Recent Posts
- Alibaba, Name.com among new RDRS opt-ins
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
- ICANN threatens to regulate your speech [RANT]
- Life insurance company kills dot-brand
- ICANN finds new home for Lebanon’s TLD after founder’s death
- ICANN begs people to use its new Whois service
- Shiba Inu outs itself as crypto new gTLD applicant
- Over 50,000 .ai domains sold in three months
- Amazon planning new push into registrar market?
- Registries and registrars vote ‘Yes’ to new DNS abuse rules
- ICANN predicts flattish 2025 for domain industry
- Fast-growing Gname buys another 150 registrars
- GoDaddy service to let you block domains in over 650 TLDs
- Did I find a murder weapon in a zone file?
- ICANN drops the “man” from Ombudsman
- Have your say on police domain takedown powers
- Most registrars are shunning ICANN’s new Whois system
- Nominet to take over .gov.uk
- ICANN picks Istanbul for 2024 meeting
- ICANN’s private Whois data request service goes live
- .au regs slide on 2LD anniversary
- ICANN accused of power grab over $271 million auction fund
- A registrar is getting blamed for an Israeli war propaganda site
- Two more dot-brands bite the dust
- Google sells five-figure AI domain and six-figure .ing hack
- .blackfriday is still a bit rubbish
- Internet Naming Co acquires five more gTLDs
- Domain universe grows despite .com drag
Facebook lawsuit brings one country’s domain to a screeching halt
Bangladesh’s ccTLD registry has reportedly frozen all registrations and transfers after a cybersquatting lawsuit filed by Facebook.
According to local reports a couple weeks back, Bangladesh Telecommunications Company Ltd has implemented Draconian pre-registration roadblocks to registration, such that only exact-match domain names are available to individuals and organizations.
And Western corporate registrar CSC said today that BTCL has “implemented a temporary suspension to registration and transfer orders due to an ongoing legal matter” and is “diligently working to draft new regulations and procedures for registration orders.”
Registrants can still manage their Whois and DNS settings as normal, CSC said.
Facebook sued the registrant of the domain facebook.com.bd last November, asking for the domain to be cancelled and for $50,000 in damages, dragging BTCL into the case.
According to reports, the domain had been registered in 2008 when the registry used a largely paper-based system, but Facebook only resorted to the courts last year when the registrant listed it for sale for $6 million.
It’s a textbook case of cybersquatting, but .bd evidently does not have the mechanisms — such as UDRP — to handle such malfeasance outside of the courts.
While a Dhaka court reportedly issued an injunction against the domain in question, it’s still resolving and still listed for sale at $6 million.
Security firm sues Facebook to overturn UDRP loss of “good faith” typo domains
Security company Proofpoint has sued Facebook in order to keep hold of several typo domains that are deliberately intended to look like its Facebook and Instagram brands.
Proofpoint wants an Arizona court to declare that facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net and instagrarn.org are not cases of cybersquatting because they were not registered in bad faith.
Proofpoint — a $7 billion company that certainly does not phish — uses the domains in anti-phishing employee training services, as it describes in its complaint:
Proofpoint uses intentionally domain names that look like typo-squatted versions of recognizable domain names, such as
, and the other Domain Names at issue in these proceedings. By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names.
Employees who click the bogus links are taken to harmless web pages describing how they were duped.
The court case comes shortly after Facebook prevailed in a UDRP case filed with WIPO.
In that case, the panelist decided that Proofpoint had no legitimate interest in the domains because they led to web sites that linked to Proofpoint’s web site, where commercial services are offered.
He therefore found that the names had been registered in bad faith, because visitors could assume that Facebook or Instagram in some way endorsed these services.
Proofpoint wants the court to reverse that decision and allow it to keep the names. Here’s the complaint (pdf).
It strikes me as at the very least bad form for Facebook to go after these domains, given that Proofpoint is tackling the Facebook phishing problem at source — user idiocy — rather than the reactive, interminable UDRP whack-a-mole Facebook seems to be engaging in.
Facebook to enter the retail registrar business?
Worryingly perhaps for the retail registrar market, Facebook has revealed it’s due to launch a set of business web-hosting services.
