Latest news of the domain name industry

Recent Posts

ICANN slashes millions from its budget

Kevin Murphy, January 22, 2018, Domain Policy

ICANN has cut $5 million from its annual budget, warning the community that difficult decisions have to be made amid a slowing domain name market.

Staff and community members will all be affected by the cuts, whether in the form of less generous pay raises or fewer travel opportunities.

Cuts have also been proposed to international outreach, tech support, contractual compliance and translation services.

The organization at the weekend published for comment its proposed budget for fiscal 2019. That’s the year that begins July 1, 2018.

It would see ICANN spend $138 million, $5 million less than it expects to spend in fiscal 2018.

Four of the five top-line areas ICANN reports expenses will be cut for a total of $12 million in savings, while one of them — personnel — is going up by $7.3 million.

This rounds out to a $5 million cut to the total FY19 ICANN budget. Here’s the breakdown:

  • Personnel costs going up from $69.5 million to $76.8 million, up $7.3 million.
  • Travel and meetings costs are to go down from $17.8 million to $15.6 million, a $2.2 million saving.
  • Professional services costs will go down from $27.7 million to $23.4 million, a $4.3 million saving.
  • Administration and capital costs will go down from $22.5 million to $17.8 million, a $4.7 million saving.
  • The contingency budget is going down from $5.3 million to $4.5 million, a $800,000 saving.

Personnel costs are going up due to a combination of new hires and pay rises, but the average annual pay rise will be halved from 4% to 2%, saving $1.3 million, ICANN documentation states.

Headcount is expected to level out at about 425, up from the current 400, by the end of FY19.

The travel budget is going down due to a combination of cuts to services provided at the three annual meetings and the number of people ICANN reimburses for going to them.

The Fellows program — sometimes criticized for giving people what look like free vacations for little measurable return — is seeing the biggest headcount cut here. ICANN will only pay for 30 Fellows to go its meetings in FY19, half the level of FY18. The Next Gen program, a similar outreach program for yoof participants, goes down to 15 people from 20.

The Governmental Advisory Committee will get its number of funded seats reduced by 10 to 40. The ALAC and the ccNSO also each lose a few seats. Other constituencies are unaffected.

At the meetings themselves, translation is to be scaled back to be provided on an as-requested basis, rather than automatically translating everything into all six UN languages. Key sessions will continue to have live interpretation.

Outside of the three main meetings, ICANN is pulling back on plans to expand its irregular “capacity building” workshops in “under-served” areas of the world.

It’s also slashing the “additional budget request” budget by 50%.

In terms of compliance, a proposed Technical Compliance Monitoring system that was going to be built this year — a way to make sure gTLD registries and registrars are stable and secure — appears to be at risk of being deprioritized.

ICANN said it “will develop an implementation plan in due time, depending on the RFP results and, if needed, work with the Board to identify necessary resources and funds to support implementation of the project.”

The documents published today are now open for public comment until March 8.

The cuts I’ve reported here can be found from page 19 of this document (pdf).

The reason for the cutbacks is that ICANN’s revenue isn’t growing as fast as it once did, due to the slower than expected growth of the domain name industry in general. I’ll get to that a later article.

A new gTLD kills itself off for the second time

Kevin Murphy, January 18, 2018, Domain Registries

British pharmacy chain Boots has applied to ICANN to terminate its dot-brand contract for the second time.

The company asked for its .boots Registry Agreement, signed in 2015, to be ended in December and ICANN opened the request for public comment this week.

What’s weird about the request is that Boots had already asked for self-termination last April, but that request was subsequently withdrawn by the company.

Boots seems to have changed its mind, twice, in a year.

As I noted first time around, .boots was the first example of a dot-brand that also matches a generic class of goods to chose the easy way out.

It’s quite likely the two-year freeze on re-applying for the string, should anyone want to, will be over by the time the next new gTLD application window opens.

.boots only had the contractually mandated placeholder domain nic.boots live.

ICANN blocks 1.5 million domains, including some three-letter names

Kevin Murphy, January 17, 2018, Domain Policy

A million and a half domain names, including many potential valuable three and four-letter strings, have been been given special protection across all gTLDs under a new ICANN policy.

The long-discussed, highly controversial reservation of the names and acronyms of various intergovernmental and non-governmental organizations has become official ICANN Consensus Policy and will be binding on all gTLD registries and registrars from August this year.

The policy gives special protection to (by my count) 1,282 strings in each of the (again, by my count) 1,243 existing gTLDs, as well as future gTLDs. That comes to over 1.5 million domains.

