Latest news of the domain name industry

Recent Posts

Whois privacy will soon be free for most domains

Kevin Murphy, March 5, 2018, Domain Policy

Enormous changes are coming to Whois that could mark the end of Whois privacy services this year.

ICANN has proposed a new Whois model that would anonymize the majority of domain name registrants’ personal data by default, only giving access to the data to certain certified entities such as the police.

The model, published on Friday and now open for comment, could change in some of the finer details but is likely being implemented already at many registries and registrars.

Gone will be the days when a Whois lookup reveals the name, email address, physical address and phone number of the domain’s owner.

After the model is implemented, Whois users will instead merely see the registrant’s state/province and country, organization (if they have one) and an anonymized, forwarding email address or web form for contact purposes.

Essentially, most Whois records will look very much like those currently hiding behind paid-for proxy/privacy services.

Technical data such as the registrar (and their abuse contact), registration and expiry dates, status code, name servers and DNSSEC information would still be displayed.

Registrants would have the right to opt in to having their full record displayed in the public Whois.

Anyone wanting to view the full record would have to be certified in advance and have their credentials stored in a centralized clearinghouse operated by or for ICANN.

The Governmental Advisory Committee would have a big hand in deciding who gets to be certified, but it would at first include law enforcement and other governmental agencies.

This would likely be expanded in future to include the likes of security professionals and intellectual property lawyers (still no word from ICANN how the legitimate interests of the media or domain investors will be addressed) but there could be a window in which these groups are hamstrung by a lack of access to thick records.

The proposed model is ICANN’s attempt to bring Whois policy, which is enforced in its contracts with registries and registrars, into line with GDPR, the European Union’s General Data Protection Regulation, which kicks in fully in May.

The model would apply to all gTLD domains where there is some connection to the European Economic Area.

If the registrar, registry, registrant or a third party processor such as an escrow agent is based in the EEA, they will have to comply with the new Whois model.

Depending on how registrars implement the model in practice (they have the option to apply it to all domains everywhere) this means that the majority of the world’s 188 million gTLD domains will probably be affected.

While GDPR applies to only personal data about actual people (as opposed to legal persons such as companies), the ICANN model makes no such distinction. Even domains owned by legal entities would have their records anonymized.

The rationale for this lack of nuance is that even domains owned by companies may contain personal information — about employees, presumably — in their Whois records.

Domains in ccTLDs with EEA connections will not be bound to the ICANN model, but will rather have to adopt it voluntarily or come up with their own ways to become GDPR compliant.

The two largest European ccTLDs — .uk and Germany’s .de, which between them account for something like 28 million domains — last week separately outlined their plans.

Nominet said that from May 25 it will no longer publish the name or contact information of .uk registrants in public Whois without their explicit consent. DENIC said something similar too.

Here’s a table of what would be shown in public Whois, should the proposed ICANN model be implemented.

Domain NameDisplay
Registry Domain IDDisplay
Registrar WHOIS ServerDisplay
Registrar URLDisplay
Updated DateDisplay
Creation DateDisplay
Registry Expiry DataDisplay
Registrar Registration Expiration DateDisplay
RegistrarDisplay
Registrar IANA IDDisplay
Registrar Abuse Contact EmailDisplay
Registrar Abuse Contact PhoneDisplay
ResellerDisplay
Domain StatusDisplay
Domain StatusDisplay
Domain StatusDisplay
Registry Registrant IDDo not display
Registrant NameDo not display
Registrant OrganizationDisplay
Registrant StreetDo not display
Registrant CityDo not display
Registrant State/ProvinceDisplay
Registrant Postal CodeDo not display
Registrant CountryDisplay
Registrant PhoneDo not display
Registrant Phone ExtDo not display
Registrant FaxDo not display
Registrant Fax ExtDo not display
Registrant EmailAnonymized email or web form
Registry Admin IDDo not display
Admin NameDo not display
Admin OrganizationDo not display
Admin StreetDo not display
Admin CityDo not display
Admin State/ProvinceDo not display
Admin Postal CodeDo not display
Admin CountryDo not display
Admin PhoneDo not display
Admin Phone ExtDo not display
Admin FaxDo not display
Admin Fax ExtDo not display
Admin EmailAnonymized email or web form
Registry Tech IDDo not display
Tech NameDo not display
Tech OrganizationDo not display
Tech StreetDo not display
Tech CityDo not display
Tech State/ProvinceDo not display
Tech Postal CodeDo not display
Tech CountryDo not display
Tech PhoneDo not display
Tech Phone ExtDo not display
Tech FaxDo not display
Tech Fax ExtDo not display
Tech EmailAnonymized email or web form
Name ServerDisplay
Name ServerDisplay
DNSSECDisplay
DNSSECDisplay
URL of ICANN Whois Inaccuracy Complaint FormDisplay
>>> Last update of WHOIS databaseDisplay

