Survey says most Whois records “accurate”

Ninety-seven percent of Whois records contain working email addresses and/or phone numbers, according to the results of an ongoing ICANN survey.
The organization yesterday published the second of its now-biannual WHOIS Accuracy Reporting System reports, a weighty document stuffed with facts and figures about the reliability of Whois records.
It found, not for the first time, that the vast majority of Whois records are not overtly fake.
Email addresses and phone numbers found there almost always work, the survey found, and postal addresses for the most part appear to be real postal addresses.
The survey used a sample of 12,000 domains over 664 gTLDs. It tested for two types of accuracy: “syntactical” and “operability”.
Syntactical testing just checks, for example, whether the email address has an @ symbol in it and whether phone numbers have the correct number of digits.
Operability testing goes further, actually phoning and emailing the Whois contacts to see if the calls connect and emails don’t bounce back.
For postal addresses, the survey uses third-party software to see whether the address actually exists. No letters are sent.
The latest survey found that 97% of Whois records contain at least one working phone number or email address, “which implies that nearly all records contain information that can be used to establish immediate contact.”
If you’re being more strict about how accurate you want your records, the number plummets dramatically.
Only 65% of records had operable phone, email and postal contact info in each of the registrant, administrative and technical contact fields.
Regionally, fully accurate Whois was up to 77% in North America but as low as 49.5% in Africa.
So it’s not great news if Whois accuracy is your bugbear.
Also, the survey does not purport to verify that the owners of the contact information are in fact the true registrants, only that the information is not missing, fake or terminally out-of-date.
A Whois record containing somebody else’s address and phone number and a throwaway webmail address would be considered “accurate” for the survey’s purposes.
The 54-page survey can be found over here.

Privacy risk under new domain transfer policy

ICANN’s new domain Transfer Policy, which comes into effect tomorrow, creates risks for users of privacy/proxy services, registrars and others haved warned.
The policy could lead to private registrants having their contact information published in the public Whois for 60 days, the GNSO Council expects to formally tell ICANN this week.
“This could threaten privacy for at-risk registrants without clear benefit,” the Council says in a draft letter to the ICANN board.
The revised Transfer Policy was designed to help prevent domain hijacking.
The main change is that whenever there’s a “change of registrant”, the gaining and losing registrants both have to respond to confirmation emails before the change is processed.
However, “change of registrant” is defined in such a way that the confirmation emails would be triggered even if the registrant has not changed.
For example, if you change your last name in your Whois records due to marriage or divorce, or if you change email addresses, that counts as a change of registrant.
It now turns out that ICANN considers turning a privacy service on or off as a change of registrant, even though that only affects the public Whois data and not the underlying customer data held by the registrar.
The GNSO Council’s draft letter states:

ICANN has advised that any change to the public whois records is considered a change of registrant that is subject to the process defined through IRTP-C. Thus, turning a P/P service on or off is, from ICANN’s view, a change of registrant. It requires the CoR [change of registrant] process to be followed and more importantly could result in a registrant exposing his/her information in the public whois for 60 days. This could threaten privacy for at-risk registrants without clear benefit.

My understanding is that the exposure risk outlined here would only be to registrants who attempt to turn on privacy at their registrar then for whatever reason ignore, do not see or do not understand the subsequent confirmation emails.
Depending on implementation, it could lead to customers paying for a privacy service and not actually receiving privacy.
On the other side of the coin, it’s possible that an actual change in registrant might not trigger the CoR process if both gaining and losing registrants both use the same privacy service and therefore have identical Whois records.
The Council letter also warns about a possible increase in spam due to the changes:

many P/P services regularly generate new email addresses for domains in an effort to reduce spam. This procedure would no longer be possible, and registrants may be subject to unwanted messaging. Implementing the CoR for email changes that some providers do as often as every 3-5 days is not feasible.

