Latest news of the domain name industry

Recent Posts

Criminal .uk suspensions down this year

Kevin Murphy, November 26, 2019, Domain Registries

Nominet suspended fewer .uk domain names due to reports of criminality in the last 12 months that in did in the prior period.
The registry said last week that is suspended 28,937 domains in the year to the end of October, down from 32,813 in the 2018 period.
That’s 0.22% of all .uk names, Nominet said.
As usual, complaints about intellectual property infringement — filed by copyright owners to the IP cops and handed to Nominet — account for the vast majority of takedowns, some 28,606 in the period.
The rest were suspended due to complaints about fraud, trading standards, financial conduct and healthcare products.
Only 16 requests were denied by Nominet, down from 114 in the previous year, and only five false-positive suspensions were reversed.
The controversial ban on “rape” domains resulted in 1,600 new regs getting automatically flagged, but zero getting suspended.
There were no requests from the Internet Watch Foundation to take down child sexual abuse material.
Nominet’s newish automated anti-phishing system, which uses pattern recognition to flag potential phishing domains at point of registration, saw 2,668 domains suspended before going live, of which 274 were released after the registrant passed due diligence checks.

Crunch time, again, for Whois access policy

Kevin Murphy, October 14, 2019, Domain Policy

Talks seeking to craft a new policy for allowing access to private Whois data have hit another nodal point, with the community now pressuring the ICANN board of directors for action.
The Whois working group has more or less decided that a centralized model for data access, with ICANN perhaps acting as a clearinghouse, is the best way forward, but it needs to know whether ICANN is prepared to take on this role and all the potential liabilities that come with it.
Acronym time! The group is known as the Whois EPDP WG (for Expedited Policy Development Process Working Group) and it’s come up with a rough Whois access framework it’s decided to call the Standardized System for Access and Disclosure (SSAD).
Its goal is to figure out a way to minimize the harms that Europe’s General Data Protection Regulation allegedly caused to law enforcement, IP owners, security researchers and others by hiding basically all gTLD registration data by default.
The SSAD, which is intended to be as automated as possible, is the working group’s proposed way of handling this.
The “hamburger model” the EPDP has come up with sees registries/registrars and data requestors as the top and bottom of the sandwich (or vice versa) with some yet-to-be-decided organizational patty filling acting as an interface between the two.
The patty would handle access control for the data requests and be responsible for credentialing requestors. It could either be ICANN acting alone, or ICANN coordinating several different interface bodies (the likes of WIPO have been suggested).
Should the burger be made only of mashed-up cow eyelids, or should it incorporate the eyelids of other species too? That’s now the question that ICANN’s board is essentially being posed.
Since this “phase two” work kicked off, it’s taken about five months, 24 two-hour teleconferences, and a three-day face-to-face meeting to get to this still pretty raw, uncooked state.
The problem the working group is facing now is that everyone wants ICANN to play a hands-on role in running a centralized SSAD system, but it has little idea just how much ICANN is prepared to get involved.
The cost of running such a system aside, legislation such as GDPR allows for pretty hefty fines in cases of privacy breaches, so there’s potentially a big liability ask of notoriously risk-averse ICANN.
So the WG has written to ICANN’s board of directors in an attempt to get a firm answer one way or the other.
If the board decided ICANN should steer clear, the WG may have to go back more or less to square one and focus on adapting the current Whois model, which is distributed among registrars and registries, for the post-GDPR world.
How much risk and responsibility ICANN is willing to absorb could also dictate which specific SSAD models the WG pursues in future.
There’s also a view that, with no clarity from ICANN, the chance of the WG reaching consensus is unlikely.
This will be a hot topic at ICANN 66 in Montreal next month.
Expect the Governmental Advisory Committee, which had asked for “considerable and demonstrable progress, if not completion” of the access model by Montreal, to be disappointed.

