one, and the country in which they are based, as well as some information about the registrar and name servers.
In future, public RDAP-based Whois databases will have to output “REDACTED FOR PRIVACY” in these fields, but for now they can just be blank.
While the GDPR is only designed to protect the privacy of humans, rather than companies, and only those connected to the European Union, the ICANN policy generally assumes that all registrants will be treated the same.
It will be possible for any registrant to opt out of having their data redacted, if being contactable is more important to them than their privacy.
What about privacy services?
Since the May 14 draft policy, ICANN has added a carve-out for domains that are already registered using commercial privacy/proxy services.
Whois records for those domains are NOT going to change under the new policy, which now has the text:
in the case of a domain name registration where a privacy/proxy service used (e.g. where data associated with a natural person is masked), Registrar MUST return in response to any query full WHOIS data, including the existing proxy/proxy pseudonymized email.
In the near term, this will presumably require registries/registrars to keep track of known privacy services. ICANN is working on a privacy/proxy accreditation program, but it’s not yet live.
So how do you contact registrants?
The policy begins to get more complicated when it addresses the ability to actually contact registrants.
In place of the registrant’s email address in public Whois, registries/registrars will now have to publish an anonymized email address or link to a web-based contact form.
Neither one of these options should be especially complex to implement — mail forwarding is a staple service at most registrars — but they will take time and effort to put in place.
ICANN indicated earlier this week that it may give contracted parties some breathing room to get this part of the policy done.
Who gets to see the private data?
The policy begins to fall apart when it describes granting access to full, unexpurgated, thick Whois records to third parties.
It seems to do a fairly good job of specifying that known quantities such as URS/UDRP providers, escrow providers, law enforcement, and ICANN itself continue to get access.
But it’s fuzzier when it comes to entities that really would like to continue to access Whois data, such as trademark lawyers, security service providers and consumer protection concerns.
While ICANN is adamant that third parties with “legitimate interests” should get access, the new policy does not enumerate with any specificity who these third parties are and the mechanism(s) contracted parties must use to grant such access.
This is what the policy says:
Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject
This appears to give contracted parties the responsibility to make legal judgment calls — balancing the GDPR-based privacy rights of the registrant against the “legitimate interests” of the requester — every time they get a thick Whois request.
The policy goes on to say that when European privacy regulators, the courts, or other legislation or regulation has specifically approved a certain class of requester, ICANN will relay this news to the industry and it will have 90 days to make sure that class gets full Whois access.
But the policy does not specify any formal mechanism by which anyone goes about requesting a thick record.
Do they just phone up the registrar and ask? Does the registrar have to publish a contact address for this purpose? How does the registrar go about confirming the requester is who they say they are? Should they keep white-lists of approved requesters, or approve each request on a domain-by-domain basis? When does the right of a trademark owner outweigh the privacy right of an individual?
None of these questions are answered by the policy, but in a non-binding annex ICANN points to ongoing community work to create an “accreditation and access model”.
That work appears to be progressing at a fair rapid clip, but I suspect that’s largely because the trademarks lawyers are holding the pens and discussions are not following ICANN’s usual consensus-building policy development rules.
When the work is absorbed into the ICANN process, we could be looking at a year or more before something gets finalized.
How will transfers work?
Because Whois is used during the inter-registrar transfer process, ICANN has also had to tweak its Inter-Registrar Transfer Policy to take account of instances where registrars can’t access each other’s databases.
Basically, it’s scrapping the requirement for gaining registrars to obtain a Form of Authorization from the Whois-listed registrant before they start an inbound transfer.
This will remove one hoop registrants have to jump through when they switch registrars (though losing registrars still have to obtain an FOA from them) at the cost of making it marginally easier for domain theft to occur.
What happens next?
ICANN acknowledges, in seven bullet points appended to the policy, that the community has more work to do, mainly on the access/accreditation program.
Its board resolution “acknowledges that there are other implementation items that require further community conversation and that the Board encourages the community to resolve as quickly as possible”.
The board has also asked ICANN staff to produce more explanatory materials covering the policy.
It also temporarily called off its Governmental Advisory Committee consultation, which I wrote about here, after receiving a letter from the GAC.
But the big next step is turning this Temporary Policy into an actual Consensus Policy.
The Temporary Policy mechanism, which has never been used before, is set up such that it has to be renewed by the board every 90 days, up to a maximum of one year.
This gives the GNSO until May 25 next year to complete a formal Policy Development Process. In fact, it will be a so-called “Expedited” PDP or EPDP, that cuts out some of the usual community outreach in order to provide a speedier result.
This, too, will be an unprecedented test of an ICANN policy-making mechanism.
The GNSO will have the Temporary Policy baseline to work from, but the Temporary Policy is also subject to board-level changes so the goalposts may move while the game is being played.
