Latest news of the domain name industry

Recent Posts

PwC wants to be your Whois gatekeeper

Kevin Murphy, June 11, 2019, Domain Services

PricewaterhouseCoopers has built a Whois access system that may help domain name companies and intellectual property interests call a truce in their ongoing battle over access to private Whois data.

Its new TieredAccess Platform will enable registries and registrars to “outsource the entire process of providing access to non-public domain registration data”.

That’s according to IP lawyer Bart Lieben, partner at the Belgian law firm ARTES, who devised the system and is working with PwC to develop it.

The offering is designed to give trademark lawyers access to the data they lust after, while also reducing costs and mitigating domain name industry liability under the General Data Protection Regulation.

TieredAccess would make PwC essentially the gatekeeper for all requests for private Whois data (at least, in the registries plugged into the platform) coming from the likes of trademark owners, security researchers, lawyers and law enforcement agencies.

At one end, these requestors would be pre-vetted by PwC, after which they’d be able to ask for unredacted Whois records using PwC as an intermediary.

They’d have to pick from one of 43 pre-written request scenarios (such as cybersquatting investigation, criminal probe or spam prevention) and assert that they will only use the data they obtain for the stated purposes.

At the other end, registries and registrars will have adopted a set of rules that specify how such requests should be responded to.

A ruleset could say that cops get more access to data than security researchers, for example, or that a criminal investigation is more important than a UDRP complaint.

PwC has created a bunch of templates, but registrars and registries would be able to adapt these policies to their own tastes.

Once the rules are put in place, and the up-front implementation work has been done to plug PwC into their Whois servers, they wouldn’t have to worry about dealing with Whois requests manually as most are today. The whole lot would be automated.

Not even PwC would have human eyes on the requests. The private data would only be stored temporarily.

One could argue that there’s the potential for abusive or non-compliant requests making it through, which may give liability-nervous companies pause.

But the requests and response metadata would be logged for audit and compliance, so abusive users could be fingered after the act.

Lieben says the whole system has been checked for GDPR compliance, assuming its prefabricated baseline scenarios and templates are adopted unadulterated.

He said that the PwC brand should give clients on both sides “peace of mind” that they’re not breaking privacy law.

If a registrar requires an affidavit before releasing data, the assertions requestors make to PwC should tick that box, he said.

Given that this is probably a harder sell to the domain name industry side of the equation, it’s perhaps not surprising that it’s the requestors that are likely to shoulder most of the cost burden of using the service.

Lieben said a pricing model has not yet been set, but that it could see fees paid by registrars subsidized by the fees paid by requestors.

There’s a chance registries could wind up paying nothing, he said.

The project has been in the works since September and is currently in the testing phase, with PwC trying to entice registries and registrars onto the platform.

Lieben said some companies have already agreed to test the service, but he could not name them yet.

The service was developed against the backdrop of ongoing community discussions within ICANN in the Expedited Policy Development Working group, which is trying to create a GDPR-compliant policy for access to private Whois records.

ICANN Org has also made it known that it is considering making itself the clearinghouse for Whois queries, to allow its contracted parties to offload some liability.

It’s quite possible that once the policies are in place, ICANN may well decide to outsource the gatekeeper function to the likes of PwC.

That appears to be what Lieben has in mind. After all, it’s what he did with the Trademark Clearinghouse almost a decade ago — building it independently with Deloitte while the new gTLD rules were still being written and then selling the service to ICANN when the time came.

The TieredAccess service is described in some detail here.

US and EU call for Whois to stay alive

Kevin Murphy, January 31, 2018, Domain Policy

Government officials from both sides of the Atlantic have this week called on ICANN to preserve Whois as it currently is, in the face of incoming EU privacy law, at least for a select few users.

The European Commission wrote to ICANN to ask for a “pragmatic and workable solution” to the apparent conflict between the General Data Protection Regulation and the desire of some folks to continue to access Whois as usual.

Three commissioners said in a letter (pdf) that special consideration should be given to “public interests” including “ensuring cybersecurity and the stability of the internet, preventing and fighting crime, protecting intellectual property and copyright, or enforcing consumer protection measures”.

David Redl, the new head of the US National Telecommunications and Information Administration, echoed these concerns in a speech at the State of the Net conference in Washington DC on Monday.

Redl said that the “preservation of the Whois service” is one of NTIA’s top two priorities at the moment. The other priority is pressing for US interests in the International Telecommunications Union, he said.

Calling Whois “a cornerstone of trust and accountability for the Internet”, Redl said the service “can, and should, retain its essential character while complying with national privacy laws, including the GDPR.”

“It is in the interests of all Internet stakeholders that it does,” he said. “And for anyone here in the US who may be persuaded by arguments calling for drastic change, please know that the US government expects this information to continue to be made easily available through the Whois service.”

He directly referred to the ability of regular internet users to access Whois for consumer protection purposes in his speech.

The European Commission appears to be looking at a more restrictive approach, but it did offer some concrete suggestions as to how GDPR compliance might be achieved.

For example, the commissioners’ letter appears to give tacit approval to the idea of “gated” access to Whois, but called for access by law enforcement to be streamlined and centralized.

It also suggests throttling as a mechanism to reduce abuse of Whois data, and makes it clear that registrants should always be clearly informed how their personal data will be used.

The deadline for GDPR compliance is May this year. That’s when the ability of EU countries to start to levy fines against non-compliant companies, which could run into millions of euros, kicks in.

