Latest news of the domain name industry

Recent Posts

ICANN enters talks to kill off Whois for good

Kevin Murphy, October 23, 2019, Domain Tech

Whois’ days are numbered.

ICANN is to soon enter talks with accredited registrars and contracted gTLD registries with the aim of naming a date to finally “sunset” the aging protocol.

It wants to negotiate amendments to the Registrar Accreditation Agreement and Registry Agreement with a view to replacing obligations to publish Whois with obligations to publish Registration Data Access Protocol data.

In letters to the chairs of its registrar and registry constituencies this week, ICANN CEO Göran Marby wrote:

The primary focus of the amendment is to incorporate contractual requirements for the Registration Data Access Protocol (RDAP) into the Registration Data Directory Services. This should include definition of the plan and provisions to sunset the obligations related to the WHOIS protocol as we transition Registration Data Services to RDAP.

For avoidance of doubt, people will still be able to look up the contact information for domain name owners after the change, but the data they see (very likely redacted for privacy reasons nowadays) will be delivered over a different protocol.

The contract amendment processes involve both registry and registrar constituencies to nominate a few people to engage in talks with ICANN negotiators, which is expected to conclude within 90 days.

When they come up with mutually acceptable language, the amendments will be open for both public comment and a vote of registries and registrars, before going to the ICANN board of directors for final approval.

The voting process is complex, designed to avoid capture by the largest registrars, and based on a balance of the number of voting registrars and the number of domains they collectively manage.

The contractual changes will come as no surprise to contracted parties, which have been on-notice for years that Whois is on its way out in favor of RDAP.

Most registrars already operate an RDAP server in parallel to their old Whois service, following an ICANN deadline in August.

We could be looking at the death of Whois within a year.

Crunch time, again, for Whois access policy

Kevin Murphy, October 14, 2019, Domain Policy

Talks seeking to craft a new policy for allowing access to private Whois data have hit another nodal point, with the community now pressuring the ICANN board of directors for action.

The Whois working group has more or less decided that a centralized model for data access, with ICANN perhaps acting as a clearinghouse, is the best way forward, but it needs to know whether ICANN is prepared to take on this role and all the potential liabilities that come with it.

Acronym time! The group is known as the Whois EPDP WG (for Expedited Policy Development Process Working Group) and it’s come up with a rough Whois access framework it’s decided to call the Standardized System for Access and Disclosure (SSAD).

Its goal is to figure out a way to minimize the harms that Europe’s General Data Protection Regulation allegedly caused to law enforcement, IP owners, security researchers and others by hiding basically all gTLD registration data by default.

The SSAD, which is intended to be as automated as possible, is the working group’s proposed way of handling this.

The “hamburger model” the EPDP has come up with sees registries/registrars and data requestors as the top and bottom of the sandwich (or vice versa) with some yet-to-be-decided organizational patty filling acting as an interface between the two.

The patty would handle access control for the data requests and be responsible for credentialing requestors. It could either be ICANN acting alone, or ICANN coordinating several different interface bodies (the likes of WIPO have been suggested).

Should the burger be made only of mashed-up cow eyelids, or should it incorporate the eyelids of other species too? That’s now the question that ICANN’s board is essentially being posed.

Since this “phase two” work kicked off, it’s taken about five months, 24 two-hour teleconferences, and a three-day face-to-face meeting to get to this still pretty raw, uncooked state.

The problem the working group is facing now is that everyone wants ICANN to play a hands-on role in running a centralized SSAD system, but it has little idea just how much ICANN is prepared to get involved.

The cost of running such a system aside, legislation such as GDPR allows for pretty hefty fines in cases of privacy breaches, so there’s potentially a big liability ask of notoriously risk-averse ICANN.

So the WG has written to ICANN’s board of directors in an attempt to get a firm answer one way or the other.

If the board decided ICANN should steer clear, the WG may have to go back more or less to square one and focus on adapting the current Whois model, which is distributed among registrars and registries, for the post-GDPR world.

How much risk and responsibility ICANN is willing to absorb could also dictate which specific SSAD models the WG pursues in future.

There’s also a view that, with no clarity from ICANN, the chance of the WG reaching consensus is unlikely.

This will be a hot topic at ICANN 66 in Montreal next month.

Expect the Governmental Advisory Committee, which had asked for “considerable and demonstrable progress, if not completion” of the access model by Montreal, to be disappointed.

Whois killer deadline has passed. Did most registrars miss it?

