Latest news of the domain name industry

Recent Posts

GoDaddy and DomainTools scrap over Whois access

Kevin Murphy, January 12, 2018, Domain Registrars

GoDaddy has seriously limited DomainTools’ access to its customers’ Whois records, pissing off DomainTools.

DomainTools CEO Tim Chen this week complained to DI that its access to Whois has been throttled back significantly in recent months, making it very difficult to keep its massive database of domain information up to date.

Chen said that DomainTools is currently only able to access GoDaddy’s Whois over port 43 at about 2% of the rate it had previously.

He said that this has been going on for about six months and that the market-leading registrar has been unresponsive to its requests to have previous levels restored.

“By throttling access to the data by 98% they’re defeating the ability of security practitioners to get data on GoDaddy domains,” Chen said. “It’s particularly troublesome because they [GoDaddy] are such a big part of DNS.”

“We have customers who say the quality of GoDaddy data is just degrading across the board, either through direct look-ups or in some of the DomainTools products themselves,” he said.

DomainTools customers include security professionals trying to hunt down the source of attacks and intellectual property interests trying to locate pirates and cybersquatters.

GoDaddy today confirmed to DI that it has been throttling DomainTools’ Whois access, and said that it’s part of ongoing anti-spam measures.

In recent years there’s been an increase in the amount of spam — usually related to web design, hosting, and SEO — sent to recent domain registrants using email addresses harvested from new Whois records.

GoDaddy, as the market-share leader in retail domain sales, takes a tonne of flak from customers who, unaware of standard Whois practice, think the company is selling their personal information to spammers.

This kind of Twitter exchange is fairly common on GoDaddy’s feed:

While GoDaddy is not saying that DomainTools is directly responsible for this kind of activity, throttling its port 43 traffic is one way the company is trying to counter the problem, VP of policy James Bladel told DI tonight.

“Companies like [DomainTools] present a challenge,” he said. “While we may know these folks, we don’t know who their customers are.”

But that’s just a part of the issue. GoDaddy was also concerned about the amount of resources DomainTools was consuming, and its own future legal responsibilities under the European Union’s forthcoming General Data Protection Regulation.

“When [Chen] says they’re down to a fraction or a percentage of what they had previously, well what they had previously was they were updating and archiving Whois almost in real time,” Bladel said. “And that’s not going to fly.”

“That is not only, we feel, not congruent with our responsibilities to our customers’ data, but it’s also, later on down the road, exactly the kind of thing that GDPR and other regulations are designed to stop,” he said.

GDPR is the EU law that, when it fully kicks in in May, gives European citizens much more rights over the sharing and processing of their private data.

Bladel added that DomainTools is still getting more Whois access than other parties using port 43.

“They have a level of access that is much, much higher than what they would normally have as a registrar,” he said, “but much lower than I think they want, because they want to effectively download and keep current the entirety of the Whois database.”

I’m not getting a sense from GoDaddy that it’s likely to backtrack on its changes.

Indeed, the company also today announced that it from January 25 it will start to “mask” key elements of Whois records when queried over port 43.

GoDaddy told high-value customers such as domainers today that port 43 queries will no longer return the registrant’s first name, last name, email address or phone number.

Bulk Whois users such as registrars (and, I assume, DomainTools) that have been white-listed via the “GoDaddy Port43 Process” will continue to receive full records.

Its web-based Whois, which includes a CAPTCHA gateway to prevent scraping, will continue to function as normal.

Bladel said that these changes are NOT related to GDPR, nor to the fact that ICANN said a couple months back that it would not enforce compliance with Whois provisions of the Registrar Accreditation Agreement, subject to certain conditions.

Big changes at DomainTools as privacy law looms

Kevin Murphy, January 11, 2018, Domain Services

Regular users of DomainTools should expect significant changes to their service, possibly unwelcome, as the impact of incoming European Union privacy law begins to be felt.

Professional users such as domain investors are most likely to be impacted by the changes.

The company hopes to announce how its services will be rejiggered to comply with the General Data Protection Regulation in the next few weeks, probably in February, but CEO Tim Chen spoke to DI yesterday in general terms about the law’s possible impact.

“There will be changes to the levels of service we offer currently, especially to any users of DomainTools that are not enterprises,” Chen said.

GDPR governs how personal data on EU citizens is captured, shared and processed. It deals with issues such as customer consent, the length of time such data may be stored, and the purposes for which it may be processed.

Given that DomainTools’ entire business model is based on capturing domain registrants’ contact information without their explicit consent, then storing, processing and sharing that data indefinitely, it doesn’t take a genius to work out that the new law represents a possibly existential threat.

But while Chen says he’s “very concerned” about GDPR, he expects the use cases of his enterprise customers to be protected.

DomainTools no longer considers itself a Whois company, Chen said, it’s a security services company now. Only about 20% of its revenue now comes from the $99-a-month customers who pay to access services such as reverse Whois and historical Whois queries.

