Latest news of the domain name industry

Recent Posts

Registrars open floodgate of Whois privacy outrage

Kevin Murphy, June 26, 2015, Domain Policy

A letter-writing campaign orchestrated by the leading domain registrars has resulted in ICANN getting hit with over 8,000 pro-privacy comments in less than a week.

It’s the largest volume of comments received by ICANN on an issue since right-wing Christian activists deluged ICANN with protests about .xxx, back in 2010.

The comments — the vast majority of them unedited template letters — were filed in response to the GNSO Privacy & Proxy Services Accreditation Issues (PPSAI) Working Group Initial Report.

That report attempts to bring privacy and proxy services, currently unregulated by ICANN, under ICANN’s contractual wing.

There are two problematic areas, as far as the registrars are concerned.

The first is the ability of trademark and copyright owners to, under certain circumstances, have the registrant of a privately registered name unmasked.

Upon receiving such a request, privacy services would have 15 days to obtain a response from their customer. They’d then have to make a call as to whether to reveal their contact information to the IP owner or not.

Possibly the most controversial aspect of this is described here:

Disclosure cannot be refused solely for lack of any of the following: (i) a court order; (ii) a subpoena; (iii) a pending civil action; or (iv) a UDRP or URS proceeding; nor can refusal to disclose be solely based on the fact that the request is founded on alleged intellectual property infringement in content on a website associated with the domain name.

In other words, the privacy services (in most cases, also the registrar) would be forced make a judgement on whether web site content is illegal, in the absence of a court order, before removing Whois privacy on a domain.

The second problematic area is an “additional statement” on domains used for commercial activity, appended to the PPSAI report, penned by MarkMonitor on behalf of Facebook, LegitScript, DomainTools, IP attorneys Smith, Gambreall & Russell, and itself.

Those companies believe it should be against the rules for anyone who commercially transacts via their web site to use Whois privacy.

Running ads on a blog, say, would be fine. But asking for, for example, credit card details in order to transact would preclude you from using privacy services.

The PPSAI working group didn’t even approach consensus on this topic, and it’s not a formal recommendation in its report.

Regardless, it’s one of the lynchpins of the current registrar letter-writing campaigns.

A page at SaveDomainPrivacy.org — the site backed by dozens of registrars big and small — describes circumstances under which somebody would need privacy even though they engage in e-commerce.

Home-based businesses, shelters for domestic abuse victims that accept donations, and political activists are all offered up as examples.

Visitors to the site are (or were — the site appears to be down right now (UPDATE: it’s back up)) invited to send a comment to ICANN supporting:

The legitimate use of privacy or proxy services to keep personal information private, protect physical safety, and prevent identity theft

The use of privacy services by all, for all legal purposes, regardless of whether the website is “commercial”

That privacy providers should not be forced to reveal my private information without verifiable evidence of wrongdoing

The content of the site was the subject of a sharp disagreement between MarkMonitor and Tucows executives last Saturday during ICANN 53. I’d tell you exactly what was said, but the recording of the relevant part of the GNSO Saturday session has not yet been published by ICANN.

Another site, which seems to be responsible for the majority of the 8,000+ comments received this week, is backed by the registrar NameCheap and the digital civil rights groups the Electronic Frontier Foundation and Fight For The Future.

NameCheap appears to be trying to build on the reputation it started to create for itself when it opposed the Stop Online Piracy Act a few years ago, going to so far as to link the Whois privacy reforms to SOPA on the campaign web site, which says:

Your privacy provider could be forced to publish your contact data in WHOIS or even give it out to anyone who complains about your website, without due process. Why should a small business owner have to publicize her home address just to have a website?

We think your privacy should be protected, regardless of whether your website is personal or commercial, and your confidential info should not be revealed without due process. If you agree, it’s time to tell ICANN.

The EFF’s involvement seems to have grabbed the attention of many reporters in the general tech press, generating dozens of headlines this week.

The public comment period on the PPSAI initial report ends July 7.

If it continues to attract attention, it could wind up being ICANN’s most-subscribed comment period ever.

Do geeks care about privacy more than Christians care about porn? We’ll find out in a week and a half.

Whois privacy reforms incoming

Kevin Murphy, May 6, 2015, Domain Policy

Whois privacy services will become regulated by ICANN under proposals published today, but there’s a big disagreement about whether all companies should be allowed to use them.

A working group has released the first draft of its recommendations covering privacy and proxy services, which mask the identity and contact details of domain registrants.

The report says that P/P services should be accredited by ICANN much like registrars are today.

Registrars should be obliged to disclose which such services they operate or are affilated with, presumably at the risk of their Registrar Accreditation Agreement if they do not comply, the report recommends.

A highlight of the paper is a set of proposed rules governing the release of private Whois data when it is requested by intellectual property interests.

Under the proposed rules, privacy services would not be allowed to reject such requests purely because the alleged infringement deals with the content of a web site rather than just the domain.

