Latest news of the domain name industry

Recent Posts

This is how AppDetex works

Kevin Murphy, October 25, 2018, Domain Services

A small brand-protection registrar with a big friend caused quite a stir at ICANN 63 here in Barcelona this week, after accusing registrars for the second time of shirking their duties to disclose private Whois data to trademark owners.

AppDetex, which has close ties to Facebook, has sent something like 9,000 Whois requests to registrars over the last several months, then complained to ICANN last week that it only got a 3% response rate.

Registrars cried foul, saying that the company’s requests are too vague to action and sometimes seem farcical, suggesting an indiscriminate, automated system almost designed to be overly burdensome to them.

In chats with DI this week, AppDetex CEO Faisal Shah, general counsel Ben Milam and consultant Susan Kawaguchi claimed that the system is nowhere near as spammy as registrars think, then showed me a demo of their Whois Requester product that certainly seemed to support that claim.

First off, Whois Requester appears to be only partially automated.

Tucows had noted in a letter to ICANN that it had received requests related to domains including lincolnstainedglass.com and grifflnstafford.com, which contain strings that look a bit like the “Insta” trademark but are clearly not cybersquatting.

“That no human reviewed these domains was obvious, as the above examples are not isolated,” Tucows CEO Elliot Noss wrote.

“It is abundantly clear to us that the requests we received were generated by an automated system,” Blacknight CEO Michele Neylon, who said he had received similarly odd requests, wrote in his own letter.

But, according to AppDetex, these assumptions are not correct.

Only part of its service is automated, they said. Humans — either customers or AppDetex in-house “brand analysts” — were involved in sending out all the Whois requests generated via its system.

AppDetex itself does not generate the lists of domains of concern for its clients, they said. That’s done separately, using unrelated tools, by the clients themselves.

It’s possible these could be generated from zone files, watch services, abuse reports or something else. The usage of the domain, not just its similarity to the trademark in question, would also play a role.

Facebook, for example, could generate its own list of domains that contain strings matching, partially matching, or homographically similar to its trademarks, then manually input those domains into the AppDetex tool.

The product features the ability to upload lists of domains in bulk in a CSV file, but Kawaguchi told me this feature has never been used.

Once a domain has been input to main Whois Requester web form, a port 43 Whois lookup is automatically carried out in the background and the form is populated with data such as registrar name, Whois server, IANA number and abuse email address.

At this point, human intervention appears to be required to visually confirm whether the Whois result has been redacted or not. This might require also going to the registrar’s web-based Whois, as some registrars return different results over port 43 compared to their web sites.

If a redacted record is returned, users can then select the trademark at issue from a drop-down (Whois Requestor stores its’ customers trademark information) and select a “purpose” from a different drop-down.

The “purposes” could include things like “trademark investigation” or “phishing investigation”. Each generates a different piece of pre-written text to be used in the template Whois request.

Users can then choose to generate, manually approve, and send off the Whois request to the relevant registrar abuse address. The request may have a “form of authorization” attached — a legal statement that AppDetex is authorized to ask for the data on behalf of its client.

Replies from registrars are sent to an AppDetex email address and fed into a workflow tool that looks a bit like an email inbox.

As the demo I saw was on the live Whois Requester site with a dummy account, I did not get a view into what happens after the initial request has been sent.

Registrars have complained that AppDetex does not reply to their responses to these initial requests, which is a key reason they believe them frivolous.

Shah and Milam told me that over the last several months, if a registrar reply has included a request for additional information, the Whois Requester system has been updated with a new template for that registrar, and the request resent.

This, they said, may account for duplicate requests registrars have been experiencing, though two registrars I put this to dispute whether it fits with what they’ve been seeing.

The fact that human review is required before requests are sent out “just makes it worse”, they also said.

ICANN denies it’s in bed with trademark lawyers

Kevin Murphy, October 21, 2018, Domain Policy

ICANN chair Cherine Chalaby has strongly denied claims from non-commercial stakeholders that its attitude to Whois reform is “biased” in favour of “special interests” such as trademark lawyers.

In a remarkably fast reply (pdf) to a scathing October 17 letter (pdf) from the current and incoming chairs of the Non-Commercial Stakeholders Group, Chalaby dismissed several of the NCSG’s claims of bias as “not true”.

