Latest news of the domain name industry

Recent Posts

ICANN adds another six months to Whois reform roadmap

Kevin Murphy, November 4, 2021, Domain Policy

ICANN says that its preparatory work for possible Whois reforms will take another six months.

The Operational Design Phase for the System for Standardized Access and Disclosure will now conclude “by the end of February 2022”, ICANN said this week.

That’s after the Org missed its original September deadline after six months of work.

ICANN program manager Diana Middleton said at ICANN 72 last week that ODP had been delayed by various factors including surveys taking longer than expected and throwing up more questions than they answered.

A survey of Governmental Advisory Committee members due September 17 was extended until the end of October.

But she added that ICANN intends to throw its first draft of the output — an Operational Design Assessment — at its technical writers by the end of the month, with a document going before the board of directors in early February.

SSAD is the proposed system that would funnel requests for private Whois data through ICANN, with a new veneer of red tape for those wishing to access such data.

The ODP is ICANN’s brand-new process for deciding how it could be implemented, how much it would cost, and indeed whether it’s worthwhile implementing it at all.

It’s also being used to prepare for the next round of new gTLDs, with a 13-month initial deadline.

The longer the current ODP runs, the greater the cost to the eventual SSAD user.

Whois rule changes that nobody likes get approved anyway

Kevin Murphy, November 3, 2021, Domain Services

ICANN’s Generic Names Supporting Organization Council has approved a handful of changes to Whois policy, despite the fact that pretty much nobody was fully on-board with the proposals and how they were made.

The new recommendations call for a new field in Whois records to flag up whether the registrant is a private individual, whose privacy is protected by law, or a legal entity like a company, which have no privacy rights.

But the field will be optional, with no obligation for registries or registrars to use it in their Whois services, which has angered intellectual property interests, governments and others.

The working group that came up with the recommendations also declined to find that Whois records should come with an anonymized registrant email address as standard. This absence of change was also adopted by the Council, causing more disappointment.

In short, nothing much is happening to Whois records for the foreseeable future as a result of these policy changes.

But the process to arrive at this conclusion has highlighted not just the deep divisions in the ICANN community but also, some argue, deficiencies in the ICANN process itself.

The Expedited Policy Development Process working group that has since 2018 been looking at the interaction between Whois and privacy protection law, primarily the European Union’s General Data Protection Regulation, had been asked two final questions earlier this year, to wrap up its long-running work.

First, should registrars and registries be forced to distinguish between legal and natural persons when deciding what data to publish in Whois?

Second, should there be a registrant-based or registration-based anonymized email published in Whois to help people contact domain owners and/or correlate ownership across records?

The answer on both counts was that it’s up to the registry or registrar to decide.

On legal versus natural, the EPDP decided that ICANN should work with the technical community to create a new field in the Whois standard (RDAP), but that there should be no obligation for the industry to use it.

On anonymized email addresses, the working group recommendations were even hand-wavier — they merely refer the industry to some legal advice on how to implement such a system in a GDPR-compliant way.

While this phase of the EPDP’s work was super-fast by ICANN standards (taking about nine months) and piss-weak with its output, it nevertheless attracted a whole lot of dissent.

While its tasks appeared straightforward to outsiders, it nevertheless appears to have inherited the simmering tensions and entrenched positions of earlier phases and turned out to be one of the most divisive and fractious working groups in the modern ICANN period.

Almost every group involved in the work submitted a minority statement expressing either their displeasure with the outcome, or with the process used to arrive at it, or both. Even some of the largely positive statements reek of sarcasm and resentment.

EPDP chair Keith Drazek went to the extent of saying that the minority statements should be read as part and parcel of the group’s Final Report, saying “some groups felt that the work did not go as far as needed, or did not include sufficient detail, while other groups felt that certain recommendations were not appropriate or necessary”.

This Final Report constitutes a compromise that is the maximum that could be achieved by the group at this time under our currently allocated time and scope, and it should not be read as delivering results that were fully satisfactory to everyone.

The appears to be an understatement.

The Intellectual Property Constituency and Business Constituency were both the angriest, as you might expect. They wanted to be able to get more data on legal persons, and to be able to reverse-engineer domain portfolios using anonymous registrant-baed email addresses, and they won’t be able to do either.