It’s going to be a big old challenge, and no mistake.
Panic stations as Europe plays hardball on Whois privacy
Hopes that Whois records will continue to be available to broad sections of the internet community appeared dashed this week as European data protection heads ripped holes in ICANN’s plan for the industry to comply with the General Data Protection Regulation.
ICANN CEO Goran Marby warned that Whois faces imminent fragmentation and expressed disappointment that authorities have basically ignored his repeated requests for a moratorium on GDPR enforcement.
The Article 29 Working Party, made up of the heads of data protection authorities of EU member states, told ICANN this week that its so-called “Cookbook” compliance plan is nowhere near detailed enough.
In a letter (pdf), it also strongly hinted that intellectual property interests have little hope of retaining access to Whois contact information after GDPR comes into effect next month.
Any notion that WP29 might tell ICANN that the Cookbook was an over-reaction to GDPR, eschewing too many data elements from public records, was firmly put to bed.
Instead, the group explicitly supported ICANN’s plan to replace email addresses in the public Whois with anonymized addresses or a web-based registrant contact form.
It said it “welcomes the proposal to significantly reduce the types of personal data that shall be made publically [sic] available, as well as its proposal [to] introduce alternative methods to contact registrants”.
It also approved of the plan for a “layered” access plan, under which some entities — law enforcement in particular — would be able to access private contact information under an accreditation program.
But WP29 pooh-poohed the idea, put forward by some in the trademark community, that access to Whois could be restricted merely with the use of an IP address white-list.
It warned that the purposes for such access should be explicitly defined and said that what can be accessed should be tightly controlled.
WP29 does not appear to be a fan of anyone, even accredited users, getting bulk access to private Whois data.
While the group endorsed the idea that law enforcement agencies should be able to access Whois, it failed to provide similar comfort to IP interests, security researchers and other groups with self-declared “legitimate interests” in the data.
In what I’m reading as a veiled attack on the IP lobby, the WP29 letter says:
ICANN should take care in defining purposes in a manner which corresponds to its own organisational mission and mandate, which is to coordinate the stable operation of the Internet’s unique identifier systems. Purposes pursued by other interested third parties should not determine the purposes pursued by ICANN. The WP29 cautions ICANN not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case.
While it would be fairly easy to argue that giving access to security researchers contributes to “stable operation of the Internet’s unique identifier systems”, I think it would be considerably harder to argue that giving trademark owners an easy way to pursue suspected cybersquatters does the same.
In short, the letter clarifies that, rather than complying too much, ICANN has not gone far enough.
WP29 also roundly ignored ICANN’s request for an enforcement moratorium to give the community enough time to come up with a compliance policy and the industry enough time to implement it, irking ICANN into threatening legal action.
Marby said in a blog post yesterday:
Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.
He said that the WP29 statement puts ICANN at odds with the consensus advice of its Governmental Advisory Committee — which, it should be noted, includes the European Commission and most of the EU member states.
The GAC has told ICANN to “Ensure that the proposed interim model maintains current WHOIS requirements to the fullest extent possible” and to reconsider its plan to remove registrant email addresses from public records.
That’s how stupid the situation has become — the same governments telling ICANN to retain email addresses is also telling it to remove them.
Outside of Europe, the United States government has been explicit that it wants Whois access to remain available.
Marby said that an ICANN delegation will attend a meeting of the WP29 Technology Subgroup in Brussels on April 23 to further discuss the outstanding issues.
In a quick response (pdf) to the WP29 letter, he warned that a fragmented Whois and the absence of a moratorium could spell doom for the smooth functioning of the internet.
We strongly believe that if WHOIS is fragmented, it will have a detrimental impact on the entire Internet. A key function of WHOIS allows those participating in the domain name system and in other aspects of work on the Internet to know who else is working within that system. Those working on the Internet require the information contained within WHOIS to be able to communicate with others working within that system.
Reaction from elsewhere in the community has so far comprised variations of “told you so” and hand-wringing about the impact after May 25.
Michele Neylon, head of the registrar Blacknight, blogged that the letter signaled “game over” for the public Whois.
“Come the end of May, public whois as we know it will be dead,” he wrote.
Academic Farzaneh Badii, executive director of the Internet Governance Project and a leading figure in ICANN’s non-commercial users community, blamed several factors for the current 11th-hour predicament, but mainly the fact that her constituency’s lobbying was ignored for so long.
“The Noncommercial Stakeholders Group was the broken record that everyone perceived as not worth paying attention to. But GDPR got real and ICANN has to deal with it,” she wrote.
Matt Serlin of the IP-centric registrar Brandsight, wrote that the letter was “predictable” and said:
The WHOIS system, as it has been known for two decades, will cease to exist. Unfettered access to registration information for gTLDs is simply not going to be possible going forward after May 25th. Yes, there are still questions as to what the final model ICANN puts forth will be, but it will certainly drastically change how WHOIS will function.