The NCSG letter paints ICANN’s efforts to bring Whois policy into line with the General Data Protection Regulation as rather an effort to allow IP owners to avoid GDPR altogether.

It even suggests that ICANN may be veering into content regulation — something it has repeatedly and specifically disavowed — by referring to how Whois may be used to combat “fake news”.

The “demonstrated intention of ICANN org has been to ensure the unrestrained and unlawful access to personal data demanded by special interest groups”, the NCSG claimed.

It believes this primarily due to ICANN’s efforts to support the idea of a “unified access model” — a way for third parties with “legitimate interests” to get access to private Whois data.

ICANN has produced a couple of high-level framework documents for such a model, and CEO Goran Marby has posted articles playing up the negative effects of an inaccessible Whois.

But Marby has since insisted that a unified access model is still very much an “if”, entirely dependent on whether the community, in the form of the Whois EPDP working group, decides there should be one.

That message was reiterated in Chalaby’s new letter to the NCSG.

The conversation on whether to adopt such a model must continue, but the outcomes of those discussions are for the community to decide. We expect that the community, using the bottom-up multistakeholder model, will take into account all stakeholders’ views and concerns.

He denied that coordinating Whois data is equivalent to content regulation, saying it falls squarely within ICANN’s mandate.

“ICANN’s mission related to ‘access to’ this data has always encompassed lawful third-party access and use, including for purposes that may not fall within ICANN’s mission,” he wrote.

The exchange of letters comes as parties on the other side of the Whois debate also lobby ICANN and its governmental advisors over the need for Whois access.

ICANN 63, Day 0 — registrars bollock DI as Whois debate kicks off

Kevin Murphy, October 21, 2018, Domain Policy

Blameless, cherubic domain industry news blogger Kevin Murphy received a bollocking from registrars over recent coverage of Whois reform yesterday, as he attended the first day of ICANN 63, here in Barcelona.

Meanwhile, the community working group tasked with designing this reform put in a 10-hour shift of face-to-face talks, attempting to craft the language that will, they hope, bring ICANN’s Whois policy into line with European privacy law.

Talks within this Expedited Policy Development Process working group have not progressed a massive amount since I last reported on the state of affairs.

They’re still talking about “purposes”. Basically, trying to write succinct statements that summarize why entities in the domain name ecosystem collect personally identifiable information from registrants.

Knowing why you’re collecting data, and explaining why to your customers, is one of the things you have to do under the General Data Protection Regulation.

Yesterday, the EPDP spent pretty much the entire day arguing over what the “purposes” of ICANN — as opposed to registries, registrars, or anyone else — are.

The group spent the first half of the day trying to agree on language explaining ICANN’s role in coordinating DNS security, and how setting policies concerning third-party access to private Whois data might play a role in that.

The main sticking point was the extent to which these third parties get a mention in the language.

Too little, and the Intellectual Property Constituency complains that their “legitimate interests” are being overlooked; too much, and the Non-Commercial Stakeholders Group cries that ICANN is overstepping its mission by turning itself into a vehicle for trademark enforcement.

The second half of the day was spent dealing with language explaining why collecting personal data helps to establish ownership of domains, which is apparently more complicated than it sounds.

Part of this debate was over whether registrants have “rights” — such as the right to use a domain name they paid for.

GoDaddy policy VP James Bladel spent a while arguing against this legally charged word, again favoring “benefits”, but appeared to eventually back down.

It was also debated whether relatively straightforward stuff such as activating a domain in the DNS by publishing name servers can be classed as the disclosure of personal data.

The group made progress reaching consensus on both sets of purposes, but damn if it wasn’t slow, painful progress.

The EPDP group will present its current state of play at a “High Interest Topic” session on Monday afternoon, but don’t expect to see its Initial Report this week as originally planned. That’s been delayed until next month.

While the EPDP slogs away, there’s a fair bit of back-channel lobbying of ICANN board and management going on.

All the players with a significant vested interest in the outcome are writing letters, conducting surveys, and so on, in order to persuade ICANN that it either does or does not need to create a “unified access model” that would allow some parties to carry on accessing private Whois data more or less the same way as they always have.