ICANN has been aware of these issues for months. Its suggested solution is for registrars to make themselves the “Designated Agent” — a middleman permitted to authorize transfers — for all of their customers.
As we reported earlier this week, many large registrars are already doing this.
But registrars and the GNSO Council want ICANN to consider reinterpreting the new policy to exclude privacy/proxy services until a more formal GNSO policy can be created.
While the Policy Development Process that created the revised transfer rules wound up earlier this year, a separate PDP devoted to creating rules of privacy/proxy services is still active.
The Council suggests that this working group, known as PPSAI, could assume the responsibility of clearing up the mess.
In the meantime, registrars are rather keen that they will not get hit with breach notices by ICANN Compliance for failing to properly implement to what seems to be a complex policy.

Transferring domains gets more complex this week

A new anti-hijacking domain name transfer policy comes into effect this week at all ICANN-accredited registrars, potentially complicating the process of not only selling domains but also updating your own Whois records.
But many registrars have already rewritten their terms of service to make the new rules as hassle-free as possible (and essentially pointless).
From December 1, the old ICANN Inter-Registrar Transfer Policy starts governing inter-registrant transfers too, becoming simply the Transfer Policy.
Now, when you make updates to your Whois records that appear to suggest new ownership, you’ll have to respond to one or two confirmation emails, text messages or phone calls.
The policy change is the latest output of the interminable IRTP work within ICANN’s GNSO, and is designed to help prevent domain hijacking.
But because the changes are likely to be poorly understood by registrants at the outset, it’s possible some friction could be added to domain transfers.
Under the new Transfer Policy, you will have to respond to confirmation emails if you make any of the following:

• A change to the Registered Name Holder’s name or organization that does not appear to be merely a typographical correction;
• Any change to the Registered Name Holder’s name or organization that is accompanied by a change of address or phone number;
• Any change to the Registered Name Holder’s email address.

While registrars have some leeway to define “typographical correction” in their implementation, the notes to the policy seem to envisage single-character transposition and omission errors.
Registrants changing their last names due to marriage or divorce would apparently trigger the confirmation emails, as would transfers between parent and subsidiary companies.
The policy requires both the gaining and losing registrant to verify the “transfer”, so if the registrant hasn’t actually changed they’ll have to respond to two emails to confirm the desired changes.
Making any of the three changes listed above will also cause the unpopular 60-day transfer lock mechanism — which stops people changing registrars — to trigger, unless the registrant has previously opted out.
Registrars are obliged to advise customers that if the change of registrant is a prelude to an inter-registrar transfer, they’d be better off transferring to the new registrar first.
The new policy is not universally popular even among registrars, where complexity can lead to mistakes and therefore support costs.
Fortunately for them, the Transfer Policy introduces the concept of “Designated Agents” — basically middlemen that can approve registrant changes on your behalf.
Some registrars are taking advantage of this exception to basically make the confirmation aspects of the new policy moot.
Calling the confirmation emails an “unnecessary burden”, EuroDNS said last week that it has unilaterally made itself every customer’s Designated Agent by modifying its terms of service.
Many other registrars, including Tucows/OpenSRS, NameCheap and Name.com appear to be doing exactly the same thing.
In other words, many registrants will not see any changes as a result of the new Transfer Policy.
The truism that there’s no domain name policy that cannot be circumvented with a middleman appears to be holding.

After shaky start, .blog launches today

The new gTLD .blog goes into general availability today, after some mild controversy about the way the registry allocated reserved domain names.
Knock Knock Whois There, the registry affiliated with WordPress maker Automattic, last week apologized to some would-be customers for declining to honor some landrush pre-registrations.
Some registrants had complained that domains that were accepted for pre-registration were subsequently added to KKWT’s list of registry-reserved names, making them unavailable for registration.
KKWT said in a blog post Thursday that the confusion was due to it not having finalized its reserved list until just before its landrush period kicked off, November 2.
Registrars, including those accepting pre-registrations, were not given the final lists until the last minute.
Landrush applications cost around $250 but were refundable.
KKWT also revealed the make-up of its founders program domains, the 100-strong list of names it was allowed to allocate pre-sunrise.
The founders program currently seems to be a bit of a friends-and-family affair.
Of the 25 live founder sites currently listed, about 20 appear to be owned by the registry, its employees and close affiliates.
The registry said in its blog post that 25 super-generic domains had been given to WordPress.com. It seems the blog host will offer third-level names in these domains for free to its customers.
.blog had 1,743 domains in its zone file yesterday.
General availability starts about 30 minutes from the time this post was posted, at 1500 UTC. Prices are around the $30 mark.