While ICANN has been criticized by registries and registrars for moving too slowly to give them clarity on how to be GDPR-compliant while also sticking to the Whois provisions of their contracts, its pace has been picking up recently.

Two weeks ago it called for comments on three possible Whois models that could be used from May.

That comment period ended on Monday, and ICANN is expected to publish the model upon which further discussions will be based today.

Cops tell Nominet to yank 16,000 domains, Nominet complies

Kevin Murphy, November 15, 2017, Domain Registries

Nominet suspended over 16,000 .uk domain names at the request of law enforcement agencies in the last year.

The registry yanked 16,632 domains in the 12 months to October 31, more than double the 8,049 it suspended in the year-earlier period.

The 2016 number was in turn more than double the 2015 number. The 2017 total is more than 16 times the number of suspended domains in 2014, the first year in which Nominet established this cozy relationship with the police.

The large majority of names — 13,616 — were suspended at the request of the Police Intellectual Property Crime Unit. Another 2,781 were taken down on the instruction of National Fraud Intelligence Bureau.

Nominet has over 12 million .uk domains under management, so 16,000 names is barely a blip on the radar overall.

But the fact that police can have domains taken down in .uk with barely any friction does not appear to be acting as a deterrent to bad actors when they choose their TLD.

The registry said that just 15 suspensions were reversed — which requires the consent of the reporting law enforcement agency — during the period. That’s basically flat on 2016.

“A suspension is reversed if the offending behavior has stopped and the enforcing agency has since confirmed that the suspension can be lifted,” the company said.

The company does not publish data on how many registrants requested a reversal and didn’t get one, nor does it publish any of the affected domains, so we have no way of knowing whether there’s any ambiguity or overreach in the types of domains the police more or less unilaterally have taken down.

It seems that the only reasons suspension requests do not result in suspensions are when domains have already been suspended or have already been transferred to an IP rights holder by court order. There were 32 of those in the last 12 months, half 2016 levels.

The separate, ludicrously onerous preemptive ban on domains that appear to encourage sexual violence resulted in just two suspensions in the last year, bringing the total new domains suspended under the rule since 2014 to just six.

Some poor bugger at Nominet had to trawl through 3,410 new registrations containing strings such as “rape” in 2017 to achieve that result, up from 2,407 last year.

ICANN loosens Whois privacy rules for registrars

Kevin Murphy, April 20, 2017, Domain Policy

ICANN has made it easier for registries and registrars to opt-out of Whois-related contractual provisions when they clash with local laws.

From this week, accredited domain firms will not have to show that they are being investigated by local privacy or law enforcement authorities before they can request a waiver from ICANN.

Instead, they’ll be also be able to request a waiver preemptively with a statement from said authorities to the effect that the ICANN contracts contradict local privacy laws.

In both cases, the opt-out request will trigger a community consultation — which would include the Governmental Advisory Committee — and a review by ICANN’s general counsel, before coming into effect.

The rules are mainly designed for European companies, as the EU states generally enjoy stricter privacy legislation than their North American counterparts.

European registrars and registries have so far been held to a contract that may force them to break the law, and the only way to comply with the law would be to wait for a law enforcement proceeding.

ICANN already allows registrars to request waivers from the data retention provisions of the 2013 Registrar Accreditation Agreement — which require the registrar to hold customer data for two years after the customer is no longer a customer.

Dozens of European registrars have applied for and obtained this RAA opt-out.

Registrants guilty until proven innocent, say UK cops

Kevin Murphy, August 19, 2015, Domain Registrars

UK police have stated an eyebrow-raising “guilty until proven innocent” point of view when it comes to domain name registrations, in comments filed recently with ICANN.

In a Governmental Advisory Committee submission (pdf) to a review of the Whois accuracy rules in the Registrar Accreditation Agreement, unspecified “UK law enforcement” wrote:

Internet governance efforts by Industry, most notably the ICANN 2013 RAA agreement have seen a paradigm shift in Industry in the way a domain name is viewed as “suspicious” before being validated as “good” within the 15 day period of review.

UK law enforcement’s view is that a 45 day period would revert Industry back to a culture of viewing domains “good” until they are proven “bad” therefore allowing crime to propagate and increase harm online.

The GAC submission was made August 13 to a public comment period that closed July 3.

The Whois Accuracy Program Specification Review had proposed a number of measures to bring more clarity to registrars under the 2013 RAA.

One such measure, proposed by the registrars, was to change the rules so that registrars have an extra 30 days — 45 instead of 15 — to validate registrants’ contact information before suspending the domain.

That’s what the UK cops — and the GAC as a whole — don’t like.

They have a point, of course. Criminals often register domains with bogus contact information with the expectation that the domains will not have a long shelf life. Fifteen days is actually quite generous if you want to stop phishing attacks, say.

The Anti-Phishing Working Group says phishing attacks have an average up-time of 29 hours.

Clearly, ICANN’s Whois accuracy program is doing little to prevent phishing as it is; a switch to 45 days would presumably have little impact.

But the number of domains suspended for lack of accuracy at any given time is estimated to be in the hundreds of thousands, and registrars say it’s mostly innocent registrants who are affected.

Verisign said this March that .com domains “on hold” grew from roughly 394,000 names at the end of 2013 to about 870,000 at the end of 2014.

In June 2014, registrars claimed that over 800,000 domains had been suspended for want of Whois accuracy in the first six months the policy was in place.