Latest news of the domain name industry

Recent Posts

Surprise! Most private Whois look-ups come from Facebook

Kevin Murphy, February 20, 2019, Domain Policy

Facebook is behind almost two-thirds of requests for private Whois data, according to stats published by Tucows this week.

Tucows said that it has received 2,100 requests for Whois data since it started redacting records in the public database when the General Data Protection Regulation came into effect last May.

But 65% of these requests came from Facebook and its proxy, AppDetex, that has been hammering many registrars with Whois requests for months.

AppDetex is an ICANN-accredited brand-protection registrar, which counts Facebook as its primary client. It’s developed a workflow tool that allows it, or its clients, to semi-automatically send out Whois requests to registrars.

It sent at least 9,000 such requests between June and October, and has twice sent data to ICANN complaining about registrars not responding adequately to its requests.

Tucows has arguably been the registrar most vocally opposed to AppDetex’s campaign, accusing it of artificially inflating the number of Whois requests sent to registrars for political reasons.

An ICANN policy working group will soon begin to discuss whether companies such as Facebook, as well as security and law enforcement interests, should be able to get credentials enabling them to access private Whois data.

Tucows notes that it sees spikes in Whois requests coinciding with ICANN meetings.

Tucows said its data shows that 92% of the disclosure requests it has received so far come from “commercial interests”, mostly either trademark or copyright owners.

Of this 92%, 85% were identified as trademark interests, and 76% of those were Facebook.

Law enforcement accounted for 2% of requests, and security researchers 1%, Tucows said.

Crunch Whois privacy talks kick off

Kevin Murphy, January 16, 2019, Domain Policy

ICANN volunteers are meeting this week to attempt to finalize their recommendations on the future of Whois privacy.

Most members of the Expedited Policy Development Process working group have gathered in Toronto for three days of talks on what will likely become, in May this year, new contractually binding ICANN policy.

Discussions are kicking off pretty much at the same time this article is published and will last until Friday afternoon local time.

The EPDP group is due to publish its final report by February 1, leaving enough time for GNSO consideration, public comments, and an ICANN board of directors vote.

Its initial report, which recommended some big changes to Whois output, was published in November. Public comments on this report will lead to largely modest changes to the policy this week.

The timing is tight because Whois policy is currently governed by a one-year Temporary Specification, created by the ICANN board, which expires May 25.

The bulk of the work today will focus on formalizing the “purposes” of Whois data, something that is needed if ICANN policy is to be compliant with the EU General Data Protection Regulation.

The more controversial stuff, where consensus will be extraordinarily difficult to find, comes tomorrow, when the group discusses policies relating to privileged access to private Whois data.

This is the area where intellectual property and security interests, which want a program that enables them to get access to private data, have been clashing with non-commercial stakeholders, which accuse their opponents of advocating “surveillance”.

It’s not expected that a system of standardized, unified access will be created this week or by February 1. Rather, talks will focus on language committing ICANN to work on (or not) such a system in the near future.

Currently, there’s not even a consensus on what the definition of “consensus” is. It could be slow going.

Gluttons for punishment Observers can tune in to the view/listen-only Adobe Connect room for the meetings here.

The most-read stories of 2018

Kevin Murphy, January 3, 2019, Domain Services

Happy 2019!

As we crawl, dark-eyed and slurring, from our festive hibernation, I thought now would be a good time to do a quick reminder of 2018, in the form of a top-10 list of the most-read stories published by DI over the last 12 months.

If not today, then when?

I’ve excluded, as usual, articles that seem to show up prominently in my traffic logs every single day simply because Google seems to think they’ve got porn in them.

Stéphane Van Gelder dies after motorcycle accident

Stéphane Van Gelder was a registrar industry pioneer and long-time ICANN community leader, and his untimely death in a vehicle accident in March came as a great shock to many. The fact that this post was the most-read of the year is not surprising. He is missed by many, and was subsequently posthumously awarded ICANN’s Multistakeholder Ethos Award.

Has the world’s biggest new gTLD registry gone bankrupt?