One such effort is the one I blogged about on Thursday, shortly before heading off to Barcelona, AppDetex’s claims that registrars have ignored or not sufficiently responded to some 9,000 automated requests for Whois data that its clients (notably Facebook) has spammed them with recently.

Registrars online and in-person gave me a bollocking over the post, which they said was one-sided and not in keeping with DI’s world-renowned record of fairness, impartiality and all-round awesomeness (I’m paraphrasing).

But, yeah, they may have a point.

It turns out the registrars still have serious beef with AppDetex’s bulk Whois requests, even with recent changes that attempt to scale back the volume of data demanded and provide more clarity about the nature of the request.

They suspect that AppDetex is simply trawling through zone files for strings that partially match a handful of Facebook’s trademarks, then spamming out thousands of data requests that fail to specify which trademarks are being infringed and how they are being infringed.

They further claim that AppDetex and its clients do not respond to registrars’ replies, suggesting that perhaps the aim of the game here is to gather data not about the owner of domains but about registrars’ alleged non-compliance with policy, thereby propping up the urgent case for a unified access mechanism.

AppDetex, in its defence, has been telling registrars on their private mailing list that it wants to carry on working with them to refine its notices.

The IP crowd and registrars are not the only ones fighting in the corridors, though.

The NCSG also last week shot off a strongly worded missive to ICANN, alleging that the organization has thrown in with the IP lobby, making a unified Whois access service look like a fait accompli, regardless of the outcome of the EPDP. ICANN has denied this.

Meanwhile, cybersecurity interests have also shot ICANN the results of a survey, saying they believe internet security is suffering in the wake of ICANN’s response to GDPR.

I’m going to get to both of these sets of correspondence in later posts, so please don’t give me a corridor bollocking for giving them short shrift here.

UPDATE: Minutes after posting this article, I obtained a letter Tucows has sent to ICANN, ripping into AppDetex’s “outrageous” campaign.

Tucows complains that it is being asked, in effect, to act as quality control for AppDetex’s work-in-progress software, and says the volume of spurious requests being generated would be enough for it ban AppDetex as a “vexatious reporter”.

AppDetex’s system apparently thinks “grifflnstafford.com” infringes on Facebook’s “Insta” trademark.

UPDATE 2: Fellow registrar Blacknight has also written to ICANN today to denounce AppDetex’s strategy, saying the “automated” requests it has been sending out are “not sincere”.

Registrars still not responding to private Whois requests

Kevin Murphy, October 18, 2018, Domain Policy

Registrars are still largely ignoring requests for private Whois data, according to a brand protection company working for Facebook.

AppDetex wrote to ICANN (pdf) last week to say that only 3% of some 9,000 requests it has made recently have resulted in the delivery of full Whois records.

Almost 60% of these requests were completely ignored, the company claimed, and 0.4% resulted in a request for payment.

You may recall that AppDetex back in July filed 500 Whois requests with registrars on behalf of client Facebook, with which it has a close relationship.

Then, only one registrar complied to AppDetex’s satisfaction.

Company general counsel Ben Milam now tells ICANN that more of its customers (presumably, he means not just Facebook) are using its system for automatically generating Whois requests.

He also says that these requests now contain more information, such as a contact name and number, after criticism from registrars that its demands were far too vague.

AppDetex is also no longer demanding reverse-Whois data — a list of domains owned by the same registrant, something not even possible under the old Whois system — and is limiting each of its requests to a single domain, according to Milam’s letter.

Registrars are still refusing to hand over the information, he wrote, with 11.4% of requests creating responses demanding a legal subpoena or UDRP filing.

The company reckons this behavior is in violation of ICANN’s Whois Temporary Specification.

The Temp Spec says registrars “must provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party”.

The ICANN community has not yet come up with a sustainable solution for third-party access to private Whois. It’s likely to be the hottest topic at ICANN 63 in Barcelona, which kicks off this weekend.

Whois records for gTLD domains are of course, post-GDPR, redacted of all personally identifiable information, which irks big brand owners who feel they need it in order to chase cybersquatters.

Here’s what ICANN’s boss is saying about Whois access now

Kevin Murphy, October 4, 2018, Domain Policy

Should ICANN become the sole source for looking up private domain registrant data? That’s one of the options for the post-GDPR world of Whois currently being mulled over on Waterfront Drive.

