Latest news of the domain name industry

Recent Posts

Whois privacy will soon be free for most domains

Kevin Murphy, March 5, 2018, Domain Policy

Enormous changes are coming to Whois that could mark the end of Whois privacy services this year.

ICANN has proposed a new Whois model that would anonymize the majority of domain name registrants’ personal data by default, only giving access to the data to certain certified entities such as the police.

The model, published on Friday and now open for comment, could change in some of the finer details but is likely being implemented already at many registries and registrars.

Gone will be the days when a Whois lookup reveals the name, email address, physical address and phone number of the domain’s owner.

After the model is implemented, Whois users will instead merely see the registrant’s state/province and country, organization (if they have one) and an anonymized, forwarding email address or web form for contact purposes.

Essentially, most Whois records will look very much like those currently hiding behind paid-for proxy/privacy services.

Technical data such as the registrar (and their abuse contact), registration and expiry dates, status code, name servers and DNSSEC information would still be displayed.

Registrants would have the right to opt in to having their full record displayed in the public Whois.

Anyone wanting to view the full record would have to be certified in advance and have their credentials stored in a centralized clearinghouse operated by or for ICANN.

The Governmental Advisory Committee would have a big hand in deciding who gets to be certified, but it would at first include law enforcement and other governmental agencies.

This would likely be expanded in future to include the likes of security professionals and intellectual property lawyers (still no word from ICANN how the legitimate interests of the media or domain investors will be addressed) but there could be a window in which these groups are hamstrung by a lack of access to thick records.

The proposed model is ICANN’s attempt to bring Whois policy, which is enforced in its contracts with registries and registrars, into line with GDPR, the European Union’s General Data Protection Regulation, which kicks in fully in May.

The model would apply to all gTLD domains where there is some connection to the European Economic Area.

If the registrar, registry, registrant or a third party processor such as an escrow agent is based in the EEA, they will have to comply with the new Whois model.

Depending on how registrars implement the model in practice (they have the option to apply it to all domains everywhere) this means that the majority of the world’s 188 million gTLD domains will probably be affected.

While GDPR applies to only personal data about actual people (as opposed to legal persons such as companies), the ICANN model makes no such distinction. Even domains owned by legal entities would have their records anonymized.

The rationale for this lack of nuance is that even domains owned by companies may contain personal information — about employees, presumably — in their Whois records.

Domains in ccTLDs with EEA connections will not be bound to the ICANN model, but will rather have to adopt it voluntarily or come up with their own ways to become GDPR compliant.

The two largest European ccTLDs — .uk and Germany’s .de, which between them account for something like 28 million domains — last week separately outlined their plans.

Nominet said that from May 25 it will no longer publish the name or contact information of .uk registrants in public Whois without their explicit consent. DENIC said something similar too.

Here’s a table of what would be shown in public Whois, should the proposed ICANN model be implemented.

Domain NameDisplay
Registry Domain IDDisplay
Registrar WHOIS ServerDisplay
Registrar URLDisplay
Updated DateDisplay
Creation DateDisplay
Registry Expiry DataDisplay
Registrar Registration Expiration DateDisplay
RegistrarDisplay
Registrar IANA IDDisplay
Registrar Abuse Contact EmailDisplay
Registrar Abuse Contact PhoneDisplay
ResellerDisplay
Domain StatusDisplay
Domain StatusDisplay
Domain StatusDisplay
Registry Registrant IDDo not display
Registrant NameDo not display
Registrant OrganizationDisplay
Registrant StreetDo not display
Registrant CityDo not display
Registrant State/ProvinceDisplay
Registrant Postal CodeDo not display
Registrant CountryDisplay
Registrant PhoneDo not display
Registrant Phone ExtDo not display
Registrant FaxDo not display
Registrant Fax ExtDo not display
Registrant EmailAnonymized email or web form
Registry Admin IDDo not display
Admin NameDo not display
Admin OrganizationDo not display
Admin StreetDo not display
Admin CityDo not display
Admin State/ProvinceDo not display
Admin Postal CodeDo not display
Admin CountryDo not display
Admin PhoneDo not display
Admin Phone ExtDo not display
Admin FaxDo not display
Admin Fax ExtDo not display
Admin EmailAnonymized email or web form
Registry Tech IDDo not display
Tech NameDo not display
Tech OrganizationDo not display
Tech StreetDo not display
Tech CityDo not display
Tech State/ProvinceDo not display
Tech Postal CodeDo not display
Tech CountryDo not display
Tech PhoneDo not display
Tech Phone ExtDo not display
Tech FaxDo not display
Tech Fax ExtDo not display
Tech EmailAnonymized email or web form
Name ServerDisplay
Name ServerDisplay
DNSSECDisplay
DNSSECDisplay
URL of ICANN Whois Inaccuracy Complaint FormDisplay
>>> Last update of WHOIS databaseDisplay

The proposal is open for comment, with ICANN CEO Goran Marby requesting emailed input before the ICANN 61 public meeting kicks off in Puerto Rico this weekend.