The company said in a blog post last week that it plans to reveal Facebook Hosting Services “over the coming months”.
While very little is known about these services, Facebook appears to be interested in leveraging its popular WhatsApp messaging platform. The company blogged:
Facebook Hosting Services – Businesses have varying technology needs and want choice in the companies they work with to host and manage customer communications, particularly with remote work increasing. Which is why over the coming months, we plan to expand our partnerships with business solution providers we’ve worked with over the last two years. We will also provide a new option for businesses to manage their WhatsApp messages via hosting services that Facebook plans to offer. Providing this option will make it easier for small and medium size businesses to get started, sell products, keep their inventory up to date, and quickly respond to messages they receive – wherever their employees are.
There’s no mention of domains there, but domains almost always go hand in hand with hosting.
The fact that a company with Facebook’s reach is venturing into hosting will surely worry registrars that already make a huge chunk of their revenue from such services.
Facebook URLs are already considered a valid alternative to domain names for many small and micro-businesses, so there’s a question mark next to Facebook’s intention with regards domains.
Facebook already owns at least two ICANN-accredited registrars, RegistrarSEC and RegistrarSafe, but they do not sell domains to third parties.
The two registrars are currently basically an insurance policy against Facebook’s hugely valuable domains being suspended or transferred by third-party registrars in response to court orders.
RegistrarSEC appears to be the preferred registrar for Facebook’s defensive domains. Its domains under management number has been growing by hundreds per month for the last few years. It has over 8,500 names currently.
RegistrarSafe is the sponsoring registrar for about 175 of Facebook’s key domains, such as facebook.com and instagram.com.
Facebook’s UDRP wins seem to usually wind up at law firm Hogan Lovells’ registrar.
Facebook WILL sue more registrars for cybersquatting
Facebook has already sued two domain name registrars for alleged cybersquatting and said yesterday that it will sue again.
Last week, Namecheap became the second registrar in Facebook’s legal crosshairs, sued in in its native Arizona after allegedly failing to take down or reveal contact info for 45 domains that very much seem to infringe on its Facebook, Instagram and WhatsApp trademarks.
In the complaint (pdf), which also names Namecheap’s Panama-based proxy service Whoisguard as a defendant, the social media juggernaut claims that Whoisguard and therefore Namecheap is the legal registrant for dozens of clear-cut cases of cybersquatting including facebo0k-login.com, facebok-securty.com, facebokloginpage.site and facebooksupport.email.
In a brief statement, Facebook said these domains “aim to deceive people by pretending to be affiliated with Facebook apps” and “can trick people into believing they are legitimate and are often used for phishing, fraud and scams”.
Namecheap was asked to reveal the true registrants behind these Whoisguard domains between October 2018 and February 2020 but decline to do so, according to Facebook.
The complaint is very similar to one filed against OnlineNIC (pdf) in October.
And, according to Margie Milam, IP enforcement and DNS policy lead at Facebook, it won’t be the last such lawsuit.
Speaking at the second public forum at ICANN 67 yesterday, she said:
This is the second in a series of lawsuits Facebook will file to protect people from the harm caused by DNS abuse… While Facebook will continue to file lawsuits to protect people from harm, lawsuits are not the answer. Our preference is instead to have ICANN enforce and fully implement new policies, such as the proxy policy, and establish better rules for Whois.
Make no mistake, this is an open threat to fence-sitting registrars to either play ball with Facebook’s regular, often voluminous requests for private Whois data, or get taken to court. All the major registrars will have heard her comments.
Namecheap responded to its lawsuit by characterizing it as “just another attack on privacy and due process in order to strong-arm companies that have services like WhoisGuard”, according to a statement from CEO Richard Kirkendall.
The registrar has not yet had time to file its formal reply to the legal complaint, but its position appears to be that the domains in question were investigated, found to not be engaging in nefarious activity, and were therefore vanilla cases of trademark infringement best dealt with using the UDRP anti-cybersquatting process. Kirkendall said:
We actively remove any evidence-based abuse of our services on a daily basis. Where there is no clear evidence of abuse, or when it is purely a trademark claim, Namecheap will direct complainants, such as Facebook, to follow industry-standard protocol. Outside of said protocol, a legal court order is always required to provide private user information.
