Recent Posts
- Com Laude buys Fairwinds
- Unstoppable wants to be a registry back-end
- Sixteen new gTLD bids could face the firing squad
- Registry to release one-letter domains tomorrow
- New ICANN funding rules will cost smaller ccTLDs more
- .ai rival lines up gTLD bid
- Team Internet lays off 200
- Sixteen more orgs vie for cheap gTLDs, but…
- So who’s registering sunrise domains these days?
- Cloud gTLD gets launch dates
- Governments say new gTLD program “credibility” at stake
- NIXI planning doomed new gTLD bids
- AI experts replace Chapman on ICANN board
- RDRS may not be dead
- Single-letter .com lawsuit thrown out of court
- Golding challenges McCarthy for Nominet board seat
- Three applicants qualify for cheapo gTLDs
- Blockchain crisis looming for new gTLD next round
- Two more dot-brands leave Verisign for GoDaddy
- ICANN looking at new bulk reg rules
- Reseller loss hits Tucows’ DUM but not revenue
- GoDaddy counts cost of losing .co deal
- Wine producers worried about new gTLDs
- Goodyear tires of its dot-brand
- Team Internet loses Radix to Tucows
- ICANN’s “review of reviews” kicks off
- Huge registrars flee from RDRS
- Namecheap loses attempt to bring back .org price caps
- Registrar shamed for alleged crypto abuse neglect
- Poblete’s ICANN board seat safe
- .com off to strong start in Q3
- .my is growing like crazy
- ICANN settles $77 million sexual harassment suit
- Chinese domain spikiness ends in first half
- Registrars agree to higher ICANN fees
- ICANN to review reviews after review review request fails
- Got junk? June’s biggest gTLD growers do
- ICANN ditches Oman due to Middle-East conflicts
- ICANN’s mighty overlord flexes on transparency
- ICANN faces first pushback over DEI U-turn
- Loads of firms flunk out of next-round gTLD back-end program
- presidenttrump.xxx among thousands of dead .xxx domains suddenly springing to life
- One of the dumbest gTLDs just switched back-ends
- GoDaddy loses .co to Team Internet
- Governments erect bulk-reg barrier to new gTLD next round
- Little interest in cheapo gTLD program
- US government opposes most new gTLDs
- GoDaddy loses last Amazon business to Identity Digital
- Third Amazon gTLD launch dates revealed
- .TOP promises to play nice on DNS abuse
- Court denies ICANN’s #MeToo “cover up” attempt
- Launch dates for two more Amazon gTLDs revealed
- An end to “Club Med for geeks” ICANN?
- Some people paid premiums for .hot domain hacks
- .io questions in sharp focus as UK signs Chagos treaty
- Big .gdn registrar at risk
- ICANN “reaffirms its commitment to diversity and inclusion”
- ICANN kills off diversity and inclusion
- Kaufmann picked for ICANN board
- Conflicted? STFU under new ICANN rules
- .hot is for hookers? Amazon’s first premium regs revealed
- Gname adds another 200 registrars
- New Pope’s .com domain was registered the day Francis died
- Two deadbeat registrars get their ICANN marching orders
- DotMusic has sold a lot of names, but not many are turned on
- .med is a deeply weird gTLD, but it wants to be more normal
- ICANN cuts off money to UASG
- Web.com getting dumped
- .es and .pt riding out massive power outage
- .com is back as Verisign discounts bear fruit
- Dot-brand actually being used to get deleted
- Verisign gave Trump $100,000
- Private Whois requests hit new low after Tucows quits RDRS
- Zoom says GoDaddy took it down for hours
- The Soviet Union might be safe after all
- Google says its ccTLDs “are no longer necessary”
- Facebook thinks ICANN is a bit rubbish
- ICANN spending $365,000 a year on coffee and booze
- Regulator going after suicide site that even Epik banned
- .ai sees $600,000 auction sales in a month
- Pru trims its dot-brand portfolio
- UK’s Nigel Hickson has died
- .blog registry ordered to change name to Knock Knock RDAP There
- WordPress buys Canadian, swaps CentralNic for CIRA
- Latest ICANN salary porn ruins my terrible pun
- .co deal worth $77 million up for grabs
- I get a wrongful kicking as .su registry denies turn-off plan
- Sales and profits dip at Team Internet
- Four deadbeat registrars get terminated
- “No timeline” to retire Soviet Union from the DNS
- ICANN to kill off 60-day domain transfer lock
- Lancaster bags up its dot-brand
- Google readying its next batch of gTLD launches?