The Governmental Advisory Committee and Security and Stability Advisory Committee both expressed positions in line with the IPC/BC, dismayed that no enforceable contract language will emerge from this process.

Councilor Marie Pattullo of the BC said during the GNSO Council vote last Wednesday that the work “exceeds what is necessary to protect registrant data” and that the EPDP failed to “preserve the WHOIS database to the greatest extent possible”.

The “optional differentiation between legal and natural persons is inadequate”, she said, resulting in “a significant number of records being needlessly redacted or otherwise being made unavailable”. The approved policies contain “no real policy and places no enforceable obligations on contracted parties”, she said.

IPC councilor John McElwaine called the EPDP “unfinished work” because the working group failed to reach a consensus on the legal/natural question. The IPC minority statement had said:

Requiring ICANN to coordinate the technical community in the creation of a data element which contracted parties are free to ignore altogether falls far short of “resolving” the legal vs. natural issue. And failing to require differentiation of personal and non-personal data fails to meet the overarching goal of the EPDP to “preserve the WHOIS database to the greatest extent possible” while complying with privacy law.

But McElwaine conceded that “a minority of IPC members did favor these outputs as being minor, incremental changes that are better than nothing”.

The BC and IPC both voted against the proposals, but that was not enough to kill them. They would have needed support from at least one councilor on the the other side of the GNSO’s Non-Contracted Parties House, the Non-Commercial Stakeholders Group, and that hand was not raised.

While the NCSG voted “aye”, and seemed generally fine with the outcome, it wasn’t happy with the process, and had some stern words for its opponents. It said in its minority statement:

The process for this EPDP has been unnecessarily long and painful, however, and does not reflect an appreciation for ICANN’s responsibility to comply with data protection law but rather the difficulty in getting many stakeholders to embrace the concept of respect for registrants’ rights…

With respect to the precise issues addressed in this report, we have stressed throughout this EPDP, and in a previous PDP on privacy proxy services, that the distinction between legal and natural is not a useful distinction to make, when deciding about the need to protect data in the RDS. It was, as we have reiterated many times, the wrong question to ask, because many workers employed by a legal person or company have privacy rights with respect to the disclosure of their personal information and contact data. The legal person does not have privacy rights, but people do.

While welcoming the result, the Registrars Stakeholder Group had similar concerns about the process, accusing its opponents of trying to impose additional legal risks on contracted parties. Its minority statement says:

it is disappointing that achieving this result was the product of significant struggle. Throughout the work on this Phase, the WG revisited issues repeatedly without adding anything substantially new to the discussion, and discussed topics which were out of scope. Perhaps most importantly, the WG was on many occasions uninterested in or unconcerned with the legal and financial risks that some proposed obligations would create for contracted parties in varying jurisdictions or of differing business models, or the risks to registrants themselves.

The Registries Stakeholder Group drilled down even more on the “out of scope” issue, saying the recommendation to create a new legal vs natural field in Whois went beyond what the working group had been tasked with.

They disagreed with, and indeed challenged, Drazek’s decision that the discussion was in-scope, but reluctantly went ahead and voted on the proposals in Council in order to finally draw a line under the whole issue.

The question of whether the legal vs natural question has been in fact been resolved seems to be an ongoing point of conflict, with the RySG, RrSG and NCSG saying it’s finally time to put the matter to bed and the IPC and BC insisting that consensus has not yet been reached.

The RySG wrote that it is “well past time to consider the issue closed” and that the EPDP had produced a “valuable and acceptable outcome”, adding:

The RySG is concerned that some have suggested this issue is not resolved. This question has been discussed in three separate phases of the EPDP and the result each time has been that Contracted Parties may differentiate but are not required to do so. This clearly demonstrates that this matter has been addressed appropriately and consistently. A perception that this work is somehow unresolved could be detrimental to the ICANN community and seen as undermining the effectiveness of the multistakeholder model.

Conversely, the BC said the report “represents an unfortunate failure of the multistakeholder process” adding that “we believe the record should state that consensus opinion did not and still does not exist”.

The IPC noted “a troubling trend in multistakeholder policy development”, saying in a clear swipe at the contracted parties that “little success is possible when some stakeholders are only willing to act exclusively in their own interests with little regard for compromise in the interest of the greater good.”

