Latest news of the domain name industry

Recent Posts

ICANN director Burr leaving Neustar

Kevin Murphy, February 11, 2019, Domain Registries

Neustar is losing its chief privacy officer, Becky Burr, who also sits on ICANN’s board of directors.

Burr, a lawyer, said last week that she’s decided to return to private practice after almost seven years at the registry.

Her last day will be March 1, but she’ll continue to advise the company as outside counsel on issues such as privacy and .us policy.

Lips are sealed on her exact destination, but it’s apparently small, Washington, DC-based, and focused on data protection.

Prior to Neustar, Burr worked for the law firm Wilmer Hale. Prior to that, she was in the US National Telecommunications and Information Administration, where she helped create ICANN 20 years ago.

Despite no longer being directly employed by a registry or registrar, Burr said she’s hoping to be reelected to the ICANN board, where she represents the Contracted Parties House, when her current term expires at the end of the year.

In addition to .us, Neustar runs .co, .biz and acts as back-end for dozens of other TLDs.

Crunch Whois privacy talks kick off

Kevin Murphy, January 16, 2019, Domain Policy

ICANN volunteers are meeting this week to attempt to finalize their recommendations on the future of Whois privacy.

Most members of the Expedited Policy Development Process working group have gathered in Toronto for three days of talks on what will likely become, in May this year, new contractually binding ICANN policy.

Discussions are kicking off pretty much at the same time this article is published and will last until Friday afternoon local time.

The EPDP group is due to publish its final report by February 1, leaving enough time for GNSO consideration, public comments, and an ICANN board of directors vote.

Its initial report, which recommended some big changes to Whois output, was published in November. Public comments on this report will lead to largely modest changes to the policy this week.

The timing is tight because Whois policy is currently governed by a one-year Temporary Specification, created by the ICANN board, which expires May 25.

The bulk of the work today will focus on formalizing the “purposes” of Whois data, something that is needed if ICANN policy is to be compliant with the EU General Data Protection Regulation.

The more controversial stuff, where consensus will be extraordinarily difficult to find, comes tomorrow, when the group discusses policies relating to privileged access to private Whois data.

This is the area where intellectual property and security interests, which want a program that enables them to get access to private data, have been clashing with non-commercial stakeholders, which accuse their opponents of advocating “surveillance”.

It’s not expected that a system of standardized, unified access will be created this week or by February 1. Rather, talks will focus on language committing ICANN to work on (or not) such a system in the near future.

Currently, there’s not even a consensus on what the definition of “consensus” is. It could be slow going.

Gluttons for punishment Observers can tune in to the view/listen-only Adobe Connect room for the meetings here.

Now even parked domains will have GDPR notices

Kevin Murphy, December 18, 2018, Domain Services

Sedo will soon start showing privacy notices and cookie warnings on parked domains using its service.

The company told users today that it has updated its terms of service to comply with the EU’s General Data Protection Regulation. It said:

As a domain owner parking your domains on Sedo’s platform, within the scope of tracking website visitors to monetize your domain(s), Sedo collects and processes personal data on your behalf. The GDPR requires, among other things, that the person responsible, in this case you, the domain owner, display a data protection declaration and a cookie on your parked page. 

Sedo said this is a “complimentary feature”, but that it makes no assurances that the notices it displays on its users’ behalf are actually compliant with the regulation.

The terms have been changed such that the user agrees to be “solely responsible” for their own GDPR compliance. 

Users have two weeks to object to the changes, but if they do it seems Sedo will terminate their service.

The changes come into effect January 1.

First chance to have your say on the future of Whois

Kevin Murphy, November 23, 2018, Domain Policy

RIP: the Whois Admin.

Standard Whois output is set to get slimmed down further under newly published policy proposals.

The community working group looking at post-GDPR Whois has decided that the Admin Contact is no longer necessary, so it’s likely to get scrapped next year.

This is among several recommendations of the Expedited Policy Development Process working group on Whois, which published its initial report for public comment late Wednesday.

As expected, the report stops short of addressing the key question of how third-parties such as intellectual property interests, domain investors, security researchers and the media could get streamlined access to private Whois data.

Indeed, despite over 5,000 person-hours of teleconferences and face-to-face meetings and about 1,000 mailing list messages since work began in early August, the EPDP’s 50 members have yet to reach consensus on many areas of debate.

What they have reached is “tentative agreement” on 22 recommendations on how to bring current ICANN Whois policy into line with EU privacy law, the General Data Protection Regulation.

The work is designed to replace the current Temporary Specification, a Band-Aid imposed by the ICANN board of directors, which is due to expire next May.

