Latest news of the domain name industry

Recent Posts

Group uses FOI to demand entire .nyc Whois database

Former .nyc hopeful Connecting.nyc has requested a dump of the entire .nyc Whois database using freedom of information legislation.

According to a blog post, the group has filed a request under the New York Freedom of Information Law for all 75,000 Whois records.

Connecting.nyc says it wants the data in order to plot every .nyc registrant on a map of the city to see “if the name purchasers were spread evenly over the city or concentrated in a particular neighborhood or borough. And if they were from a particular social or economic strata.”

It says it has spent 10 weeks asking for the data via email but has been rebuffed.

Under ICANN Registry Agreements, registries are under no obligation to offer bulk Whois access. Registrars are supposed to allow it under their accreditation agreements, but are allowed to charge huge sums.

The .nyc space does not allow private registrations. Its Whois data is all publicly accessible and could conceivably be mined via sequential queries.

The new gTLD is managed by Neustar but assigned to the City of New York, making it essentially government-owned.

It will be interesting to see whether Whois access falls under FOI law. Many other geographic gTLDs have government links and may fall under their own respective FOI legislation.

Connecting.nyc once intended to apply for .nyc itself, but is now a sort of self-appointed community watchdog for the gTLD. It’s an At-Large structure within ICANN.

Whois privacy reforms incoming

Kevin Murphy, May 6, 2015, Domain Policy

Whois privacy services will become regulated by ICANN under proposals published today, but there’s a big disagreement about whether all companies should be allowed to use them.

A working group has released the first draft of its recommendations covering privacy and proxy services, which mask the identity and contact details of domain registrants.

The report says that P/P services should be accredited by ICANN much like registrars are today.

Registrars should be obliged to disclose which such services they operate or are affilated with, presumably at the risk of their Registrar Accreditation Agreement if they do not comply, the report recommends.

A highlight of the paper is a set of proposed rules governing the release of private Whois data when it is requested by intellectual property interests.

Under the proposed rules, privacy services would not be allowed to reject such requests purely because the alleged infringement deals with the content of a web site rather than just the domain.

So the identity of a private registrant of a non-infringing domain would be vulnerable to disclosure if, for example, the domain hosted bootleg content.

Registrars would be able to charge IP owners a nominal “cost recovery” fee in order to process requests and would be able to ignore spammy automated requests that did not appear to have been manually vetted.

There’d be a new arbitration process that would kick in to resolve disputes between IP interests and P/P service providers.

The 98 pages of recommendations (pdf) were drafted by the Generic Names Supporting Organization’s Privacy & Proxy Services Accreditation Issues Working Group (PPSAI) and opened for public comment today.

There are a lot of gaps in the report. Work, it seems, still needs to be done.

For example, it acknowledges that the working group didn’t reach any conclusions about what should happen when law enforcement agencies ask for private data.

The group was dominated by registrars and IP interests. There was only one LEA representative and only one governmental representative, and they participated in a very small number of teleconferences.

There was also a sharp division on the issue of who should be able to use privacy services, with two dissenting opinions attached to the report.

One faction, led by MarkMonitor and including Facebook, Domain Tools and fake pharmacy watchdog LegitScript, said that any company that engages in e-commerce transactions should be ineligible for privacy, saying: “Transparent information helps prevent malicious activity”.

Another group, comprising a handful of non-commercial stakeholders, said that no kind of activity should prevent you from registering a domain privately, pointing to the example of persecuted political groups using web sites to raise funds.

There was a general consensus, however, than merely being a commercial entity should not alone exclude you from using a P/P service.

Currently, registrar signatories to the 2013 RAA are bound by a temporary P/P policy that is set to expire January 2017 or whenever the P/P accreditation process starts.

There are a lot of recommendations in the report, and I’ve only touched on a handful here. The public comment period closes July 7.

Google leaks 282,000 private Whois records

Kevin Murphy, March 13, 2015, Domain Registrars

Google has accidentally revealed registrant contact information for 282,867 domain names that were supposed to be protected by a privacy service.

The bug reportedly affected 94% of the 305,925 domains registered via Google Apps, an eNom reseller.

The glitch was discovered by Cisco and reported to Google February 19. It has since been fixed and customers were notified yesterday.

Google acknowledged in an email to customers that the problem was caused by a “software defect in the Google Apps domain renewal system”.

It seems that anyone who acquired a domain with privacy through Google Apps since mid-2013 and has since renewed the registration will have had their identities unmasked in Whois upon renewal.

