Latest news of the domain name industry

Recent Posts

Whois privacy will soon be free for most domains

Kevin Murphy, March 5, 2018, Domain Policy

Enormous changes are coming to Whois that could mark the end of Whois privacy services this year.

ICANN has proposed a new Whois model that would anonymize the majority of domain name registrants’ personal data by default, only giving access to the data to certain certified entities such as the police.

The model, published on Friday and now open for comment, could change in some of the finer details but is likely being implemented already at many registries and registrars.

Gone will be the days when a Whois lookup reveals the name, email address, physical address and phone number of the domain’s owner.

After the model is implemented, Whois users will instead merely see the registrant’s state/province and country, organization (if they have one) and an anonymized, forwarding email address or web form for contact purposes.

Essentially, most Whois records will look very much like those currently hiding behind paid-for proxy/privacy services.

Technical data such as the registrar (and their abuse contact), registration and expiry dates, status code, name servers and DNSSEC information would still be displayed.

Registrants would have the right to opt in to having their full record displayed in the public Whois.

Anyone wanting to view the full record would have to be certified in advance and have their credentials stored in a centralized clearinghouse operated by or for ICANN.

The Governmental Advisory Committee would have a big hand in deciding who gets to be certified, but it would at first include law enforcement and other governmental agencies.

This would likely be expanded in future to include the likes of security professionals and intellectual property lawyers (still no word from ICANN how the legitimate interests of the media or domain investors will be addressed) but there could be a window in which these groups are hamstrung by a lack of access to thick records.

The proposed model is ICANN’s attempt to bring Whois policy, which is enforced in its contracts with registries and registrars, into line with GDPR, the European Union’s General Data Protection Regulation, which kicks in fully in May.

The model would apply to all gTLD domains where there is some connection to the European Economic Area.

If the registrar, registry, registrant or a third party processor such as an escrow agent is based in the EEA, they will have to comply with the new Whois model.

Depending on how registrars implement the model in practice (they have the option to apply it to all domains everywhere) this means that the majority of the world’s 188 million gTLD domains will probably be affected.

While GDPR applies to only personal data about actual people (as opposed to legal persons such as companies), the ICANN model makes no such distinction. Even domains owned by legal entities would have their records anonymized.

The rationale for this lack of nuance is that even domains owned by companies may contain personal information — about employees, presumably — in their Whois records.

Domains in ccTLDs with EEA connections will not be bound to the ICANN model, but will rather have to adopt it voluntarily or come up with their own ways to become GDPR compliant.

The two largest European ccTLDs — .uk and Germany’s .de, which between them account for something like 28 million domains — last week separately outlined their plans.

Nominet said that from May 25 it will no longer publish the name or contact information of .uk registrants in public Whois without their explicit consent. DENIC said something similar too.

Here’s a table of what would be shown in public Whois, should the proposed ICANN model be implemented.

Domain NameDisplay
Registry Domain IDDisplay
Registrar WHOIS ServerDisplay
Registrar URLDisplay
Updated DateDisplay
Creation DateDisplay
Registry Expiry DataDisplay
Registrar Registration Expiration DateDisplay
RegistrarDisplay
Registrar IANA IDDisplay
Registrar Abuse Contact EmailDisplay
Registrar Abuse Contact PhoneDisplay
ResellerDisplay
Domain StatusDisplay
Domain StatusDisplay
Domain StatusDisplay
Registry Registrant IDDo not display
Registrant NameDo not display
Registrant OrganizationDisplay
Registrant StreetDo not display
Registrant CityDo not display
Registrant State/ProvinceDisplay
Registrant Postal CodeDo not display
Registrant CountryDisplay
Registrant PhoneDo not display
Registrant Phone ExtDo not display
Registrant FaxDo not display
Registrant Fax ExtDo not display
Registrant EmailAnonymized email or web form
Registry Admin IDDo not display
Admin NameDo not display
Admin OrganizationDo not display
Admin StreetDo not display
Admin CityDo not display
Admin State/ProvinceDo not display
Admin Postal CodeDo not display
Admin CountryDo not display
Admin PhoneDo not display
Admin Phone ExtDo not display
Admin FaxDo not display
Admin Fax ExtDo not display
Admin EmailAnonymized email or web form
Registry Tech IDDo not display
Tech NameDo not display
Tech OrganizationDo not display
Tech StreetDo not display
Tech CityDo not display
Tech State/ProvinceDo not display
Tech Postal CodeDo not display
Tech CountryDo not display
Tech PhoneDo not display
Tech Phone ExtDo not display
Tech FaxDo not display
Tech Fax ExtDo not display
Tech EmailAnonymized email or web form
Name ServerDisplay
Name ServerDisplay
DNSSECDisplay
DNSSECDisplay
URL of ICANN Whois Inaccuracy Complaint FormDisplay
>>> Last update of WHOIS databaseDisplay

The proposal is open for comment, with ICANN CEO Goran Marby requesting emailed input before the ICANN 61 public meeting kicks off in Puerto Rico this weekend.

With just a couple of months left before the law, with its huge fines, kicks in, expect GDPR to be THE hot topic at this meeting.

