Latest news of the domain name industry

Recent Posts

Registrars given six months to deploy Whois killer

Kevin Murphy, March 1, 2019, Domain Policy

ICANN has started the clock ticking on the mandatory industry-wide deployment of RDAP.

gTLD registries and registrars have until August 26 this year to roll out RDAP services, which will one day replace the age-old Whois spec, ICANN said this week.

Registration Data Access Protocol fulfills the same function as Whois, but it’s got better support for internationalization and, importantly given imminent work on Whois privacy, tiered access to data.

ICANN’s RDAP profile was created in conjunction with contracted parties and public comments. The registries and registrars knew it was coming and told ICANN this week that they’re happy for the 180-day implementation deadline to come into effect.

The profile basically specs out what registrars and registries have to show in their responses to Whois (or RDAP, if you’re being pedantic) queries.

It’s based on the current Temporary Specification for Whois, and will presumably have to be updated around May this year, when it is expected that the Temp Spec will be replaced by the spec created by the Whois EPDP.

Expect more Whois accuracy emails under new ICANN policy

Kevin Murphy, February 25, 2019, Domain Policy

Registrars will be obliged to send out even more Whois accuracy emails, under a set of recommendations being considered in ICANN.

Assuming recent recommendations out of the Whois policy working group are accepted, every registrant of a gTLD domain with something listed in the “Organization” field will receive a one-off mail from their registrar asking them to confirm its accuracy.

It’s Recommendation 12 of the EPDP Team Final Report, which was published last week (pdf) by ICANN’s first Expedited Policy Development Process working group.

In general, the Organization field would be redacted in the public Whois under the proposed policy, but registrants will be proactively asked if they want to opt in to having it published.

While registrars can pick their own methods to conduct this outreach, email seem like the most likely medium in the vast majority of cases.

These mails would be sent out the registrants of the over 192 million gTLD domains (if they have something in their Org field) at some point between May 2019, when ICANN is likely to formally adopt the policy, and February 29, 2020, which is EPDP group’s recommended implementation deadline.

In theory, the Org field is perhaps the main indicator of whether a domain is registered to a natural person (and therefore subject to the General Data Protection Regulation) or a legal person (and therefore not).

But it’s not uncommon for registrants or registrars to simply populate the field with the name of the natural-person registrant, even when there’s no actual organization involved.

That’s a GDPR problem, as it means personally identifiable information could leak into the public Whois.

Under the EPDP’s recommendation, registrars would be obliged to reach out to their customers to confirm whether the contents of their Org field are correct, and to ask whether they want that information to be made public.

Opting in would mean the registrar would begin to publish Org data in the public Whois. Ignoring the email or actively refusing publication would mean your registrar would redact or delete this field.

After this mass outreach has finished, registrars would stop redacting the Org field, unless the registrant has not consented to its publication.

For new registrations, registrars would have to show you a prominent warning that the Org data will be published and get your consent for it to do so.

The recommendation is among 29 that were arrived at following over six months of intensive discussions in the EPDP group.

Others we’ve previously reported on include the total elimination of the Admin Contact, making the Technical Contact both smaller and completely optional, and the mandatory introduction of an anonymous means for Whois users to contact registrants.

The recommendations have been submitted to the GNSO Council, which will vote on them March 4.

The EPDP report will then be opened for 30 days of public comment, before being sent to the ICANN board of directors for a full, final vote.

The policy will replace the current Temporary Specification governing Whois, which the board rushed through on an emergency basis last May in order to make the DNS ecosystem as GDPR-compliant as possible when the EU law came into effect.

The EPDP group is expected to shortly enter “phase two” of its work, which will look at whether there should be a unified access mechanism for security and intellectual property interests to snoop on otherwise private Whois data.

Pritz quits Whois privacy group as work enters impossible second phase

Kevin Murphy, February 22, 2019, Domain Policy

Kurt Pritz has quit as chair of the ICANN group working on Whois policy for the GDPR era.

He informed the Whois Expedited Policy Development Process working group in a notice to its mailing list today, saying he was leaving for “a set of personal and professional reasons”.

He said he will stick around until his replacement is selected.

I understand three people had put themselves forward for the role when Pritz was originally selected last July, so there may be a couple of alternates already waiting in the wings.

The announcement comes at a pivotal time for the EPDP, and whoever takes over is going to have to have some seriously masochistic tendencies.