- NomCom confirms Americans rejected from ICANN board
- Nova announces $45 million of new gTLD applications
- Registry makes .ai an option for Koreans
- it.com now bigger than Guatemala
- ICANN turns to AI and crowdsourcing for new gTLD program
- Amazon lawyer DiBiase elected to ICANN board
- Is .io safe now? Identity Digital now running Mauritian ccTLD
- Tucows quits ICANN’s Whois disclosure pilot
- Toshiba goes all-in on its dot-brand
- Google scuppers Team Internet acquisition after profit warning
- .ai channel doubles under new management
- Trump inclined to back deal that threatens .io
- As .com shrinks, China adds another 1.2 million domains
- Second new gTLD contention set revealed
- UK intros global domain takedown law
- No more Americans as Holland wins ICANN board seat
- Registries have started shutting down Whois
- ICANN wins IRP because complainant literally doesn’t exist
- .com could return to growth this quarter
- Could Musk’s DOGE kill off D3’s .doge?
- $2 million Christmas bonus for ICANN
- Another VW car dot-brand crashes out
- Largest back-end switch EVER as GoDaddy loses deal
- Yeah, we got phished, ICANN admits after crypto hack
- ICANN hacked to promote crypto scam
- Super Bowl a bit of a dud for .com?
- More gloom predicted for .com
- These are the .gov domains Trump has deleted so far
- Did Trump just create the world’s next ccTLD?
- $3,000 to do a Whois lookup?
- PIR to join GlobalBlock, but its crown jewel won’t
- LA wildfire victims get domain deletes delay
Is ICANN over-reacting to Whois privacy law?
Is ICANN pushing the domain industry to over-comply with the European Union’s incoming General Data Protection Regulation privacy law?
Governments and plenty of intellectual property and business lobbyists think so.
After days of criticism from unhappy IP lawyers, ICANN’s public meeting in Puerto Rico last week was capped with a withering critique of the organization’s proposed plan for the industry to become GDPR compliant as pertains Whois.
The Governmental Advisory Committee, in unusually granular terms, picked apart the plan in its usual formal, end-of-meeting advice bomb, which focused on making sure law enforcement and IP owners continue to get unfettered Whois access after GDPR kicks in in May.
Key among the GAC’s recommendations (pdf) is that the post-GDPR public Whois system should continue to publish the email address of each domain registrant.
Under ICANN’s plan — now known as the “Cookbook” — that field would be obscured and replaced with a contact form or anonymized email address.
The GAC advised ICANN to “reconsider the proposal to hide the registrant email address as this may not be proportionate in view of the significant negative impact on law enforcement, cybersecurity and rights protection;”.
But its rationale for the advice is a little wacky, suggesting that email addresses under some unspecified circumstances may not contain “personal data”:
publication of the registrant’s email address should be considered in light of the important role of this data element in the pursuit of a number of legitimate purposes and the possibility for registrants to provide an email address that does not contain personal data.
That’s kinda like saying your mailing address and phone number aren’t personal data, in my view. Makes no sense.
The GAC advice will have won the committee friends in the Intellectual Property Constituency and Business Constituency, which throughout ICANN 61 had been pressuring ICANN to check whether removing email addresses from public Whois was strictly necessary.
ICANN is currently acting as a non-exclusive middleman between community members and the 20-odd Data Protection Authorities — which will be largely responsible for enforcing GDPR — in the EU.
It’s running compliance proposals it compiles from community input past the DPAs in the hope of a firm nod, or just some crumbs of guidance.
But the BC and IPC have been critical that ICANN is only submitting a single, rather Draconian proposal — one which would eschew email addresses from the public Whois — to the DPAs.
In a March 13 session, BC member Steve DelBianco pressed ICANN CEO Goran Marby and other executives and directors repeatedly on this point.
“If they [the DPAs] respond ‘Yes, that’s sufficient,’ we won’t know whether it was necessary,” DelBianco said, worried that the Cookbook guts Whois more than is required.
ICANN general counsel John Jeffrey conceded that the Cookbook given to the DPAs only contains one proposal, but said that it also outlines the “competing views” in the ICANN community on publishing email addresses and asks for guidance.
