US official Heineman joins GoDaddy

Former US government official Ashley Heineman has joined the staff of GoDaddy.
Heineman was until quite recently a policy specialist at the US National Telecommunications and Information Administration and the US representative on ICANN’s Governmental Advisory Committee.
But GoDaddy confirmed to DI today that she’s now left NTIA and joined the market-leading registrar.
I don’t know what her job title is yet. One assumes it’s related to policy or legal issues.
Heineman spent 15 years at NTIA and has been the ICANN GAC rep for the US for the last few years.
She’s had a respectably hands-on role, for a GACer, including being a member of the ongoing “EPDP” cross-community working group conducting a post-GDPR review of Whois policy.
Judging by my embarrassing error at the weekend, the US is currently being represented on the GAC by the NTIA’s Vernita Harris.
I’ve also heard rumors from ICANN 66 that another former NTIA official has also recently moved into the domain name industry. I’ll blog it up just as soon as I get confirmation.

ICANN enters talks to kill off Whois for good

Whois’ days are numbered.
ICANN is to soon enter talks with accredited registrars and contracted gTLD registries with the aim of naming a date to finally “sunset” the aging protocol.
It wants to negotiate amendments to the Registrar Accreditation Agreement and Registry Agreement with a view to replacing obligations to publish Whois with obligations to publish Registration Data Access Protocol data.
In letters to the chairs of its registrar and registry constituencies this week, ICANN CEO Göran Marby wrote:

The primary focus of the amendment is to incorporate contractual requirements for the Registration Data Access Protocol (RDAP) into the Registration Data Directory Services. This should include definition of the plan and provisions to sunset the obligations related to the WHOIS protocol as we transition Registration Data Services to RDAP.

For avoidance of doubt, people will still be able to look up the contact information for domain name owners after the change, but the data they see (very likely redacted for privacy reasons nowadays) will be delivered over a different protocol.
The contract amendment processes involve both registry and registrar constituencies to nominate a few people to engage in talks with ICANN negotiators, which is expected to conclude within 90 days.
When they come up with mutually acceptable language, the amendments will be open for both public comment and a vote of registries and registrars, before going to the ICANN board of directors for final approval.
The voting process is complex, designed to avoid capture by the largest registrars, and based on a balance of the number of voting registrars and the number of domains they collectively manage.
The contractual changes will come as no surprise to contracted parties, which have been on-notice for years that Whois is on its way out in favor of RDAP.
Most registrars already operate an RDAP server in parallel to their old Whois service, following an ICANN deadline in August.
We could be looking at the death of Whois within a year.

Now you don’t have to live in the EU to register a .eu domain, but there’s a catch

Residents of countries outside the European Union are now able to register .eu domain names.
A new rule that kicked in at the weekend broadened eligibility from only residents of the EU and European Economic Area. Now, residency is irrelevant.
The catch is that you have to still have to be an EU citizen to qualify.
EURid, the .eu registry, said the change opens up the ccTLD to “millions of Europeans living around the world”.
In practice, it could open up the space to basically anyone.
While residency can fairly easily be checked by looking at the mailing address in a Whois record, demonstrating citizenship is a different kettle of fish.
There’s no indication that EURid is asking registrars to collect passport numbers at the point of sale, so it appears to be a post-registration enforcement regime.
.eu is also still open to non-EU citizens who live in the EU or EEA.
.eu had 3.6 million names under management at the last count, having declined by about 200,000 since the Brexit vote three years ago.
Let’s see if the new, liberalized regime has any impact.