PwC wants to be your Whois gatekeeper

Kevin Murphy, June 11, 2019, Domain Services

PricewaterhouseCoopers has built a Whois access system that may help domain name companies and intellectual property interests call a truce in their ongoing battle over access to private Whois data.
Its new TieredAccess Platform will enable registries and registrars to “outsource the entire process of providing access to non-public domain registration data”.
That’s according to IP lawyer Bart Lieben, partner at the Belgian law firm ARTES, who devised the system and is working with PwC to develop it.
The offering is designed to give trademark lawyers access to the data they lust after, while also reducing costs and mitigating domain name industry liability under the General Data Protection Regulation.
TieredAccess would make PwC essentially the gatekeeper for all requests for private Whois data (at least, in the registries plugged into the platform) coming from the likes of trademark owners, security researchers, lawyers and law enforcement agencies.
At one end, these requestors would be pre-vetted by PwC, after which they’d be able to ask for unredacted Whois records using PwC as an intermediary.
They’d have to pick from one of 43 pre-written request scenarios (such as cybersquatting investigation, criminal probe or spam prevention) and assert that they will only use the data they obtain for the stated purposes.
At the other end, registries and registrars will have adopted a set of rules that specify how such requests should be responded to.
A ruleset could say that cops get more access to data than security researchers, for example, or that a criminal investigation is more important than a UDRP complaint.
PwC has created a bunch of templates, but registrars and registries would be able to adapt these policies to their own tastes.
Once the rules are put in place, and the up-front implementation work has been done to plug PwC into their Whois servers, they wouldn’t have to worry about dealing with Whois requests manually as most are today. The whole lot would be automated.
Not even PwC would have human eyes on the requests. The private data would only be stored temporarily.
One could argue that there’s the potential for abusive or non-compliant requests making it through, which may give liability-nervous companies pause.
But the requests and response metadata would be logged for audit and compliance, so abusive users could be fingered after the act.
Lieben says the whole system has been checked for GDPR compliance, assuming its prefabricated baseline scenarios and templates are adopted unadulterated.
He said that the PwC brand should give clients on both sides “peace of mind” that they’re not breaking privacy law.
If a registrar requires an affidavit before releasing data, the assertions requestors make to PwC should tick that box, he said.
Given that this is probably a harder sell to the domain name industry side of the equation, it’s perhaps not surprising that it’s the requestors that are likely to shoulder most of the cost burden of using the service.
Lieben said a pricing model has not yet been set, but that it could see fees paid by registrars subsidized by the fees paid by requestors.
There’s a chance registries could wind up paying nothing, he said.
The project has been in the works since September and is currently in the testing phase, with PwC trying to entice registries and registrars onto the platform.
Lieben said some companies have already agreed to test the service, but he could not name them yet.
The service was developed against the backdrop of ongoing community discussions within ICANN in the Expedited Policy Development Working group, which is trying to create a GDPR-compliant policy for access to private Whois records.
ICANN Org has also made it known that it is considering making itself the clearinghouse for Whois queries, to allow its contracted parties to offload some liability.
It’s quite possible that once the policies are in place, ICANN may well decide to outsource the gatekeeper function to the likes of PwC.
That appears to be what Lieben has in mind. After all, it’s what he did with the Trademark Clearinghouse almost a decade ago — building it independently with Deloitte while the new gTLD rules were still being written and then selling the service to ICANN when the time came.
The TieredAccess service is described in some detail here.

US and EU call for Whois to stay alive

Kevin Murphy, January 31, 2018, Domain Policy

Government officials from both sides of the Atlantic have this week called on ICANN to preserve Whois as it currently is, in the face of incoming EU privacy law, at least for a select few users.
The European Commission wrote to ICANN to ask for a “pragmatic and workable solution” to the apparent conflict between the General Data Protection Regulation and the desire of some folks to continue to access Whois as usual.
Three commissioners said in a letter (pdf) that special consideration should be given to “public interests” including “ensuring cybersecurity and the stability of the internet, preventing and fighting crime, protecting intellectual property and copyright, or enforcing consumer protection measures”.
David Redl, the new head of the US National Telecommunications and Information Administration, echoed these concerns in a speech at the State of the Net conference in Washington DC on Monday.
Redl said that the “preservation of the Whois service” is one of NTIA’s top two priorities at the moment. The other priority is pressing for US interests in the International Telecommunications Union, he said.
Calling Whois “a cornerstone of trust and accountability for the Internet”, Redl said the service “can, and should, retain its essential character while complying with national privacy laws, including the GDPR.”
“It is in the interests of all Internet stakeholders that it does,” he said. “And for anyone here in the US who may be persuaded by arguments calling for drastic change, please know that the US government expects this information to continue to be made easily available through the Whois service.”
He directly referred to the ability of regular internet users to access Whois for consumer protection purposes in his speech.
The European Commission appears to be looking at a more restrictive approach, but it did offer some concrete suggestions as to how GDPR compliance might be achieved.
For example, the commissioners’ letter appears to give tacit approval to the idea of “gated” access to Whois, but called for access by law enforcement to be streamlined and centralized.
It also suggests throttling as a mechanism to reduce abuse of Whois data, and makes it clear that registrants should always be clearly informed how their personal data will be used.
The deadline for GDPR compliance is May this year. That’s when the ability of EU countries to start to levy fines against non-compliant companies, which could run into millions of euros, kicks in.
While ICANN has been criticized by registries and registrars for moving too slowly to give them clarity on how to be GDPR-compliant while also sticking to the Whois provisions of their contracts, its pace has been picking up recently.
Two weeks ago it called for comments on three possible Whois models that could be used from May.
That comment period ended on Monday, and ICANN is expected to publish the model upon which further discussions will be based today.