So, depending on who you believe, either the multistakeholder process is captured and controlled by intransigent contracted parties, or it’s unduly influenced by those who want to go ultra vires to interfere with the business of selling domains in order to violate registrant privacy.

And in either case the multistakeholder model is at risk — either “agree to disagree” counts as a consensus position, or it’s an invitation for an infinite series of future policy debates.

Business as usual at the GNSO, in other words.

DI Leaders Roundtable #2 — Should we kill off “Whois”?

Kevin Murphy, November 11, 2019, Domain Tech

Should we stop using the word “Whois” to describe registration data lookup services?
That’s the question I posed for the second DI Leaders Roundtable.
I’m sure you’re all very well aware that the Registration Data Access Protocol (RDAP) is the imminent replacement for the Whois protocol, as the technical method by which domain registrant contact information is stored, transmitted and displayed.
ICANN also regularly refers to Registration Data Directory Services (RDDS) as a protocol-independent blanket term covering the concept of looking up Whois or RDAP data.
You may also recall that ICANN, which is ostensibly a technical body, appears to bedeprecating the word “Whois” in favor of “Lookup” on its own web-based query service.
ICANN has a track record of introducing new acronyms to describe already well-understood functions. The IANA has technically been called “Public Technical Identifiers” for years, but does anyone actually call it “PTI”? No, everyone still talks about “IANA”.
So I wanted to know:

Should we continue to call it “Whois” after the technical transition to RDAP is complete? Will you continue to refer to “Whois”? Should we change to a different word or acronym? Should the industry standardardize its language one way or the other?

There seems to be a general consensus that “Whois” ain’t going anywhere.
The responses, in no particular order.
Jothan Frakes, Executive Director, Domain Name Association
Mugshot

The term WHOIS won’t quickly leave the zeitgeist due to the decades of its use as a description of the lookup process. Lookup is somewhat confusing, as there is DNS Query lookup that works across the resolution system, and WHOIS Lookup that works to find registrant info via the registration system. As far as the term “Lookup” as the label for the new normal that is poised to replace WHOIS? It is better than the acronym “RDDS”. The general public probably would not assume that RDDS is a way to find out about a domain owner or registration information, because it sounds like it involves dentistry (DDS) if one is not following the ICANN world as close as insiders. Despite the evolutionary path the basic function seems to be on, it is likely that WHOIS continues to be what the nickname for the lookup process called, regardless of the support technology layers below it not literally being WHOIS.

Frank Schilling, CEO, Uniregistry
Mugshot

WHOIS IS DEAD, LONG LIVE WHOIS.
The echo of “Whois” will live long after Whois is dead and gone. The very nature of its replacement word “Lookup” ensures that the information hungry public will expect more fulsome data than ICANN intends the word to provide. There will continue to be services who try to engineer a Whois hack and provide accurate underlying data for paying customers. Whois is going to outlive all of us. Even those who diet, exercise, and eat organic food.

Dave Piscitello, Partner, Interisle Consulting Group

MugshotJust as most of the world isn’t familiar with new TLDs, most have no appreciation for the differences between Whois and RDAP. The term “Whois” is convenient, memorable, and embedded. It also represents a service to most users, not a protocol, so if we do “standardize” we should use “RDS”. While we sort out the disastrous effects of ICANN’s Temp Spec policy on both investigators and victims of DNS abuse, most parties involved with educating policy makers and legislators should continue to use Whois for consistency’s sake.

Christa Taylor, CMO, MMX

MugshotAs the old adage goes, “Don’t fix what’s not broken.” While “Whois” may have lost some of its luster due to GDPR I prefer to retain the term — it’s simple, representative of the information it provides and avoids adding any confusion especially for people outside of ICANN. Employing standardized language is, of course, logical and after twenty years of using “Whois” it is the accepted term both inside and outside the industry.

Sandeep Ramchamdani, CEO, Radix Registry

MugshotFirst up, the transition to the RDAP system is much needed given the fundamental flaws of Whois.
It would help in placing some guardrails around customers’ privacy while still providing agencies such as law enforcement authenticated access that they need to do their work.
Whois is a major cause of spam and in the age where privacy is top currency, public, unauthenticated availability of personal data is unacceptable.
It should also smooth out inter-registrar transfers and lower customer frustration while moving out to a different service provider.
When it comes to its name, calling it “RDAP” or “Lookup” would be a branding error. It would cause some confusion and for those not intimately involved in the industry, who may find it hard to discover the new system.
In my mind, keeping the original nomenclature “Whois”, while making it clear that it’s a newer avatar of the same solution would be the way to go.
Can’t think of a better term than “Whois 2.0”.
Very easy to understand that it’s a newer, more advanced iteration of the same product.