But email addresses are not the only beef the GAC/IPC/BC have with the ICANN proposal.
On Thursday, the GAC also advised that legal entities that are not “natural persons” should continue to have their full information published in the public Whois, on the grounds that GDPR only applies to people, not organizations.
That’s contrary to ICANN’s proposal, which for pragmatic reasons makes no distinction between people and companies.
There’s also the question of whether the new regime of Whois privacy should apply to all registrants, or just those based in the European Economic Area.
ICANN plans to give contracted parties the option to make it apply in blanket fashion worldwide, but some say that’s overkill.
Downtime for Whois?
While there’s bickering about which fields should be made private under the new regime, there doesn’t seem to be any serious resistance to the notion that, after May, Whois will become a two-tier system with a severely depleted public service and a firewalled, full-fat version for law enforcement and whichever other “legitimate users” can get their feet in the door.
The problem here is that while ICANN envisions an accreditation program for these legitimate users — think trademark lawyers, security researchers, etc — it has made little progress towards actually creating one.
In other words, Whois could go dark for everyone just two months from now, at least until the accreditation program is put in place.
The GAC doesn’t like that prospect.
It said in its advice that ICANN should: “Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties”.
But ICANN executives said in a session on Thursday that the org plans to ask the DPAs for a deferral of enforcement of GDPR over Whois until the domain industry has had time to come into compliance while continuing to grant access to full Whois to police and special interests.
December appears to be the favored date for this proposed implementation deadline, but ICANN is looking for feedback on its timetable by this coming Friday, March 23.
But the IPC/BC faction are not stting on their hands.
Halfway through ICANN 61 they expressed support for a draft accreditation model penned by consultant Fred Felman, formerly of brand protection registrar MarkMonitor.
The model, nicknamed “Cannoli” (pdf) for some reason, unsurprisingly would give full Whois access to anyone with enough money to afford a trademark registration, and those acting on behalf of trademark owners.
Eligible accreditees would also include security researchers and internet safety organizations with the appropriate credentials.
Once approved, accredited Whois users would have unlimited access to Whois records for defined purposes such as trademark enforcement or domain transfers. All of their queries would be logged and randomly audited, and they could lose accreditation if found to be acting outside of their legitimate purpose.
But Cannoli felt some resistance from ICANN brass, some of whom pointed out that it had been drafted by just one part of the community
“If the community — the whole community — comes up with an accreditation model we would be proud to put that before the DPAs,” Marby said during Thursday’s public forum in Puerto Rico.
It’s a somewhat ironic position, given that ICANN was just a few weeks ago prepared to hand over responsibility for creating the first stage of the accreditation program — covering law enforcement — wholesale to the GAC.
The GAC’s response to that request?
It’s not interested. Its ICANN 61 communique said the GAC “does not envision an operational role in designing and implementing the proposed accreditation programs”.
Now Latvia guts Whois to comply with GDPR
Latvia has become the latest country to announce plans to cut back on Whois provision to comply with incoming European Union privacy law.
Its .lv ccTLD is the first I’m aware of to announce that it plans to cut back on the amount of data it actually collects in addition to how much it publishes.
NIC.lv said it will not longer require registrants to submit one postal address, instead of two. It will not longer require a something called a “fax” number, whatever that is, either.
The registry currently does not publish the names or physical addresses of its natural person registrants, but following the introduction of the General Data Protection Regulation in May it will stop publishing telephone numbers and email addresses too.
It will instead present a form that can be used to contact the registrant, a little like ICANN is proposing for gTLDs.
The company also plans to rate-limit Whois queries to mitigate harvesting.
The proposed changes are open for comments until April 12.
.lv has about 120,000 domains under management, according to its web site.
Austria to stop publishing most Whois data
Austrian ccTLD operator nic.at will no longer publish any Whois information for individual registrants, in order to comply with incoming EU privacy law.
“Natural persons’ data will no longer be published from mid-May 2018,” the company said today.
Data concerning legal entities such as companies will continue to be published, it added.
The move is of course an effort to become compliant with the General Data Protection Regulation, which currently has the industry scrambling around in the dark looking for ways avoid avoid millions of euros of potential fines.
nic.at will continue to collect the private data of individual registrants, but it will only publish technical information such as the name of the registrar and name servers in response to public Whois queries.