Thick Whois coming to .com next year, price rise to follow?

Verisign could be running a “thick” Whois database for .com, .net and .jobs by mid-2017, under a new ICANN proposal.
A timetable published this week would see the final three hold-out gTLDs fully move over to the standard thick Whois model by February 2019, with the system live by next August.
Some people believe that Verisign might use the move as an excuse to increase .com prices.
Thick Whois is where the registry stores the full Whois record, containing all registrant contact data, for every domain in their TLD.
The three Verisign TLDs currently have “thin” Whois databases, which only store information about domain creation dates, the sponsoring registrar and name servers.
The model dates back to when the registry and registrar businesses of Verisign’s predecessor, Network Solutions, were broken up at the end of the last century.
But it’s been ICANN consensus policy for about three years for Verisign to eventually switch to a thick model.
Finally, ICANN has published for public comment its anticipated schedule (pdf) for this to happen.
Under the proposal, Verisign would have to start offering registrars the ability to put domains in its thick Whois by August 1 2017, both live via EPP and in bulk.
It would not become obligatory for registrars to submit thick Whois for all newly registered domains until May 1, 2018.
They’d have until February 1, 2019 to bulk-migrate all existing Whois records over to the new system.
Thick Whois in .com has been controversial for a number of reasons.
Some registrars have expressed dissatisfaction with the idea of migrating part of their customer relationship to Verisign. Others have had concerns that local data protection laws may prevent them moving data in bulk overseas.
The new proposal includes a carve-out that would let registrars request an exemption from the requirements if they can show it would conflict with local laws, which holds the potential to make a mockery out of the entire endeavor.
Some observers also believe that Verisign may use the expense of building and operating the new Whois system as an excuse to trigger talks with ICANN about increasing the price of .com from its current, frozen level.
Under its .com contract, Verisign can ICANN ask for a fee increase “due to the imposition of any new Consensus Policy”, which is exactly what the move to thick Whois is.
Whether it would choose to exercise this right is another question — .com is a staggeringly profitable cash-printing machine and this Whois is not likely to be that expensive, relatively speaking.
The proposed implementation timetable is open for public comment until December 15.

Big brands condemn “fraudulent” .feedback gTLD in ICANN complaint

Top Level Spectrum has been accused today of running the gTLD .feedback in a “fraudulent and deceptive” manner.
Over a dozen famous brands, corralled by corporate registrar MarkMonitor, today formally complained to ICANN that .feedback is a “complete sham”.
They reckon that the majority of .feedback domains belong to entities connected to the registry, violate trademarks, and have been stuffed with bogus and plagiarized reviews.
TLS denies any involvement.
MarkMonitor clients Adobe, American Apparel, Best Buy, Facebook, Levi and Verizon are among those that today filed a Public Interest Commitments Dispute Resolution Policy complaint with ICANN.
PICDRP is the mechanism third parties can use to complain about new gTLD registries they believe are in breach of the Public Interest Commitments found in their registry contracts.
The 50-page complaint (pdf), which comes with hundreds of pages of supporting documentation spread over 36 exhibits, purports to show TLS engaging in an “escalating pattern of discriminatory, fraudulent and deceptive registry misconduct”.
While the allegations of wrongdoing are fairly broad, the most interesting appears to be the claim that TLS quietly registered thousands of .feedback names matching trademarks to itself and then filled them with reviews either ripped off from Yelp! or supplied by overseas freelancers working for pennies.
TLS denies that it did any of this.
The .feedback registry is closely tied to the affiliated entity Feedback SAAS, which offers a hosted social platform for product/company reviews. Pricing for .feedback domains is dependent on whether registrants use this service or not.
The complaint states:

the overwhelming majority of domain names registered and activated within the .FEEDBACK TLD — over seventy percent (70%) — are currently owned and operated by Respondent [TLS], and parties working in concert with Respondent
…
Respondent has solicited and paid numerous third parties, including professional freelance writers who offer to post a set number of words for a fee, to write fabricated reviews regarding Complainants’ products and services.
…
These ostensibly independent reviews from ordinary consumers are intended to give the appearance of legitimate commentary within .FEEDBACK sites, when, in fact, the reviews are a complete sham.

