Latest news of the domain name industry

Recent Posts

ICANN cancels registrar audit as GDPR headaches loom

Kevin Murphy, April 30, 2018, Domain Registrars

ICANN has decided to call off a scheduled audit of its registrar base, to enable registrars to focus on sorting out compliance with the General Data Protection Regulation.

The biannual audit, carried out by ICANN Compliance, was due to start in May. As you likely know by now, May 25 is GDPR Day, when the EU’s privacy law comes into full effect.

In a letter (pdf) to registrars, senior VP of compliance Jamie Hedlund said: “The April 2018 registrar audit round is on hold.”

He added: “We are reviewing the schedule, resources and risks associated with holding a single, larger audit round in autumn of 2018, as well as considering alternative approaches.”

His letter came in response to a plea (pdf) from Registrar Stakeholder Group chair Graeme Bunton, who said an audit that clashed with GDPR deadline would be an “enormous undertaking” for affected registrars.

The audits, which have been running for a few years, randomly select a subset of registries and registrars to spot-check compliance with their Registrar Accreditation Agreements and Registry Agreements.

The program looks at 20-odd areas of compliance, one of which is Whois provision.

Iceland breaks ranks on Whois, will publish emails

Kevin Murphy, April 30, 2018, Domain Policy

Iceland’s ccTLD has become what I believe is the first registry to state that it will continue to publish email addresses in public Whois records after the General Data Protection Regulation comes into effect.

The move seems to put the registry, ISNIC, in direct conflict with the opinions of European data protection authorities.

The company said in a statement last week that after GDPR comes into effect May 25 it will stop publishing almost all personal information about .is registrants in the public Whois.

However, it broke ranks with other European ccTLDs and the likely ruleset for ICANN-regulated gTLDs, by saying it would not expunge email addresses:

ISNIC will however, at least for the time being, continue to publish email addresses, country and techincal information of all NIC-handles associated with .is domains. Those customers (individuals) who have recorded a personally identifiable email address, and do not want it published, will need to change their .is WHOIS email address to something impersonal.

Registrants will be able to opt in to having their full details published.

ISNIC appears to be taking a principled stand against the Draconian regulation. It said in a statement:

Assuming that GDPR directive applies fully to the “WHOIS” service provided for decades by most ccTLD registries, these new restrictions will lead to less transparency in domain registrations and less trust in the domain registration system in general. ISNIC, as many others, strongly disagrees with the view of the European parlament [sic] in this matter and warns that GDPR, as it is being implemented, will neither lead to better privacy nor a safer network environment.

It’s a surprising decision, given that privacy regulators have indicated that they agree that email addresses are personal data that should not be published.

The Article 29 Working Party told ICANN earlier this month that it “welcomed” a proposal to replace email addresses with anonymized emails or web-based contact forms.

Nominet to charge brands for no-name Whois access

Kevin Murphy, April 23, 2018, Domain Registries

Nominet has become the second major registry to announce that trademark lawyers will have to pay for Whois after the EU General Data Protection Regulation comes into effect next month.

The company said late last week that it will offer the intellectual property community two tiers of Whois access.

First, they can pay for a searchable Whois with a much more limited output.

Nominet said that “users of the existing Searchable WHOIS who are not law enforcement will continue to have access to the service on a charged-for basis however the registrant name and address will be redacted”.

Second, they can request the full Whois record (including historical data) for a specific domain and get a response within one business day for no charge.

Approved law enforcement agencies will continue to get unfettered access to both services — with “enhanced output” for the searchable Whois — for no charge, Nominet said.

These changes were decided upon following a month-long consultation which accepted comments from interested parties.

Other significant changes incoming include:

  • Scrapping UK-presence requirements for second-level registrations.
  • Doing away with the current privacy services framework, offloading GDPR liability to registrars providing such services.
  • Creating a standard opt-in mechanism for registrants who wish for their personal data to be disclosed in public Whois.

Nominet is the second registry I’m aware of to say it will charge brand owners for Whois access, after CoCCA 10 days ago.

CoCCA has since stated that it will sell IP owners a PDF containing the entire unredacted Whois history of a domain for $3, if they declare that they have a legitimate interest in the domain.

It also said they will be able to buy zone file access to the dozens of TLDs running on the CoCCA platform for $88 per TLD.