The proposal is open for comment, with ICANN CEO Goran Marby requesting emailed input before the ICANN 61 public meeting kicks off in Puerto Rico this weekend.

With just a couple of months left before the law, with its huge fines, kicks in, expect GDPR to be THE hot topic at this meeting.

ICANN would reject call for “diversity” office

Kevin Murphy, February 16, 2018, Domain Policy

ICANN’s board of directors would reject a call for an “Office of Diversity”, due to its current budget crunch.

The board said as much in remarks filed to a public comment period that got its final report this week.

The report of the CCWG-Accountability Work Stream 2 working group had recommended several potential things ICANN could do to improve diversity in the community, largely focused on collecting and publishing data on diversity.

“Diversity” for the purposes of the recommendations does not have the usual racial connotations of the word. Instead it means: geography, language, gender, age, physical disability, skills and stakeholder group.

Some members of the working group had proposed an independent diversity office, to ensure ICANN sticks to diversity commitments, but this did not gain consensus support and was not a formal recommendation.

Some commenters, including (in a personal capacity) a current vice chair of the Governmental Advisory Committee and a former ICANN director, had echoed the call for an office of diversity.

But ICANN’s board said it would not be able to support such a recommendation:

Given the lack of clarity around this office, lack of consensus support within the subgroup (and presumably within the CCWG-Accountability and the broader community), and noting the previously-mentioned budget and funding constraints and considerations, the Board is not in a position to accept this item if it were to be presented as a formal consensus-based recommendation

In general terms, it encouraged the working group to consider ICANN’s “limited funding” when it makes its final recommendations.

It added that it may be difficult for ICANN to collect personal data on community members, in light of the General Data Protection Regulation, the EU privacy law that kicks in this May.

All the comments on the report can be found here.

Why are you doing that Whois search? DENIC wants to know

Kevin Murphy, February 6, 2018, Domain Registries

In a taste of what might be coming under EU privacy legislation, DENIC wants you to jump through some new hoops before it lets you see Whois data.

When doing a Whois query on its web site today, the German ccTLD registry first asks you to answer the question: “How do you justify your legitimate interest in accessing the whois data?”

It’s a multiple-choice question, with an extra field for typing in your reasons for doing the query.

Possible answers include “because you think that the use of the domain raises a legal problem”, which appears to be for trademark lawyers, and “because you want to collect information about the domain holder for business purposes”, which appears to be for domainers.

Denic whois

There’s no wrong answer that will deny you access to the Whois record you want to see, but users are warned that their use of Whois data is only to be for “legitimate purposes”, under pain of legal action.

A DENIC spokesperson told DI that the new system was introduced today “for statistical reasons”

“Its aim is just to get a better idea of the DENIC whois usage pattern and of the extent to which different user groups are utilising the extended service,” she said.

The move should be viewed in the context of the incoming General Data Protection Regulation, an EU privacy law that becomes fully implemented in May this year.

While there’s been a lot of focus on how this will effect ICANN and its harem of contracted gTLDs, it’s easy to forget that it affects ccTLDs just as much.

By conducting this mandatory survey of real Whois users, DENIC will presumably be able to gather some useful data that will inform how it stays GDPR-compliant after May.

US and EU call for Whois to stay alive

Kevin Murphy, January 31, 2018, Domain Policy

Government officials from both sides of the Atlantic have this week called on ICANN to preserve Whois as it currently is, in the face of incoming EU privacy law, at least for a select few users.