Crunch time, again, for Whois access policy

Talks seeking to craft a new policy for allowing access to private Whois data have hit another nodal point, with the community now pressuring the ICANN board of directors for action.
The Whois working group has more or less decided that a centralized model for data access, with ICANN perhaps acting as a clearinghouse, is the best way forward, but it needs to know whether ICANN is prepared to take on this role and all the potential liabilities that come with it.
Acronym time! The group is known as the Whois EPDP WG (for Expedited Policy Development Process Working Group) and it’s come up with a rough Whois access framework it’s decided to call the Standardized System for Access and Disclosure (SSAD).
Its goal is to figure out a way to minimize the harms that Europe’s General Data Protection Regulation allegedly caused to law enforcement, IP owners, security researchers and others by hiding basically all gTLD registration data by default.
The SSAD, which is intended to be as automated as possible, is the working group’s proposed way of handling this.
The “hamburger model” the EPDP has come up with sees registries/registrars and data requestors as the top and bottom of the sandwich (or vice versa) with some yet-to-be-decided organizational patty filling acting as an interface between the two.
The patty would handle access control for the data requests and be responsible for credentialing requestors. It could either be ICANN acting alone, or ICANN coordinating several different interface bodies (the likes of WIPO have been suggested).
Should the burger be made only of mashed-up cow eyelids, or should it incorporate the eyelids of other species too? That’s now the question that ICANN’s board is essentially being posed.
Since this “phase two” work kicked off, it’s taken about five months, 24 two-hour teleconferences, and a three-day face-to-face meeting to get to this still pretty raw, uncooked state.
The problem the working group is facing now is that everyone wants ICANN to play a hands-on role in running a centralized SSAD system, but it has little idea just how much ICANN is prepared to get involved.
The cost of running such a system aside, legislation such as GDPR allows for pretty hefty fines in cases of privacy breaches, so there’s potentially a big liability ask of notoriously risk-averse ICANN.
So the WG has written to ICANN’s board of directors in an attempt to get a firm answer one way or the other.
If the board decided ICANN should steer clear, the WG may have to go back more or less to square one and focus on adapting the current Whois model, which is distributed among registrars and registries, for the post-GDPR world.
How much risk and responsibility ICANN is willing to absorb could also dictate which specific SSAD models the WG pursues in future.
There’s also a view that, with no clarity from ICANN, the chance of the WG reaching consensus is unlikely.
This will be a hot topic at ICANN 66 in Montreal next month.
Expect the Governmental Advisory Committee, which had asked for “considerable and demonstrable progress, if not completion” of the access model by Montreal, to be disappointed.