Companies will have their names and addresses published, but will have the option to have their email address and phone number hidden.
nic.at said it will disclose records to “law enforcement agencies, lawyers or people who contact nic.at following domain disputes and can prove that their rights have been infringed”.
People will be able to opt-in to having their information published
It’s arguably a more Draconian implementation of GDPR than the one proposed by ICANN for gTLDs, but it appears to be in line with plans already announced by Nominet for .uk and DENIC for .de.
Lawyer: GoDaddy Whois changes a “critical” contract breach
GoDaddy is in violation of its ICANN registrar contract by throttling access to its Whois database, according to a leading industry lawyer.
Brian Winterfeldt of the Winterfeldt IP Group has written to ICANN to demand its compliance team enforces what he calls a “very serious contractual breach”.
At issue is GoDaddy’s recent practice, introduced in January, of masking key fields of Whois when accessed in an automated fashion over port 43.
The company no longer shows the name, email address or phone number of its registrants over port 43. Web-based Whois, which has CAPTCHA protection, is unaffected.
It’s been presented as an anti-spam measure. In recent years, GoDaddy has been increasingly accused (wrongly) of selling customer details to spammers pitching web hosting and SEO services, whereas in fact those details have been obtained from public Whois.
But many in the industry are livid about the changes.
Back in January, DomainTools CEO Tim Chen told us that, even as a white-listed known quantity, its port 43 access was about 2% of its former levels.
And last week competing registrar Namecheap publicly complained that Whois throttling was hindering inbound transfers from GoDaddy.
Winterfeldt wrote (pdf) that “nothing in their contract permits GoDaddy to mask data elements, and evidence of illegality must be obtained before GoDaddy is permitted to throttle or deny
port 43 Whois access to any particular IP address”, adding:
The GoDaddy whitelist program has created a dire situation where businesses dependent upon unmasked and robust port 43 Whois access are forced to negotiate wholly subjective terms for access, and are fearful of filing complaints with ICANN because they are reticent to publicize any disruption in service, or because they fear retaliation from GoDaddy…
This is a very serious contractual breach, which threatens to undermine the stability and security of the Internet, as well as embolden other registrars to make similar unilateral changes to their own port 43 Whois services. It has persisted for far too long, having been officially implemented on January 25, 2018. The tools our communities use to do our jobs are broken. Cybersecurity teams are flying blind without port 43 Whois data. And illegal activity will proliferate online, all ostensibly in order to protect GoDaddy customers from spam emails. That is completely disproportionate and unacceptable
He did not disclose which client, if any, he was writing on behalf of, presumably due to fear of reprisals.
He added that his initial outreaches to ICANN Compliance have not proved fruitful.
ICANN said last November that it would not prosecute registrar breaches of the Whois provisions of the Registrar Accreditation Agreements, subject to certain limits, as the industry focuses on becoming compliant with the General Data Protection Regulation.
But GoDaddy has told us that the port 43 throttling is unrelated to GDPR and to the compliance waiver.
Masking Whois data, whether over port 43 or not, is likely to soon become a fact of life anyway. ICANN’s current proposal for GDPR compliance would see public Whois records gutted, with only accredited users (such as law enforcement) getting access to full records.
Whois privacy will soon be free for most domains
Enormous changes are coming to Whois that could mark the end of Whois privacy services this year.
ICANN has proposed a new Whois model that would anonymize the majority of domain name registrants’ personal data by default, only giving access to the data to certain certified entities such as the police.
The model, published on Friday and now open for comment, could change in some of the finer details but is likely being implemented already at many registries and registrars.
Gone will be the days when a Whois lookup reveals the name, email address, physical address and phone number of the domain’s owner.
After the model is implemented, Whois users will instead merely see the registrant’s state/province and country, organization (if they have one) and an anonymized, forwarding email address or web form for contact purposes.
Essentially, most Whois records will look very much like those currently hiding behind paid-for proxy/privacy services.
Technical data such as the registrar (and their abuse contact), registration and expiry dates, status code, name servers and DNSSEC information would still be displayed.
Registrants would have the right to opt in to having their full record displayed in the public Whois.
Anyone wanting to view the full record would have to be certified in advance and have their credentials stored in a centralized clearinghouse operated by or for ICANN.