With just a couple of months left before the law, with its huge fines, kicks in, expect GDPR to be THE hot topic at this meeting.

Why are you doing that Whois search? DENIC wants to know

Kevin Murphy, February 6, 2018, Domain Registries

In a taste of what might be coming under EU privacy legislation, DENIC wants you to jump through some new hoops before it lets you see Whois data.

When doing a Whois query on its web site today, the German ccTLD registry first asks you to answer the question: “How do you justify your legitimate interest in accessing the whois data?”

It’s a multiple-choice question, with an extra field for typing in your reasons for doing the query.

Possible answers include “because you think that the use of the domain raises a legal problem”, which appears to be for trademark lawyers, and “because you want to collect information about the domain holder for business purposes”, which appears to be for domainers.

Denic whois

There’s no wrong answer that will deny you access to the Whois record you want to see, but users are warned that their use of Whois data is only to be for “legitimate purposes”, under pain of legal action.

A DENIC spokesperson told DI that the new system was introduced today “for statistical reasons”

“Its aim is just to get a better idea of the DENIC whois usage pattern and of the extent to which different user groups are utilising the extended service,” she said.

The move should be viewed in the context of the incoming General Data Protection Regulation, an EU privacy law that becomes fully implemented in May this year.

While there’s been a lot of focus on how this will effect ICANN and its harem of contracted gTLDs, it’s easy to forget that it affects ccTLDs just as much.

By conducting this mandatory survey of real Whois users, DENIC will presumably be able to gather some useful data that will inform how it stays GDPR-compliant after May.

US and EU call for Whois to stay alive

Kevin Murphy, January 31, 2018, Domain Policy

Government officials from both sides of the Atlantic have this week called on ICANN to preserve Whois as it currently is, in the face of incoming EU privacy law, at least for a select few users.

The European Commission wrote to ICANN to ask for a “pragmatic and workable solution” to the apparent conflict between the General Data Protection Regulation and the desire of some folks to continue to access Whois as usual.

Three commissioners said in a letter (pdf) that special consideration should be given to “public interests” including “ensuring cybersecurity and the stability of the internet, preventing and fighting crime, protecting intellectual property and copyright, or enforcing consumer protection measures”.

David Redl, the new head of the US National Telecommunications and Information Administration, echoed these concerns in a speech at the State of the Net conference in Washington DC on Monday.

Redl said that the “preservation of the Whois service” is one of NTIA’s top two priorities at the moment. The other priority is pressing for US interests in the International Telecommunications Union, he said.

Calling Whois “a cornerstone of trust and accountability for the Internet”, Redl said the service “can, and should, retain its essential character while complying with national privacy laws, including the GDPR.”

“It is in the interests of all Internet stakeholders that it does,” he said. “And for anyone here in the US who may be persuaded by arguments calling for drastic change, please know that the US government expects this information to continue to be made easily available through the Whois service.”

He directly referred to the ability of regular internet users to access Whois for consumer protection purposes in his speech.

The European Commission appears to be looking at a more restrictive approach, but it did offer some concrete suggestions as to how GDPR compliance might be achieved.

For example, the commissioners’ letter appears to give tacit approval to the idea of “gated” access to Whois, but called for access by law enforcement to be streamlined and centralized.

It also suggests throttling as a mechanism to reduce abuse of Whois data, and makes it clear that registrants should always be clearly informed how their personal data will be used.

The deadline for GDPR compliance is May this year. That’s when the ability of EU countries to start to levy fines against non-compliant companies, which could run into millions of euros, kicks in.

While ICANN has been criticized by registries and registrars for moving too slowly to give them clarity on how to be GDPR-compliant while also sticking to the Whois provisions of their contracts, its pace has been picking up recently.

Two weeks ago it called for comments on three possible Whois models that could be used from May.

That comment period ended on Monday, and ICANN is expected to publish the model upon which further discussions will be based today.

DomainTools scraps apps and APIs in war on spam

Kevin Murphy, January 22, 2018, Domain Services

DomainTools is to scrap at least five of its services as it tries to crack down spam.

It’s getting rids of its mobile apps, its APIs, and is to stop showing registrants’ personal information to unauthenticated users.

CEO Tim Chen told us in an email at the weekend:

The Android app is no longer supported.

The iOS app will no longer be supported after February 20th.

The Developer API is no longer supported.

On February 20th, the Bulk Parsed Whois tool available to Personal Members will no longer be supported.

On February 20th, our production Whois API will no longer be available to individual membership levels, an Enterprise relationships will be required.

It’s all part of an effort to make sure DomainTools services are not being abused by spammers, which has lead to a dispute with GoDaddy over bulk access to its registrants’ Whois data.

The longstanding problem of new registrants getting spammed with calls and emails offering web hosting and such has escalated over the last few years. Domain Name Wire detailed the scale of the abuse registrants can experience in a post last week.

