Latest news of the domain name industry

Recent Posts

Tucows splurges $30 million on Ascio

Kevin Murphy, March 19, 2019, Domain Registrars

Tucows has spent almost $30 million on rival channel-focused registrar Ascio Technologies.

The company announced this morning that the $29.44 million deal will add about 1.8 million domains to its portfolio of managed names, along with an extra 500 resellers.

Ascio was generating $4 million of annual EBITDA before the deal closed, Tucows said in a press release, adding:

The Ascio reseller base fits squarely with Tucows’ core customer profile — ISPs, web hosting companies and website builders serving quality businesses that reward outstanding customer service with long-term loyalty.

Ascio has been owned by CSC Digital Brand Services since 2016, when it was acquired as part of a bundle of registrars in the NetNames group.

As a channel play, it was not really a fit with CSC’s core brand-protection market. It is of course a fit with Tucows, which owns OpenSRS.

The deal, which closed yesterday, has reduced choice in the space, which may not sit well with some resellers.

Surprise! Most private Whois look-ups come from Facebook

Kevin Murphy, February 20, 2019, Domain Policy

Facebook is behind almost two-thirds of requests for private Whois data, according to stats published by Tucows this week.

Tucows said that it has received 2,100 requests for Whois data since it started redacting records in the public database when the General Data Protection Regulation came into effect last May.

But 65% of these requests came from Facebook and its proxy, AppDetex, that has been hammering many registrars with Whois requests for months.

AppDetex is an ICANN-accredited brand-protection registrar, which counts Facebook as its primary client. It’s developed a workflow tool that allows it, or its clients, to semi-automatically send out Whois requests to registrars.

It sent at least 9,000 such requests between June and October, and has twice sent data to ICANN complaining about registrars not responding adequately to its requests.

Tucows has arguably been the registrar most vocally opposed to AppDetex’s campaign, accusing it of artificially inflating the number of Whois requests sent to registrars for political reasons.

An ICANN policy working group will soon begin to discuss whether companies such as Facebook, as well as security and law enforcement interests, should be able to get credentials enabling them to access private Whois data.

Tucows notes that it sees spikes in Whois requests coinciding with ICANN meetings.

Tucows said its data shows that 92% of the disclosure requests it has received so far come from “commercial interests”, mostly either trademark or copyright owners.

Of this 92%, 85% were identified as trademark interests, and 76% of those were Facebook.

Law enforcement accounted for 2% of requests, and security researchers 1%, Tucows said.

First chance to have your say on the future of Whois

Kevin Murphy, November 23, 2018, Domain Policy

RIP: the Whois Admin.

Standard Whois output is set to get slimmed down further under newly published policy proposals.

The community working group looking at post-GDPR Whois has decided that the Admin Contact is no longer necessary, so it’s likely to get scrapped next year.

This is among several recommendations of the Expedited Policy Development Process working group on Whois, which published its initial report for public comment late Wednesday.

As expected, the report stops short of addressing the key question of how third-parties such as intellectual property interests, domain investors, security researchers and the media could get streamlined access to private Whois data.

Indeed, despite over 5,000 person-hours of teleconferences and face-to-face meetings and about 1,000 mailing list messages since work began in early August, the EPDP’s 50 members have yet to reach consensus on many areas of debate.

What they have reached is “tentative agreement” on 22 recommendations on how to bring current ICANN Whois policy into line with EU privacy law, the General Data Protection Regulation.

The work is designed to replace the current Temporary Specification, a Band-Aid imposed by the ICANN board of directors, which is due to expire next May.

The EPDP initial report proposes a few significant changes to what data is collected and publicly displayed by the Whois system.

The most notable change is the complete elimination of the Admin Contact fields.

Currently, Whois contains contact information for the registrant, admin contact and technical contact. It’s often the same data replicated across all three records, and under the Temp Spec the large majority of the data is redacted.

Under the EPDP’s proposal, the Admin Contact is superfluous and should be abandoned altogether. Not only would it not be displayed, but registrars would not even collect the data.

The Tech Contact is also getting a haircut. Registrars would now only be able to collect name, phone and email address, and it would be optional for the registrant whether to provide this data at all. In any event, all three fields would be redacted from public Whois output.

For the registrant, all contact information except state/province and country would be redacted.

There’s no agreement yet on whether the optional “organization” field would be redacted, but the group has agreed that registrars should provide better guidance to registrants about whether they need to provide that data.