The strings match the names, and sometimes the acronyms and abbreviations, of recognized Intergovernmental Organizations (IGOs) and International Non-Governmental Organizations (INGOs) as well as the International Olympic Committee, Red Cross, Red Crescent and related movements.

These are all organizations whose names are protected by international law but not necessarily by trademarks.

Protected strings run from obscurities such as “europeanbankforreconstructionanddevelopment” and “internationalunionfortheprotectionofnewvarietiesofplants” to “can”, “eco” and “fao”.

All gTLDs, including legacy TLDs such as .com, are affected by the policy.

The full list of protected strings can be found here.

Any of the Red Cross, IOC and IGO strings already registered will remain registered, and registries are obliged to honor renewal and transfer requests. Nobody’s losing their domains, in other words. But if any are deleted, they must be clawed back and reserved by the registry.

The protected organizations must be given the ability to register their reserved matching names should they wish to, the policy states.

Registries will be able to sell the acronyms of protected INGOs, but will have to offer an “INGO Claims Service”, which mirrors the existing Trademark Claims service, in gTLDs that go live in future.

The policy was developed by ICANN’s Generic Names Supporting Organization and approved by the ICANN board of directors all the way back in April 2014 and has been in implementation talks ever since.

It’s the 14th Consensus Policy to be added to ICANN’s statute book since the organization was formed 20 year ago.

Registries and registrars have until August 1 to make sure they’re compliant. Consensus Policies are basically incorporated into their contracts by reference.

Work on IGO/INGO protections is actually still ongoing. There’s a GNSO Policy Development Process on “curative” rights for IGOs and INGOs (think: UDRP) that is fairly close to finishing its work but is currently mired in a mind-numbing process debate.

UPDATE: This post was updated January 17, 2018 to correct the number of reserved strings and to clarify how INGO names are treated by the policy.

Three ways ICANN could gut Whois

Kevin Murphy, January 15, 2018, Domain Policy

ICANN has published three possible models of how Whois could be altered beyond recognition after European privacy law kicks in this May.

Under each model, casual Whois users would no longer have access to the wealth of contact information they do under the current system.

There may also be a new certification program that would grant access to full Whois records to law enforcement, consumer protection agencies and intellectual property interests.

The three models are each intended to address the General Data Protection Regulation, EU law that could see companies fined millions if they fail to protect the personal data of European citizens.

While GDPR affects all data collection on private citizens, for the domain name industry it’s particularly relevant to Whois, where privacy has always been an afterthought.

The three ICANN models, which are now subject to a short public comment period, differ from each other in three key areas: who has their privacy protected, which fields appear in public Whois by default, and how third parties such as law enforcement access the full records.

Model 1 is the most similar to the current system, allowing for the publication of the most data.

Under this model the name and postal address of the registrant would continue to be displayed in the public Whois databases.

Their email address and phone number would be protected, but the email and phone of the administrative and technical contacts — often the same person as the registrant — would be published.

If the registrant were a legal entity, rather than a person, all data fields would continue to be displayed as normal.

The other two models call for more restricted, or at least different, public output.

Under Model 2, the email addresses of the administrative and technical contacts would be published, but all other contact information, including the name of the registrant, would be redacted.

Model 3 proposes a crazy-sounding system whereby everything would be published unless the registrar/registry decided, on a domain-by-domain basis, that the field contained personal information.

This would require manual vetting of each Whois record and is likely to gather no support from the industry.

The three models also differ in how third parties with legitimate interests would access full Whois records.

Model 1 proposes a system similar to how zone files are published via ICANN’s Centralized Zone Data Service.

Under this model, users would self-certify that they have a legit right to the data (if they’re a cop or an IP lawyer, for example) and it would be up to the registry or registrar to approve or decline their request.

Model 2 envisages a more structured, formal, centralized system of certification for Whois users, developed with the Governmental Advisory Committee and presumably administered by ICANN.

Model 3 would require Whois users to supply a subpoena or court order in order to access records, which is sure to make it unpopular among the IP lobby and governments.

Each of the three models also differs in terms of the circumstances under which privacy is provided.

The models range from protecting records only when the registrant, registry, registrar or any other entity involved in the data processing has a presence in the European Economic Area to protecting records of all registrants everywhere regardless of whether they’re a person or a company.

Each model has different data retention policies, ranging from six month to two years after a registration expires.

None of the three models screw with registrars’ ability to pass data to thick-Whois registries, nor to their data escrow providers.

ICANN said it’s created these models based on the legal analyses it commissioned from the Hamilton law firm, as well as submissions from community members.

One such submission, penned by the German trade associated Eco, has received broad industry support.