Serlin held out some hope that the unspecified legal action Marby has floated may go some way to extend the May 25 GDPR enforcement date.
The community awaits Marby’s next update with bated breath.
Big changes at DomainTools as privacy law looms
Regular users of DomainTools should expect significant changes to their service, possibly unwelcome, as the impact of incoming European Union privacy law begins to be felt.
Professional users such as domain investors are most likely to be impacted by the changes.
The company hopes to announce how its services will be rejiggered to comply with the General Data Protection Regulation in the next few weeks, probably in February, but CEO Tim Chen spoke to DI yesterday in general terms about the law’s possible impact.
“There will be changes to the levels of service we offer currently, especially to any users of DomainTools that are not enterprises,” Chen said.
GDPR governs how personal data on EU citizens is captured, shared and processed. It deals with issues such as customer consent, the length of time such data may be stored, and the purposes for which it may be processed.
Given that DomainTools’ entire business model is based on capturing domain registrants’ contact information without their explicit consent, then storing, processing and sharing that data indefinitely, it doesn’t take a genius to work out that the new law represents a possibly existential threat.
But while Chen says he’s “very concerned” about GDPR, he expects the use cases of his enterprise customers to be protected.
DomainTools no longer considers itself a Whois company, Chen said, it’s a security services company now. Only about 20% of its revenue now comes from the $99-a-month customers who pay to access services such as reverse Whois and historical Whois queries.
The rest comes from the 500-odd enterprise customers it has, which use the company’s data for purposes such as tracking down network abuse and intellectual property theft.
DomainTools is very much aligned here with the governments and IP lawyers that are pressing ICANN and European data protection authorities to come up with a way Whois data can still be made available for these “legitimate purposes”.
“We’re very focused on our most-important goal of making sure the cyber security and network security use cases for Whois data are represented in the final discussions on how this legislation is really going to land,” he said.
“There needs to be some level of access that is retained for uses that are very consistent with protecting the very constituents that this legislation is trying to protect from a privacy perspective,” he said.
The two big issues pressing on Chen’s mind from a GDPR perspective are the ability of the company to continue to aggregate Whois records from hundreds of TLDs and thousands of registrars, and its ability to continue to provide historical, archived Whois records — the company’s most-popular product after vanilla Whois..
These are both critical for customers responding to security issues or trying to hunt down serial cybersquatters and copyright infringers, Chen said.
“[Customers are] very concerned, because their ability to use this data as part of their incident response is critical, and the removal of the data from that process really does injure their ability to do their jobs,” he said.
How far these use cases will be protected under GDPR is still an open question, one largely to be determined by European DPAs, and DomainTools, like ICANN the rest of the domain industry, is still largely in discussion mode.
“Part of what we need to help DPAs understand is: how long is long enough?” Chen said. “Answering how long this data can be archived is very important.”
ICANN was recently advised by its lawyers to take its case for maintaining Whois in as recognizable form as possible to the DPAs and other European privacy bodies.
And governments, via the Governmental Advisory Committee, recently urged ICANN to continue to permit Whois access for “legitimate purposes”.
DomainTools is in a different position to most of the rest of the industry. In terms of its core service, it’s not a contracted party with ICANN, so perhaps will have to rely on hoping whatever the registries and registrars work out will also apply to its own offerings.
It’s also different in that it has no direct customer relationship with the registrants whose data it processes, nor does it have a contractual relationship with the companies that do have these customer relationships.
This could make the issue of consent — the right of registrant to have a say in how their data is processed and when it is deleted — tricky.
“We’re not in a position to get consent from domain owners to do what we do,” Chen said. “I think where we need to be more thoughtful is whether DomainTools needs to have a process where people can opt out of having their data processed.”
“When I think about consent, it’s not on the way in, because we just don’t have a way to do that, it’s allowing a way out… a mechanism where people can object to their data being processed,” he said.
How DomainTools’ non-enterprise customers and users will be affected should become clear when the company outlines its plans in the coming weeks.
But Chen suggested that most casual users should not see too much impact.
“The ability of anyone who has an interest in using Whois data, who needs it every now and then, for looking up a Whois record of a domain because they want to buy it as a domain investor for example, that should still be very possible after GDPR,” he said.
“I don’t think GDPR is aimed at individual, one-at-a-time use cases for data, I think it’s aimed at scalable abuse of the data for bad purposes,” he said.
“If you’re running a business in domain names and you need to get Whois at significant scale, and you need to evaluate that many domains for some reason, that’s where the impact may be,” he said.
Disclosure: I share a complimentary DomainTools account with several other domain industry bloggers.
Recent Comments