Latest news of the domain name industry

Recent Posts

Registrars open floodgate of Whois privacy outrage

Kevin Murphy, June 26, 2015, Domain Policy

A letter-writing campaign orchestrated by the leading domain registrars has resulted in ICANN getting hit with over 8,000 pro-privacy comments in less than a week.

It’s the largest volume of comments received by ICANN on an issue since right-wing Christian activists deluged ICANN with protests about .xxx, back in 2010.

The comments — the vast majority of them unedited template letters — were filed in response to the GNSO Privacy & Proxy Services Accreditation Issues (PPSAI) Working Group Initial Report.

That report attempts to bring privacy and proxy services, currently unregulated by ICANN, under ICANN’s contractual wing.

There are two problematic areas, as far as the registrars are concerned.

The first is the ability of trademark and copyright owners to, under certain circumstances, have the registrant of a privately registered name unmasked.

Upon receiving such a request, privacy services would have 15 days to obtain a response from their customer. They’d then have to make a call as to whether to reveal their contact information to the IP owner or not.

Possibly the most controversial aspect of this is described here:

Disclosure cannot be refused solely for lack of any of the following: (i) a court order; (ii) a subpoena; (iii) a pending civil action; or (iv) a UDRP or URS proceeding; nor can refusal to disclose be solely based on the fact that the request is founded on alleged intellectual property infringement in content on a website associated with the domain name.

In other words, the privacy services (in most cases, also the registrar) would be forced make a judgement on whether web site content is illegal, in the absence of a court order, before removing Whois privacy on a domain.

The second problematic area is an “additional statement” on domains used for commercial activity, appended to the PPSAI report, penned by MarkMonitor on behalf of Facebook, LegitScript, DomainTools, IP attorneys Smith, Gambreall & Russell, and itself.

Those companies believe it should be against the rules for anyone who commercially transacts via their web site to use Whois privacy.

Running ads on a blog, say, would be fine. But asking for, for example, credit card details in order to transact would preclude you from using privacy services.

The PPSAI working group didn’t even approach consensus on this topic, and it’s not a formal recommendation in its report.

Regardless, it’s one of the lynchpins of the current registrar letter-writing campaigns.

A page at SaveDomainPrivacy.org — the site backed by dozens of registrars big and small — describes circumstances under which somebody would need privacy even though they engage in e-commerce.

Home-based businesses, shelters for domestic abuse victims that accept donations, and political activists are all offered up as examples.

Visitors to the site are (or were — the site appears to be down right now (UPDATE: it’s back up)) invited to send a comment to ICANN supporting:

The legitimate use of privacy or proxy services to keep personal information private, protect physical safety, and prevent identity theft

The use of privacy services by all, for all legal purposes, regardless of whether the website is “commercial”

That privacy providers should not be forced to reveal my private information without verifiable evidence of wrongdoing

The content of the site was the subject of a sharp disagreement between MarkMonitor and Tucows executives last Saturday during ICANN 53. I’d tell you exactly what was said, but the recording of the relevant part of the GNSO Saturday session has not yet been published by ICANN.

Another site, which seems to be responsible for the majority of the 8,000+ comments received this week, is backed by the registrar NameCheap and the digital civil rights groups the Electronic Frontier Foundation and Fight For The Future.

NameCheap appears to be trying to build on the reputation it started to create for itself when it opposed the Stop Online Piracy Act a few years ago, going to so far as to link the Whois privacy reforms to SOPA on the campaign web site, which says:

Your privacy provider could be forced to publish your contact data in WHOIS or even give it out to anyone who complains about your website, without due process. Why should a small business owner have to publicize her home address just to have a website?

We think your privacy should be protected, regardless of whether your website is personal or commercial, and your confidential info should not be revealed without due process. If you agree, it’s time to tell ICANN.

The EFF’s involvement seems to have grabbed the attention of many reporters in the general tech press, generating dozens of headlines this week.

The public comment period on the PPSAI initial report ends July 7.

If it continues to attract attention, it could wind up being ICANN’s most-subscribed comment period ever.

Do geeks care about privacy more than Christians care about porn? We’ll find out in a week and a half.

Group uses FOI to demand entire .nyc Whois database

Former .nyc hopeful Connecting.nyc has requested a dump of the entire .nyc Whois database using freedom of information legislation.

According to a blog post, the group has filed a request under the New York Freedom of Information Law for all 75,000 Whois records.

Connecting.nyc says it wants the data in order to plot every .nyc registrant on a map of the city to see “if the name purchasers were spread evenly over the city or concentrated in a particular neighborhood or borough. And if they were from a particular social or economic strata.”

It says it has spent 10 weeks asking for the data via email but has been rebuffed.

Under ICANN Registry Agreements, registries are under no obligation to offer bulk Whois access. Registrars are supposed to allow it under their accreditation agreements, but are allowed to charge huge sums.

The .nyc space does not allow private registrations. Its Whois data is all publicly accessible and could conceivably be mined via sequential queries.

The new gTLD is managed by Neustar but assigned to the City of New York, making it essentially government-owned.

It will be interesting to see whether Whois access falls under FOI law. Many other geographic gTLDs have government links and may fall under their own respective FOI legislation.

Connecting.nyc once intended to apply for .nyc itself, but is now a sort of self-appointed community watchdog for the gTLD. It’s an At-Large structure within ICANN.

Whois privacy reforms incoming

Kevin Murphy, May 6, 2015, Domain Policy

Whois privacy services will become regulated by ICANN under proposals published today, but there’s a big disagreement about whether all companies should be allowed to use them.