Michele Neylon, CEO, Blacknight
Mugshot

Whois was originally a simple little protocol that allowed network operators to contact each other to address technical issues. It predates the usage of domain names or the “web”.
When domains were introduced the same concept was simply transposed over to the new identifiers.
However over the past 20 plus years the way that people viewed Whois has morphed dramatically. The first time I spoke at an ICANN meeting 12 years ago was on the subject of Whois!
Now the term is used both to talk about the technical protocol, which is being replaced in the gTLD space and the data that it is used to store and possibly display. We talk about “Thin Whois”, “Thick Whois” and so many other services and issues linked back to it.
Whois as a protocol is far from perfect, which is why replacing the technical side of it makes a lot of sense.
So with the world slowly moving towards a new technical method for processing domain registration data then maybe we should come up with another word for it. However I’m not sure if there’s much to be gained by doing that.
We are all used to the floppy disk icon to save a document, even if floppy disks are no longer used. With the term “Whois” being part of people’s vocabulary for the nearly a quarter of a century. it’d be pretty hard to find a simple replacement and have people adopt it widely. Sure, in the more technical conversations it makes sense to use more accurate terms like “RDAP”, but the average punter just wants to be able to use a term that they can understand.
Those of us who work with domains and internet technology in our day jobs might care about the “correct” terminology, but we’re in a minority. We all get excited when the mainstream media picks up on a story involving domain names or the DNS and even gets half of it right! If we conjure up some new term that we think is accurate it’ll take years before anyone outside our bubble is comfortable with it. So I don’t think we should.
We should simply accept that “Whois” is a term used to refer to domain registration data no matter what technology under the hood is used to handle it.

Rick Schwartz, domain investor

MugshotHate to give the same basic answer to two questions in a row, but who cares?
Really!! Who cares? Nobody!
This is inside baseball that doesn’t affect anyone on the entire planet except for a handful of domain investors and ICANN etc.
Call it whatever you like just make sure it’s public info.

ICANN enters talks to kill off Whois for good

Kevin Murphy, October 23, 2019, Domain Tech

Whois’ days are numbered.
ICANN is to soon enter talks with accredited registrars and contracted gTLD registries with the aim of naming a date to finally “sunset” the aging protocol.
It wants to negotiate amendments to the Registrar Accreditation Agreement and Registry Agreement with a view to replacing obligations to publish Whois with obligations to publish Registration Data Access Protocol data.
In letters to the chairs of its registrar and registry constituencies this week, ICANN CEO Göran Marby wrote:

The primary focus of the amendment is to incorporate contractual requirements for the Registration Data Access Protocol (RDAP) into the Registration Data Directory Services. This should include definition of the plan and provisions to sunset the obligations related to the WHOIS protocol as we transition Registration Data Services to RDAP.

For avoidance of doubt, people will still be able to look up the contact information for domain name owners after the change, but the data they see (very likely redacted for privacy reasons nowadays) will be delivered over a different protocol.
The contract amendment processes involve both registry and registrar constituencies to nominate a few people to engage in talks with ICANN negotiators, which is expected to conclude within 90 days.
When they come up with mutually acceptable language, the amendments will be open for both public comment and a vote of registries and registrars, before going to the ICANN board of directors for final approval.
The voting process is complex, designed to avoid capture by the largest registrars, and based on a balance of the number of voting registrars and the number of domains they collectively manage.
The contractual changes will come as no surprise to contracted parties, which have been on-notice for years that Whois is on its way out in favor of RDAP.
Most registrars already operate an RDAP server in parallel to their old Whois service, following an ICANN deadline in August.
We could be looking at the death of Whois within a year.

Whois killer deadline has passed. Did most registrars miss it?