Cops tell Nominet to yank 16,000 domains, Nominet complies

Kevin Murphy, November 15, 2017, Domain Registries

Nominet suspended over 16,000 .uk domain names at the request of law enforcement agencies in the last year.
The registry yanked 16,632 domains in the 12 months to October 31, more than double the 8,049 it suspended in the year-earlier period.
The 2016 number was in turn more than double the 2015 number. The 2017 total is more than 16 times the number of suspended domains in 2014, the first year in which Nominet established this cozy relationship with the police.
The large majority of names — 13,616 — were suspended at the request of the Police Intellectual Property Crime Unit. Another 2,781 were taken down on the instruction of National Fraud Intelligence Bureau.
Nominet has over 12 million .uk domains under management, so 16,000 names is barely a blip on the radar overall.
But the fact that police can have domains taken down in .uk with barely any friction does not appear to be acting as a deterrent to bad actors when they choose their TLD.
The registry said that just 15 suspensions were reversed — which requires the consent of the reporting law enforcement agency — during the period. That’s basically flat on 2016.
“A suspension is reversed if the offending behavior has stopped and the enforcing agency has since confirmed that the suspension can be lifted,” the company said.
The company does not publish data on how many registrants requested a reversal and didn’t get one, nor does it publish any of the affected domains, so we have no way of knowing whether there’s any ambiguity or overreach in the types of domains the police more or less unilaterally have taken down.
It seems that the only reasons suspension requests do not result in suspensions are when domains have already been suspended or have already been transferred to an IP rights holder by court order. There were 32 of those in the last 12 months, half 2016 levels.
The separate, ludicrously onerous preemptive ban on domains that appear to encourage sexual violence resulted in just two suspensions in the last year, bringing the total new domains suspended under the rule since 2014 to just six.
Some poor bugger at Nominet had to trawl through 3,410 new registrations containing strings such as “rape” in 2017 to achieve that result, up from 2,407 last year.

ICANN loosens Whois privacy rules for registrars

Kevin Murphy, April 20, 2017, Domain Policy

ICANN has made it easier for registries and registrars to opt-out of Whois-related contractual provisions when they clash with local laws.
From this week, accredited domain firms will not have to show that they are being investigated by local privacy or law enforcement authorities before they can request a waiver from ICANN.
Instead, they’ll be also be able to request a waiver preemptively with a statement from said authorities to the effect that the ICANN contracts contradict local privacy laws.
In both cases, the opt-out request will trigger a community consultation — which would include the Governmental Advisory Committee — and a review by ICANN’s general counsel, before coming into effect.
The rules are mainly designed for European companies, as the EU states generally enjoy stricter privacy legislation than their North American counterparts.
European registrars and registries have so far been held to a contract that may force them to break the law, and the only way to comply with the law would be to wait for a law enforcement proceeding.
ICANN already allows registrars to request waivers from the data retention provisions of the 2013 Registrar Accreditation Agreement — which require the registrar to hold customer data for two years after the customer is no longer a customer.
Dozens of European registrars have applied for and obtained this RAA opt-out.

Registrants guilty until proven innocent, say UK cops

Kevin Murphy, August 19, 2015, Domain Registrars

UK police have stated an eyebrow-raising “guilty until proven innocent” point of view when it comes to domain name registrations, in comments filed recently with ICANN.
In a Governmental Advisory Committee submission (pdf) to a review of the Whois accuracy rules in the Registrar Accreditation Agreement, unspecified “UK law enforcement” wrote:

Internet governance efforts by Industry, most notably the ICANN 2013 RAA agreement have seen a paradigm shift in Industry in the way a domain name is viewed as “suspicious” before being validated as “good” within the 15 day period of review.
UK law enforcement’s view is that a 45 day period would revert Industry back to a culture of viewing domains “good” until they are proven “bad” therefore allowing crime to propagate and increase harm online.