Kevin Murphy, August 28, 2019, Domain Registrars

The deadline for registrars to implement the new Whois-killer RDAP protocol passed yesterday, but it’s possible most registrars did not hit the target.

ICANN told registrars in February (pdf) that they had six months to start making RDAP (Registration Data Access Protocol) services available.

RDAP is the replacement for the age-old Whois protocol, and provides virtually the same experience for the end user, enabling them to query domain ownership records.

It’s a bit more structured and flexible, however, enabling future services such as tiered, authenticated access.

Despite the August 26 deadline coming and going, ICANN records suggest that as many as three quarter of accredited registrars have not yet implemented RDAP.

The IANA department started publishing the base URLs for registrar RDAP servers recent.

According to this list, there are 2,454 currently accredited registrars, of which only 615 (about 25%) have an RDAP server.

But I’m not convinced this number is particularly useful.

First, just because a registrar’s RDAP server is not listed, does not mean it does not have one.

For example, the two largest registrars, Tucows and GoDaddy, do not have servers on the list, but both are known to have been working on RDAP services for a long time through public pilots or live services. Similarly, some CentralNic registrars have servers listed while others do not.

Second, of the 1,839 accreditations without servers, at least 1,200 are DropCatch.com shells, which tips the scales towards non-compliance considerably.

Still, it seems likely that some registrars did in fact miss their deadline. How stringently ICANN chooses to enforce this remains to be seen.

ICANN itself replaced its “Whois” service with a “Lookup” service last month.

According to Michele Neylon of the registrar Blacknight, contracted parties can also discover RDAP URLs via ICANN’s closed RADAR registrar information portal.

RDAP and Whois will run concurrently for a while before Whois takes its final bow and disappears forever.

ICANN dumps the “Whois” in new Whois tool

Kevin Murphy, July 31, 2019, Domain Tech

Of all the jargon regularly deployed in the domain name industry and ICANN community, “Whois” is probably the one requiring the least explanation.

It’s self-explanatory, historically doing exactly what it says on the tin. But it’s on its way out, to be replaced by the far less user-friendly “RDAP”.

The latest piece of evidence of this transition: ICANN has pushed its old Whois query tool aside in favor of a new, primarily RDAP-based service that no longer uses the word “Whois”.

RDAP is the Registration Data Access Protocol, the IETF’s standardized Whois replacement to which gTLD registries and registrars are contractually obliged to migrate their registrant data.

Thankfully, ICANN isn’t branding the service on this rather opaque acronym. Rather, it’s using the word “Lookup” instead.

The longstanding whois.icann.org web site has been deprecated, replaced with lookup.icann.org. Visitors to the old page will be bounced to the new one.

The old site looked like this:

Whois

The new site looks like this:

Whois

It’s pretty much useless for most domains, if you want to find out who actually owns them.

If you query a .com or .net domain, you’ll only receive Verisign’s “thin” output. This does not included any registrant information.

That’s unlike most commercial Whois services, which also ping the relevant registrar for the full thick record.

For non-Verisign gTLDs, ICANN will return the registry’s thick record, but it will be very likely be mostly redacted, as required under ICANN’s post-GDPR privacy policy.

While contracted parties are still transitioning away from Whois to RDAP, the ICANN tool will fail over to the old Whois output if it receives no RDAP data.

Under current ICANN Whois policy, registries and registrars have until August 26 to deploy RDAP services to run alongside their existing Whois services.

Airline hit with $230 million GDPR fine

Kevin Murphy, July 8, 2019, Domain Policy

British Airways is to be fined £183.39 million ($230 million) over a customer data breach last year, by far the biggest penalty to be handed out under the General Data Protection Regulation to date.

This story is not directly related to the domain name industry, but it does demonstrate that European data protection authorities are not messing about when it comes to GDPR enforcement.

About 500,000 BA customers had their personal data — including full payment card details — stolen by attackers between June and September last year, the UK Information Commissioner’s Office said today..

It is believed that they obtained the data not by hacking BA’s database, but rather by inserting a script hosted by third-party domain that executed whenever a customer transacted with the site, allowing credentials to be captured in real time.

The ICO said its decision to fine $183.39 million — which amounts to more than 1.5% of BA’s annual revenue — is preliminary and can be appealed by BA.

Under GDPR, which came into effect in May 2018, companies can be fined up to 4% of revenue.

The biggest pre-GDPR fine is reportedly the £500,000 penalty that Facebook was given due to the Cambridge Analytica scandal.

GDPR is of course of concern to the domain industry due to the ongoing attempts to make sure Whois databases are compliant with the laws.