Kevin Murphy, August 28, 2019, Domain Registrars

The deadline for registrars to implement the new Whois-killer RDAP protocol passed yesterday, but it’s possible most registrars did not hit the target.
ICANN told registrars in February (pdf) that they had six months to start making RDAP (Registration Data Access Protocol) services available.
RDAP is the replacement for the age-old Whois protocol, and provides virtually the same experience for the end user, enabling them to query domain ownership records.
It’s a bit more structured and flexible, however, enabling future services such as tiered, authenticated access.
Despite the August 26 deadline coming and going, ICANN records suggest that as many as three quarter of accredited registrars have not yet implemented RDAP.
The IANA department started publishing the base URLs for registrar RDAP servers recent.
According to this list, there are 2,454 currently accredited registrars, of which only 615 (about 25%) have an RDAP server.
But I’m not convinced this number is particularly useful.
First, just because a registrar’s RDAP server is not listed, does not mean it does not have one.
For example, the two largest registrars, Tucows and GoDaddy, do not have servers on the list, but both are known to have been working on RDAP services for a long time through public pilots or live services. Similarly, some CentralNic registrars have servers listed while others do not.
Second, of the 1,839 accreditations without servers, at least 1,200 are DropCatch.com shells, which tips the scales towards non-compliance considerably.
Still, it seems likely that some registrars did in fact miss their deadline. How stringently ICANN chooses to enforce this remains to be seen.
ICANN itself replaced its “Whois” service with a “Lookup” service last month.
According to Michele Neylon of the registrar Blacknight, contracted parties can also discover RDAP URLs via ICANN’s closed RADAR registrar information portal.
RDAP and Whois will run concurrently for a while before Whois takes its final bow and disappears forever.

ICANN dumps the “Whois” in new Whois tool

Kevin Murphy, July 31, 2019, Domain Tech

Of all the jargon regularly deployed in the domain name industry and ICANN community, “Whois” is probably the one requiring the least explanation.
It’s self-explanatory, historically doing exactly what it says on the tin. But it’s on its way out, to be replaced by the far less user-friendly “RDAP”.
The latest piece of evidence of this transition: ICANN has pushed its old Whois query tool aside in favor of a new, primarily RDAP-based service that no longer uses the word “Whois”.
RDAP is the Registration Data Access Protocol, the IETF’s standardized Whois replacement to which gTLD registries and registrars are contractually obliged to migrate their registrant data.
Thankfully, ICANN isn’t branding the service on this rather opaque acronym. Rather, it’s using the word “Lookup” instead.
The longstanding whois.icann.org web site has been deprecated, replaced with lookup.icann.org. Visitors to the old page will be bounced to the new one.
The old site looked like this:
Whois
The new site looks like this:
Whois
It’s pretty much useless for most domains, if you want to find out who actually owns them.
If you query a .com or .net domain, you’ll only receive Verisign’s “thin” output. This does not included any registrant information.
That’s unlike most commercial Whois services, which also ping the relevant registrar for the full thick record.
For non-Verisign gTLDs, ICANN will return the registry’s thick record, but it will be very likely be mostly redacted, as required under ICANN’s post-GDPR privacy policy.
While contracted parties are still transitioning away from Whois to RDAP, the ICANN tool will fail over to the old Whois output if it receives no RDAP data.
Under current ICANN Whois policy, registries and registrars have until August 26 to deploy RDAP services to run alongside their existing Whois services.

Registrars given six months to deploy Whois killer

Kevin Murphy, March 1, 2019, Domain Policy

ICANN has started the clock ticking on the mandatory industry-wide deployment of RDAP.
gTLD registries and registrars have until August 26 this year to roll out RDAP services, which will one day replace the age-old Whois spec, ICANN said this week.
Registration Data Access Protocol fulfills the same function as Whois, but it’s got better support for internationalization and, importantly given imminent work on Whois privacy, tiered access to data.
ICANN’s RDAP profile was created in conjunction with contracted parties and public comments. The registries and registrars knew it was coming and told ICANN this week that they’re happy for the 180-day implementation deadline to come into effect.
The profile basically specs out what registrars and registries have to show in their responses to Whois (or RDAP, if you’re being pedantic) queries.
It’s based on the current Temporary Specification for Whois, and will presumably have to be updated around May this year, when it is expected that the Temp Spec will be replaced by the spec created by the Whois EPDP.

Exclusive gang of 10 to work on making ICANN the Whois gatekeeper

Kevin Murphy, December 14, 2018, Domain Services

Ten people have been picked to work on a system that would see ICANN act as the gatekeeper for private Whois data.