UDRP complaints usually take several weeks to process, which is not much of a tool to be used against phishing attacks, which emerge quickly and usually wind down in a matter of a few days.
Facebook’s legal campaign comes in the context of an ongoing fight about access to Whois data. The company has been complaining about registrars failing to hand over customer data ever since Europe’s GDPR privacy regulation came into effect, closely followed by a new, temporary ICANN Whois policy, in May 2018.
Back then, its requests showed clear signs of over-reach, though the company claims to have scaled-back its requests in the meantime.
The lawsuits also come in the context of renewed attacks at ICANN 67 on ICANN and the domain industry for failing to tackle so-called “DNS abuse”, which I will get to in a follow-up article.
“Stringent” new online censorship law could affect domain companies
Blame Zuck.
The UK government is planning to introduce what it calls “stringent” new laws to tackle abusive behavior online, and there’s a chance it could wind up capturing domain name registries and registrars in its net.
The Department for Culture, Media and Sport this morning published what it calls the Online Harms White Paper, an initial 12-week consultation document that could lead to legislation being drafted at a later date.
The paper calls for the creation of a new independent regulator, charged with overseeing social media companies’ efforts to reduce the availability of content such as incitements to violence, self-harm, suicide, child abuse, “hate crime” and even “fake news”.
It basically would increase the amount of liability that companies have for user-generated content hosted on their services, even when that content is not necessarily illegal but is nevertheless considered “harmful”.
The regulator would have to create a code of conduct for companies the legislation covers to abide by.
When the code is breached, the regulator would have the authority to issue fines — possibly comparable to the 4% of profits that can be fined under GDPR — against not only the companies themselves but also their senior management.
The paper seems to most directly address ongoing tabloid scandals related to Facebook and its ilk, such as the suicide of Molly Russell, a 14-year-old who viewed material related to self-harm on Instagram before her death.
While it does not mention domain names once, the government clearly anticipates casting a wide net. The paper states:
The scope will include companies from a range of sectors, including social media companies, public discussion forums, retailers that allow users to review products online, along with non-profit organisations, file sharing sites and cloud hosting providers.
That’s a broad enough definition such that it could even cover blogs, including this one, that allow users to post comments.
The paper also discusses asking search engines to remove sites from their indexes, and compelling ISPs to block abusive sites as a “last resort” measure.
There’s a short mental hop from ISP blocking to domain name takedowns, in my view.
The paper also discusses steps the regulator could take to ensure companies with no UK legal presence are still covered by the rules.
While the paper, as I say, does not mention the domain name industry once, subsidiary services provided by registrars, such as hosting, could be directly affected.
There’s no guarantee that the paper will become a bill. There’s already a backlash from those who believe it constitutes unacceptable censorship, comparable to regimes such as in China.
There’s also no guarantee such a bill would eventually become law. The UK government is arguably currently the weakest it has ever been, with a propped-up minority in Parliament and many MPs in open revolt over Brexit.
With talk of an early general election incessant recently, it’s also possible the government may not last long enough to bring its plans to fruition.
Still, it’s probably something the domain industry, including ICANN, should probably keep an eye on.
The full 100-page white paper can be found here (pdf) and an executive summary can be read here.
Whois vacuum AppDetex raises $10 million
Brand protection registrar AppDetex, which counts Facebook as its key customer, has raised $10 million in funding.
It’s the second round of venture capital for the six-year-old Boise, Idaho company. This one was led by First Analysis, with first-round investors EPIC Ventures and Origin Ventures each also taking an extra piece.
AppDetex says it has raised $17.5 million to date.
The company will be best known to registrars and other DI readers for its attempts last year to vacuum up vast amounts of Whois data, post-GDPR, on behalf of mainly Facebook.
The AppDetex WHOIS Requestor System (AWRS) is a semi-automated service that streamlines the process of requesting unredacted Whois records from registrars. I was given a demo last October.
The company came in for criticism for allegedly misrepresenting the results of its initial testing of the system, using the data to lobby ICANN and to market its product.