The Governmental Advisory Committee would have a big hand in deciding who gets to be certified, but it would at first include law enforcement and other governmental agencies.
This would likely be expanded in future to include the likes of security professionals and intellectual property lawyers (still no word from ICANN how the legitimate interests of the media or domain investors will be addressed) but there could be a window in which these groups are hamstrung by a lack of access to thick records.
The proposed model is ICANN’s attempt to bring Whois policy, which is enforced in its contracts with registries and registrars, into line with GDPR, the European Union’s General Data Protection Regulation, which kicks in fully in May.
The model would apply to all gTLD domains where there is some connection to the European Economic Area.
If the registrar, registry, registrant or a third party processor such as an escrow agent is based in the EEA, they will have to comply with the new Whois model.
Depending on how registrars implement the model in practice (they have the option to apply it to all domains everywhere) this means that the majority of the world’s 188 million gTLD domains will probably be affected.
While GDPR applies to only personal data about actual people (as opposed to legal persons such as companies), the ICANN model makes no such distinction. Even domains owned by legal entities would have their records anonymized.
The rationale for this lack of nuance is that even domains owned by companies may contain personal information — about employees, presumably — in their Whois records.
Domains in ccTLDs with EEA connections will not be bound to the ICANN model, but will rather have to adopt it voluntarily or come up with their own ways to become GDPR compliant.
The two largest European ccTLDs — .uk and Germany’s .de, which between them account for something like 28 million domains — last week separately outlined their plans.
Nominet said that from May 25 it will no longer publish the name or contact information of .uk registrants in public Whois without their explicit consent. DENIC said something similar too.
Here’s a table of what would be shown in public Whois, should the proposed ICANN model be implemented.
[table id=50 /]
The proposal is open for comment, with ICANN CEO Goran Marby requesting emailed input before the ICANN 61 public meeting kicks off in Puerto Rico this weekend.
With just a couple of months left before the law, with its huge fines, kicks in, expect GDPR to be THE hot topic at this meeting.
ICANN would reject call for “diversity” office
ICANN’s board of directors would reject a call for an “Office of Diversity”, due to its current budget crunch.
The board said as much in remarks filed to a public comment period that got its final report this week.
The report of the CCWG-Accountability Work Stream 2 working group had recommended several potential things ICANN could do to improve diversity in the community, largely focused on collecting and publishing data on diversity.
“Diversity” for the purposes of the recommendations does not have the usual racial connotations of the word. Instead it means: geography, language, gender, age, physical disability, skills and stakeholder group.
Some members of the working group had proposed an independent diversity office, to ensure ICANN sticks to diversity commitments, but this did not gain consensus support and was not a formal recommendation.
Some commenters, including (in a personal capacity) a current vice chair of the Governmental Advisory Committee and a former ICANN director, had echoed the call for an office of diversity.
But ICANN’s board said it would not be able to support such a recommendation:
Given the lack of clarity around this office, lack of consensus support within the subgroup (and presumably within the CCWG-Accountability and the broader community), and noting the previously-mentioned budget and funding constraints and considerations, the Board is not in a position to accept this item if it were to be presented as a formal consensus-based recommendation
In general terms, it encouraged the working group to consider ICANN’s “limited funding” when it makes its final recommendations.
It added that it may be difficult for ICANN to collect personal data on community members, in light of the General Data Protection Regulation, the EU privacy law that kicks in this May.
All the comments on the report can be found here.
Why are you doing that Whois search? DENIC wants to know
In a taste of what might be coming under EU privacy legislation, DENIC wants you to jump through some new hoops before it lets you see Whois data.
When doing a Whois query on its web site today, the German ccTLD registry first asks you to answer the question: “How do you justify your legitimate interest in accessing the whois data?”
It’s a multiple-choice question, with an extra field for typing in your reasons for doing the query.
Possible answers include “because you think that the use of the domain raises a legal problem”, which appears to be for trademark lawyers, and “because you want to collect information about the domain holder for business purposes”, which appears to be for domainers.
There’s no wrong answer that will deny you access to the Whois record you want to see, but users are warned that their use of Whois data is only to be for “legitimate purposes”, under pain of legal action.
A DENIC spokesperson told DI that the new system was introduced today “for statistical reasons”
“Its aim is just to get a better idea of the DENIC whois usage pattern and of the extent to which different user groups are utilising the extended service,” she said.