This speculative post from June came about after I discovered that a court-appointed administrator had taken over ownership of all TLDs in the Famous Four Media portfolio. It later turned out that FFM had in fact been removed by investors in true portfolio owner Domain Venture Partners, which created a new company, GRS Domains, to take over. The full details of this evidently bitter boardroom fight have yet to emerge.

Donuts freezes .place gTLD ahead of new geofencing rules

Perhaps a surprising entry on the list, this story detailed how Donuts had essentially taken .place off the market in preparation for a planned repurposing of the gTLD to tie into the emerging “geofencing” infrastructure. The freeze happened in May, and as far as I can tell .place is still in limbo as the technology back-end is finalized, which may account for this post’s popularity.

ICANN number two Atallah is new CEO of Donuts

Not long after Donuts was acquired by a private equity fund partly controlled by former ICANN CEO Fadi Chehade, I received a tip-off that his former number two, Global Domains Division president Akram Atallah, had been headhunted to be the registry’s new CEO. It was officially confirmed a few hours later, but not before the unwashed hordes (that’s you) had given the DI server something to think about. The perception of a revolving door between ICANN and industry raised eyebrows, including from the US government.

Google’s .app gTLD beats .porn to biggest sunrise yet

Google’s eagerly anticipated .app gTLD hit the market mid-year, and got off to a strong start with a sunrise period beaten only by defensive-heavy .porn. It’s very likely the strongest sunrise period of the 2012 round so far. The TLD has something like 350,000 domains under management today, which for new gTLDs is pretty much a success story.

GoDaddy and DomainTools scrap over Whois access

This story about GoDaddy and DomainTools fighting about whether the latter could get unmitigated access to the former’s Whois database was published in January, long before the full impact of GDPR on Whois privacy was known, and therefore now, with the benefit of hindsight, feels hopelessly naive.

How all 33 European ccTLDs are handling GDPR

Good grief, did I write a “listicle”? To mark the day GDPR came into full effect, I trawled through the web sites, news releases and policy documents of 33 European ccTLDs to see how each registry was planning to comply with the strict new privacy legislation, so you didn’t have to. The results were surprisingly diverse.

Google’s $25 million .app domain finally has a launch date

Remember how I said .app was “eagerly anticipated”? The fact that this post, merely noting the TLD’s launch timetable, hit the top 10 most-read stories for the year is perhaps proof of that.

Facebook clashes with registrars after massive private data request

Many big brands were unhappy with how ICANN and the industry turned off their unfettered Whois access following GDPR, none more so than Facebook, which has been piling pressure on ICANN to force registrars to acquiesce to its data requests. This July story revealed how it had started using a close intermediary called AppDetex to bombard registrars with over-broad disclosure requests. Registrars subsequently fought back, and AppDetex later gave me a demo of its early-stage software. The fight, no doubt, continues.

These 33 people will decide the future of Whois

Another GDPR listicle? In this July post I prepared brief bios of the volunteers selected to work on ICANN’s first Expedited Policy Development Process working group, which is challenged with coming up with a permanent policy solution to GDPR, amenable to all sections of the community. Needless to say, they’re still working on it…

That’s the top 10 most-read articles on DI in 2018. Honorable mentions go to Fight breaks out as Afilias eats Neustar’s Aussie baby, How a single Whois complaint got this registrar shitcanned and Some men at ICANN meetings really are assholes, simply because I like the headlines.

Happy new year to all DI readers. I don’t tell you this nearly regularly enough, but I really do love you all more than words could possibly describe.

Exclusive gang of 10 to work on making ICANN the Whois gatekeeper

Kevin Murphy, December 14, 2018, Domain Services

Ten people have been picked to work on a system that would see ICANN act as the gatekeeper for private Whois data.

The organization today announced the composition of what it’s calling the Technical Study Group on Access to Non-Public Registration Data, or TSG-RD.

As the name suggests, the group is tasked with designing a system that would see ICANN act as a centralized access point for Whois data that, in the GDPR era, is otherwise redacted from public view.

ICANN said such a system:

would place ICANN in the position of determining whether a third-party’s query for non-public registration data ought to be approved to proceed. If approved, ICANN would ask the appropriate registry or registrar to provide the requested data to ICANN, which in turn would provide it to the third party. If ICANN does not approve the request, the query would be denied. 