But AppDetex is apparently not just about the domains. It also offers brand monitoring services for social media platforms, app stores and web sites.
As a registrar, the company had a little over 1,500 gTLD domains under management at the last count, so the new investment is clearly not based upon its prowess as a volume registrar but rather on its value-added managed services.
AppDetex was founded by Faisal Shah (a founder of MarkMonitor) and Chris Bura (previously of AllDomains.com) in 2012.
The company has been closely affiliated with Facebook for some time.
Back in 2016, Facebook acquired RegistrarSEC, a registrar accreditation run by Shah and Bura that at the time was actually doing business under the name “AppDetex”, in order to protect Instagram.com from a Chinese court.
AppDetex has also hired staff from Facebook, and its general counsel is married to Facebook’s head of domain strategy.
According to data Tucows released a month ago, almost two thirds of the Whois requests it received since GDPR came into effect came from Facebook and AppDetex.
Surprise! Most private Whois look-ups come from Facebook
Facebook is behind almost two-thirds of requests for private Whois data, according to stats published by Tucows this week.
Tucows said that it has received 2,100 requests for Whois data since it started redacting records in the public database when the General Data Protection Regulation came into effect last May.
But 65% of these requests came from Facebook and its proxy, AppDetex, that has been hammering many registrars with Whois requests for months.
AppDetex is an ICANN-accredited brand-protection registrar, which counts Facebook as its primary client. It’s developed a workflow tool that allows it, or its clients, to semi-automatically send out Whois requests to registrars.
It sent at least 9,000 such requests between June and October, and has twice sent data to ICANN complaining about registrars not responding adequately to its requests.
Tucows has arguably been the registrar most vocally opposed to AppDetex’s campaign, accusing it of artificially inflating the number of Whois requests sent to registrars for political reasons.
An ICANN policy working group will soon begin to discuss whether companies such as Facebook, as well as security and law enforcement interests, should be able to get credentials enabling them to access private Whois data.
Tucows notes that it sees spikes in Whois requests coinciding with ICANN meetings.
Tucows said its data shows that 92% of the disclosure requests it has received so far come from “commercial interests”, mostly either trademark or copyright owners.
Of this 92%, 85% were identified as trademark interests, and 76% of those were Facebook.
Law enforcement accounted for 2% of requests, and security researchers 1%, Tucows said.
This is how AppDetex works
A small brand-protection registrar with a big friend caused quite a stir at ICANN 63 here in Barcelona this week, after accusing registrars for the second time of shirking their duties to disclose private Whois data to trademark owners.
AppDetex, which has close ties to Facebook, has sent something like 9,000 Whois requests to registrars over the last several months, then complained to ICANN last week that it only got a 3% response rate.
Registrars cried foul, saying that the company’s requests are too vague to action and sometimes seem farcical, suggesting an indiscriminate, automated system almost designed to be overly burdensome to them.
In chats with DI this week, AppDetex CEO Faisal Shah, general counsel Ben Milam and consultant Susan Kawaguchi claimed that the system is nowhere near as spammy as registrars think, then showed me a demo of their Whois Requester product that certainly seemed to support that claim.
First off, Whois Requester appears to be only partially automated.
Tucows had noted in a letter to ICANN that it had received requests related to domains including lincolnstainedglass.com and grifflnstafford.com, which contain strings that look a bit like the “Insta” trademark but are clearly not cybersquatting.
“That no human reviewed these domains was obvious, as the above examples are not isolated,” Tucows CEO Elliot Noss wrote.
“It is abundantly clear to us that the requests we received were generated by an automated system,” Blacknight CEO Michele Neylon, who said he had received similarly odd requests, wrote in his own letter.
But, according to AppDetex, these assumptions are not correct.
Only part of its service is automated, they said. Humans — either customers or AppDetex in-house “brand analysts” — were involved in sending out all the Whois requests generated via its system.
AppDetex itself does not generate the lists of domains of concern for its clients, they said. That’s done separately, using unrelated tools, by the clients themselves.
It’s possible these could be generated from zone files, watch services, abuse reports or something else. The usage of the domain, not just its similarity to the trademark in question, would also play a role.