ICANN CEO Goran Marby laid out some of ICANN’s current thinking on the future of Whois last week at an occasionally combative meeting in Los Angeles.

One idea would see ICANN act as a centralized gatekeeper for all Whois data. Another could risk ICANN becoming much more tightly controlled by governments.

I’ve listened to the recordings, read the transcripts, chatted to participants, and I’m going to attempt to summarize what I believe is the current state of play.

As regular DI readers know, post-GDPR Whois policy is currently being debated to a tight deadline by an Expedited Policy Development Process working group.

The work has been a tough slog, and there seems to be little hope of the EPDP closing all of its outstanding issues before its first conclusions are due under three weeks from now.

One of the outstanding issues not yet addressed in any depth by the group is the potential creation of a “unified access model” — a standardized way cops, trademark owners, cybersecurity professionals and others could look at the same Whois data they could look at just a few months ago.

While the EPDP has carried on deferring discussion of such a model, ICANN Org has in parallel been beavering away trying to figure out whether it’s even going to be legally possible under the new European privacy law to open up Whois data to the people who want to see it, and it’s come up with some potentially game-changing ideas.

After weeks of conference calls, the EPDP working group — made up of 30-odd volunteers from all sections of the ICANN community — met in LA for three days last week to get down to some intensive face-to-face arguments.

I gather the meeting was somewhat productive, but it was jolted by the publication of an ICANN blog post in which Marby attempted to update the community on ICANN’s latest efforts to get clarity on how GDPR legally interacts with Whois.

Marby wrote that ICANN “wants to understand whether there are opportunities for ICANN, beyond its role as one of the ‘controllers’ with respect to WHOIS or its contractual enforcement role, to be acknowledged under the law as the coordinating authority of the WHOIS system.”

What did ICANN mean by this? While “controller” is a term of art defined in mind-numbing detail by the GDPR, “coordinating authority” is not. So ICANN’s blog post was open to interpretation.

It turns out I was not the only person confused by the post, and on Tuesday afternoon last week somebody from the EPDP team collared Marby in the corridor at ICANN HQ and dragged him into the meeting room to explain himself.

He talked with them for about an hour, but some attendees were still nonplussed — some sounded downright angry — after he left the room.

This is what I gleaned from his words.

No End-Runs

First off, Marby was at pains to point out, repeatedly, that ICANN is not trying to bypass the community’s Whois work.

It’s up to the community — currently the EPDP working group, and in a few weeks the rest of you — to decide whether there should be a unified access model for Whois, he explained.

What ICANN Org is doing is trying to figure out is whether a unified access model would even be legal under GDPR and how it could be implemented if it is legal, he said.

“If the community decides we should have a policy about a unified access model, that’s your decision,” he told the group. “We are trying to figure out the legal avenues if it’s actually possible.”

He talked about this to persons unknown at the European Commission in Brussels last month.

Whatever ICANN comes up with would merely be one input to the community’s work, he said. If it discovers that a unified access model would be totally illegal, it will tell the community as much.

Marby said ICANN is looking for “a legal framework for how can we diminish the contracted parties’ legal responsibility” when it comes to GDPR.

So far, it’s come up with three broad ideas about how this could happen.

The Certification Body Idea

GDPR sections 40 to 43 talk about the concepts of “codes of conduct” and “certification bodies”.

It’s possible that ICANN was referring to the possibility of itself becoming a certification body when it blogged about being a “coordinating authority”. Marby, during the EPDP meeting, unhelpfully used the term “accreditation house”.

These hypothetical entities (as far as I know none yet exist) would be approved by either national data protection authorities or the pan-EU European Data Protection Board to administer certification schemes for companies that broadly fall into the same category of data processing businesses.

It seems to be tailor-made for ICANN (though it wasn’t), which already has accreditation of registries and registrars as one of its primary activities.

But this legal avenue does not appear to be a slam-dunk. ICANN would presumably have to persuade a DPA or two, or the EDPB, that giving third parties managed access to citizens’ private data is a good thing.

You’d think that DPAs would be dead against such an idea, but the EU members of ICANN’s Governmental Advisory Committee have put their names to advice stating that Whois should remain accessible under certain circumstances, so it’s not impossible they could see it ICANN’s way.