Introducing… the DI Leaders Roundtable

Today, I’m introducing what I hope to be the first of several regular features, the DI Leaders Roundtable.
Every week or two, I’ll be putting a single question to a collection of domain industry and ICANN community leaders and compiling their responses in order to gain some insight into current thoughts on hot topics or broader industry trends from some of the space’s top thinkers.
I’ve tried to reflect a broad cross-section of the industry, with a mix of business, policy and technical expertise from registries, registrars, back-ends, new gTLDs, legacy gTLDs, investors, etc.
The initial line-up for the panel, which will likely evolve as time goes by, is, in alphabetical order.
Ben Crawford, CEO, CentralNic
Crawford is CEO of CentralNic, a triple-play domain company based in London and listed on the Alternative Investment Market. Initially a vendor of pseudo-gTLDs such as uk.com and gb.com, CentralNic has over the course of the last seven years evolved into a company that sells both its own self-managed TLDs, such as .sk, as well as acting as a back-end for the likes of .xyz, .site and .online. Describing itself as a consolidator, the company nowadays makes most of its money via the registrar side of the house as a result of a series of mergers and acquisitions, particularly the merger with KeyDrive last year.
Jothan Frakes, Executive Director, Domain Name Association
A long-time industry jack-of-all-trades, Frakes is currently executive director of the Domain Name Association, the prominent industry trade group. Frakes has acted in a number of roles at domain name companies, as well as co-founding the popular NamesCon conference back in 2014. His technical credentials can be exemplified by, among other activities, his participation in Mozilla’s Public Suffix List, while his policy nous could be vouched for by many who have worked with him during his 20 years of ICANN participation.
Richard Kirkendall, CEO, NameCheap
Kirkendall founded leading budget registrar NameCheap in 2000 and has occupied the office of CEO ever since. A long-time Enom reseller, NameCheap’s popularity was for many years shrouded in mystery. It finally transferred the last of its Enom names over to its own accreditation in January 2018, revealing it to have 7.5 million gTLD names under management. It added a further two million over the next 18 months, and says it has over 10 million names in total. NameCheap is known for its low prices and for its occasional support for pro-freedom political causes such as the Electronic Frontier Foundation.
Milton Mueller, Professor, Georgia Tech
Mueller is an academic and among the most prominent voices in ICANN’s Non-Commercial Stakeholder Group. Based at the School of Public Policy at the Georgia Institute of Technology, he founded the Internet Governance Project, an independent policy research outfit, in 2004. He’s the author of several books on the topic, and very active in ICANN policy development, including the current effort to balance privacy rights with commercial interests in the Whois system.
Jeff Neuman, Senior VP, Com Laude
Neuman is senior vice president of brand-protection registrar Com Laude and sister company Valideus, which provides new gTLD consultancy services to brand owners. From 2000 until 2015, he worked in senior policy and registry business roles at Neustar, helping to apply for and launch .biz in 2001. A noted ICANN policy expert, Neuman has sat on various ICANN working groups and currently co-chairs the New gTLD Subsequent Procedures Policy Development Process, which is developing the rules for the next round of new gTLDs.
Jon Nevett, CEO, Public Interest Registry
Nevett is CEO of Public Interest Registry, which manages the 10-million-domain-strong legacy gTLD .org and a handful of new gTLDs. Prior to PIR, he was executive vice president of Donuts, and one of its four co-founders. He’s been in the domain business since 2004, when he joined Network Solutions as a senior VP on the policy side of the house. Nevett has also been involved in ICANN policy-making, including a stint as chair of the Registrars Constituency.
Michele Neylon, CEO, Blacknight
Neylon is CEO and co-founder of Blacknight Internet Solutions, a smaller registrar based in Ireland. Known for his “often outspoken” policy views, he’s a member of several ICANN working groups, sits on the GNSO Council representing registrars, and is a member of stakeholder group committees for various ccTLD registries including .eu, .ie and .us. Blacknight has almost 60,000 gTLD registrations to its name but also specializes in serving its local ccTLD market.
Dave Piscitello, Partner, Interisle Consulting Group
Piscitello is currently a partner at security consultancy Interisle Consulting Group, having retired from his role as vice president of security and ICT coordination at ICANN last year. With over 40 years in the security business, he’s also a board member of the Coalition Against Unsolicited Commercial Email (CAUCE) and the Anti-Phishing Working Group (APWG). Interisle is an occasional ICANN security contractor.
Sandeep Ramchamdani, CEO, Radix Registry
Ramchandani is CEO of Mumbai-based new gTLD registry Radix, which currently has a portfolio of 10 gTLDs and one ccTLD. It’s known primarily for its low-cost, high-volume, pure-generic business model, which has seen its two best performers, .online and .site, rack up almost three million domains between them. Radix is a unit of Directi Group, which is where Ramchandani cut his teeth for almost a decade before taking the reins of Radix in 2012.
Frank Schilling, CEO, Uniregistry
Schilling started off as a domain investor at the second level, 19 years ago, eventually managing hundreds of thousands of secondary-market domains with his company Name Administration, before founding Uniregistry in order to invest in new gTLDs in 2012. As a registry, Uniregisty has about a quarter of a million names spread across its 22-TLD portfolio; as a registrar it has over 1.2 million domains under management. Schilling is widely considered one of the most successful domain investment pioneers.
Rick Schwartz, aka the “Domain King”
Schwartz is viewed by domain investors as one of the most successful domainers of all time, and is known for his forthright, blunt criticisms of both new gTLDs and poor domain investment strategies. He’s been buying and selling domain names since 1995, and has sold several category-killer .com domains for seven-figure sums. Schwartz also founded the T.R.A.F.F.I.C. domainer conference in 2004, and it ran for 10 years.