ICANN chief to lead talks over blocked .amazon gTLD

Kevin Murphy, February 14, 2018, Domain Policy

ICANN CEO Goran Marby has been asked to help Amazon come to terms with several South American governments over its controversial bid for the .amazon gTLD.

The organization’s board of directors passed a resolution last week accepting the suggestion, which came from the Governmental Advisory Committee. The board said:

The ICANN Board accepts the GAC advice and has asked the ICANN org President and CEO to facilitate negotiations between the Amazon Cooperation Treaty Organization’s (ACTO) member states and the Amazon corporation

Governments, prominently Peru and Brazil, have strongly objected to .amazon on the grounds that the “Amazon” river and rain-forest region, known locally as “Amazonas” should be a protected geographic term.

Amazon’s applications for .amazon and two Asian-script translations were rejected a few years ago after the GAC sided with its South American members and filed advice objecting to the gTLDs.

A subsequent Independent Review Process panel last year found that ICANN had given far too much deference to the GAC advice, which came with little to no evidence-based justification.

The panel told ICANN to “promptly” take another look at the applications and “make an objective and independent judgment regarding whether there are, in fact, well-founded, merits-based public policy reasons for denying Amazon’s applications”.

Despite this, the .amazon application is still classified as “Will Not Proceed” on ICANN’s web site. That’s basically another way of saying “rejected” or “denied”.

Amazon the company has promised to protect key domains, such as “rainforest.amazon”, if it gets to run the gTLDs. Governments would get to help create a list of reserved, sensitive domains.

It’s also promised to actively support any future bids for .amazonas supported by the governments concerned.

.amazon would be a dot-brand, so only Amazon would be able to register names there.

New Trump appointee slams ICANN after security group shutdown

Kevin Murphy, December 19, 2017, Domain Policy

Not even a month into the job, the US official with most direct responsibility over domain name policy has criticized ICANN for shutting down a security working group.

David Redl, the new assistant secretary at the National Telecommunications and Information Administration, wrote to ICANN (pdf) last week to complain about its board unilaterally shutting down, temporarily, its supposedly independent Security, Stability and Resiliency of the DNS Review team.

He wrote that the action “calls into question” ICANN’s commitment to transparency and accountability, writing:

Everything documented to date about these reviews stresses the importance of openness, transparency and community consultation. Unfortunately, it seems that with the October 28th action, the ICANN Board violated these principles by substituting its judgement for that of the community.

SSR-2, as it is known, is one of the reviews previously mandated by ICANN’s Affirmation of Commitments with the US government (via the NTIA) but which can now be found instead embedded in its bylaws.

The ICANN board of directors temporarily suspended it in October, something like a soft reboot, after growing concerned that it was stepping outside of its mandate and that its members lacked expertise.

The move attracted broad criticism and it would be disingenuous of me to suggest that Redl’s position is a controversial one — you’d be hard pressed to find any section of the community that wholeheartedly supports the board’s action.

Indeed, the US representative to the Governmental Advisory Committee voiced similar concerns at the ICANN meeting in Abu Dhabi in late October, prior to Redl’s confirmation to the NTIA job.

Redl took the post November 21, having been nominated by Donald Trump back in May, replacing Obama appointee Larry Strickling, who left the agency in January.

He’s the first NTIA chief since ICANN’s inception not to enjoy the special position of power over ICANN granted by the old IANA contract, which was scrapped in September 2016.

Concern as ICANN shuts down “independent” security review

Kevin Murphy, October 31, 2017, Domain Policy

Just a year after gaining its independence from the US government, ICANN has come under scrutiny over concerns that its board of directors may have overstepped its powers.

The board has come in for criticism from almost everyone expressing an opinion at the ICANN 60 meeting in Abu Dhabi this week, after it temporarily suspended a supposedly independent security review.

The Security, Stability and Resiliency of the DNS Review, known as SSR-2, is one of the mandatory reviews that got transferred into ICANN’s bylaws after the Affirmation of Commitments with the US wound up last year.

The review is supposed to look at ICANN’s “execution of its commitment to enhance the operational stability, reliability, resiliency, security, and global interoperability of the systems and processes, both internal and external, that directly affect and/or are affected by the Internet’s system of unique identifiers that ICANN coordinates”.

The 14 to 16 volunteer members have been working for about eight months, but at the weekend the ICANN board pulled the plug, saying in a letter to the review team that it had decided “to suspend the review team’s work” and said its work “should be paused”.

Chair Steve Crocker clarified in sessions over the weekend and yesterday that it was a direction, not a request, but that the pause was merely “a moment to take stock and then get started again”.

Incoming chair Cherine Chalaby said in various sessions today and yesterday that the community — which I take to mean the leaders of the various interest groups — is now tasked with un-pausing the work.