An investigation carried out by MarkMonitor (pdf) showed that of the 2,787 .feedback domains registered up to July 31, 73% were registered to just five registrants.
The top registrant, Liberty Domains LLC of Las Vegas, owned 47% of these domains.
MarkMonitor believes this company (which it said does not show up in Nevada company records) and fourth-biggest registrant Core Domains LLC (based at the same Vegas mail forwarding service) are merely fronts for TLS, though it has no smoking gun proving this connection.
TLS CEO Jay Westerdal denies the company is affiliated with Liberty.
The MarkMonitor investigation counted 27,573 reviews on these sites, but 22% of them purported have been written prior to the date the domain was registered, in some cases by years.
The company reckons hundreds of reviews can be traced to five freelance writers who responded to February job ads looking for people who could write and post 10 150-word reviews per hour.
Other reviews appear to have been copied wholesale from Yelp! (this can be easily verified by visiting almost any .feedback site and searching for exact-match content on Google).
Westerdal told DI last week that registrants can use an API to import reviews.
The brands’ complaint goes on to criticize TLS for its Free.feedback offering, a very odd, bare-bones web site which seems to offer free .feedback domains.
When you type a domain or email address into the form on Free.feedback, it offers to give you the equivalent .feedback domain for free, automatically populating a second form with the Whois record of the original domain.
According to the complaint, after somebody registers a free .feedback domain, Feedback SAAS starts contacting the person listed in the Whois about their “free trial registration” regardless of whether they were actually the person who signed up the the domain. The complaint states:

Complainants and multiple other trademark owners who received such email notifications from Feedback SAAS and TLS registrars never visited the FREE.FEEDBACK website, and they never requested a free trial registration in the .FEEDBACK TLD

I’ve been unable to fully replicate this experience in attempts to test Free.feedback.
The complaint alleges multiple breaches of the PICs in the .feedback ICANN Registry Agreement.
The brands want ICANN Compliance to conduct a thorough investigation of .feedback, for all Free.feedback domains with phony Whois to be terminated, and for affected trademark owners to get refunds. They also want their legal costs paid by TLS.
ICANN does not typically publish the outcome of PICDRP complaints. Indeed, this is only the second one I’m aware of. It’s difficult to judge what MarkMonitor’s posse’s chances of success are.

Google could shake up the registry market with new open-source Nomulus platform

Google has muscled in to the registry service provider market with the launch of Nomulus, an open-source TLD back-end platform.
The new offering appears to be tightly integrated with Google’s various cloud services, challenging long-held registry pricing conventions.
There are already indications that at least one of the gTLD market’s biggest players could be considering a move to the service.
Donuts revealed yesterday it has been helping Google with Nomulus since early 2015, suggesting a shift away from long-time back-end partner Rightside could be on the cards.
Nomulus, which is currently in use at Google Registry’s handful of early-stage gTLDs, takes care of most of the core registry functions required by ICANN, Google said.
It’s a shared registration system based on the EPP standard, able to handle all the elements of the domain registration lifecycle.
Donuts contributed code enabling features it uses in its own 200-ish gTLDs, such as pricing tiers, the Early Access Period and Domain Protected Marks List.
Nomulus handles Whois and likely successor protocol RDAP (Registration Data Access Protocol).
For DNS resolution, it comes with a plug-in to make TLDs work on the Google Cloud DNS service. Users will also be able to write code to use alternative DNS providers.
There’s also software to handle daily data escrow to a third-party provider, another ICANN-mandated essential.
But Nomulus lacks critical features such as billing and fully ICANN-compliant reporting, according to documentation.
So will anyone actually use this? And if so, who?
It’s too early to say for sure, but Donuts certainly seems keen. In a blog post, CEO Paul Stahura wrote:

As the world’s largest operator of new TLDs, Donuts must continually explore compelling technologies and ensure our back-end operations are cost-efficient and flexible… Google has a phenomenal record of stability, an almost peerless engineering team, endless computing resources and global scale. These are additional potential benefits for us and others who may contribute to or utilize the system. We have been happy to evaluate and contribute to this open source project over the past 20 months because this platform provides Donuts with an alternative back-end with significant benefits.