The European Commission wrote to ICANN to ask for a “pragmatic and workable solution” to the apparent conflict between the General Data Protection Regulation and the desire of some folks to continue to access Whois as usual.

Three commissioners said in a letter (pdf) that special consideration should be given to “public interests” including “ensuring cybersecurity and the stability of the internet, preventing and fighting crime, protecting intellectual property and copyright, or enforcing consumer protection measures”.

David Redl, the new head of the US National Telecommunications and Information Administration, echoed these concerns in a speech at the State of the Net conference in Washington DC on Monday.

Redl said that the “preservation of the Whois service” is one of NTIA’s top two priorities at the moment. The other priority is pressing for US interests in the International Telecommunications Union, he said.

Calling Whois “a cornerstone of trust and accountability for the Internet”, Redl said the service “can, and should, retain its essential character while complying with national privacy laws, including the GDPR.”

“It is in the interests of all Internet stakeholders that it does,” he said. “And for anyone here in the US who may be persuaded by arguments calling for drastic change, please know that the US government expects this information to continue to be made easily available through the Whois service.”

He directly referred to the ability of regular internet users to access Whois for consumer protection purposes in his speech.

The European Commission appears to be looking at a more restrictive approach, but it did offer some concrete suggestions as to how GDPR compliance might be achieved.

For example, the commissioners’ letter appears to give tacit approval to the idea of “gated” access to Whois, but called for access by law enforcement to be streamlined and centralized.

It also suggests throttling as a mechanism to reduce abuse of Whois data, and makes it clear that registrants should always be clearly informed how their personal data will be used.

The deadline for GDPR compliance is May this year. That’s when the ability of EU countries to start to levy fines against non-compliant companies, which could run into millions of euros, kicks in.

While ICANN has been criticized by registries and registrars for moving too slowly to give them clarity on how to be GDPR-compliant while also sticking to the Whois provisions of their contracts, its pace has been picking up recently.

Two weeks ago it called for comments on three possible Whois models that could be used from May.

That comment period ended on Monday, and ICANN is expected to publish the model upon which further discussions will be based today.

DomainTools scraps apps and APIs in war on spam

Kevin Murphy, January 22, 2018, Domain Services

DomainTools is to scrap at least five of its services as it tries to crack down spam.

It’s getting rids of its mobile apps, its APIs, and is to stop showing registrants’ personal information to unauthenticated users.

CEO Tim Chen told us in an email at the weekend:

The Android app is no longer supported.

The iOS app will no longer be supported after February 20th.

The Developer API is no longer supported.

On February 20th, the Bulk Parsed Whois tool available to Personal Members will no longer be supported.

On February 20th, our production Whois API will no longer be available to individual membership levels, an Enterprise relationships will be required.

It’s all part of an effort to make sure DomainTools services are not being abused by spammers, which has lead to a dispute with GoDaddy over bulk access to its registrants’ Whois data.

The longstanding problem of new registrants getting spammed with calls and emails offering web hosting and such has escalated over the last few years. Domain Name Wire detailed the scale of the abuse registrants can experience in a post last week.

While to my knowledge nobody has directly accused DomainTools of facilitating such abuse, the scrapped services are the ones that would be most useful to these spammers.

The company is also going to scale back what guest users can see when they do a Whois lookup, and is to make automated scraping of Whois records more difficult for paying members.

In a blog post, Chen wrote last week:

As of today, unauthenticated users of the DomainTools Whois Lookup tool will not see personally identifiable information for the registrant parsed out in the results, and will be required to submit a CAPTCHA to see the full raw domain name Whois record. Phone numbers in the parsed results have been replaced with image files, much the same way emails have always been rendered

As well as hoping to ease relations with GoDaddy — the source of a very heavy chunk of DomainTools’ data — the moves are also part of the company’s strategy for dealing with the incoming General Data Protection Regulation.

This is the EU law that gives registrants more control over the privacy of their personal data.

Chen told us earlier this month that DomainTools is keen to ensure its enterprise-level suite of security products, which he said are vital for security and intellectual property investigations, continue to operatie under the new regime.

About 80% of DomainTools’ revenue comes from its enterprise-level customers, over 500 companies.