The move should be viewed in the context of the incoming General Data Protection Regulation, an EU privacy law that becomes fully implemented in May this year.
While there’s been a lot of focus on how this will effect ICANN and its harem of contracted gTLDs, it’s easy to forget that it affects ccTLDs just as much.
By conducting this mandatory survey of real Whois users, DENIC will presumably be able to gather some useful data that will inform how it stays GDPR-compliant after May.
US and EU call for Whois to stay alive
Government officials from both sides of the Atlantic have this week called on ICANN to preserve Whois as it currently is, in the face of incoming EU privacy law, at least for a select few users.
The European Commission wrote to ICANN to ask for a “pragmatic and workable solution” to the apparent conflict between the General Data Protection Regulation and the desire of some folks to continue to access Whois as usual.
Three commissioners said in a letter (pdf) that special consideration should be given to “public interests” including “ensuring cybersecurity and the stability of the internet, preventing and fighting crime, protecting intellectual property and copyright, or enforcing consumer protection measures”.
David Redl, the new head of the US National Telecommunications and Information Administration, echoed these concerns in a speech at the State of the Net conference in Washington DC on Monday.
Redl said that the “preservation of the Whois service” is one of NTIA’s top two priorities at the moment. The other priority is pressing for US interests in the International Telecommunications Union, he said.
Calling Whois “a cornerstone of trust and accountability for the Internet”, Redl said the service “can, and should, retain its essential character while complying with national privacy laws, including the GDPR.”
“It is in the interests of all Internet stakeholders that it does,” he said. “And for anyone here in the US who may be persuaded by arguments calling for drastic change, please know that the US government expects this information to continue to be made easily available through the Whois service.”
He directly referred to the ability of regular internet users to access Whois for consumer protection purposes in his speech.
The European Commission appears to be looking at a more restrictive approach, but it did offer some concrete suggestions as to how GDPR compliance might be achieved.
For example, the commissioners’ letter appears to give tacit approval to the idea of “gated” access to Whois, but called for access by law enforcement to be streamlined and centralized.
It also suggests throttling as a mechanism to reduce abuse of Whois data, and makes it clear that registrants should always be clearly informed how their personal data will be used.
The deadline for GDPR compliance is May this year. That’s when the ability of EU countries to start to levy fines against non-compliant companies, which could run into millions of euros, kicks in.
While ICANN has been criticized by registries and registrars for moving too slowly to give them clarity on how to be GDPR-compliant while also sticking to the Whois provisions of their contracts, its pace has been picking up recently.
Two weeks ago it called for comments on three possible Whois models that could be used from May.
That comment period ended on Monday, and ICANN is expected to publish the model upon which further discussions will be based today.
DomainTools scraps apps and APIs in war on spam
DomainTools is to scrap at least five of its services as it tries to crack down spam.
It’s getting rids of its mobile apps, its APIs, and is to stop showing registrants’ personal information to unauthenticated users.
CEO Tim Chen told us in an email at the weekend:
The Android app is no longer supported.
The iOS app will no longer be supported after February 20th.
The Developer API is no longer supported.
On February 20th, the Bulk Parsed Whois tool available to Personal Members will no longer be supported.
On February 20th, our production Whois API will no longer be available to individual membership levels, an Enterprise relationships will be required.
It’s all part of an effort to make sure DomainTools services are not being abused by spammers, which has lead to a dispute with GoDaddy over bulk access to its registrants’ Whois data.
The longstanding problem of new registrants getting spammed with calls and emails offering web hosting and such has escalated over the last few years. Domain Name Wire detailed the scale of the abuse registrants can experience in a post last week.
While to my knowledge nobody has directly accused DomainTools of facilitating such abuse, the scrapped services are the ones that would be most useful to these spammers.
The company is also going to scale back what guest users can see when they do a Whois lookup, and is to make automated scraping of Whois records more difficult for paying members.
In a blog post, Chen wrote last week:
As of today, unauthenticated users of the DomainTools Whois Lookup tool will not see personally identifiable information for the registrant parsed out in the results, and will be required to submit a CAPTCHA to see the full raw domain name Whois record. Phone numbers in the parsed results have been replaced with image files, much the same way emails have always been rendered
As well as hoping to ease relations with GoDaddy — the source of a very heavy chunk of DomainTools’ data — the moves are also part of the company’s strategy for dealing with the incoming General Data Protection Regulation.