The C.R.A.P. Idea

Marby’s second idea for taking some of the GDPR burden off the shoulders of contracted parties is to basically make ICANN a proxy, or man-in-the-middle, for Whois queries.

“What would happen if ICANN Org legally is the only place you can ask a question through?” he said. “And the only ones that the contracted parties actually can answer a question to would be ICANN Org? Would that move the legal responsibility away from the contracted parties to ICANN Org?”

In many ways, this is typical domain industry tactics — if there’s a rule you don’t want to follow, pass it off to a proxy.

This model was referred to during the session by EPDP members as the “hub and spoke” or “starfish”. I think the starfish reference might have been a joke.

Marby, in a jocular callback to the “Calzone” and “Cannoli” Whois proposals briefly debated in the community earlier this year, said that this model had a secret ICANN-internal code-name that is “something to do with food”.

Because whenever I’ve tried to coin a phrase in the past it has never stuck, I figure this time I may as well go balls-out and call it the “Cuisine-Related Access Plan” for now, if for no other reason than the acronym will briefly annoy some readers.

Despite the name I’ve given it, I don’t necessarily dislike the idea.

It seems to be inspired by, or at least informed by, side-channel communications between Marby and the Intellectual Property Constituency and Business Constituency, which are both no doubt mightily pissed off that the EPDP has so far proven surprisingly resilient to their attempts to get Whois access into the policy discussions as early as possible.

Two months ago, a few influential IP lawyers proposed to Marby (pdf) a centralized Whois model in which registrars collect data from registrants then pass it off to ICANN, which would be responsible for deciding who gets to see it.

Forget “thin” versus “thick” Whois — this one would be positively, arguably dangerously, obese. Contracted parties would be relegated to “processors” of private data under GDPR, with ICANN the sole “controller”.

Benefits of this would include, these lawyers said, reducing contracted parties’ exposure to GDPR.

It’s pretty obvious why the IP lobby would prefer this — ICANN is generally much more amenable to its demands than your typical registry or registrar, and it would very probably be easier to squeeze data out of ICANN.

While Marby specifically acknowledged that ICANN has taken this suggestion as one of its inputs — and has run it by the DPAs — he stopped well short of fully endorsing it during last week’s meeting in LA.

He seemed to instead describe a system whereby ICANN acts as the gatekeeper to the data, but the data is still stored and controlled at the registry or registrar, saying: “We open a window for access to the data so the data is still at the contracted parties because they use that data for other reasons as well”.

The Insane Idea

The third option, which Marby seemed to characterize as the least “sane” of the three, would be to have Whois access recognized by law as a public interest, enabling the Whois ecosystem to basically ignore GDPR.

Remember, back on on GDPR Day, I told you about how the .dk ccTLD registry is carrying on publishing Whois as normal because a Danish law specifically forces it to?

Marby’s third option seems to be a little along those lines. He specifically referred to Denmark and Finland (which appears to have a similar rule in place) during the LA session.

If I understand correctly, it seems there’d have to be some kind of “legal action” in the EU — either legislation in a member state, or perhaps something a little less weighty — that specifically permitted or mandated the publication of otherwise private Whois data in gTLD domains.

Marby offered trademark databases and telephone directories as examples of data sets that appear to be exempt from GDPR protection due to preexisting legislation.

One problem with this third idea, some say, is that it could bring ICANN policy under the direct jurisdiction of a single nation state, something that it had with the US government for the best part of two decades and fought hard to shake off.

If ICANN was given carte blanche to evade GDPR by a piece of legislation in, say, Lithuania, would not ICANN and its global stakeholders forever be slaves to the whims of the Lithuanian legislature?

And what if that US bill granting IP interests their Whois wet dream passes onto the statute books and ICANN finds itself trapped in a jurisdictional clusterfuck?

Oh, my.

Fatuous Conclusion For The Lovely People Who Generously Bothered To Read To The End

I’m not a lawyer, so I don’t pretend to have a comprehensive understanding of any of this, but to be honest I’m not convinced the lawyers do either.

If you think you do, call me. I want to hear from you. I’m “domainincite” on Skype. Cheers.