The organization today announced the composition of what it’s calling the Technical Study Group on Access to Non-Public Registration Data, or TSG-RD.

As the name suggests, the group is tasked with designing a system that would see ICANN act as a centralized access point for Whois data that, in the GDPR era, is otherwise redacted from public view.

ICANN said such a system:

would place ICANN in the position of determining whether a third-party’s query for non-public registration data ought to be approved to proceed. If approved, ICANN would ask the appropriate registry or registrar to provide the requested data to ICANN, which in turn would provide it to the third party. If ICANN does not approve the request, the query would be denied. 

There’s no current ICANN policy saying that the organization should take on this role, but it’s one possible output of the current Expedited Policy Development Process on Whois, which is focusing on how to bring ICANN policy into compliance with GDPR.

The new group is not going to make the rules governing who can access private Whois data, it’s just to create the technical framework, using RDAP, that could be used to implement such rules.

The idea has been discussed for several months now, with varying degrees of support from contracted parties and the intellectual property community.

Registries and registrars have cautiously welcomed the notion of a central ICANN gateway for Whois data, because they think it might make ICANN the sole “data controller” under GDPR, reducing their own legal liability.

IP interests of course leap to support any idea that they think will give them access to data GDPR has denied them.

The new group, which is not a formal policy-making body in the usual ICANN framework, was hand-picked by Afilias CTO Ram Mohan, at the request of ICANN CEO Goran Marby.

As it’s a technical group, the IP crowd and other stakeholders don’t get a look-in. It’s geeks all the way down. Eight of the 10 are based in North America, the other two in the UK. All are male. A non-zero quantity of them have beards.

  • Benedict Addis, Registrar Of Last Resort.
  • Gavin Brown, CentralNic.
  • Jorge Cano, NIC Mexico.
  • Steve Crocker, former ICANN chair.
  • Scott Hollenbeck, Verisign.
  • Jody Kolker, GoDaddy.
  • Murray Kucherawy, Facebook.
  • Andy Newton, ARIN.
  • Tomofumi Okubo, DigiCert.

While the group is not open to all-comers, it’s not going to be secretive either. Its mailing list is available for public perusal here, and its archived teleconferences, which are due to happen for an hour every Tuesday, can be found here. The first meeting happened this week.

Unlike regular ICANN work, the new group hopes to get its work wrapped up fairly quickly, perhaps even producing an initial spec at the ICANN 64 meeting in Kobe, Japan, next March.

For ICANN, that’s Ludicrous Speed.

Facebook clashes with registrars after massive private data request

Kevin Murphy, July 26, 2018, Domain Policy

Facebook is on the warpath, testing the limits of personal data disclosure in the post-GDPR world.
Via an intermediary called AppDetex, the company recently filed 500 requests for non-public Whois contact information with various registrars, covering potentially thousands of domains, and is now complaining to ICANN that almost all of the replies it received were “non-responsive”.
DI has learned that Facebook is not only asking registrars for Whois data on specific domains it believes infringe its trademarks, however. It’s also asking them to provide complete lists of domains owned by the same registrant, along with the Whois data for those domains, something registrars have never been obliged to provide, even pre-GDPR.
It’s now pissed that almost all of its requests were blown off, with registrars giving various reasons they could not provide the data.
AppDetex is a brand protection services firm and ICANN-accredited registrar. It’s built an automated system for generating Whois disclosure requests and sending them to registrars.
Ben Milam, its general counsel, wrote to ICANN last week to urge the organization to come up with, and more importantly enforce, a framework for brand owners to request private Whois data.
The company has stopped short of filing formal complaints against the registrars with ICANN’s compliance division, but Milam said it will in future:

we do plan to file complaints in the future, but not until ICANN has (i) established proper disclosure guidelines for non-public WHOIS requests for the registrar base to follow, and (ii) implemented an enforcement process that will ensure that brand holder requests are being satisfied.