While data on legal persons such as companies is not protected by GDPR, some fear that natural person registrants may just naively type their own name into that box when registering a name, inadvertently revealing their identities to the public.

Those providing Whois output would be obliged, as they are under the Temp Spec, to publish an anonymized email address or web-based contact form to allow users to contact registrants without personal information being disclosed.

That German lawsuit

The recommendation to slash what data is collected could have an impact on ICANN’s lawsuit against Tucows’ German subsidiary, EPAG.

ICANN is suing EPAG after the registrar decided that collecting admin and tech contact info was not compliant with GPDR. It’s been looking, unsuccessfully, for a ruling forcing the company to carry on collecting this data.

Tucows is of the view that if the admin and tech contacts are third parties to the registration agreement, it has no right to collect data about them under the GDPR.

If ICANN’s own community policy development process is siding with Tucows, this could guide ICANN’s future legal strategy, but not, it appears, until it becomes firm consensus policy.

I asked ICANN general counsel John Jeffrey about whether the EPDP’s work could affect the lawsuit during an interview October 5, shortly after it became clear that the admin/tech contact days might be numbered.

“Maybe,” he said. “If it becomes part of the policy we’ll have to assess that. Until there’s a new policy though, what we’re working with is the Temp Spec. The Temp Spec we believe is enforceable, we believe have the legal support for that, and we’ll continue down that path.”

(It might be worth noting that Thomas Rickert, whose law firm represents EPAG in this case, is on the EPDP working group in his capacity of head of domains for German trade group eco. He is, of course, just one of the 31 EPDP members developing these recommendations at any given time.)

IP wheel-spinning

The main reason it’s taken the EPDP so long to reach the initial report stage — the report was originally due during the ICANN 63 Barcelona meeting a month ago — has been the incessant bickering between those advocating for, and opposing, the rights of intellectual property interests to access private Whois data.

EPDP members from the IP Constituency and Business Constituency have been attempting to future-proof the work by getting as many references to IP issues inserted into the recommendations as they can, before the group has turned its attention to addressing them specifically.

But they’ve been opposed every step of the way by the Non-Commercial Stakeholders Group, which is concerned the IP lobby is trying to policy its way around GDPR as it relates to Whois.

Many hours have been consumed by these often-heated debates.

My feeling is that the NCSG has been generally winning, but probably mainly because the working group’s charter forbade discussion about access until other issues had been addressed.

As it stands today, the initial report contains this language in Recommendation #2:

Per the EPDP Team Charter, the EPDP Team is committed to considering a system for Standardized Access to non-public Registration Data once the gating questions in the charter have been answered. This will include addressing questions such as:

• What are the legitimate purposes for third parties to access registration data?

• What are the eligibility criteria for access to non-public Registration data?

• Do those parties/groups consist of different types of third-party requestors?

• What data elements should each user/party have access to?

In this context, amongst others, disclosure in the course of intellectual property infringement and DNS abuse cases will be considered

This is basically a placeholder to assure the IP crowd that their wishes are still on the table for future debate — which I don’t think was ever in any doubt — but even this basic recommendation took hours to agree to.

The EPDP’s final report is due February 1, so it has just 70 days to discuss this hypothetical “Standardized Access” model. That’s assuming it started talks today, which it hasn’t.

It’s just nine weeks if we assume not a lot is going to happen over the Christmas/New Year week (most of the working group come from countries that celebrate these holidays).

For context, it’s taken the working group about 115 days just to get to the position it is in today.

Even if Standardized Access was the only issue being discussed — and it’s not, the group is also simultaneously going to be considering the public comment on its initial report, for starters — this is an absurdly aggressive deadline.

I feel fairly confident in predicting that, come February 1, there will be no agreement on a Standardized Access framework, at least not one that would be close to implementable.

Have your say

All 22 recommendations, along with a long list of questions, have now been put out for public comment.

The working group is keen to point out that all comments should provide rationales, and consider whether what they’re asking for would be GDPR-compliant, so comments along the lines of “Waaah! Whois should be open!” will likely be rapidly filed to the recycle bin.

It’s a big ask, considering that most people have just a slim grasp of what GDPR compliance actually means.

Complicating matters, ICANN is testing out a new way to process public comments this time around.

Instead of sending comments in by email, which has been the norm for two decades, a nine-page Google form has been created. This is intended to make it easier to link comments to specific recommendations. There’s also a Word version of the form that can be emailed.

Given the time constraints, it seems like an odd moment to be testing out new processes, but perhaps it will streamline things as hoped. We’ll see.