Registrar suspended over dodgy transfers

ICANN has suspended a Los Angeles-based registrar after failing to get answers to its questions about a bunch of domain transfer.
World Biz Domains won’t be able to sell any gTLD domains, or accept transfers, from October 16 until January 13 next year. It will also have to post ICANN’s suspension notice on its home page.
Its crime? Failing to provide ICANN with records proving that the change of registrant requests for 15 potentially valuable domain names were legitimate.
ICANN has been badgering World Biz for these records since April, but says it was given the runaround.
The domains in question — 28.net, 68.net, 88.org, changi.com, tay.net, goh.net, koh.net, kuantan.com, yeong.com, merlion.org, og.net, raffles.net, sentosa.org, sg.org and shenton.com — all appear to have been registered to a Singaporean investor using the registrar DomainDiscover until about a year ago.
The non-numeric names all have significance to Singapore or neighboring Malaysia one way or the other. Some of them are arguably UDPR fodder.
Shenton is a busy street and hotel in the city, Merlion is Singapore’s lion mascot, Sentosa is a Singaporean island, and Raffles is of course the name of the famous hotel. Other domains on the list are common Chinese surnames used by Singaporeans.
It appears that about a year ago, according to DomainTools’ historical Whois records, they were transferred to World Biz and put under privacy protection.
There’s no specific claim in ICANN’s notice that any domain hijacking has taken place, but it’s easy to infer that the original registrant was for some reason not happy that the domains changed hands and therefore complained to ICANN.
Some of the domains in question have since been transferred to other registrars and may have been returned to the original registrant.
If ICANN’s track record of demanding records is any guide, this will not help World Biz come into compliance.
Should it be terminated, it looks like very few registrants will be affected.
While World Biz at one point had over 5,000 gTLD domains under management, it’s been shrinking consistently for the best part of a decade and in May had just 74 DUM.
September last year, when the domains in question moved to World Biz, was the company’s most-successful month in terms of inbound transfers — 17 domains — since I started tracking this kind of data nine years ago.

.blog registry handover did NOT go smoothly

The transition of .blog between registry back-end providers ended up taking six times longer than originally planned, due to “a series of unforeseen issues”.
Registry Knock Knock Whois There today told registrars that the move from Nominet to CentralNic took 18 hours to complete, far longer than the two to three hours anticipated.
An “unexpected database error” was blamed at one point for the delay, but KKWT said it is still conducting a post-mortem to figure out exactly what went wrong.
During the downtime, .blog registrations, renewals, transfers and general domain management at the registry level would not have been possible.
DNS resolution was not affected, so registrants of .blog domains would have been able to use their web sites and email as usual.
The migration, which covered roughly 200,000 domains, wrapped up at around 0800 UTC this morning. It seems engineers at the two back-end providers, both based in the UK, will have been working throughout the night to fix the issues.
KKWT reported the new CentralNIC EPP back-end functioning as expected but that several days of “post-migration clean-up” are to be expected.
Eighteen hours is more than the acceptable 14 hours of monthly downtime for EPP services under ICANN’s standard Registry Agreement, but below the 24 hours of weekly downtime at which emergency measures kick in.
CentralNic already handles very large TLDs, including .xyz, but I believe this is the largest incoming migration it’s handled to date.
KKWT is owned by Automattic, the same company as WordPress.com.

Whois killer deadline has passed. Did most registrars miss it?

The deadline for registrars to implement the new Whois-killer RDAP protocol passed yesterday, but it’s possible most registrars did not hit the target.
ICANN told registrars in February (pdf) that they had six months to start making RDAP (Registration Data Access Protocol) services available.
RDAP is the replacement for the age-old Whois protocol, and provides virtually the same experience for the end user, enabling them to query domain ownership records.
It’s a bit more structured and flexible, however, enabling future services such as tiered, authenticated access.
Despite the August 26 deadline coming and going, ICANN records suggest that as many as three quarter of accredited registrars have not yet implemented RDAP.
The IANA department started publishing the base URLs for registrar RDAP servers recent.
According to this list, there are 2,454 currently accredited registrars, of which only 615 (about 25%) have an RDAP server.
But I’m not convinced this number is particularly useful.
First, just because a registrar’s RDAP server is not listed, does not mean it does not have one.
For example, the two largest registrars, Tucows and GoDaddy, do not have servers on the list, but both are known to have been working on RDAP services for a long time through public pilots or live services. Similarly, some CentralNic registrars have servers listed while others do not.
Second, of the 1,839 accreditations without servers, at least 1,200 are DropCatch.com shells, which tips the scales towards non-compliance considerably.
Still, it seems likely that some registrars did in fact miss their deadline. How stringently ICANN chooses to enforce this remains to be seen.
ICANN itself replaced its “Whois” service with a “Lookup” service last month.
According to Michele Neylon of the registrar Blacknight, contracted parties can also discover RDAP URLs via ICANN’s closed RADAR registrar information portal.
RDAP and Whois will run concurrently for a while before Whois takes its final bow and disappears forever.