In a roundabout way, Donuts is essentially saying that Nomulus could work out cheaper than its current back-end, Rightside.
The biggest change heralded by Nomulus is certainly pricing.
For as long as there has been a competitive market for back-end domain registry services, pricing has been on a per-domain basis.
While pricing and model vary by provider and customer, registry operators typically pay their RSPs a flat fee and a buck or two for each domain they have under management.
Pricing for dot-brands, where DUM typically comes in at under 100 today, is believed to be weighted much more towards the flat-fee service charge element.
But that’s not how Nomulus is to be paid for.
While the software is open source and free, it’s designed to run on Google’s cloud hosting services, where users are billed on the fly according to their usage of resources such as storage and bandwidth consumed.
For example, the Google Cloud Datastore, the company’s database service that Nomulus uses to store registration and Whois records, charges are $0.18 per gigabyte of storage per month.
For a small TLD, such as a dot-brand, one imagines that storage costs could be reduced substantially.
However, Nomulus is not exactly a fire-and-forget solution.
There is no Google registry service with customer support reps and such, at least not yet. Nomulus users are responsible for building and maintaining their registry like they would any other hosted application.
So the potentially lower service costs would have to be balanced against potentially higher staffing costs.
My hunch based on the limited available information is that for a dot-brand or a small niche TLD operating on a skeleton crew that may lack technical expertise, moving to Nomulus could be a false economy.
With this in mind, Google may have just created a whole new market for middleman RSPs — TLD management companies that can offer small TLDs a single point of contact for technical expertise and support but don’t need to build out and own their own expensive infrastructure.
The barrier to entry to the RSP market may have just dropped like a rock, in other words.
And Nomulus may work out more attractive to larger TLD operators such as Donuts, with existing teams of geeks, that can take advantage of Google’s economies of scale.
Don’t expect any huge changes overnight though. Migrating between back-ends is not an easy or cheap feat.
As well as ICANN costs, and data migration and software costs, there’s also the non-trivial matter of shepherding a horde of registrars over to the new platform.
How much impact Nomulus will have on the market remains to be seen, but it has certainly given the industry something to think about.

Registrar accused of pimping prescription penis pills

ICANN has implicated a Chinese domain name registrar in the online selling of medications, including Viagra and Cialis, without the required prescription.
The organization’s Compliance department filed a contract breach notice with Nanjing Imperiosus, which does business as DomainersChoice.com, today.
The move follows an allegation from pharmacy watchdog LegitScript in the US Congress that DomainersChoice is “rogue internet pharmacy operator”.
Because ICANN has no authority to police online pharmacies, it’s gone after the registrar based on an obscure part of the Registrar Accreditation Agreement.
Section 3.7.7 of the 2013 RAA says that domains must be registered to a third party, unless they’re used by the registrar in the course of providing its registrar services.
According to ICANN, DomainersChoice has refused to provide evidence that many of its domains are not in fact registered to itself and CEO Stefan Hansmann, in violation of this clause.
It cites 5mg-cialis20mg.com, acheterdutadalafil.com, viagra-100mgbestprice.net and 100mgviagralowestprice.net as examples of domains apparently registered to Hansmann and his company.
Historical Whois records show Hansmann and Nanjing Imperiosus as the registrant of these names until recently.
The domains all refer to erectile dysfunction medicines, which are usually only available in the US with a prescription.
A reverse Whois lookup reveals Hansmann’s name in the records for many more pharmaceuticals-related domains, some of which are for more serious medical conditions.
Several of the domains contain the words “without prescription” or similar, where the drug in question requires a prescription in the US.
Some of the domains do not currently resolve or no longer provide current Whois records and others have been recently transferred, but some resolve to apparently active e-commerce sites.
ICANN’s breach notice (pdf) doesn’t allege any illegal activity.
The same cannot be said for LegitScript CEO John Horton, who lumped DomainersChoice in with a few other registrars he believes are operating “illegal online pharmacies”.
Horton testified (pdf) before Congress last month that the registrar was playing host to 2,300 such sites.
The testimony was filed September 14, the same day ICANN began its compliance investigation.
ICANN’s notice, which alleges a handful of other relatively trivial breaches, asks that Hansmann provide a full list of domains registered in his and his company’s name via DomainersChoice.
It also demands evidence that the domains were either used to provide registrar services or were registered to a third party.
It wants all that by November 2, after which it may start to terminate the company’s RAA.