The EPDP initial report proposes a few significant changes to what data is collected and publicly displayed by the Whois system.

The most notable change is the complete elimination of the Admin Contact fields.

Currently, Whois contains contact information for the registrant, admin contact and technical contact. It’s often the same data replicated across all three records, and under the Temp Spec the large majority of the data is redacted.

Under the EPDP’s proposal, the Admin Contact is superfluous and should be abandoned altogether. Not only would it not be displayed, but registrars would not even collect the data.

The Tech Contact is also getting a haircut. Registrars would now only be able to collect name, phone and email address, and it would be optional for the registrant whether to provide this data at all. In any event, all three fields would be redacted from public Whois output.

For the registrant, all contact information except state/province and country would be redacted.

There’s no agreement yet on whether the optional “organization” field would be redacted, but the group has agreed that registrars should provide better guidance to registrants about whether they need to provide that data.

While data on legal persons such as companies is not protected by GDPR, some fear that natural person registrants may just naively type their own name into that box when registering a name, inadvertently revealing their identities to the public.

Those providing Whois output would be obliged, as they are under the Temp Spec, to publish an anonymized email address or web-based contact form to allow users to contact registrants without personal information being disclosed.

That German lawsuit

The recommendation to slash what data is collected could have an impact on ICANN’s lawsuit against Tucows’ German subsidiary, EPAG.

ICANN is suing EPAG after the registrar decided that collecting admin and tech contact info was not compliant with GPDR. It’s been looking, unsuccessfully, for a ruling forcing the company to carry on collecting this data.

Tucows is of the view that if the admin and tech contacts are third parties to the registration agreement, it has no right to collect data about them under the GDPR.

If ICANN’s own community policy development process is siding with Tucows, this could guide ICANN’s future legal strategy, but not, it appears, until it becomes firm consensus policy.

I asked ICANN general counsel John Jeffrey about whether the EPDP’s work could affect the lawsuit during an interview October 5, shortly after it became clear that the admin/tech contact days might be numbered.

“Maybe,” he said. “If it becomes part of the policy we’ll have to assess that. Until there’s a new policy though, what we’re working with is the Temp Spec. The Temp Spec we believe is enforceable, we believe have the legal support for that, and we’ll continue down that path.”

(It might be worth noting that Thomas Rickert, whose law firm represents EPAG in this case, is on the EPDP working group in his capacity of head of domains for German trade group eco. He is, of course, just one of the 31 EPDP members developing these recommendations at any given time.)

IP wheel-spinning

The main reason it’s taken the EPDP so long to reach the initial report stage — the report was originally due during the ICANN 63 Barcelona meeting a month ago — has been the incessant bickering between those advocating for, and opposing, the rights of intellectual property interests to access private Whois data.

EPDP members from the IP Constituency and Business Constituency have been attempting to future-proof the work by getting as many references to IP issues inserted into the recommendations as they can, before the group has turned its attention to addressing them specifically.

But they’ve been opposed every step of the way by the Non-Commercial Stakeholders Group, which is concerned the IP lobby is trying to policy its way around GDPR as it relates to Whois.

Many hours have been consumed by these often-heated debates.

My feeling is that the NCSG has been generally winning, but probably mainly because the working group’s charter forbade discussion about access until other issues had been addressed.

As it stands today, the initial report contains this language in Recommendation #2:

Per the EPDP Team Charter, the EPDP Team is committed to considering a system for Standardized Access to non-public Registration Data once the gating questions in the charter have been answered. This will include addressing questions such as:

• What are the legitimate purposes for third parties to access registration data?

• What are the eligibility criteria for access to non-public Registration data?

• Do those parties/groups consist of different types of third-party requestors?

• What data elements should each user/party have access to?

In this context, amongst others, disclosure in the course of intellectual property infringement and DNS abuse cases will be considered

This is basically a placeholder to assure the IP crowd that their wishes are still on the table for future debate — which I don’t think was ever in any doubt — but even this basic recommendation took hours to agree to.

The EPDP’s final report is due February 1, so it has just 70 days to discuss this hypothetical “Standardized Access” model. That’s assuming it started talks today, which it hasn’t.

It’s just nine weeks if we assume not a lot is going to happen over the Christmas/New Year week (most of the working group come from countries that celebrate these holidays).

For context, it’s taken the working group about 115 days just to get to the position it is in today.

Even if Standardized Access was the only issue being discussed — and it’s not, the group is also simultaneously going to be considering the public comment on its initial report, for starters — this is an absurdly aggressive deadline.