The rest comes from the 500-odd enterprise customers it has, which use the company’s data for purposes such as tracking down network abuse and intellectual property theft.

DomainTools is very much aligned here with the governments and IP lawyers that are pressing ICANN and European data protection authorities to come up with a way Whois data can still be made available for these “legitimate purposes”.

“We’re very focused on our most-important goal of making sure the cyber security and network security use cases for Whois data are represented in the final discussions on how this legislation is really going to land,” he said.

“There needs to be some level of access that is retained for uses that are very consistent with protecting the very constituents that this legislation is trying to protect from a privacy perspective,” he said.

The two big issues pressing on Chen’s mind from a GDPR perspective are the ability of the company to continue to aggregate Whois records from hundreds of TLDs and thousands of registrars, and its ability to continue to provide historical, archived Whois records — the company’s most-popular product after vanilla Whois..

These are both critical for customers responding to security issues or trying to hunt down serial cybersquatters and copyright infringers, Chen said.

“[Customers are] very concerned, because their ability to use this data as part of their incident response is critical, and the removal of the data from that process really does injure their ability to do their jobs,” he said.

How far these use cases will be protected under GDPR is still an open question, one largely to be determined by European DPAs, and DomainTools, like ICANN the rest of the domain industry, is still largely in discussion mode.

“Part of what we need to help DPAs understand is: how long is long enough?” Chen said. “Answering how long this data can be archived is very important.”

ICANN was recently advised by its lawyers to take its case for maintaining Whois in as recognizable form as possible to the DPAs and other European privacy bodies.

And governments, via the Governmental Advisory Committee, recently urged ICANN to continue to permit Whois access for “legitimate purposes”.

DomainTools is in a different position to most of the rest of the industry. In terms of its core service, it’s not a contracted party with ICANN, so perhaps will have to rely on hoping whatever the registries and registrars work out will also apply to its own offerings.

It’s also different in that it has no direct customer relationship with the registrants whose data it processes, nor does it have a contractual relationship with the companies that do have these customer relationships.

This could make the issue of consent — the right of registrant to have a say in how their data is processed and when it is deleted — tricky.

“We’re not in a position to get consent from domain owners to do what we do,” Chen said. “I think where we need to be more thoughtful is whether DomainTools needs to have a process where people can opt out of having their data processed.”

“When I think about consent, it’s not on the way in, because we just don’t have a way to do that, it’s allowing a way out… a mechanism where people can object to their data being processed,” he said.

How DomainTools’ non-enterprise customers and users will be affected should become clear when the company outlines its plans in the coming weeks.

But Chen suggested that most casual users should not see too much impact.

“The ability of anyone who has an interest in using Whois data, who needs it every now and then, for looking up a Whois record of a domain because they want to buy it as a domain investor for example, that should still be very possible after GDPR,” he said.

“I don’t think GDPR is aimed at individual, one-at-a-time use cases for data, I think it’s aimed at scalable abuse of the data for bad purposes,” he said.

“If you’re running a business in domain names and you need to get Whois at significant scale, and you need to evaluate that many domains for some reason, that’s where the impact may be,” he said.

Disclosure: I share a complimentary DomainTools account with several other domain industry bloggers.

.web closer to reality as antitrust probe ends

Kevin Murphy, January 10, 2018, Domain Registries

Verisign has been given the all-clear by the US government to go ahead and run the new gTLD .web, despite competition concerns.

The Department of Justice told the company yesterday that the antitrust investigation it launched almost exactly a year ago is now “closed”.

Verisign’s secret proxy in the 2016 auction, the original .web applicant Nu Dot Co, now plans to try to execute its Registry Agreement with ICANN.

That contract would then be assigned to Verisign through the normal ICANN process.

The .com registry operator today filed this statement with the US Securities and Exchange Commission:

As the Company previously disclosed, on January 18, 2017, the Company received a Civil Investigative Demand from the Antitrust Division of the United States Department of Justice (“DOJ”) requesting certain material related to the Company becoming the registry operator for the .web gTLD. On January 9, 2018, the DOJ notified the Company that this investigation was closed. Verisign previously announced on August 1, 2016, that it had provided funds for Nu Dot Co’s successful bid for the .web gTLD and the Company anticipates that Nu Dot Co will now seek to execute the .web Registry Agreement with ICANN and thereafter assign it to Verisign upon consent from ICANN.

This basically means that Justice disagrees with anyone who thinks Verisign plans to operate .web in a way that just props up its .com market dominance, such as by burying it without a trace.

People clamoring to register .web domains may still have some time to wait, however.

Rival applicant Donuts, via subsidiary Ruby Glen, still has a pending lawsuit against ICANN in California.

Donuts had originally sued to prevent the .web auction going ahead in mid-2016, trying to force Nu Dot Co to reveal who was really pulling its strings.

After the auction, in which Verisign committed to pay ICANN a record-setting $125 million, Donuts sued to have the result overturned.

