Latest news of the domain name industry

Recent Posts

“Stringent” new online censorship law could affect domain companies

Kevin Murphy, April 8, 2019, Domain Policy

Blame Zuck.

The UK government is planning to introduce what it calls “stringent” new laws to tackle abusive behavior online, and there’s a chance it could wind up capturing domain name registries and registrars in its net.

The Department for Culture, Media and Sport this morning published what it calls the Online Harms White Paper, an initial 12-week consultation document that could lead to legislation being drafted at a later date.

The paper calls for the creation of a new independent regulator, charged with overseeing social media companies’ efforts to reduce the availability of content such as incitements to violence, self-harm, suicide, child abuse, “hate crime” and even “fake news”.

It basically would increase the amount of liability that companies have for user-generated content hosted on their services, even when that content is not necessarily illegal but is nevertheless considered “harmful”.

The regulator would have to create a code of conduct for companies the legislation covers to abide by.

When the code is breached, the regulator would have the authority to issue fines — possibly comparable to the 4% of profits that can be fined under GDPR — against not only the companies themselves but also their senior management.

The paper seems to most directly address ongoing tabloid scandals related to Facebook and its ilk, such as the suicide of Molly Russell, a 14-year-old who viewed material related to self-harm on Instagram before her death.

While it does not mention domain names once, the government clearly anticipates casting a wide net. The paper states:

The scope will include companies from a range of sectors, including social media companies, public discussion forums, retailers that allow users to review products online, along with non-profit organisations, file sharing sites and cloud hosting providers.

That’s a broad enough definition such that it could even cover blogs, including this one, that allow users to post comments.

The paper also discusses asking search engines to remove sites from their indexes, and compelling ISPs to block abusive sites as a “last resort” measure.

There’s a short mental hop from ISP blocking to domain name takedowns, in my view.

The paper also discusses steps the regulator could take to ensure companies with no UK legal presence are still covered by the rules.

While the paper, as I say, does not mention the domain name industry once, subsidiary services provided by registrars, such as hosting, could be directly affected.

There’s no guarantee that the paper will become a bill. There’s already a backlash from those who believe it constitutes unacceptable censorship, comparable to regimes such as in China.

There’s also no guarantee such a bill would eventually become law. The UK government is arguably currently the weakest it has ever been, with a propped-up minority in Parliament and many MPs in open revolt over Brexit.

With talk of an early general election incessant recently, it’s also possible the government may not last long enough to bring its plans to fruition.

Still, it’s probably something the domain industry, including ICANN, should probably keep an eye on.

The full 100-page white paper can be found here (pdf) and an executive summary can be read here.

Whois vacuum AppDetex raises $10 million

Kevin Murphy, March 20, 2019, Domain Registrars

Brand protection registrar AppDetex, which counts Facebook as its key customer, has raised $10 million in funding.

It’s the second round of venture capital for the six-year-old Boise, Idaho company. This one was led by First Analysis, with first-round investors EPIC Ventures and Origin Ventures each also taking an extra piece.

AppDetex says it has raised $17.5 million to date.

The company will be best known to registrars and other DI readers for its attempts last year to vacuum up vast amounts of Whois data, post-GDPR, on behalf of mainly Facebook.

The AppDetex WHOIS Requestor System (AWRS) is a semi-automated service that streamlines the process of requesting unredacted Whois records from registrars. I was given a demo last October.

The company came in for criticism for allegedly misrepresenting the results of its initial testing of the system, using the data to lobby ICANN and to market its product.

But AppDetex is apparently not just about the domains. It also offers brand monitoring services for social media platforms, app stores and web sites.

As a registrar, the company had a little over 1,500 gTLD domains under management at the last count, so the new investment is clearly not based upon its prowess as a volume registrar but rather on its value-added managed services.

AppDetex was founded by Faisal Shah (a founder of MarkMonitor) and Chris Bura (previously of AllDomains.com) in 2012.

The company has been closely affiliated with Facebook for some time.

Back in 2016, Facebook acquired RegistrarSEC, a registrar accreditation run by Shah and Bura that at the time was actually doing business under the name “AppDetex”, in order to protect Instagram.com from a Chinese court.

AppDetex has also hired staff from Facebook, and its general counsel is married to Facebook’s head of domain strategy.

According to data Tucows released a month ago, almost two thirds of the Whois requests it received since GDPR came into effect came from Facebook and AppDetex.

Surprise! Most private Whois look-ups come from Facebook

Kevin Murphy, February 20, 2019, Domain Policy

Facebook is behind almost two-thirds of requests for private Whois data, according to stats published by Tucows this week.

Tucows said that it has received 2,100 requests for Whois data since it started redacting records in the public database when the General Data Protection Regulation came into effect last May.

But 65% of these requests came from Facebook and its proxy, AppDetex, that has been hammering many registrars with Whois requests for months.