A working group has released the first draft of its recommendations covering privacy and proxy services, which mask the identity and contact details of domain registrants.

The report says that P/P services should be accredited by ICANN much like registrars are today.

Registrars should be obliged to disclose which such services they operate or are affilated with, presumably at the risk of their Registrar Accreditation Agreement if they do not comply, the report recommends.

A highlight of the paper is a set of proposed rules governing the release of private Whois data when it is requested by intellectual property interests.

Under the proposed rules, privacy services would not be allowed to reject such requests purely because the alleged infringement deals with the content of a web site rather than just the domain.

So the identity of a private registrant of a non-infringing domain would be vulnerable to disclosure if, for example, the domain hosted bootleg content.

Registrars would be able to charge IP owners a nominal “cost recovery” fee in order to process requests and would be able to ignore spammy automated requests that did not appear to have been manually vetted.

There’d be a new arbitration process that would kick in to resolve disputes between IP interests and P/P service providers.

The 98 pages of recommendations (pdf) were drafted by the Generic Names Supporting Organization’s Privacy & Proxy Services Accreditation Issues Working Group (PPSAI) and opened for public comment today.

There are a lot of gaps in the report. Work, it seems, still needs to be done.

For example, it acknowledges that the working group didn’t reach any conclusions about what should happen when law enforcement agencies ask for private data.

The group was dominated by registrars and IP interests. There was only one LEA representative and only one governmental representative, and they participated in a very small number of teleconferences.

There was also a sharp division on the issue of who should be able to use privacy services, with two dissenting opinions attached to the report.

One faction, led by MarkMonitor and including Facebook, Domain Tools and fake pharmacy watchdog LegitScript, said that any company that engages in e-commerce transactions should be ineligible for privacy, saying: “Transparent information helps prevent malicious activity”.

Another group, comprising a handful of non-commercial stakeholders, said that no kind of activity should prevent you from registering a domain privately, pointing to the example of persecuted political groups using web sites to raise funds.

There was a general consensus, however, than merely being a commercial entity should not alone exclude you from using a P/P service.

Currently, registrar signatories to the 2013 RAA are bound by a temporary P/P policy that is set to expire January 2017 or whenever the P/P accreditation process starts.

There are a lot of recommendations in the report, and I’ve only touched on a handful here. The public comment period closes July 7.

Google leaks 282,000 private Whois records

Kevin Murphy, March 13, 2015, Domain Registrars

Google has accidentally revealed registrant contact information for 282,867 domain names that were supposed to be protected by a privacy service.

The bug reportedly affected 94% of the 305,925 domains registered via Google Apps, an eNom reseller.

The glitch was discovered by Cisco and reported to Google February 19. It has since been fixed and customers were notified yesterday.

Google acknowledged in an email to customers that the problem was caused by a “software defect in the Google Apps domain renewal system”.

It seems that anyone who acquired a domain with privacy through Google Apps since mid-2013 and has since renewed the registration will have had their identities unmasked in Whois upon renewal.

Names, addresses, emails and phone numbers were revealed.

Due to services such as DomainTools, which cache Whois records, there’s no putting the genie back in the bottle. The information is out there for good now.

It’s a pretty major embarrassment for Google, which recently launched its own registrar.

Nominet to give nod to .uk privacy services

Kevin Murphy, March 12, 2015, Domain Registries

Nominet plans to start accrediting proxy/privacy services in .uk domain names, and to make it easier to opt-out of having your full contact details published in Whois.

The proposed policy changes are outlined in a consultation opened this morning.

“We’ve never recognized privacy services,” director of policy Eleanor Bradley told DI. “If you’ve registered a .uk with a privacy service, we consider the privacy service to be the registrant of that domain name.”

“We’ve been pretending almost that they didn’t exist,” she said.

Under the proposed new regime, registrars would submit a customer’s full contact details to Nominet, but Nominet would publish the privacy service’s information in the domain’s Whois output.

Nominet, getting its hands on the customer data for the first time, would therefore start treating the end customer as the true registrant of the domain.

The company says that introducing the service would require minimal work and that it does not intend to charge registrars an additional fee.

Currently, use of privacy services in .uk is pretty low — just 0.7% of its domains, up from 0.09% a year ago.

Bradley said such services are becoming increasingly popular due to some large UK registrars beginning to offer them.

One of the reasons for low penetration is that quite a lot of privacy is already baked in to the .uk Whois database.

If you’re an individual, as opposed to a “trading” business, you’re allowed to opt-out of having any personal details other than your name published in Whois.

A second proposed reform would make that opt-out available to a broader spectrum of registrants, Nominet says.

“We’ve found over the last few years that it’s quite a hard distinction to draw,” Bradley said. “We’ve had some criticisms for our overly strict application of that.”

In future, the opt-out would be available according to these criteria:

i. The registrant must be an individual; and,
ii. The domain name must not be used:
a) to transact with customers (merchant websites);
b) to collect personal data from subjects (ie data controllers as defined in the Data Protection Act);
c) to primarily advertise or promote goods, services, or facilities.

The changes would allow an individual blogger to monetize her site with advertising without being considered a “trading” entity, according to Nominet.

But a line would be drawn where an individual collected personal data on users, such as email addresses for a mailing list, Bradley said.

Nominet says in its consultation documents:

Our continued commitment to Nominet’s role as the central register of data will enable us to properly protect registrants’ rights, release contact data where necessary under the existing exemptions, and maintain public confidence in the register. It acknowledges that some registrants may desire privacy, whilst prioritising the core function of the registry in holding accurate records.

The proposals are open for comments until June 3, which means they could potentially become policy later this year.