The letter says that only one registrar responded adequately, to three of its disclosure requests. That was FBS Inc, which I believe is Turkey’s largest registrar. Turkey is not in the EU.
One registrar on Facebook’s naughty list is Ireland-based Blacknight Solutions, which received three disclosure requests but did not provide AppDetex with the information it wanted.
Blacknight CEO Michele Neylon shared a copy of one of these requests, which he said was received via email July 2, with DI.
In my view, the request is clearly automated, giving the registrar a deadline to respond 48 hours in the future accurate to the second. It cites five Facebook trademarks — Facebook, FB, Instagram, Oculous and WhatsApp.
At Blacknight’s request, I won’t disclose the domain here, but it begins with the string “insta”. At first glance it’s not an clear-cut case of cybersquatting the Instagram trademark. It’s currently parked, displaying ad links unrelated to Instagram.
The email asks the registrar to turn over the full non-public Whois contact information for the registrant, technical contact and administrative contact, but it goes on to also ask for:

4. All other domain names registered under this registrant’s account or email address
5. All information in requests 1, 2, and 3 for all domains provided in response to request 4

This would increase the volume of Whois records requested by Facebook from 500 to, very probably, thousands.
This reverse-Whois data was not previously available via vanilla registrar-provided Whois, though it may be under successor protocol RDAP. Brand owners would have to use a commercial third-party service such as DomainTools in order to connect a registrant to the rest of his portfolio.
It’s debatable whether registrars will be obliged to provide this reverse-Whois capability on non-public data to brand owners even after RDAP becomes the norm.
The request says Facebook needs the data in order “to investigate and prevent intellectual property infringement and contact infringing parties and relevant service providers” and “to facilitate legal action against the registrant”.
Facebook says it’s entitled to the data under Article 6(1)(f) of the GDPR as it’s “necessary for the purposes of our legitimate interests, namely (1) identifying the registered holder of a domain name and their contact information to investigate and respond to potential trademark infringement and (2) enforcing legal claims.”
Currently, registrars are governed by ICANN’s Temporary Specification for Whois, a GDPR-related Band-Aid designed to last until the ICANN community can create a formal policy.
Access to non-public Whois data is governed by section 4 of the Temp Spec, which reads in part:

Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.

In the absence of a formal ICANN policy, legal precedent, or specific guidance from data protection authorities, it’s not abundantly clear how registrars are supposed to comply with this clause of the spec, which may explain why Facebook is getting different responses from different registrars.
Neylon said that Blacknight responded to the disclosure requests by asking Facebook to produce an Irish court order.
He said the requests were overly broad, did not provide any contact information for the requester, did not provide a specific complaint against the registrants, and did not specify what privacy safeguards Facebook planned to subject the data to once it was handed over.
It seems Blacknight was not alone. According to AppDetex’s letter to ICANN, at least six other registrars replied denying the requests and saying:

complainant (Facebook) must utilize legal process of a subpoena or court order; complainant must file a UDRP action; complainant must file an action with WIPO; complainant must contact WIPO; and/or complainant’s request has been forwarded to the domain owner.

Milam said (pdf) that he expects the volume of requests to increase and that registrars’ responses will be forwarded to ICANN Compliance to help create a normalized framework for dealing with such requests.

ICANN approves messy, unfinished Whois policy

Kevin Murphy, May 18, 2018, Domain Policy

With a week left on the GDPR compliance clock, ICANN has formally approved a new Whois policy that will hit all gTLD registries and registrars next Friday.
The Temporary Specification for gTLD Registration Data represents the first time in its history ICANN has invoked contractual clauses that allow it to create binding policy in a top-down fashion, eschewing the usual community processes.
The policy, ICANN acknowledges, is not finished and needs some work. I would argue that it’s also still sufficiently vague that implementation in the wild is likely to be patchy.
What’s in public Whois?
The policy is clearest, and mostly unchanged compared to previous drafts, when it comes to describing which data may be published in public Whois and which data must be redacted.
If you do a Whois query on a gTLD domain from next week, you will no longer see the name, address, phone/fax number or email address of the registrant, admin or tech contacts.
You will continue to see the registrant’s organization, if there is one, and the country in which they are based, as well as some information about the registrar and name servers.
In future, public RDAP-based Whois databases will have to output “REDACTED FOR PRIVACY” in these fields, but for now they can just be blank.
While the GDPR is only designed to protect the privacy of humans, rather than companies, and only those connected to the European Union, the ICANN policy generally assumes that all registrants will be treated the same.
It will be possible for any registrant to opt out of having their data redacted, if being contactable is more important to them than their privacy.
What about privacy services?
Since the May 14 draft policy, ICANN has added a carve-out for domains that are already registered using commercial privacy/proxy services.
Whois records for those domains are NOT going to change under the new policy, which now has the text:

in the case of a domain name registration where a privacy/proxy service used (e.g. where data associated with a natural person is masked), Registrar MUST return in response to any query full WHOIS data, including the existing proxy/proxy pseudonymized email.