AppDetex is an ICANN-accredited brand-protection registrar, which counts Facebook as its primary client. It’s developed a workflow tool that allows it, or its clients, to semi-automatically send out Whois requests to registrars.

It sent at least 9,000 such requests between June and October, and has twice sent data to ICANN complaining about registrars not responding adequately to its requests.

Tucows has arguably been the registrar most vocally opposed to AppDetex’s campaign, accusing it of artificially inflating the number of Whois requests sent to registrars for political reasons.

An ICANN policy working group will soon begin to discuss whether companies such as Facebook, as well as security and law enforcement interests, should be able to get credentials enabling them to access private Whois data.

Tucows notes that it sees spikes in Whois requests coinciding with ICANN meetings.

Tucows said its data shows that 92% of the disclosure requests it has received so far come from “commercial interests”, mostly either trademark or copyright owners.

Of this 92%, 85% were identified as trademark interests, and 76% of those were Facebook.

Law enforcement accounted for 2% of requests, and security researchers 1%, Tucows said.

This is how AppDetex works

Kevin Murphy, October 25, 2018, Domain Services

A small brand-protection registrar with a big friend caused quite a stir at ICANN 63 here in Barcelona this week, after accusing registrars for the second time of shirking their duties to disclose private Whois data to trademark owners.

AppDetex, which has close ties to Facebook, has sent something like 9,000 Whois requests to registrars over the last several months, then complained to ICANN last week that it only got a 3% response rate.

Registrars cried foul, saying that the company’s requests are too vague to action and sometimes seem farcical, suggesting an indiscriminate, automated system almost designed to be overly burdensome to them.

In chats with DI this week, AppDetex CEO Faisal Shah, general counsel Ben Milam and consultant Susan Kawaguchi claimed that the system is nowhere near as spammy as registrars think, then showed me a demo of their Whois Requester product that certainly seemed to support that claim.

First off, Whois Requester appears to be only partially automated.

Tucows had noted in a letter to ICANN that it had received requests related to domains including lincolnstainedglass.com and grifflnstafford.com, which contain strings that look a bit like the “Insta” trademark but are clearly not cybersquatting.

“That no human reviewed these domains was obvious, as the above examples are not isolated,” Tucows CEO Elliot Noss wrote.

“It is abundantly clear to us that the requests we received were generated by an automated system,” Blacknight CEO Michele Neylon, who said he had received similarly odd requests, wrote in his own letter.

But, according to AppDetex, these assumptions are not correct.

Only part of its service is automated, they said. Humans — either customers or AppDetex in-house “brand analysts” — were involved in sending out all the Whois requests generated via its system.

AppDetex itself does not generate the lists of domains of concern for its clients, they said. That’s done separately, using unrelated tools, by the clients themselves.

It’s possible these could be generated from zone files, watch services, abuse reports or something else. The usage of the domain, not just its similarity to the trademark in question, would also play a role.

Facebook, for example, could generate its own list of domains that contain strings matching, partially matching, or homographically similar to its trademarks, then manually input those domains into the AppDetex tool.

The product features the ability to upload lists of domains in bulk in a CSV file, but Kawaguchi told me this feature has never been used.

Once a domain has been input to main Whois Requester web form, a port 43 Whois lookup is automatically carried out in the background and the form is populated with data such as registrar name, Whois server, IANA number and abuse email address.

At this point, human intervention appears to be required to visually confirm whether the Whois result has been redacted or not. This might require also going to the registrar’s web-based Whois, as some registrars return different results over port 43 compared to their web sites.

If a redacted record is returned, users can then select the trademark at issue from a drop-down (Whois Requestor stores its’ customers trademark information) and select a “purpose” from a different drop-down.

The “purposes” could include things like “trademark investigation” or “phishing investigation”. Each generates a different piece of pre-written text to be used in the template Whois request.

Users can then choose to generate, manually approve, and send off the Whois request to the relevant registrar abuse address. The request may have a “form of authorization” attached — a legal statement that AppDetex is authorized to ask for the data on behalf of its client.

Replies from registrars are sent to an AppDetex email address and fed into a workflow tool that looks a bit like an email inbox.

As the demo I saw was on the live Whois Requester site with a dummy account, I did not get a view into what happens after the initial request has been sent.

Registrars have complained that AppDetex does not reply to their responses to these initial requests, which is a key reason they believe them frivolous.

Shah and Milam told me that over the last several months, if a registrar reply has included a request for additional information, the Whois Requester system has been updated with a new template for that registrar, and the request resent.

This, they said, may account for duplicate requests registrars have been experiencing, though two registrars I put this to dispute whether it fits with what they’ve been seeing.

The fact that human review is required before requests are sent out “just makes it worse”, they also said.