It would provide blanket protection to all registrants regardless of legal status or location, and would see all personally identifiable information stripped from public Whois output.

Upon carrying out a Whois query, users would see only information about the domain, not the registrant.

There would be an option to request more information, but this would be limited to an anonymized email address or web form for most users.

Special users, such as validated law enforcement or IP interests, would be able to access the full records via a new, centralized Trusted Data Clearinghouse, which ICANN would presumably be responsible for setting up.

It’s most similar to ICANN’s Model 2.

It has been signed off by registries and registrars together responsible for the majority of the internet’s domain registrations: Afilias, dotBERLIN, CentralNic, Donuts, Neustar, Nominet, Public Interest Registry (PIR), Verisign, 1&1, Arsys, Blacknight, GoDaddy, Strato/Cronon, Tucows and United Domains.

ICANN said in a blog post that its three models are now open for public comment until January 29.

If you have strong opinions on any of the proposals, it might be a good idea to get them in as soon as possible, because ICANN plans to identify one of the models as the basis for the official model within 48 hours of the comment period closing.

GoDaddy and DomainTools scrap over Whois access

Kevin Murphy, January 12, 2018, Domain Registrars

GoDaddy has seriously limited DomainTools’ access to its customers’ Whois records, pissing off DomainTools.

DomainTools CEO Tim Chen this week complained to DI that its access to Whois has been throttled back significantly in recent months, making it very difficult to keep its massive database of domain information up to date.

Chen said that DomainTools is currently only able to access GoDaddy’s Whois over port 43 at about 2% of the rate it had previously.

He said that this has been going on for about six months and that the market-leading registrar has been unresponsive to its requests to have previous levels restored.

“By throttling access to the data by 98% they’re defeating the ability of security practitioners to get data on GoDaddy domains,” Chen said. “It’s particularly troublesome because they [GoDaddy] are such a big part of DNS.”

“We have customers who say the quality of GoDaddy data is just degrading across the board, either through direct look-ups or in some of the DomainTools products themselves,” he said.

DomainTools customers include security professionals trying to hunt down the source of attacks and intellectual property interests trying to locate pirates and cybersquatters.

GoDaddy today confirmed to DI that it has been throttling DomainTools’ Whois access, and said that it’s part of ongoing anti-spam measures.

In recent years there’s been an increase in the amount of spam — usually related to web design, hosting, and SEO — sent to recent domain registrants using email addresses harvested from new Whois records.

GoDaddy, as the market-share leader in retail domain sales, takes a tonne of flak from customers who, unaware of standard Whois practice, think the company is selling their personal information to spammers.

This kind of Twitter exchange is fairly common on GoDaddy’s feed:

While GoDaddy is not saying that DomainTools is directly responsible for this kind of activity, throttling its port 43 traffic is one way the company is trying to counter the problem, VP of policy James Bladel told DI tonight.

“Companies like [DomainTools] present a challenge,” he said. “While we may know these folks, we don’t know who their customers are.”

But that’s just a part of the issue. GoDaddy was also concerned about the amount of resources DomainTools was consuming, and its own future legal responsibilities under the European Union’s forthcoming General Data Protection Regulation.

“When [Chen] says they’re down to a fraction or a percentage of what they had previously, well what they had previously was they were updating and archiving Whois almost in real time,” Bladel said. “And that’s not going to fly.”

“That is not only, we feel, not congruent with our responsibilities to our customers’ data, but it’s also, later on down the road, exactly the kind of thing that GDPR and other regulations are designed to stop,” he said.

GDPR is the EU law that, when it fully kicks in in May, gives European citizens much more rights over the sharing and processing of their private data.

Bladel added that DomainTools is still getting more Whois access than other parties using port 43.

“They have a level of access that is much, much higher than what they would normally have as a registrar,” he said, “but much lower than I think they want, because they want to effectively download and keep current the entirety of the Whois database.”

I’m not getting a sense from GoDaddy that it’s likely to backtrack on its changes.

Indeed, the company also today announced that it from January 25 it will start to “mask” key elements of Whois records when queried over port 43.

GoDaddy told high-value customers such as domainers today that port 43 queries will no longer return the registrant’s first name, last name, email address or phone number.

Bulk Whois users such as registrars (and, I assume, DomainTools) that have been white-listed via the “GoDaddy Port43 Process” will continue to receive full records.

Its web-based Whois, which includes a CAPTCHA gateway to prevent scraping, will continue to function as normal.

Bladel said that these changes are NOT related to GDPR, nor to the fact that ICANN said a couple months back that it would not enforce compliance with Whois provisions of the Registrar Accreditation Agreement, subject to certain conditions.