But in November 2016, a judge ruled that the no-suing covenant that all new gTLD applicants had to sign was valid, throwing out Donuts’ case.

Donuts is now appealing that ruling, however, filing its most-recent brief just a few weeks ago.

Whether that will stop ICANN from signing the .web contract and delegating it to Verisign is an open question. It managed to delegate .africa to ZA Central Registry despite the existence of an ongoing lawsuit by a competing applicant.

If history is any guide, we may see a rival applicant apply for a temporary restraining order against .web’s delegation before long.

How ICANN could spend its $240 million war chest

Kevin Murphy, January 2, 2018, Domain Policy

Schools, pHD students and standards groups could be among the beneficiaries of ICANN’s nearly quarter-billion-dollar new gTLD auction war chest.

But new gTLD registries hoping for to dip into the fund for marketing support are probably shit out of luck.

Those are among the preliminary conclusions of a volunteer working group that has been looking at how ICANN should spend its new gTLD program windfall.

Over 17 new gTLD auctions carried out by ICANN under its “last resort” contention resolution system, the total amount raised to date is $240,590,128.

This number could increase substantially, should still-contested strings such as .music and .gay go to last-resort auction rather than being settled privately.

Prices ranged from $1 for .webs to $135 million for .web.

ICANN has always said that the money would be held separate to its regular funding and eventually given to special projects and worthy causes.

Now, the Cross-Community Working Group on New gTLD Auction Proceeds has published its current, close-to-final preliminary thinking about which such causes should be eligible for the money, and which should not.

In a letter to ICANN (pdf), the CCWG lists 18 (currently hypothetical, yet oddly specific) example proposals for the use of auction funds, 17 of which it considers “consistent” with ICANN’s mission.

A 19th example, which would see money used to promote TLD diversity and “smells too much like marketing” according to some CCWG members, is still open for debate.

While the list of projects that could be approved for funding under the proposed regime is too long to republish here, it would for example include giving scholarships to pHD students researching internet infrastructure, funding internet security education in developing-world primary schools and internet-related disaster-recovery efforts in risk-prone regions.

The only area the CCWG appears to be reluctant to endorse funding is the case of commercial enterprises run by women and under-represented communities.

The full list can be downloaded here (pdf).

The CCWG hopes to publish its initial report for public comment not too long after ICANN 61 in March. Comment would then need to be incorporated into a final report and then ICANN would have to approve its recommendations and implement a process for actually distributing the funds.

Don’t expect any money to change hands in 2018, in other words.

.music and .gay possible in 2018 after probe finds no impropriety

Kevin Murphy, January 2, 2018, Domain Policy

Five more new gTLDs could see the light of day in 2018 after a probe into ICANN’s handling of “community” applications found no wrongdoing.

The long-running investigation, carried out by FTI Consulting on ICANN’s behalf, found no evidence to support suspicions that ICANN staff had been secretly and inappropriately pulling the strings of Community Priority Evaluations.

CPEs, carried out by the Economist Intelligence Unit, were a way for new gTLD applicants purporting to represent genuine communities to avoid expensive auctions with rival applicants.

Some applicants that failed to meet the stringent “community” criteria imposed by the CPE process appealed their adverse decisions and an Independent Review Process complaint filed by Dot Registry led to ICANN getting crucified for a lack of transparency.

While the IRP panel found some hints that ICANN staff had been nudging EIU’s arm when it came to drafting the CPE decisions, the FTI investigation has found:

there is no evidence that ICANN organization had any undue influence on the CPE Provider with respect to the CPE reports issued by the CPE Provider or engaged in any impropriety in the CPE process.

FTI had access to emails between EIU and ICANN, as well as ICANN internal emails, but it did not have access to EIU internal emails, which EIU declined to provide. It did have access to EIU’s internal documents used to draft the reports, however.

Its report states:

Based on FTI’s review of email communications provided by ICANN organization, FTI found no evidence that ICANN organization had any undue influence on the CPE reports or engaged in any impropriety in the CPE process. FTI found that the vast majority of the emails were administrative in nature and did not concern the substance or the content of the CPE results. Of the small number of emails that did discuss substance, none suggested that ICANN acted improperly in the process.

FTI also looked at whether EIU had applied the CPE rules consistently between applications, and found that it did.

It also dug up all the sources of information EIU used (largely Google searches, Wikipedia, and the web pages of relevant community groups) but did not directly cite in its reports.

In short, the FTI reports very probably give ICANN’s board of directors cover to reopen the remaining affected contention sets — .music, .gay, .hotel, .cpa, and .merck — thereby removing a significant barrier to the gTLDs getting auctioned.

If there were to be no further challenges (which, admittedly, seems unlikely), we could see some or all of these strings being sold off and delegated this year.

The probe also covered the CPEs for .llc, .inc and .llp, but these contention sets were resolved with private auctions last September after applicant Dot Registry apparently decided it couldn’t be bothered pursuing the ICANN process any more.

The FTI’s reports can be downloaded from ICANN.