The 30-odd member group just this week put the finishing touches to its “phase one” initial report, which primarily sets out the formal legal purposes for which Whois data is collected and processed across the domain name ecosystem.

That’s going to be voted on by the GNSO Council in a vote delayed from this week to March 4 at the request of the Intellectual Property Constituency and Business Constituency, which want more time to review and comment on it.

For the EPDP WG, it’s soon time to move on to phase two, which will cover the creation (or not) of a unified access mechanism that trademark owners and the like could use to snoop on redacted Whois data.

Even the relatively easy tasks in phase one have been absolute murder on the volunteers and ICANN staff, who have been putting in four or more hours of teleconferences per week since August.

I’ve just been dipping in and out of the mailing list and listening to the odd teleconference, and the level of nitpicking over language has been agonizing to listen to.

Essentially, virtually every debate comes down to a face-off between the IP interests who want to insert as much language concerning access as possible, and those, such as non-commercial users, who oppose them. It sometimes comes across like a proxy war between Facebook and the Internet Governance Project.

More than once, naturally mild-mannered Pritz has had to delegate control to firm-handed mediators drafted in from a specialist outside agency.

Whoever takes over as chair has got his or her work cut out.

Surprise! Most private Whois look-ups come from Facebook

Kevin Murphy, February 20, 2019, Domain Policy

Facebook is behind almost two-thirds of requests for private Whois data, according to stats published by Tucows this week.

Tucows said that it has received 2,100 requests for Whois data since it started redacting records in the public database when the General Data Protection Regulation came into effect last May.

But 65% of these requests came from Facebook and its proxy, AppDetex, that has been hammering many registrars with Whois requests for months.

AppDetex is an ICANN-accredited brand-protection registrar, which counts Facebook as its primary client. It’s developed a workflow tool that allows it, or its clients, to semi-automatically send out Whois requests to registrars.

It sent at least 9,000 such requests between June and October, and has twice sent data to ICANN complaining about registrars not responding adequately to its requests.

Tucows has arguably been the registrar most vocally opposed to AppDetex’s campaign, accusing it of artificially inflating the number of Whois requests sent to registrars for political reasons.

An ICANN policy working group will soon begin to discuss whether companies such as Facebook, as well as security and law enforcement interests, should be able to get credentials enabling them to access private Whois data.

Tucows notes that it sees spikes in Whois requests coinciding with ICANN meetings.

Tucows said its data shows that 92% of the disclosure requests it has received so far come from “commercial interests”, mostly either trademark or copyright owners.

Of this 92%, 85% were identified as trademark interests, and 76% of those were Facebook.

Law enforcement accounted for 2% of requests, and security researchers 1%, Tucows said.

Crunch Whois privacy talks kick off

Kevin Murphy, January 16, 2019, Domain Policy

ICANN volunteers are meeting this week to attempt to finalize their recommendations on the future of Whois privacy.

Most members of the Expedited Policy Development Process working group have gathered in Toronto for three days of talks on what will likely become, in May this year, new contractually binding ICANN policy.

Discussions are kicking off pretty much at the same time this article is published and will last until Friday afternoon local time.

The EPDP group is due to publish its final report by February 1, leaving enough time for GNSO consideration, public comments, and an ICANN board of directors vote.

Its initial report, which recommended some big changes to Whois output, was published in November. Public comments on this report will lead to largely modest changes to the policy this week.

The timing is tight because Whois policy is currently governed by a one-year Temporary Specification, created by the ICANN board, which expires May 25.

The bulk of the work today will focus on formalizing the “purposes” of Whois data, something that is needed if ICANN policy is to be compliant with the EU General Data Protection Regulation.

The more controversial stuff, where consensus will be extraordinarily difficult to find, comes tomorrow, when the group discusses policies relating to privileged access to private Whois data.

This is the area where intellectual property and security interests, which want a program that enables them to get access to private data, have been clashing with non-commercial stakeholders, which accuse their opponents of advocating “surveillance”.

It’s not expected that a system of standardized, unified access will be created this week or by February 1. Rather, talks will focus on language committing ICANN to work on (or not) such a system in the near future.

Currently, there’s not even a consensus on what the definition of “consensus” is. It could be slow going.

Gluttons for punishment Observers can tune in to the view/listen-only Adobe Connect room for the meetings here.