While to my knowledge nobody has directly accused DomainTools of facilitating such abuse, the scrapped services are the ones that would be most useful to these spammers.

The company is also going to scale back what guest users can see when they do a Whois lookup, and is to make automated scraping of Whois records more difficult for paying members.

In a blog post, Chen wrote last week:

As of today, unauthenticated users of the DomainTools Whois Lookup tool will not see personally identifiable information for the registrant parsed out in the results, and will be required to submit a CAPTCHA to see the full raw domain name Whois record. Phone numbers in the parsed results have been replaced with image files, much the same way emails have always been rendered

As well as hoping to ease relations with GoDaddy — the source of a very heavy chunk of DomainTools’ data — the moves are also part of the company’s strategy for dealing with the incoming General Data Protection Regulation.

This is the EU law that gives registrants more control over the privacy of their personal data.

Chen told us earlier this month that DomainTools is keen to ensure its enterprise-level suite of security products, which he said are vital for security and intellectual property investigations, continue to operatie under the new regime.

About 80% of DomainTools’ revenue comes from its enterprise-level customers, over 500 companies.

Three ways ICANN could gut Whois

Kevin Murphy, January 15, 2018, Domain Policy

ICANN has published three possible models of how Whois could be altered beyond recognition after European privacy law kicks in this May.

Under each model, casual Whois users would no longer have access to the wealth of contact information they do under the current system.

There may also be a new certification program that would grant access to full Whois records to law enforcement, consumer protection agencies and intellectual property interests.

The three models are each intended to address the General Data Protection Regulation, EU law that could see companies fined millions if they fail to protect the personal data of European citizens.

While GDPR affects all data collection on private citizens, for the domain name industry it’s particularly relevant to Whois, where privacy has always been an afterthought.

The three ICANN models, which are now subject to a short public comment period, differ from each other in three key areas: who has their privacy protected, which fields appear in public Whois by default, and how third parties such as law enforcement access the full records.

Model 1 is the most similar to the current system, allowing for the publication of the most data.

Under this model the name and postal address of the registrant would continue to be displayed in the public Whois databases.

Their email address and phone number would be protected, but the email and phone of the administrative and technical contacts — often the same person as the registrant — would be published.

If the registrant were a legal entity, rather than a person, all data fields would continue to be displayed as normal.

The other two models call for more restricted, or at least different, public output.

Under Model 2, the email addresses of the administrative and technical contacts would be published, but all other contact information, including the name of the registrant, would be redacted.

Model 3 proposes a crazy-sounding system whereby everything would be published unless the registrar/registry decided, on a domain-by-domain basis, that the field contained personal information.

This would require manual vetting of each Whois record and is likely to gather no support from the industry.

The three models also differ in how third parties with legitimate interests would access full Whois records.

Model 1 proposes a system similar to how zone files are published via ICANN’s Centralized Zone Data Service.

Under this model, users would self-certify that they have a legit right to the data (if they’re a cop or an IP lawyer, for example) and it would be up to the registry or registrar to approve or decline their request.

Model 2 envisages a more structured, formal, centralized system of certification for Whois users, developed with the Governmental Advisory Committee and presumably administered by ICANN.

Model 3 would require Whois users to supply a subpoena or court order in order to access records, which is sure to make it unpopular among the IP lobby and governments.

Each of the three models also differs in terms of the circumstances under which privacy is provided.

The models range from protecting records only when the registrant, registry, registrar or any other entity involved in the data processing has a presence in the European Economic Area to protecting records of all registrants everywhere regardless of whether they’re a person or a company.

Each model has different data retention policies, ranging from six month to two years after a registration expires.

None of the three models screw with registrars’ ability to pass data to thick-Whois registries, nor to their data escrow providers.

ICANN said it’s created these models based on the legal analyses it commissioned from the Hamilton law firm, as well as submissions from community members.

One such submission, penned by the German trade associated Eco, has received broad industry support.

It would provide blanket protection to all registrants regardless of legal status or location, and would see all personally identifiable information stripped from public Whois output.

Upon carrying out a Whois query, users would see only information about the domain, not the registrant.

There would be an option to request more information, but this would be limited to an anonymized email address or web form for most users.

Special users, such as validated law enforcement or IP interests, would be able to access the full records via a new, centralized Trusted Data Clearinghouse, which ICANN would presumably be responsible for setting up.

It’s most similar to ICANN’s Model 2.

It has been signed off by registries and registrars together responsible for the majority of the internet’s domain registrations: Afilias, dotBERLIN, CentralNic, Donuts, Neustar, Nominet, Public Interest Registry (PIR), Verisign, 1&1, Arsys, Blacknight, GoDaddy, Strato/Cronon, Tucows and United Domains.

ICANN said in a blog post that its three models are now open for public comment until January 29.

If you have strong opinions on any of the proposals, it might be a good idea to get them in as soon as possible, because ICANN plans to identify one of the models as the basis for the official model within 48 hours of the comment period closing.