I feel fairly confident in predicting that, come February 1, there will be no agreement on a Standardized Access framework, at least not one that would be close to implementable.

Have your say

All 22 recommendations, along with a long list of questions, have now been put out for public comment.

The working group is keen to point out that all comments should provide rationales, and consider whether what they’re asking for would be GDPR-compliant, so comments along the lines of “Waaah! Whois should be open!” will likely be rapidly filed to the recycle bin.

It’s a big ask, considering that most people have just a slim grasp of what GDPR compliance actually means.

Complicating matters, ICANN is testing out a new way to process public comments this time around.

Instead of sending comments in by email, which has been the norm for two decades, a nine-page Google form has been created. This is intended to make it easier to link comments to specific recommendations. There’s also a Word version of the form that can be emailed.

Given the time constraints, it seems like an odd moment to be testing out new processes, but perhaps it will streamline things as hoped. We’ll see.

This is how AppDetex works

Kevin Murphy, October 25, 2018, Domain Services

A small brand-protection registrar with a big friend caused quite a stir at ICANN 63 here in Barcelona this week, after accusing registrars for the second time of shirking their duties to disclose private Whois data to trademark owners.

AppDetex, which has close ties to Facebook, has sent something like 9,000 Whois requests to registrars over the last several months, then complained to ICANN last week that it only got a 3% response rate.

Registrars cried foul, saying that the company’s requests are too vague to action and sometimes seem farcical, suggesting an indiscriminate, automated system almost designed to be overly burdensome to them.

In chats with DI this week, AppDetex CEO Faisal Shah, general counsel Ben Milam and consultant Susan Kawaguchi claimed that the system is nowhere near as spammy as registrars think, then showed me a demo of their Whois Requester product that certainly seemed to support that claim.

First off, Whois Requester appears to be only partially automated.

Tucows had noted in a letter to ICANN that it had received requests related to domains including lincolnstainedglass.com and grifflnstafford.com, which contain strings that look a bit like the “Insta” trademark but are clearly not cybersquatting.

“That no human reviewed these domains was obvious, as the above examples are not isolated,” Tucows CEO Elliot Noss wrote.

“It is abundantly clear to us that the requests we received were generated by an automated system,” Blacknight CEO Michele Neylon, who said he had received similarly odd requests, wrote in his own letter.

But, according to AppDetex, these assumptions are not correct.

Only part of its service is automated, they said. Humans — either customers or AppDetex in-house “brand analysts” — were involved in sending out all the Whois requests generated via its system.

AppDetex itself does not generate the lists of domains of concern for its clients, they said. That’s done separately, using unrelated tools, by the clients themselves.

It’s possible these could be generated from zone files, watch services, abuse reports or something else. The usage of the domain, not just its similarity to the trademark in question, would also play a role.

Facebook, for example, could generate its own list of domains that contain strings matching, partially matching, or homographically similar to its trademarks, then manually input those domains into the AppDetex tool.

The product features the ability to upload lists of domains in bulk in a CSV file, but Kawaguchi told me this feature has never been used.

Once a domain has been input to main Whois Requester web form, a port 43 Whois lookup is automatically carried out in the background and the form is populated with data such as registrar name, Whois server, IANA number and abuse email address.

At this point, human intervention appears to be required to visually confirm whether the Whois result has been redacted or not. This might require also going to the registrar’s web-based Whois, as some registrars return different results over port 43 compared to their web sites.

If a redacted record is returned, users can then select the trademark at issue from a drop-down (Whois Requestor stores its’ customers trademark information) and select a “purpose” from a different drop-down.

The “purposes” could include things like “trademark investigation” or “phishing investigation”. Each generates a different piece of pre-written text to be used in the template Whois request.

Users can then choose to generate, manually approve, and send off the Whois request to the relevant registrar abuse address. The request may have a “form of authorization” attached — a legal statement that AppDetex is authorized to ask for the data on behalf of its client.

Replies from registrars are sent to an AppDetex email address and fed into a workflow tool that looks a bit like an email inbox.

As the demo I saw was on the live Whois Requester site with a dummy account, I did not get a view into what happens after the initial request has been sent.

Registrars have complained that AppDetex does not reply to their responses to these initial requests, which is a key reason they believe them frivolous.

Shah and Milam told me that over the last several months, if a registrar reply has included a request for additional information, the Whois Requester system has been updated with a new template for that registrar, and the request resent.

This, they said, may account for duplicate requests registrars have been experiencing, though two registrars I put this to dispute whether it fits with what they’ve been seeing.

The fact that human review is required before requests are sent out “just makes it worse”, they also said.