ICANN probing Donuts and Tucows over anti-Jewish web site

Kevin Murphy, November 16, 2018, Domain Policy

ICANN is investigating Tucows and Donuts over a web site that hosts antisemitic, white supremacist content.

CEO Goran Marby said in a letter published this week that he has referred a complaint about the web site judas.watch to ICANN’s Compliance department.

The web site in question says it is dedicated to documenting “anti-White traitors, agitators and subversives & highlighting Jewish influence.” It appears to be half database, half blog.

Its method of “highlighting Jewish influence” is possibly the most disturbing part — the site tags people it believes are Jewish with a yellow Star of David, mimicking the way the Nazis identified Jews during the Holocaust.

The site is quite liberal in how it applies these stars, going so far as to label UK Labour Party leader Jeremy Corbyn, who has been fighting off his own allegations of antisemitism for years, as Jewish.

Over 1,600 people and organizations are currently listed. Posts there also seem keen to highlight its subjects’ sexual orientation.

As far as I can tell, there are no direct calls to violence on the site, and the level of what you might call “hate speech” is pretty mild. It publishes the social media handles of its subjects, but I could not find any physical addresses or phone numbers.

The complaint to ICANN (pdf) came from WerteInitiative (“Values Initiative”), which appears to be a small, relatively new Jewish civil society group based in Germany.

WerteInitiative said judas.watch “poses a direct threat to the named persons with unforeseeable consequences for them, and especially so for the identified Jews”.

“We want this site banned from the Internet and ask for your help in doing so: can you help us to find out who behind this page is, so we can get it banned in Germany?” the letter concludes.

The domain has been behind Whois privacy since it was registered in 2014, so the registrant’s name was not public even prior to GDPR.

Marby, in response (pdf), says the complaint “raises a serious issue”.

While he goes to some lengths to explain that ICANN does not have the authority, contractual or otherwise, to demand the suspension of any domain name, he said he has nevertheless referred the complaint to Compliance.

Compliance has already reached out to the organization for more information, Marby said.

He also encouraged WerteInitiative to talk to .watch registry Donuts and judas.watch registrar eNom (owned by Tucows), as well as the hosting company, to see if that could help resolve the issue.

While ICANN is always adamant that it does not venture into content regulation, it strikes me that this exchange shows just what a tightrope it walks.

It comes against the backdrop of controversy over the suspension by GoDaddy of the domain Gab.com, a Twitter clone largely hosting far-right voices that have been banned from other social media platforms.

This is how AppDetex works

Kevin Murphy, October 25, 2018, Domain Services

A small brand-protection registrar with a big friend caused quite a stir at ICANN 63 here in Barcelona this week, after accusing registrars for the second time of shirking their duties to disclose private Whois data to trademark owners.

AppDetex, which has close ties to Facebook, has sent something like 9,000 Whois requests to registrars over the last several months, then complained to ICANN last week that it only got a 3% response rate.

Registrars cried foul, saying that the company’s requests are too vague to action and sometimes seem farcical, suggesting an indiscriminate, automated system almost designed to be overly burdensome to them.

In chats with DI this week, AppDetex CEO Faisal Shah, general counsel Ben Milam and consultant Susan Kawaguchi claimed that the system is nowhere near as spammy as registrars think, then showed me a demo of their Whois Requester product that certainly seemed to support that claim.

First off, Whois Requester appears to be only partially automated.

Tucows had noted in a letter to ICANN that it had received requests related to domains including lincolnstainedglass.com and grifflnstafford.com, which contain strings that look a bit like the “Insta” trademark but are clearly not cybersquatting.

“That no human reviewed these domains was obvious, as the above examples are not isolated,” Tucows CEO Elliot Noss wrote.

“It is abundantly clear to us that the requests we received were generated by an automated system,” Blacknight CEO Michele Neylon, who said he had received similarly odd requests, wrote in his own letter.

But, according to AppDetex, these assumptions are not correct.

Only part of its service is automated, they said. Humans — either customers or AppDetex in-house “brand analysts” — were involved in sending out all the Whois requests generated via its system.

AppDetex itself does not generate the lists of domains of concern for its clients, they said. That’s done separately, using unrelated tools, by the clients themselves.

It’s possible these could be generated from zone files, watch services, abuse reports or something else. The usage of the domain, not just its similarity to the trademark in question, would also play a role.

Facebook, for example, could generate its own list of domains that contain strings matching, partially matching, or homographically similar to its trademarks, then manually input those domains into the AppDetex tool.