There’s no current ICANN policy saying that the organization should take on this role, but it’s one possible output of the current Expedited Policy Development Process on Whois, which is focusing on how to bring ICANN policy into compliance with GDPR.

The new group is not going to make the rules governing who can access private Whois data, it’s just to create the technical framework, using RDAP, that could be used to implement such rules.

The idea has been discussed for several months now, with varying degrees of support from contracted parties and the intellectual property community.

Registries and registrars have cautiously welcomed the notion of a central ICANN gateway for Whois data, because they think it might make ICANN the sole “data controller” under GDPR, reducing their own legal liability.

IP interests of course leap to support any idea that they think will give them access to data GDPR has denied them.

The new group, which is not a formal policy-making body in the usual ICANN framework, was hand-picked by Afilias CTO Ram Mohan, at the request of ICANN CEO Goran Marby.

As it’s a technical group, the IP crowd and other stakeholders don’t get a look-in. It’s geeks all the way down. Eight of the 10 are based in North America, the other two in the UK. All are male. A non-zero quantity of them have beards.

  • Benedict Addis, Registrar Of Last Resort.
  • Gavin Brown, CentralNic.
  • Jorge Cano, NIC Mexico.
  • Steve Crocker, former ICANN chair.
  • Scott Hollenbeck, Verisign.
  • Jody Kolker, GoDaddy.
  • Murray Kucherawy, Facebook.
  • Andy Newton, ARIN.
  • Tomofumi Okubo, DigiCert.

While the group is not open to all-comers, it’s not going to be secretive either. Its mailing list is available for public perusal here, and its archived teleconferences, which are due to happen for an hour every Tuesday, can be found here. The first meeting happened this week.

Unlike regular ICANN work, the new group hopes to get its work wrapped up fairly quickly, perhaps even producing an initial spec at the ICANN 64 meeting in Kobe, Japan, next March.

For ICANN, that’s Ludicrous Speed.

First chance to have your say on the future of Whois

Kevin Murphy, November 23, 2018, Domain Policy

RIP: the Whois Admin.

Standard Whois output is set to get slimmed down further under newly published policy proposals.

The community working group looking at post-GDPR Whois has decided that the Admin Contact is no longer necessary, so it’s likely to get scrapped next year.

This is among several recommendations of the Expedited Policy Development Process working group on Whois, which published its initial report for public comment late Wednesday.

As expected, the report stops short of addressing the key question of how third-parties such as intellectual property interests, domain investors, security researchers and the media could get streamlined access to private Whois data.

Indeed, despite over 5,000 person-hours of teleconferences and face-to-face meetings and about 1,000 mailing list messages since work began in early August, the EPDP’s 50 members have yet to reach consensus on many areas of debate.

What they have reached is “tentative agreement” on 22 recommendations on how to bring current ICANN Whois policy into line with EU privacy law, the General Data Protection Regulation.

The work is designed to replace the current Temporary Specification, a Band-Aid imposed by the ICANN board of directors, which is due to expire next May.

The EPDP initial report proposes a few significant changes to what data is collected and publicly displayed by the Whois system.

The most notable change is the complete elimination of the Admin Contact fields.

Currently, Whois contains contact information for the registrant, admin contact and technical contact. It’s often the same data replicated across all three records, and under the Temp Spec the large majority of the data is redacted.

Under the EPDP’s proposal, the Admin Contact is superfluous and should be abandoned altogether. Not only would it not be displayed, but registrars would not even collect the data.

The Tech Contact is also getting a haircut. Registrars would now only be able to collect name, phone and email address, and it would be optional for the registrant whether to provide this data at all. In any event, all three fields would be redacted from public Whois output.

For the registrant, all contact information except state/province and country would be redacted.

There’s no agreement yet on whether the optional “organization” field would be redacted, but the group has agreed that registrars should provide better guidance to registrants about whether they need to provide that data.

While data on legal persons such as companies is not protected by GDPR, some fear that natural person registrants may just naively type their own name into that box when registering a name, inadvertently revealing their identities to the public.

Those providing Whois output would be obliged, as they are under the Temp Spec, to publish an anonymized email address or web-based contact form to allow users to contact registrants without personal information being disclosed.