This is the EU law that gives registrants more control over the privacy of their personal data.
Chen told us earlier this month that DomainTools is keen to ensure its enterprise-level suite of security products, which he said are vital for security and intellectual property investigations, continue to operatie under the new regime.
About 80% of DomainTools’ revenue comes from its enterprise-level customers, over 500 companies.
Three ways ICANN could gut Whois
ICANN has published three possible models of how Whois could be altered beyond recognition after European privacy law kicks in this May.
Under each model, casual Whois users would no longer have access to the wealth of contact information they do under the current system.
There may also be a new certification program that would grant access to full Whois records to law enforcement, consumer protection agencies and intellectual property interests.
The three models are each intended to address the General Data Protection Regulation, EU law that could see companies fined millions if they fail to protect the personal data of European citizens.
While GDPR affects all data collection on private citizens, for the domain name industry it’s particularly relevant to Whois, where privacy has always been an afterthought.
The three ICANN models, which are now subject to a short public comment period, differ from each other in three key areas: who has their privacy protected, which fields appear in public Whois by default, and how third parties such as law enforcement access the full records.
Model 1 is the most similar to the current system, allowing for the publication of the most data.
Under this model the name and postal address of the registrant would continue to be displayed in the public Whois databases.
Their email address and phone number would be protected, but the email and phone of the administrative and technical contacts — often the same person as the registrant — would be published.
If the registrant were a legal entity, rather than a person, all data fields would continue to be displayed as normal.
The other two models call for more restricted, or at least different, public output.
Under Model 2, the email addresses of the administrative and technical contacts would be published, but all other contact information, including the name of the registrant, would be redacted.
Model 3 proposes a crazy-sounding system whereby everything would be published unless the registrar/registry decided, on a domain-by-domain basis, that the field contained personal information.
This would require manual vetting of each Whois record and is likely to gather no support from the industry.
The three models also differ in how third parties with legitimate interests would access full Whois records.
Model 1 proposes a system similar to how zone files are published via ICANN’s Centralized Zone Data Service.
Under this model, users would self-certify that they have a legit right to the data (if they’re a cop or an IP lawyer, for example) and it would be up to the registry or registrar to approve or decline their request.
Model 2 envisages a more structured, formal, centralized system of certification for Whois users, developed with the Governmental Advisory Committee and presumably administered by ICANN.
Model 3 would require Whois users to supply a subpoena or court order in order to access records, which is sure to make it unpopular among the IP lobby and governments.
Each of the three models also differs in terms of the circumstances under which privacy is provided.
The models range from protecting records only when the registrant, registry, registrar or any other entity involved in the data processing has a presence in the European Economic Area to protecting records of all registrants everywhere regardless of whether they’re a person or a company.
Each model has different data retention policies, ranging from six month to two years after a registration expires.
None of the three models screw with registrars’ ability to pass data to thick-Whois registries, nor to their data escrow providers.
ICANN said it’s created these models based on the legal analyses it commissioned from the Hamilton law firm, as well as submissions from community members.
One such submission, penned by the German trade associated Eco, has received broad industry support.
It would provide blanket protection to all registrants regardless of legal status or location, and would see all personally identifiable information stripped from public Whois output.
Upon carrying out a Whois query, users would see only information about the domain, not the registrant.
There would be an option to request more information, but this would be limited to an anonymized email address or web form for most users.
Special users, such as validated law enforcement or IP interests, would be able to access the full records via a new, centralized Trusted Data Clearinghouse, which ICANN would presumably be responsible for setting up.
It’s most similar to ICANN’s Model 2.
It has been signed off by registries and registrars together responsible for the majority of the internet’s domain registrations: Afilias, dotBERLIN, CentralNic, Donuts, Neustar, Nominet, Public Interest Registry (PIR), Verisign, 1&1, Arsys, Blacknight, GoDaddy, Strato/Cronon, Tucows and United Domains.
ICANN said in a blog post that its three models are now open for public comment until January 29.
If you have strong opinions on any of the proposals, it might be a good idea to get them in as soon as possible, because ICANN plans to identify one of the models as the basis for the official model within 48 hours of the comment period closing.
Recent Comments