The product features the ability to upload lists of domains in bulk in a CSV file, but Kawaguchi told me this feature has never been used.

Once a domain has been input to main Whois Requester web form, a port 43 Whois lookup is automatically carried out in the background and the form is populated with data such as registrar name, Whois server, IANA number and abuse email address.

At this point, human intervention appears to be required to visually confirm whether the Whois result has been redacted or not. This might require also going to the registrar’s web-based Whois, as some registrars return different results over port 43 compared to their web sites.

If a redacted record is returned, users can then select the trademark at issue from a drop-down (Whois Requestor stores its’ customers trademark information) and select a “purpose” from a different drop-down.

The “purposes” could include things like “trademark investigation” or “phishing investigation”. Each generates a different piece of pre-written text to be used in the template Whois request.

Users can then choose to generate, manually approve, and send off the Whois request to the relevant registrar abuse address. The request may have a “form of authorization” attached — a legal statement that AppDetex is authorized to ask for the data on behalf of its client.

Replies from registrars are sent to an AppDetex email address and fed into a workflow tool that looks a bit like an email inbox.

As the demo I saw was on the live Whois Requester site with a dummy account, I did not get a view into what happens after the initial request has been sent.

Registrars have complained that AppDetex does not reply to their responses to these initial requests, which is a key reason they believe them frivolous.

Shah and Milam told me that over the last several months, if a registrar reply has included a request for additional information, the Whois Requester system has been updated with a new template for that registrar, and the request resent.

This, they said, may account for duplicate requests registrars have been experiencing, though two registrars I put this to dispute whether it fits with what they’ve been seeing.

The fact that human review is required before requests are sent out “just makes it worse”, they also said.

CentralNic acquired yet another company

Kevin Murphy, September 7, 2018, Domain Registrars

Acquisitive registry/registrar CentralNic has picked up another company, paying up to €2.56 million ($2.95 million) for a small Delaware-based registrar.

It will pay €1.5 million up-front for GlobeHosting, with the rest coming in two annual installments.

GlobeHosting may have a US corporate address, but it plays primarily in the Romanian and Brazilian markets.

It’s not ICANN-accredited. Instead, it acts as a Tucows reseller for gTLD domains (though I imagine that arrangement’s days are numbered).

The company had revenue of €849,000 for the 12 months to July 31 2018 and EBITDA of €419,000, CentralNic said.

The timing is arguably opportunistic. Earlier this year, Romanian registry ICI Bucharest (or ROtld) introduced an annual domain registration renewal fee for the first time (for real).

It recently started deleting names that do not pay the fee, a modest €6 per year.

CentralNic said that GlobeHosting, which appears to be notable player in the .ro market, is “expected to benefit” from this change.

No Verfügungsanspruch for ICANN in GDPR lawsuit

Kevin Murphy, August 7, 2018, Domain Policy

ICANN has lost its latest attempt to use the German courts to force Tucows to continue to collect Whois records the registrar thinks are unnecessary.

In an August 1 ruling, a translation of which (pdf) has been published by ICANN, the court ruled that no preliminary injunction (or “Verfügungsanspruch”) was necessary, because ICANN has not shown it would suffer irreparable harm without one.

ICANN wants Tucows’ German subsidiary EPAG to carry on collecting the Admin-C and Tech-C fields of Whois, even though the registrar thinks that would make it fall foul of Europe’s new General Data Protection Regulation.

The organization has already had two adverse decisions at a lower court, and the appeals court‘s latest ruling does not change anything. The judge ruled:

The Applicant [ICANN] has already not demonstrated that a preliminary injunction is required in order to avoid substantial disadvantages. To the extent the Applicant submitted in its application that interim relief was necessary in order to avert irreparable harm by arguing that the data to be collected would otherwise be irretrievably lost, this is not convincing. The Defendant [EPAG] could at a later point collect this data from the respective domain holder by a simple inquiry, provided that an obligation in this regard should be established.

The court also declined to refer the case to the European Court of Justice, as ICANN had wanted, because nothing in the ruling required GDPR to be interpreted.

This a a blow, because the whole point of the lawsuit is for ICANN and registrars to get some clarity on what the hell GDPR actually requires when it comes to Whois.

ICANN said it is “considering its next steps, including possible additional filings before the German courts”, noting that the “main proceedings” of the case are still ahead of it.

ICANN’s GDPR lawsuit bounced up to appeals court

Kevin Murphy, July 24, 2018, Domain Policy

ICANN’s lawsuit against Tucows’ German subsidiary EPAG has been bounced up to a higher court in Cologne.