So the identity of a private registrant of a non-infringing domain would be vulnerable to disclosure if, for example, the domain hosted bootleg content.

Registrars would be able to charge IP owners a nominal “cost recovery” fee in order to process requests and would be able to ignore spammy automated requests that did not appear to have been manually vetted.

There’d be a new arbitration process that would kick in to resolve disputes between IP interests and P/P service providers.

The 98 pages of recommendations (pdf) were drafted by the Generic Names Supporting Organization’s Privacy & Proxy Services Accreditation Issues Working Group (PPSAI) and opened for public comment today.

There are a lot of gaps in the report. Work, it seems, still needs to be done.

For example, it acknowledges that the working group didn’t reach any conclusions about what should happen when law enforcement agencies ask for private data.

The group was dominated by registrars and IP interests. There was only one LEA representative and only one governmental representative, and they participated in a very small number of teleconferences.

There was also a sharp division on the issue of who should be able to use privacy services, with two dissenting opinions attached to the report.

One faction, led by MarkMonitor and including Facebook, Domain Tools and fake pharmacy watchdog LegitScript, said that any company that engages in e-commerce transactions should be ineligible for privacy, saying: “Transparent information helps prevent malicious activity”.

Another group, comprising a handful of non-commercial stakeholders, said that no kind of activity should prevent you from registering a domain privately, pointing to the example of persecuted political groups using web sites to raise funds.

There was a general consensus, however, than merely being a commercial entity should not alone exclude you from using a P/P service.

Currently, registrar signatories to the 2013 RAA are bound by a temporary P/P policy that is set to expire January 2017 or whenever the P/P accreditation process starts.

There are a lot of recommendations in the report, and I’ve only touched on a handful here. The public comment period closes July 7.

Identity checks coming to Whois

Kevin Murphy, September 25, 2012, Domain Registrars

Pretty soon, if you want to register a domain name in a gTLD you’ll have to verify your email address and/or phone number or risk having your domain turned off.

That’s the latest to come out of talks between registrars, ICANN, governments and law enforcement agencies, which met last week in Washington DC to thrash out a new Registrar Accreditation Agreement.

While a new draft RAA has not yet been published, ICANN has reported some significant breakthroughs since the Prague meeting in June.

Notably, the registrars have agreed for the first time to do some minimal registrant identity checks — phone number and/or email address — at the point of registration.

Verification of mailing addresses and other data points — feared by registrars for massively adding to the cost of registrations — appears to be no longer under discussion.

The registrars have also managed to win another concession: newly registered domain names will be able to go live before identities have been verified, rather than only after.

The sticking point is in the “and/or”. Registrars think they should be able to choose which check to carry out, while ICANN and law enforcement negotiators think they should do both.

According to a memo released for discussion by ICANN last night:

It is our current understanding that law enforcement representatives are willing to accept post-­‐resolution verification of registrant Whois data, with a requirement to suspend the registration if verification is not successful within a specified time period. However, law enforcement recommends that if registrant Whois data is verified after the domain name resolves (as opposed to before), two points of data (a phone number and an email address) should be verified.

Among the other big changes is an agreement by registrars to an ICANN-run Whois privacy service accreditation system. Work is already underway on an accreditation framework.

After it launches, registrars will only be able to accept private registrations made via accredited privacy and proxy services.

Registrars have also agreed to some of law enforcement’s data retention demands, which has been a bone of contention due to worries about varying national privacy laws.

Under the new RAA, they would keep some registrant transaction data for six months after a domain is registered and other data for two years. It’s not yet clear which data falls into which category.

These and other issues outlined in ICANN’s latest update are expected to be talking points in Toronto next month.

It looks like a lot of progress has been made since Prague — no doubt helped by the fact that law enforcement has actually been at the table — and I’d be surprised if we don’t see a draft RAA by Beijing next April.

How long it takes to be adopted ICANN’s hundreds of accredited registrars is another matter.

One in five domains use a privacy service

Kevin Murphy, September 14, 2010, Domain Policy

As many as 20 million domain names are registered via Whois privacy or proxy services, an ICANN-sponsored study has found.

The study, conducted by the National Opinion Research Center, looked at a sample of 2,400 domains registered in .com, .org, .net, .info and .biz.

It found that 18% of these names used a privacy/proxy service to hide the contact details of the true registrant. Its margin of error means the actual number could be between 16% and 20%.

Extrapolating to the universe of 101 million domains registered in these five TLDs at the time the sample was taken in January 2009, NORC estimates that between 17.7 million and 18.4 million domains used a proxy.

NORC also estimates that the current number of private registrations could be “substantially higher” today, due to increased market traction for such services.

This, combined with the growth in registration numbers to over 115 million domain names as of January 2010, means that the actual number of privacy/proxy registrations among the top five gTLDs is likely to be substantially higher than 18 million.

When you consider that some privacy services charge as much as $10 a year for private registrations, that adds up to quite a healthy market.

  • Page 2 of 2
  • <
  • 1
  • 2