ICANN 63, Day 0 — registrars bollock DI as Whois debate kicks off

Kevin Murphy, October 21, 2018, Domain Policy

Blameless, cherubic domain industry news blogger Kevin Murphy received a bollocking from registrars over recent coverage of Whois reform yesterday, as he attended the first day of ICANN 63, here in Barcelona.

Meanwhile, the community working group tasked with designing this reform put in a 10-hour shift of face-to-face talks, attempting to craft the language that will, they hope, bring ICANN’s Whois policy into line with European privacy law.

Talks within this Expedited Policy Development Process working group have not progressed a massive amount since I last reported on the state of affairs.

They’re still talking about “purposes”. Basically, trying to write succinct statements that summarize why entities in the domain name ecosystem collect personally identifiable information from registrants.

Knowing why you’re collecting data, and explaining why to your customers, is one of the things you have to do under the General Data Protection Regulation.

Yesterday, the EPDP spent pretty much the entire day arguing over what the “purposes” of ICANN — as opposed to registries, registrars, or anyone else — are.

The group spent the first half of the day trying to agree on language explaining ICANN’s role in coordinating DNS security, and how setting policies concerning third-party access to private Whois data might play a role in that.

The main sticking point was the extent to which these third parties get a mention in the language.

Too little, and the Intellectual Property Constituency complains that their “legitimate interests” are being overlooked; too much, and the Non-Commercial Stakeholders Group cries that ICANN is overstepping its mission by turning itself into a vehicle for trademark enforcement.

The second half of the day was spent dealing with language explaining why collecting personal data helps to establish ownership of domains, which is apparently more complicated than it sounds.

Part of this debate was over whether registrants have “rights” — such as the right to use a domain name they paid for.

GoDaddy policy VP James Bladel spent a while arguing against this legally charged word, again favoring “benefits”, but appeared to eventually back down.

It was also debated whether relatively straightforward stuff such as activating a domain in the DNS by publishing name servers can be classed as the disclosure of personal data.

The group made progress reaching consensus on both sets of purposes, but damn if it wasn’t slow, painful progress.

The EPDP group will present its current state of play at a “High Interest Topic” session on Monday afternoon, but don’t expect to see its Initial Report this week as originally planned. That’s been delayed until next month.

While the EPDP slogs away, there’s a fair bit of back-channel lobbying of ICANN board and management going on.

All the players with a significant vested interest in the outcome are writing letters, conducting surveys, and so on, in order to persuade ICANN that it either does or does not need to create a “unified access model” that would allow some parties to carry on accessing private Whois data more or less the same way as they always have.

One such effort is the one I blogged about on Thursday, shortly before heading off to Barcelona, AppDetex’s claims that registrars have ignored or not sufficiently responded to some 9,000 automated requests for Whois data that its clients (notably Facebook) has spammed them with recently.

Registrars online and in-person gave me a bollocking over the post, which they said was one-sided and not in keeping with DI’s world-renowned record of fairness, impartiality and all-round awesomeness (I’m paraphrasing).

But, yeah, they may have a point.

It turns out the registrars still have serious beef with AppDetex’s bulk Whois requests, even with recent changes that attempt to scale back the volume of data demanded and provide more clarity about the nature of the request.

They suspect that AppDetex is simply trawling through zone files for strings that partially match a handful of Facebook’s trademarks, then spamming out thousands of data requests that fail to specify which trademarks are being infringed and how they are being infringed.

They further claim that AppDetex and its clients do not respond to registrars’ replies, suggesting that perhaps the aim of the game here is to gather data not about the owner of domains but about registrars’ alleged non-compliance with policy, thereby propping up the urgent case for a unified access mechanism.

AppDetex, in its defence, has been telling registrars on their private mailing list that it wants to carry on working with them to refine its notices.

The IP crowd and registrars are not the only ones fighting in the corridors, though.

The NCSG also last week shot off a strongly worded missive to ICANN, alleging that the organization has thrown in with the IP lobby, making a unified Whois access service look like a fait accompli, regardless of the outcome of the EPDP. ICANN has denied this.

Meanwhile, cybersecurity interests have also shot ICANN the results of a survey, saying they believe internet security is suffering in the wake of ICANN’s response to GDPR.

I’m going to get to both of these sets of correspondence in later posts, so please don’t give me a corridor bollocking for giving them short shrift here.

UPDATE: Minutes after posting this article, I obtained a letter Tucows has sent to ICANN, ripping into AppDetex’s “outrageous” campaign.

Tucows complains that it is being asked, in effect, to act as quality control for AppDetex’s work-in-progress software, and says the volume of spurious requests being generated would be enough for it ban AppDetex as a “vexatious reporter”.

AppDetex’s system apparently thinks “grifflnstafford.com” infringes on Facebook’s “Insta” trademark.

UPDATE 2: Fellow registrar Blacknight has also written to ICANN today to denounce AppDetex’s strategy, saying the “automated” requests it has been sending out are “not sincere”.