The GAC submission was made August 13 to a public comment period that closed July 3.
The Whois Accuracy Program Specification Review had proposed a number of measures to bring more clarity to registrars under the 2013 RAA.
One such measure, proposed by the registrars, was to change the rules so that registrars have an extra 30 days — 45 instead of 15 — to validate registrants’ contact information before suspending the domain.
That’s what the UK cops — and the GAC as a whole — don’t like.
They have a point, of course. Criminals often register domains with bogus contact information with the expectation that the domains will not have a long shelf life. Fifteen days is actually quite generous if you want to stop phishing attacks, say.
The Anti-Phishing Working Group says phishing attacks have an average up-time of 29 hours.
Clearly, ICANN’s Whois accuracy program is doing little to prevent phishing as it is; a switch to 45 days would presumably have little impact.
But the number of domains suspended for lack of accuracy at any given time is estimated to be in the hundreds of thousands, and registrars say it’s mostly innocent registrants who are affected.
Verisign said this March that .com domains “on hold” grew from roughly 394,000 names at the end of 2013 to about 870,000 at the end of 2014.
In June 2014, registrars claimed that over 800,000 domains had been suspended for want of Whois accuracy in the first six months the policy was in place.

Are Whois email checks doing more harm than good?

“Tens of thousands” of web sites are going dark due to ICANN’s new email verification requirements and registrars are demanding to know how this sacrifice is helping solve crimes.
These claims and demands were made in meetings between registrars and ICANN’s board and management at the ICANN 49 meeting in Singapore last week.
Go Daddy director of policy planning James Bladel and Tucows CEO Elliot Noss questioned the benefit of the 2013 Registrar Accreditation Agreement during a Tuesday session.
The 2013 RAA requires registrars to verify that registrants’ email addresses are accurate. If registrants do not respond to verification emails within 15 days, their domains are turned off.
There have been many news stories and blog posts recounting how legitimate webmasters found their sites gone dark due to an overlooked verification email.
Just looking at my Twitter stream for an “icann” search, I see several complaints about the process every week, made by registrants whose web sites and email accounts have disappeared.
Noss told the ICANN board that the requirement has created a “demonstrable burden” for registrants.
“If you cared to hear operationally you would hear about tens and hundreds of thousands of terrible stories that are happening to legitimate businesses and individuals,” he said.
Noss told DI today that Tucows is currently compiling some statistics to illustrate the scale of the problem, but it’s not yet clear what the company plans to do with the data.
At the Singapore meeting, he asked ICANN to go to the law enforcement agencies that demanded Whois verification in the first place to ask for data showing that the new rules are also doing some good.
“What crime has been forestalled?” he said. “What issues around fraud? We heard about pedophilia regularly from law enforcement. What has any of this done to create benefits in that direction?”
Registrars have a renewed concern about this now because there are moves afoot in other fora, such as the group working on new rules for privacy and proxy services, for even greater Whois verification.
Bladel pointed to an exchange at the ICANN meeting in Durban last July, during which ICANN CEO Fadi Chehade suggested that ICANN would not entertain requests for more Whois verification until law enforcement had demonstrated that the 2013 RAA requirements had had benefits.
The exact Chehade line, from the Durban public forum transcript, was:

law enforcement, before they ask for more, we put them on notice that they need to tell us what was the impact of what we did for them already, which had costs on the implementers.

Quoted back to himself, in Singapore Chehade told Bladel: “It will be done by London.”
Speaking at greater length, director Mike Silber said:

What I cannot do is force law enforcement to give us anything. But I think what we can do is press the point home with law enforcement that if they want more, and if they want greater compliance and if they want greater collaborations, it would be very useful to show the people going through the exercise what benefits law enforcement are receiving from it.

So will law enforcement agencies be able to come up with any hard data by London, just a few months from now?
It seems unlikely to me. The 2013 RAA requirements only came into force in January, so the impact on the overall cleanliness of the various Whois databases is likely to be slim so far.
I also wonder whether law enforcement agencies track the accuracy of Whois in any meaningfully quantitative way. Anecdotes and color may not cut the mustard.
But it does seem likely that the registrars are going to have data to back up their side of the argument — customer service logs, verification email response rates and so forth — by London.
They want the 2013 RAA Whois verification rules rethought and removed from the contract and the ICANN board so far seems fairly responsive to their concerns.
Law enforcement may be about to find itself on the back foot in this long-running debate.