Names, addresses, emails and phone numbers were revealed.

Due to services such as DomainTools, which cache Whois records, there’s no putting the genie back in the bottle. The information is out there for good now.

It’s a pretty major embarrassment for Google, which recently launched its own registrar.

Nominet to give nod to .uk privacy services

Kevin Murphy, March 12, 2015, Domain Registries

Nominet plans to start accrediting proxy/privacy services in .uk domain names, and to make it easier to opt-out of having your full contact details published in Whois.

The proposed policy changes are outlined in a consultation opened this morning.

“We’ve never recognized privacy services,” director of policy Eleanor Bradley told DI. “If you’ve registered a .uk with a privacy service, we consider the privacy service to be the registrant of that domain name.”

“We’ve been pretending almost that they didn’t exist,” she said.

Under the proposed new regime, registrars would submit a customer’s full contact details to Nominet, but Nominet would publish the privacy service’s information in the domain’s Whois output.

Nominet, getting its hands on the customer data for the first time, would therefore start treating the end customer as the true registrant of the domain.

The company says that introducing the service would require minimal work and that it does not intend to charge registrars an additional fee.

Currently, use of privacy services in .uk is pretty low — just 0.7% of its domains, up from 0.09% a year ago.

Bradley said such services are becoming increasingly popular due to some large UK registrars beginning to offer them.

One of the reasons for low penetration is that quite a lot of privacy is already baked in to the .uk Whois database.

If you’re an individual, as opposed to a “trading” business, you’re allowed to opt-out of having any personal details other than your name published in Whois.

A second proposed reform would make that opt-out available to a broader spectrum of registrants, Nominet says.

“We’ve found over the last few years that it’s quite a hard distinction to draw,” Bradley said. “We’ve had some criticisms for our overly strict application of that.”

In future, the opt-out would be available according to these criteria:

i. The registrant must be an individual; and,
ii. The domain name must not be used:
a) to transact with customers (merchant websites);
b) to collect personal data from subjects (ie data controllers as defined in the Data Protection Act);
c) to primarily advertise or promote goods, services, or facilities.

The changes would allow an individual blogger to monetize her site with advertising without being considered a “trading” entity, according to Nominet.

But a line would be drawn where an individual collected personal data on users, such as email addresses for a mailing list, Bradley said.

Nominet says in its consultation documents:

Our continued commitment to Nominet’s role as the central register of data will enable us to properly protect registrants’ rights, release contact data where necessary under the existing exemptions, and maintain public confidence in the register. It acknowledges that some registrants may desire privacy, whilst prioritising the core function of the registry in holding accurate records.

The proposals are open for comments until June 3, which means they could potentially become policy later this year.

DreamHost hit with big breach notice

Kevin Murphy, November 3, 2014, Domain Registrars

DreamHost, a web hosting provider which says it hosts over 1.3 million web sites, has been hit with a lengthy ICANN compliance notice, largely concerning alleged Whois failures.

The breach notice raises questions about the company’s popular free Whois privacy service.

Chiefly, DreamHost has failed to demonstrate that it properly investigates Whois inaccuracy complaints, as required by the Registrar Accreditation Agreement, according to ICANN.

The notice contains numerous other complaints about alleged failures to publish information about renewal fees, its directors and abuse contacts on its web site.

The domain highlighted by ICANN in relation to the Whois failure is senect.com

ICANN sent three compliance notices to DreamHost concerning a Whois inaccuracy report for the domain name and requested DreamHost demonstrate that it took reasonable steps to investigate the Whois inaccuracy claims. DreamHost’s failure to provide documentation demonstrating the reasonable steps it took to investigate and correct the alleged Whois inaccuracy is a breach of Section 3.7.8 of the RAA.

Weirdly, senect.com has been under private registration at DreamHost since the start of 2012.

ICANN seems to be asking the registrar to investigate itself in this case.

DreamHost offers private registration to its customers for free. It populates the Whois with proxy contact information and the registrant name “A Happy DreamHost Customer”.

DomainTools associates “A Happy DreamHost Customer” with over 710,000 domain names.

As an accredited registrar, DreamHost had over 822,000 gTLD domain names at the last count. According to its web site, it has over 400,000 customers.

The breach notice also demands the company immediately start including the real contact information for its privacy/proxy customers in its data escrow deposits.

ICANN has given the company until November 21 to resolve a laundry list of alleged RAA breaches, or risk losing its accreditation.