The suit seeks to force Tucows to continue to collect the Admin-C and Tech-C fields of the Whois spec, something which is required by the Registrar Accreditation Agreement but which Tucows argues would force it to breach the General Data Protection Regulation.

The court of first instance denied ICANN’s application for an injunction.

ICANN then appealed, suggesting that the case should be referred to the European Court of Justice for a definitive answer.

Instead, the Bonn “Regional Court” has referred the case to the “Higher Regional Court” in Cologne. ICANN said the ECJ referral is still a possibility, however.

The lower court did not change its original ruling, but nor did it consider ICANN’s new arguments, which will transfer to the higher court’s attention, according to ICANN.

If you want a migraine to match mine, you can read an ICANN-provided English translation of the latest ruling here (pdf).

Euro-Whois advice still as clear as mud

Kevin Murphy, July 6, 2018, Domain Policy

European privacy chiefs have again weighed in to the ongoing debate about GDPR and Whois, offering another thin batch of vague advice to ICANN.

The European Data Protection Board, in its latest missive (pdf), fails to provide much of the granular “clarity” ICANN has been looking for, in my view.

It does offer a few pieces of specific guidance, but it seems to me that the general gist of the letter from EDPB chair Andrea Jelinek to ICANN CEO Goran Marby is basically: “You’re on your own buddy.”

If the question ICANN asked was “How can we comply with GDPR?” the answer, again, appears to be generally: “By complying with GDPR.”

To make matters worse, Jelinek signs off with a note implying that the EDPB now thinks that it has given ICANN all the advice it needs to run off and create a GDPR-compliant accreditation system for legitimate access to private Whois data.

The EDPB is the body that replaced the Article 29 Working Party after GDPR came into effect in May. It’s made up of the data protection authorities of all the EU member states.

On the accreditation discussion — which aims to give the likes of trademark owners and security researchers access to Whois data — the clearest piece of advice in the letter is arguably:

the personal data processed in the context of WHOIS can be made available to third parties who have a legitimate interest in having access to the data, provided that appropriate safeguards are in place to ensure that the disclosure is proportionate and limited to that which is necessary and the other requirements of GDPR are met, including the provision of clear information to data subjects.

That’s a fairly straightforward statement that ICANN is fine to go ahead with the creation of an accreditation model for third parties, just as long as it’s quite tightly regulated.

But like so much of its advice, it contains an unhelpful nested reference to GDPR compliance.

The letter goes on to say that logging Whois queries should be part of these controls, but that care should be taken not to tip off registrants being investigated by law enforcement.

But it makes no effort to answer Marby’s questions (pdf) about who these legit third-parties might be and how ICANN might go about identifying them, which is probably the most important outstanding issue right now.

Jelinek also addresses ICANN’s lawsuit against Tucows’ German subsidiary EPAG, and I have to disagree with interpretations of its position published elsewhere.

The Register’s Kieren McCarthy, my Chuckle Brother from another Chuckle Mother, reckons the EDPB has torpedoed the lawsuit by “stating clearly that it cannot force people to provide additional ‘admin’ and ‘technical’ contacts for a given domain name”.

Under my reading, what it actually states is that registrants should be able to either use their own contact data, or anonymized contact information identifying a third party, in these records.

The EDPB clearly anticipates that admin and technical contacts can continue to exist, as long as they contain non-personal contact information such as “admin@example.com”, rather than “kevin@example.com”.

That’s considerably more in line with ICANN’s position than that of Tucows, which wants to stop collecting that data altogether.

One area where EDPB does in fact shoot down ICANN’s new Whois policy is when it comes to data retention.

The current ICANN contracts make registrars retain data for two years, but the EDPB notes that ICANN does not explain why or where that number comes from (I hear it was “pulled out of somebody’s ass”).

The EDPB says that ICANN needs to “re-evaluate the proposed data retention period of two years and to explicitly justify and document why it is necessary”.

Finally, the EDPB weighs in on the issue of Whois records for “legal persons” (as opposed to “natural persons”). It turns out their Whois records are not immune to GDPR either.

If a company lists John Smith and john.smith@example.com in its Whois records, that’s personal data on Mr Smith and therefore falls under GDPR, the letter says.

That should provide a strong incentive for registries and registrars to stop publishing potentially personal fields, if they’re still doing so.

How ICANN thinks YOU could get full Whois access

Kevin Murphy, June 20, 2018, Domain Policy

With blanket public Whois access now firmly a thing of the past due to GDPR, ICANN has set the ball rolling on an accreditation system that would reopen the data doors to certain select parties.