Three-letter .com owned by hospital “hijacked”

A California hospital has seen its three-letter .com domain reportedly hijacked and transferred to a registrar in China.
Sonoma Valley Hospital, a 75-bed facility north of San Francisco, was using svh.com as its primary domain until earlier this month, when it abruptly stopped working.
The Sonoma Index-Tribune reports that the domain was “maliciously acquired”, according to a hospital spokesperson.
It does not seem to be a case of a lapsed registration.
Historical Whois records archived by DomainTools show that svh.com, which had been registered with Network Solutions, had over a year left on its registration when it was transferred to BizCN in early August.
BizCN is based in China and has around 711,000 gTLD domains under management, having shrunk by about 300,000 names over the 12 months to April.
The Sonoma newspaper speculates that the domain may have been hijacked via a phishing attack. It’s not clear whether the hospital or NetSol, part of the Web.com group, was the target.
Three-letter .com names are highly prized, usually selling for tens of thousands of dollars.
Domain investors should obviously steer clear of svh.com, which will is probably already up for sale.
Not only is there a possibility of attracting unwelcome legal attention, but there’s also the moral implications of paying somebody who would steal from a hospital.
The hospital in question has now changed its name to sonomavalleyhospital.org. This transition, which includes migrating the email addresses of all of its staff, seems to have taken several days.
Anyone sending personal medical information to the old svh.com email addresses may find that information in the wrong hands.

After more racist shootings, take one guess which registrar 8chan just switched to

Controversial web forum 8chan has moved its domain name to a new registrar after it was linked to at least one of the two mass shootings that occurred in the US over the weekend.
According to Whois records, it’s just jumped to racist-friendly Epik, having been registered at Tucows since 2003.
The switch appears to have happened in the last few hours. At time of writing, you’re going to get different results depending which Whois server you ping.
Some servers continue to report Tucows as the registrar of record, perhaps using cached data, but Epik’s result looks like this:

8chan is an image/discussion board that describes itself as “the Darkest Reaches of the Internet”. It’s reportedly heavily used by racists, extremists and those with an interest in child pornography.
It was widely linked by the media to the shooting in the border town of El Paso, Texas on Saturday, which claimed the lives of 20 people and left 26 more injured.
The suspect in the case reportedly posted to 8chan a 2,300-word racist “manifesto”, in which he ranted against Latino immigration, just 20 minutes before launching the attack.
This morning, Cloudflare announced that it would no longer provide denial-of-service attack protection for the web site, saying:

The rationale is simple: they have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit.

Google removed the site from its index a few years ago, due to allegations about child abuse material.
At this point, it’s not clear whether Tucows also ejected 8chan, or whether its owners decided to jump ship, perhaps sensing which way the wind is blowing.
Its new home, Epik, calls itself the “Swiss bank” of domain registrars, and has actively courted sites that enable far-right political views.
The registrar openly sought the business of Gab.com, the Twitter clone used largely by those who have been banned by Twitter, after GoDaddy suspended the site’s domain last November.
In March this year, Epik CEO Rob Monster came under fire for publicly doubting the veracity of the video of the mosque shootings in Christchurch, New Zealand, which killed 50 people.
8chan was also frequented by the perpetrator of that attack, among others.
Epik is described as “cornering the market on websites where hate speech is thriving”, according to the Southern Poverty Law Center, an anti-racist group.
Monster has said that he does not support the views of extremists, but merely wants to provide a platform where registrants can exercise their rights to free speech.