Incoming vice-chair Chris Disspain told community leaders in an email (pdf) yesterday:

The Board has not usurped the community’s authority with respect to this review. Rather, we are asking the SOs and ACs to consider the concerns we have heard and determine whether or not adjustments are needed. We believe that a temporary pause in the SSR2 work while this consideration is under way is a sensible approach designed to ensure stakeholders can reach a common understanding on the appropriate scope and work plan

Confusion has nevertheless arise among community members, and some serious concerns and criticisms have been raised by commercial and non-commercial interests — including governments — over the last few days in Abu Dhabi.

But the board’s concerns with the work of SSR-2 seem to date back a few months, to the Johannesburg meeting in June, at which Crocker said “dangerous signals” were observed.

It’s not clear what he was referring to there, but the first serious push-back by ICANN came earlier this month, when board liaison Kaveh Ranjbar, apparently only appointed to that role in June, emailed the group to say it was over-stepping its mandate.

Basically, the SSR-2 group’s plan to carry out a detailed audit of ICANN’s internal security profile seems to have put the willies up the ICANN organization and board.

Ranjbar wrote:

The areas the Board is concerned with are areas that indeed raise important organizational information security and organizational oversight questions. However, these are also areas that are not segregated for community review, and are the responsibility of the ICANN Organization (through the CEO) to perform under the oversight of the ICANN Board.

While we support the community in receiving information necessary to perform a full and meaningful review over ICANN’s SSR commitments, there are portions of the more detailed “audit” plan that do not seem appropriate for in-depth investigation by the subgroup. Maintaining a plan to proceed with detailed assessments of these areas is likely to result in recommendations that are not tethered to the scope of the SSR review, and as such, may not be appropriate for Board acceptance when recommendations are issued. This also can expand the time and resources needed to perform this part of the review.

This does not seem hugely unreasonable to me. This kind of audit could be expensive, time-consuming and — knowing ICANN’s history of “glitches” — could have easily exposed all kinds of embarrassing vulnerabilities to the public domain.

Ranjbar’s letter was followed up a day later with a missive (pdf) from the chair of ICANN’s Security and Stability Advisory Committee, which said the SSR-2’s work was doomed to fail.

Patrick Falstrom recommended a “temporarily halt” to the group’s work. He wrote:

One basic problem with the SSR2 work is that the review team seems neither to have sufficient external instruction about what to study nor to have been able to formulate a clear direction for itself. Whatever the case, the Review Team has spent hundreds of hours engaged in procedural matters and almost no progress has been made on substantive matters, which in turn has damaged the goodwill and forbearance of its members, some of whom are SSAC members. We are concerned that, left to its own devices, SSR2 is on a path to almost certain failure bringing a consequential loss of credibility in the accountability processes of ICANN and its community.

Now that ICANN has actually acted upon that recommendation, there’s concern that it sets a disturbing precedent for the board taking “unilateral” action to scupper supposedly independent accountability mechanisms.

The US government itself expressed concern, during a session between the board and the Governmental Advisory Committee in Abu Dhabi today.

“This is unprecedented,” US GAC rep Ashley Heineman said. “I just don’t believe it was ever an expectation that the ICANN board would unilaterally make a decision to pause or suspend this action. And that is a matter of concern for us.”

“It would be one thing if it was the community that specifically asked for a pause or if it was a review team that says ‘Hey, we’re having issues, we need a pause.’ What’s of concern here is that ICANN asked for this pause,” she said.

UK GACer Mark Carvell added that governments have been “receiving expressions of grave concern” about the move and urged “maximum transparency” as the SSR-2 gets back on track.

Jonathan Zuck of the Innovators Network Foundation, one of the volunteers who worked on ICANN’s transition from US government oversight, also expressed concern during the public forum session yesterday.

“I think having a fundamental accountability mechanism unilaterally put on hold is something that we should be concerned about in terms of process,” he said. “I’m not convinced that it was the only way to proceed and that from a precedential standpoint it’s not best way to proceed.”

Similar concerns were voiced by many other parts of the community as they met with the ICANN board throughout today and yesterday.

The problem now is that the bylaws do not account for a board-mandated “pause” in a review team’s work, so there’s no process to “unpause” it.

ICANN seems to have got itself tangled up in a procedural quagmire — again — but sessions later in the week have been scheduled in order for the community to begin to untangle the situation.

It doubt we’ll see a resolution this week. This is likely to run for a while.

Egyptian elected new GAC chair

Kevin Murphy, October 31, 2017, Domain Policy

Manal Ismail, Egypt’s representative to ICANN’s Governmental Advisory Committee, has been elected its new chair.

She will replace outgoing chair Thomas Schneider, a Swiss official, after the current ICANN 60 public meeting in Abu Dhabi wraps up later this week.

Ismail is director of international technical coordination at Egypt’s National Telecom Regulatory Authority, NTRA.

Schneider said he was stepping down from the GAC earlier this year, having received a promotion back home that will limit his availability for ICANN work.

The handover means that both the GAC and the ICANN board of directors will, from this Thursday, be chaired by Egyptians.

The ICANN board will on Thursday formally elect current vice chair Cherine Chalaby as Steve Crocker’s replacement.

Chalaby was born in Egypt, also holds British citizenship, and lives in the United States.

I believe it’s the first time both chair roles have been held by people of the same nationality.