That German lawsuit

The recommendation to slash what data is collected could have an impact on ICANN’s lawsuit against Tucows’ German subsidiary, EPAG.

ICANN is suing EPAG after the registrar decided that collecting admin and tech contact info was not compliant with GPDR. It’s been looking, unsuccessfully, for a ruling forcing the company to carry on collecting this data.

Tucows is of the view that if the admin and tech contacts are third parties to the registration agreement, it has no right to collect data about them under the GDPR.

If ICANN’s own community policy development process is siding with Tucows, this could guide ICANN’s future legal strategy, but not, it appears, until it becomes firm consensus policy.

I asked ICANN general counsel John Jeffrey about whether the EPDP’s work could affect the lawsuit during an interview October 5, shortly after it became clear that the admin/tech contact days might be numbered.

“Maybe,” he said. “If it becomes part of the policy we’ll have to assess that. Until there’s a new policy though, what we’re working with is the Temp Spec. The Temp Spec we believe is enforceable, we believe have the legal support for that, and we’ll continue down that path.”

(It might be worth noting that Thomas Rickert, whose law firm represents EPAG in this case, is on the EPDP working group in his capacity of head of domains for German trade group eco. He is, of course, just one of the 31 EPDP members developing these recommendations at any given time.)

IP wheel-spinning

The main reason it’s taken the EPDP so long to reach the initial report stage — the report was originally due during the ICANN 63 Barcelona meeting a month ago — has been the incessant bickering between those advocating for, and opposing, the rights of intellectual property interests to access private Whois data.

EPDP members from the IP Constituency and Business Constituency have been attempting to future-proof the work by getting as many references to IP issues inserted into the recommendations as they can, before the group has turned its attention to addressing them specifically.

But they’ve been opposed every step of the way by the Non-Commercial Stakeholders Group, which is concerned the IP lobby is trying to policy its way around GDPR as it relates to Whois.

Many hours have been consumed by these often-heated debates.

My feeling is that the NCSG has been generally winning, but probably mainly because the working group’s charter forbade discussion about access until other issues had been addressed.

As it stands today, the initial report contains this language in Recommendation #2:

Per the EPDP Team Charter, the EPDP Team is committed to considering a system for Standardized Access to non-public Registration Data once the gating questions in the charter have been answered. This will include addressing questions such as:

• What are the legitimate purposes for third parties to access registration data?

• What are the eligibility criteria for access to non-public Registration data?

• Do those parties/groups consist of different types of third-party requestors?

• What data elements should each user/party have access to?

In this context, amongst others, disclosure in the course of intellectual property infringement and DNS abuse cases will be considered

This is basically a placeholder to assure the IP crowd that their wishes are still on the table for future debate — which I don’t think was ever in any doubt — but even this basic recommendation took hours to agree to.

The EPDP’s final report is due February 1, so it has just 70 days to discuss this hypothetical “Standardized Access” model. That’s assuming it started talks today, which it hasn’t.

It’s just nine weeks if we assume not a lot is going to happen over the Christmas/New Year week (most of the working group come from countries that celebrate these holidays).

For context, it’s taken the working group about 115 days just to get to the position it is in today.

Even if Standardized Access was the only issue being discussed — and it’s not, the group is also simultaneously going to be considering the public comment on its initial report, for starters — this is an absurdly aggressive deadline.

I feel fairly confident in predicting that, come February 1, there will be no agreement on a Standardized Access framework, at least not one that would be close to implementable.

Have your say

All 22 recommendations, along with a long list of questions, have now been put out for public comment.

The working group is keen to point out that all comments should provide rationales, and consider whether what they’re asking for would be GDPR-compliant, so comments along the lines of “Waaah! Whois should be open!” will likely be rapidly filed to the recycle bin.

It’s a big ask, considering that most people have just a slim grasp of what GDPR compliance actually means.

Complicating matters, ICANN is testing out a new way to process public comments this time around.

Instead of sending comments in by email, which has been the norm for two decades, a nine-page Google form has been created. This is intended to make it easier to link comments to specific recommendations. There’s also a Word version of the form that can be emailed.

Given the time constraints, it seems like an odd moment to be testing out new processes, but perhaps it will streamline things as hoped. We’ll see.