Facebook, for example, could generate its own list of domains that contain strings matching, partially matching, or homographically similar to its trademarks, then manually input those domains into the AppDetex tool.
The product features the ability to upload lists of domains in bulk in a CSV file, but Kawaguchi told me this feature has never been used.
Once a domain has been input to main Whois Requester web form, a port 43 Whois lookup is automatically carried out in the background and the form is populated with data such as registrar name, Whois server, IANA number and abuse email address.
At this point, human intervention appears to be required to visually confirm whether the Whois result has been redacted or not. This might require also going to the registrar’s web-based Whois, as some registrars return different results over port 43 compared to their web sites.
If a redacted record is returned, users can then select the trademark at issue from a drop-down (Whois Requestor stores its’ customers trademark information) and select a “purpose” from a different drop-down.
The “purposes” could include things like “trademark investigation” or “phishing investigation”. Each generates a different piece of pre-written text to be used in the template Whois request.
Users can then choose to generate, manually approve, and send off the Whois request to the relevant registrar abuse address. The request may have a “form of authorization” attached — a legal statement that AppDetex is authorized to ask for the data on behalf of its client.
Replies from registrars are sent to an AppDetex email address and fed into a workflow tool that looks a bit like an email inbox.
As the demo I saw was on the live Whois Requester site with a dummy account, I did not get a view into what happens after the initial request has been sent.
Registrars have complained that AppDetex does not reply to their responses to these initial requests, which is a key reason they believe them frivolous.
Shah and Milam told me that over the last several months, if a registrar reply has included a request for additional information, the Whois Requester system has been updated with a new template for that registrar, and the request resent.
This, they said, may account for duplicate requests registrars have been experiencing, though two registrars I put this to dispute whether it fits with what they’ve been seeing.
The fact that human review is required before requests are sent out “just makes it worse”, they also said.
ICANN 63, Day 0 — registrars bollock DI as Whois debate kicks off
Blameless, cherubic domain industry news blogger Kevin Murphy received a bollocking from registrars over recent coverage of Whois reform yesterday, as he attended the first day of ICANN 63, here in Barcelona.
Meanwhile, the community working group tasked with designing this reform put in a 10-hour shift of face-to-face talks, attempting to craft the language that will, they hope, bring ICANN’s Whois policy into line with European privacy law.
Talks within this Expedited Policy Development Process working group have not progressed a massive amount since I last reported on the state of affairs.
They’re still talking about “purposes”. Basically, trying to write succinct statements that summarize why entities in the domain name ecosystem collect personally identifiable information from registrants.
Knowing why you’re collecting data, and explaining why to your customers, is one of the things you have to do under the General Data Protection Regulation.
Yesterday, the EPDP spent pretty much the entire day arguing over what the “purposes” of ICANN — as opposed to registries, registrars, or anyone else — are.
The group spent the first half of the day trying to agree on language explaining ICANN’s role in coordinating DNS security, and how setting policies concerning third-party access to private Whois data might play a role in that.
The main sticking point was the extent to which these third parties get a mention in the language.
Too little, and the Intellectual Property Constituency complains that their “legitimate interests” are being overlooked; too much, and the Non-Commercial Stakeholders Group cries that ICANN is overstepping its mission by turning itself into a vehicle for trademark enforcement.
The second half of the day was spent dealing with language explaining why collecting personal data helps to establish ownership of domains, which is apparently more complicated than it sounds.
Part of this debate was over whether registrants have “rights” — such as the right to use a domain name they paid for.
GoDaddy policy VP James Bladel spent a while arguing against this legally charged word, again favoring “benefits”, but appeared to eventually back down.
It was also debated whether relatively straightforward stuff such as activating a domain in the DNS by publishing name servers can be classed as the disclosure of personal data.
The group made progress reaching consensus on both sets of purposes, but damn if it wasn’t slow, painful progress.
The EPDP group will present its current state of play at a “High Interest Topic” session on Monday afternoon, but don’t expect to see its Initial Report this week as originally planned. That’s been delayed until next month.
While the EPDP slogs away, there’s a fair bit of back-channel lobbying of ICANN board and management going on.