ICANN helps bust Russian child porn ring

Kevin Murphy, October 24, 2013, Domain Policy

ICANN recently helped break up a Russian child pornography ring.
That’s according to a remarkable anecdote from CEO Fadi Chehade, speaking during a session at the Internet Governance Forum in Bali, Indonesia today.
The “investigative effort” took “months” and seems to have entailed ICANN staff sifting through company records and liaising with law enforcement and domain name companies on three continents.
Here’s the anecdote in full:

We participated in a global effort to break down a child pornography ring.
You think: what is ICANN doing with a child pornography ring? Well, simple answer: where does child pornography get put up? On a web site. Where’s that web site hosted? Well, probably at some hosting company that was given the web site name by a registrar that is hopefully a registrar or reseller in the ICANN network.
We have a public responsibility to help with that.
We have some of the smartest people in the world in that space.
It took us months to nail the child pornography ring.
It took us through LA to Panama. We had to work with the attorney general of Panama to find the roots of that company. One of our team members who speaks Spanish went into public company records until he found, connected — these are investigative efforts that we do with law enforcement — then we brought in the registrars, the registries… and it turned out that this ring was actually in Russia and then we had to involve the Russian authorities.
ICANN does all of this work quietly, in the background, for the public interest.

Wow.
At first I wasn’t sure what to make of this. On the one hand: this obviously excellent news for abused kids and ICANN should be congratulated for whatever role it took in bringing the perpetrators to justice.
On the other hand: is it really ICANN’s job to take a leading role in covert criminal investigations? Why are ICANN staffers needed to trawl through Panamanian company records? Isn’t this what the police are for?
ICANN is, after all, a technical coordination body that repeatedly professes to not want to involve itself in “content” issues.
Session moderator Bertrand de La Chappelle, currently serving out his last month on the ICANN board of directors, addressed this apparent disconnect directly, asking Chehade to clarify that ICANN is not trying to expand its role.
In response, Chehade seemed to characterize ICANN as something of an ad hoc coordinator in these kinds of circumstances:

There are many topics that there is no home for them to be addressed, so ICANN gets the pressure. People come to us and say: “Well you solve this, aren’t you running the internet?”
We are not running the internet. We do names and numbers. We’re a technical community, that’s what we do.
But the pressure is mounting on us. So it’s part of our goal to address the larger issues that we’re not part of, is to frankly keep us focused on our remit. In fact, ICANN should become smaller, not bigger. It should focus on what it does. The only area we should get bigger in is involving more people so we can truly say we’re legitimate and inclusive.
The bigger issues and the other issues of content and how the internet is used and who does what, we should be very much in the background. If there is a legal issue, if we are approached legally by an edict of a court or… if it’s a process we have to respond to it.
We don’t want to be instigating or participating or leading… we don’t, we really don’t.

A desire to make ICANN smaller doesn’t seem to tally with the rapid expansion of its global footprint of hubs and branch offices and the planned doubling of its staff count.
Indeed, the very next person to speak on today’s panel was Chehade’s senior advisor and head of communications Sally Costerton, who talked about her team doubling in size this year.
I don’t personally subscribe to the idea that ICANN should be shrinking — too much is being asked of it, even if it does stick to its original remit — but I’m also not convinced that it’s the right place to be be carrying out criminal investigations. That’s what the cops are for.

Cops say new gTLDs shouldn’t launch without a Big Brother RAA

Law enforcement agencies are not happy with the proposed 2013 Registrar Accreditation Agreement, saying it doesn’t go far enough to help them catch online bad guys.
Europol and the FBI told ICANN’s Governmental Advisory Committee yesterday that people need to have their full identities verified before they’re allowed to register domain names.
They added that new gTLDs shouldn’t be allowed to launch until a tougher RAA is agreed to and signed by registrars.
The draft 2013 RAA would force registrars to validate their customers’ email addresses or phone numbers after selling them a domain, but law enforcement thinks this is not enough.
“We need a bit more in this area,” Troels Oerting, head of Europol’s European Cybercrime Centre, told the GAC during a Sunday session. “We need a bit more to be verified in addition to the phone or email.”
“It’s very, very important that we are able to identify perpetrators able, to identify the originators, and it’s not enough that you just put in the email or phone,” he said.
He added that there should also be re-verification procedures and ongoing compliance monitoring from ICANN, and said that only registrars signing the 2013 RAA should be allowed to sell new gTLD domains.
Europol has sent a letter to ICANN (not yet published, it seems) outlining four areas it wants to see the RAA “improved”, Oerting said.
Given that many GAC members, including the US, seem to support this position, it’s yet another threat to ICANN’s new gTLD launch timetable, not to mention privacy and anonymous speech in general.
The law enforcement recommendations are not new, of course. They’ve been in play and GAC-endorsed for many years, but were watered down during ICANN’s RAA talks with registrars.