The org yesterday published a high-level framework document for a “Unified Access Model” that could give Whois access to approved users such as police, lawyers, and even common registrants.

It contains many elements that are sure to be controversial, such as paying fees for Whois access, the right of governments to decide who gets approved, and ICANN’s right to see every single Whois query carried out under the program.

It’s basically ICANN’s attempt to frame the conversation about Whois access, outlining what it expects from community members such as registries and registrars, governments and others.

It outlines a future in which multiple “Authenticating Bodies” would hand out credentials (either directly or via referral to a central authority) to parties they deem eligible for full Whois access.

These Authenticating Bodies could include entities such as WIPO or the Trademark Clearinghouse for trademark lawyers and Interpol or Europol for law enforcement agencies.

Once suitably credentialed, Whois users would either get unexpurgated Whois access or access to only fields appropriate to their stated purpose. That’s one of many questions still open for discussion.

There could be fees levied at various stages of the process, but ICANN says there should be a study of the financial implications of the model before a decision is made.

Whois users would have to agree to a code of conduct specific to their role (cop, lawyer, registrant, etc) that would limit how they could use the data they acquire.

Additionally, registrars and registries would have to log every single Whois query and hand those logs over to ICANN for compliance and audit purposes. ICANN said:

based on initial discussions with members of the Article 29 Working Party, ICANN proposes that registry operators and registrars would be required to maintain audit logs of domain name queries for non-public WHOIS data, unless logging a particular entry is contrary to a relevant court order. The logs would be available to ICANN org for audit/compliance purposes, relevant data protection authorities, the registrant, or pursuant to a court order.

On the higher-level question of who should be given the keys to the new gates Whois — it’s calling them “Eligible User Groups” — ICANN wants to outsource the difficult decisions to either governments or, as a backstop, the ICANN community.

The proposal says: “Eligible User Groups might include intellectual property rights holders, law enforcement authorities, operational security researchers, and individual registrants.”

It wants the European Economic Area members of its Governmental Advisory Committee, and then the GAC as a whole, to “identify or facilitate identification of broad categories” of eligible groups.

ICANN’s next public meeting, ICANN 62, kicks off in Panama at the weekend, so the GAC’s next formal communique, which could address this issue, is about a week away.

ICANN also wants the GAC to help it identify potential Authenticating Bodies that would hand out credentials.

But the GAC, in its most recent communique, has already declined such a role, saying in March that it “does not envision an operational role in designing and implementing the proposed accreditation programs”.

If it sticks with that position, ICANN says it will turn to the community to have this difficult conversation.

It notes specifically the informal working group that is currently developing a “community” Accreditation & Access Model For Non-Public WHOIS Data.

This group is fairly controversial as it is perceived by some, fairly I think, as being dominated by intellectual property interests.

The group’s draft model is already in version 1.6 (pdf), and at 47 pages is much more detailed than ICANN’s proposal, but its low-traffic mailing list has almost no contracted parties on board and the IP guys are very decidedly holding the pen.

There’s also a separate draft, the Palage Differentiated Registrant Data Access Model (or “Philly Special”) (Word doc), written by consultant Michael Palage, which has received even less public discussion.

ICANN’s proposal alludes to these drafts, but it does not formally endorse either as some had feared. It does, however, provide a table (pdf) comparing its own model to the other two.

What do not get a mention are the access models already being implemented by individual registrars.

Notably, Tucows is ready to launch TieredAccess.com, a portal for would-be Whois users to obtain credentials to view Tucows-managed Whois records.

This system grants varying levels of access to “law enforcement, commercial litigation interests, and security researchers”, with law enforcement given the highest level of access, Tucows explained in a blog post yesterday.

That policy is based on the GDPR principle of “data minimization”, which is the key reason it’s currently embroiled in an ICANN lawsuit (unrelated to accreditation) in Germany.

Anyway, now that ICANN has published its own starting point proposal, it is now expected that the community will start to discuss the draft in a more formal ICANN setting. There are several sessions devoted to GDPR and Whois in Panama.

ICANN also expects to take the proposal to the European Data Protection Board, the EU committee of data protection authorities that replaced the Article 29 Working Party when GDPR kicked in last month.

However, in order for any of this to become binding on registries and registrars it will have to be baked into their contracts, which will mean it going through the regular ICANN policy development process, and it’s still not clear how much enthusiasm there is for that step happening soon.