.blog gets 600 applications halfway through sunrise

WordPress developer Automattic has received over 600 applications for .blog sunrise registrations halfway through its sunrise period.
The company’s registry subsidiary, Knock Knock Whois There, said Friday that it has passed the 600 mark with about another 30 days remaining on the clock.
While it’s a poor performance by pre-2012 standards, if all the applications to date convert into registrations it’s still enough to put .blog into the top 10 most-popular sunrises of the current round.
According to DI’s data, the top three sunrise performers from the 2012 application round are .porn (2,091), .sucks (2,079) and .adult (2,049).
The most recent successful sunrise, by these standards, was GMO Registry’s .shop, which finished with 1,182 applications.
.blog’s sunrise ends October 17. It seems to be expecting to benefit from a late flood of applications, as is sometimes the case with sunrise periods.
General availability begins November 21.

Registries rebel against ICANN’s Whois upgrade decree

Registry operators are challenging an ICANN decision to force them to launch a new Whois-style service, saying it will cost them too much money.
The Registries Stakeholder Group has filed a Request for Reconsideration — a low-level appeal — of a decision asking them to launch RDAP services to complement their existing Whois.
RDAP, Registration Data Access Protocol, is being broadly touted as the successor to Whois.
It offers the same functionality — you can query who owns a domain — but the data returned is more uniformly structured. It also enables access control, so not every user would have access to every field.
The RySG now claims that ICANN is trying to sneak an obligation to implement RDAP into its registry agreements through a “backdoor” in the form of the new Consistent Labeling and Display Policy.
That policy, which originated in a formal, community-driven GNSO Policy Development Process, seeks to normalize Whois (or Registration Data Services, in its generic not protocol-specific wording) output to make it easier to machine-read.
It applies to all gTLDs except .com, .net and .jobs (which are “thin” registries) and would come into effect February 1 next year.
Registries appear happy to implement the CL&D policy, but not as currently written. It now contains, almost as an aside, this requirement:

The implementation of an RDAP service in accordance with the “RDAP Operational Profile for gTLD Registries and Registrars” is required for all gTLD registries in order to achieve consistent labeling and display.

The RySG argues in its RfR (pdf) that implementing RDAP was never part of the community-endorsed plan, and that it is not “commercially feasible” to do so right now.

The 2012 new gTLD Registry Agreement specifies that implementation of the protocol now known as RDAP be commercially feasible before it’s required. The RySG can’t even respond as to whether it’s feasible or not since no reasoning to that regard was provided in the notice to implement such services.
Furthermore, some of our members are on record stating that since the RDAP profile replicates the known deficiencies of WHOIS – which is currently being studied by a PDP WG – so it’s not commercially feasible to deploy it to mimic a flawed system.
The introduction of RDAP represents an additive requirement for Registries to operate a new (additive) service. As there are no provisions for the sunset of the legacy Whois service, it’s unclear how this additional requirement can be considered commercially feasible.

In other words, the registries think it could be too costly to deploy RDAP and Whois at the same time, especially given that RDAP is not finished yet.
It’s yet another case of domain companies accusing ICANN the organization of slipping in requirements without community support.
Whether the RfR will be successful is debatable. There’s only been a few Reconsideration requests that have been approved by the ICANN board in the history of the mechanism.
However, the board may be feeling especially diligent when it comes to look at this particular RfR, due to the spotlight that was recently shone on the Reconsideration process by an Independent Review Process panel, which determined that the board just rubber-stamped decisions written by house lawyers.