Now GNSO mulls emergency response to GDPR deadline

Kevin Murphy, April 16, 2018, Domain Policy

ICANN’s GNSO Council is thinking about deploying a never-before-used emergency mechanism to develop a Whois privacy policy in response to GDPR.

With the May 25 deadline for compliance with the EU’s General Data Protection Regulation fast approaching, the community is scrambling to figure out how it can bring ICANN’s policies and therefore its contracts into line with the Draconian privacy provisions of the new law.

Currently, ICANN contracts with registries and registrars demand the publication of full Whois records, something GDPR will not permit, so each company in the industry is busily figuring out how its own Whois database will comply.

Fearful of a “fragmented” Whois, ICANN’s board of directors is considering deploying its own top-down emergency measure — called a Temporary Policy in its contracts — to ensure uniformity across its contracts.

CEO Goran Marby revealed to DI earlier this month that a Temporary Policy was being considered, and he and other members of the board confirmed as much to GNSO leadership during a telephone briefing last week.

(It should be noted that the call took place prior to the receipt last week of guidance from the EU Article 29 Working Party, which prompted ICANN to start mulling legal options as one way to buy the industry some time to comply post-May.)

The call (recorded here with password Eur3wiEK and summarized in this letter (pdf)), focused almost exclusively on how the Council could respond to a board-mandated Temporary Policy, with the board suggesting a GNSO Expedited Policy Development Process might be the best way to proceed.

A Temporary Policy would expire within a year, so the GNSO would have to come up with a formal Consensus Policy within that time-frame if ICANN were to have any hope of having a uniform view of Whois across its contracts.

The Temporary Policy is a “strong option” for the board, and a “highly likely or likely” outcome, but nothing has been formally decided, the GNSO leaders heard from ICANN vice-chair Chris Disspain. He was briefly challenged by Marby, who appeared somewhat more committed to the move.

While the GNSO Council has not yet formally decided to deploy the EPDP, it appears to be the most-feasible option to meet the deadline a Temporary Policy would impose.

It is estimated that an EPDP could take as little as 360 days, compared to the estimated 849 days of a regular PDP.

The EPDP cuts out several of the initial steps of a regular PDP — mainly the need for an Initial Report and associated public comment period — which by my reading would shorten the process by at least 100 days.

It also seems to give the GNSO some wriggle room in how the actual policy creation takes place. It appears that the regular “working group” structure could be replaced, for example, with a “drafting team”.

If the EPDP has the Temporary Policy and WP29 guidance as its baseline for discussions, that could also help cut out some of the circular argument that usually characterizes Whois discussions.

Aware that the EPDP is a strong possibility, the Council is currently planning to give itself a crash course in the process, which has never been used before by any iteration of the Council.

It’s uncharted territory for both the GNSO and the ICANN board, and the only people who seem to have a firm grasp on how the two emergency mechanisms slot together are the ICANN staffers who are paid to know such things.

UPDATE: A couple of hours after this article was published, ICANN posted this three-page flow-chart (pdf) comparing EPDP to PDP. Lots of luck.

CoCCA to charge trademark owners for Whois access

Kevin Murphy, April 14, 2018, Domain Registries

CoCCA has become the first domain registry to publicly announce that it will charge trademark owners for access to Whois records.

The company said it plans to release an updated version of its software and registry service, containing a range of features for ensuring General Data Protection Regulation compliance, on April 20.

The public Whois records of affected TLDs will have the name, email, phone and physical address of the registrant omitted, but only if the registrant is an EU resident or uses an EU-based registrar or reseller.

There will be ways to opt-out of this, for registrants who want their information public.

The changes will come into effect first at .af, .cx, .gs, .gy, .ht, .hn, .ki, .kn, .sb, .tl, .kn, .ms and .nf, CoCCA said.

But the registry runs almost 40 gTLDs on its shared infrastructure and has almost 20 more running its software. They’re all pretty small zones, mostly ccTLDs.

CoCCA said that it will give access to private data to law enforcement and members of the Secure Domain Foundation, a DNS reputation service provider.

But trademark owners will get hit in the wallet if they want the same privileges. CoCCA said:

intellectual property owners or other entities who have a legitimate interest in redacted data will be able to order historical abstracts online for a nominal fee (provided they sign an attestation).

While the affected TLDs are probably small enough that the IP lobby won’t be overly concerned today, if CoCCA’s policy becomes more widespread in the industry — which it well could — expect an outcry.