In the near term, this will presumably require registries/registrars to keep track of known privacy services. ICANN is working on a privacy/proxy accreditation program, but it’s not yet live.
So how do you contact registrants?
The policy begins to get more complicated when it addresses the ability to actually contact registrants.
In place of the registrant’s email address in public Whois, registries/registrars will now have to publish an anonymized email address or link to a web-based contact form.
Neither one of these options should be especially complex to implement — mail forwarding is a staple service at most registrars — but they will take time and effort to put in place.
ICANN indicated earlier this week that it may give contracted parties some breathing room to get this part of the policy done.
Who gets to see the private data?
The policy begins to fall apart when it describes granting access to full, unexpurgated, thick Whois records to third parties.
It seems to do a fairly good job of specifying that known quantities such as URS/UDRP providers, escrow providers, law enforcement, and ICANN itself continue to get access.
But it’s fuzzier when it comes to entities that really would like to continue to access Whois data, such as trademark lawyers, security service providers and consumer protection concerns.
While ICANN is adamant that third parties with “legitimate interests” should get access, the new policy does not enumerate with any specificity who these third parties are and the mechanism(s) contracted parties must use to grant such access.
This is what the policy says:

Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject

This appears to give contracted parties the responsibility to make legal judgment calls — balancing the GDPR-based privacy rights of the registrant against the “legitimate interests” of the requester — every time they get a thick Whois request.
The policy goes on to say that when European privacy regulators, the courts, or other legislation or regulation has specifically approved a certain class of requester, ICANN will relay this news to the industry and it will have 90 days to make sure that class gets full Whois access.
But the policy does not specify any formal mechanism by which anyone goes about requesting a thick record.
Do they just phone up the registrar and ask? Does the registrar have to publish a contact address for this purpose? How does the registrar go about confirming the requester is who they say they are? Should they keep white-lists of approved requesters, or approve each request on a domain-by-domain basis? When does the right of a trademark owner outweigh the privacy right of an individual?
None of these questions are answered by the policy, but in a non-binding annex ICANN points to ongoing community work to create an “accreditation and access model”.
That work appears to be progressing at a fair rapid clip, but I suspect that’s largely because the trademarks lawyers are holding the pens and discussions are not following ICANN’s usual consensus-building policy development rules.
When the work is absorbed into the ICANN process, we could be looking at a year or more before something gets finalized.
How will transfers work?
Because Whois is used during the inter-registrar transfer process, ICANN has also had to tweak its Inter-Registrar Transfer Policy to take account of instances where registrars can’t access each other’s databases.
Basically, it’s scrapping the requirement for gaining registrars to obtain a Form of Authorization from the Whois-listed registrant before they start an inbound transfer.
This will remove one hoop registrants have to jump through when they switch registrars (though losing registrars still have to obtain an FOA from them) at the cost of making it marginally easier for domain theft to occur.
What happens next?
ICANN acknowledges, in seven bullet points appended to the policy, that the community has more work to do, mainly on the access/accreditation program.
Its board resolution “acknowledges that there are other implementation items that require further community conversation and that the Board encourages the community to resolve as quickly as possible”.
The board has also asked ICANN staff to produce more explanatory materials covering the policy.
It also temporarily called off its Governmental Advisory Committee consultation, which I wrote about here, after receiving a letter from the GAC.
But the big next step is turning this Temporary Policy into an actual Consensus Policy.
The Temporary Policy mechanism, which has never been used before, is set up such that it has to be renewed by the board every 90 days, up to a maximum of one year.
This gives the GNSO until May 25 next year to complete a formal Policy Development Process. In fact, it will be a so-called “Expedited” PDP or EPDP, that cuts out some of the usual community outreach in order to provide a speedier result.
This, too, will be an unprecedented test of an ICANN policy-making mechanism.
The GNSO will have the Temporary Policy baseline to work from, but the Temporary Policy is also subject to board-level changes so the goalposts may move while the game is being played.
It’s going to be a big old challenge, and no mistake.