All the players with a significant vested interest in the outcome are writing letters, conducting surveys, and so on, in order to persuade ICANN that it either does or does not need to create a “unified access model” that would allow some parties to carry on accessing private Whois data more or less the same way as they always have.
One such effort is the one I blogged about on Thursday, shortly before heading off to Barcelona, AppDetex’s claims that registrars have ignored or not sufficiently responded to some 9,000 automated requests for Whois data that its clients (notably Facebook) has spammed them with recently.
Registrars online and in-person gave me a bollocking over the post, which they said was one-sided and not in keeping with DI’s world-renowned record of fairness, impartiality and all-round awesomeness (I’m paraphrasing).
But, yeah, they may have a point.
It turns out the registrars still have serious beef with AppDetex’s bulk Whois requests, even with recent changes that attempt to scale back the volume of data demanded and provide more clarity about the nature of the request.
They suspect that AppDetex is simply trawling through zone files for strings that partially match a handful of Facebook’s trademarks, then spamming out thousands of data requests that fail to specify which trademarks are being infringed and how they are being infringed.
They further claim that AppDetex and its clients do not respond to registrars’ replies, suggesting that perhaps the aim of the game here is to gather data not about the owner of domains but about registrars’ alleged non-compliance with policy, thereby propping up the urgent case for a unified access mechanism.
AppDetex, in its defence, has been telling registrars on their private mailing list that it wants to carry on working with them to refine its notices.
The IP crowd and registrars are not the only ones fighting in the corridors, though.
The NCSG also last week shot off a strongly worded missive to ICANN, alleging that the organization has thrown in with the IP lobby, making a unified Whois access service look like a fait accompli, regardless of the outcome of the EPDP. ICANN has denied this.
Meanwhile, cybersecurity interests have also shot ICANN the results of a survey, saying they believe internet security is suffering in the wake of ICANN’s response to GDPR.
I’m going to get to both of these sets of correspondence in later posts, so please don’t give me a corridor bollocking for giving them short shrift here.
UPDATE: Minutes after posting this article, I obtained a letter Tucows has sent to ICANN, ripping into AppDetex’s “outrageous” campaign.
Tucows complains that it is being asked, in effect, to act as quality control for AppDetex’s work-in-progress software, and says the volume of spurious requests being generated would be enough for it ban AppDetex as a “vexatious reporter”.
AppDetex’s system apparently thinks “grifflnstafford.com” infringes on Facebook’s “Insta” trademark.
UPDATE 2: Fellow registrar Blacknight has also written to ICANN today to denounce AppDetex’s strategy, saying the “automated” requests it has been sending out are “not sincere”.
Registrars still not responding to private Whois requests
Registrars are still largely ignoring requests for private Whois data, according to a brand protection company working for Facebook.
AppDetex wrote to ICANN (pdf) last week to say that only 3% of some 9,000 requests it has made recently have resulted in the delivery of full Whois records.
Almost 60% of these requests were completely ignored, the company claimed, and 0.4% resulted in a request for payment.
You may recall that AppDetex back in July filed 500 Whois requests with registrars on behalf of client Facebook, with which it has a close relationship.
Then, only one registrar complied to AppDetex’s satisfaction.
Company general counsel Ben Milam now tells ICANN that more of its customers (presumably, he means not just Facebook) are using its system for automatically generating Whois requests.
He also says that these requests now contain more information, such as a contact name and number, after criticism from registrars that its demands were far too vague.
AppDetex is also no longer demanding reverse-Whois data — a list of domains owned by the same registrant, something not even possible under the old Whois system — and is limiting each of its requests to a single domain, according to Milam’s letter.
Registrars are still refusing to hand over the information, he wrote, with 11.4% of requests creating responses demanding a legal subpoena or UDRP filing.
The company reckons this behavior is in violation of ICANN’s Whois Temporary Specification.
The Temp Spec says registrars “must provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party”.
The ICANN community has not yet come up with a sustainable solution for third-party access to private Whois. It’s likely to be the hottest topic at ICANN 63 in Barcelona, which kicks off this weekend.
Whois records for gTLD domains are of course, post-GDPR, redacted of all personally identifiable information, which irks big brand owners who feel they need it in order to chase cybersquatters.
Recent Comments