Latest news of the domain name industry

Recent Posts

Weak demand for private Whois data, ICANN data shows

Kevin Murphy, January 17, 2024, Domain Services

There were fewer than six requests for private Whois data per day in December, and most of those were denied, according to newly published ICANN data.

The disappointing numbers, which also show that only about 2.5% of accredited registrars are participating, show that ICANN’s new Registration Data Request Service is certainly off to a slow start.

RDRS launched in November. It’s a ticketing system that enables people to request unredacted private Whois data, with no guarantee the requests will be granted, from registrars via an ICANN portal.

As it’s a two-year trial, ICANN promised to publish usage data every month. The first such report was published today (pdf).

The report shows that 1,481 requester accounts have been created so far, but that just 174 requests were made in December — about 5.6 per day on average.

Almost a third of requesters were intellectual property interests, with domain investors at 4.5% and law enforcement at 8%. Security researchers accounted for 15% of requests.

The data shows that most requests — 80.47% — were marked as “Denied” by registrars, largely because the registrar needed more information from the requester before it could process their request. ICANN said RDRS has no visibility into whether data was ultimately handed over outside of the system.

The supply-side data isn’t particularly encouraging either. Only 72 registrars were participating in RDRS at the end of the year.

That’s 2.5% of the 2,814 registrar entities ICANN contracts with, but if we exclude the 2,000+ drop-catching shell registrars owned by the likes of TurnCommerce, Newfold Digital and Gname, participation might be more fairly said to be closer to 10%.

ICANN said that the 72 registrars, which include many of the largest, account for 53% of all registered gTLD domain names, so you might think requesters have a better-than-even chance of being able to use the system for any given domain.

That’s not the case. RDRS data requesters are finding that the domain they are querying belongs to a non-participating registrar far more often than not — 80% of queries through the system were for domains not in the system, the report shows.

And when the registrar is participating, chances are that the data request will be denied — 80% were denied versus just 11.72% approved and 1.56% partially approved.

It takes on average two days for a request to be denied and four days for a request to be approved, the report shows.

While the results to date are arguably disappointing, given the years of effort the ICANN community and staff put in to build this thing, it’s still early days.

I also think it quite likely some of the numbers have been skewed by both the Christmas and New Year holiday period and early-adopter requesters kicking the tires with spurious requests.

ICANN begs people to use its new Whois service

Kevin Murphy, December 20, 2023, Uncategorized

ICANN’s CEO has published an open letter encouraging the community to spread the word about its new Registration Data Request Service.

Sally Costerton explained (pdf) that RDRS is a “free, global, one-stop shop ticketing system” that hooks up people seeking private Whois data with the relevant registrar.

“I appreciate your attention to this new service and ask that you share this information with the relevant stakeholders in your organization,” she concludes.

The plea comes after the late-November launch of the system and the revelation that the system currently has far from blanket coverage from registrars.

“Use of the RDRS is voluntary, but I’m pleased to let you know that we have strong participation from registrars already,” Costerton wrote.

Since I published a blog post three weeks ago naming 25 large registrars not participating in RDRS, only Markmonitor has chosen to sign up, adding another one million domains to RDRS’s footprint.

But it turns out Chinese registrar Alibaba, which I was unable to check due to a bug or downtime somewhere, definitely is not participating, so there are still 25 out of the 40 registrars with over a million domains that are not participating.

Usage on the demand side is not known, but ICANN says it will publish regular monthly progress reports.

The RDRS is considered a pilot. It will run for at least two years before ICANN figures out whether it’s worth keeping.

Most registrars are shunning ICANN’s new Whois system

Kevin Murphy, November 30, 2023, Domain Policy

Most of the largest domain registrars are not currently participating in ICANN’s new Registration Data Request Service, according to my research.

I used the RDRS tool to check domains managed by every accredited registrar that has over a million domains under management and discovered that at least 25 out of these 40 registrars do not currently support the service.

The number may be 26, but RDRS did not recognize any domains managed by Chinese registrar Ali Baba as valid, giving instead a “domain does not exist” error message, even for alibaba.com itself.

In total, the 25 registrars coming up blank look after over 63 million gTLD domains, about 28% of the total.

Some very recognizable brands are not in the system.

Squarespace Domains II, the new name for the old Google Domains, the fourth-largest registrar, is the largest company not participating. Together with its original accreditation, Squarespace Domains, they have over 10 million domains under management.

TurnCommerce, GMO, IONOS, NameSilo, PDR, Gname, Dynadot, Wix, OVH, Register.com, FastDomain, Name.com, Domain.com, Hostinger, Sav.com, Xin Net, West.cn, Cronon, Domain Robot, Automattic, DNSPod, and Cloudflare are also not in the system.

Oh, and neither is Markmonitor.

While I only checked 40 registrars, not the full 2,702 that were active in the July registry transaction reports, I would expect the level of support to decline the lower down the list you get, particularly as hundreds of accreditations have a trivial number of domains or are merely aliases for companies already known to not support RDRS.

It’s quite possible some of the registrars I’ve named here are planning to sign up and have just been slow to do so, but they’ve had plenty of time — ICANN has been onboarding registrars since September 20.

The level of support from the registrar industry will be critical to judging whether the RDRS project is deemed a success.

In a recent letter to the GNSO Council discussing “success criteria” for the program, ICANN chair Tripti Sinha wrote (pdf):

The Board agrees that the participation of a sufficient number of registrars with a sufficient number of domain name registrations under management will be important with respect to gathering data.

On the bright side, GoDaddy, Tucows and Namecheap are on board, and that represents about 90 million domains. GoDaddy alone accounts for 65 million, slightly more than the combined total of the 25 large registrars that are not participating.

RDRS is a system designed to simplify the process of requesting non-public Whois data by passing all such requests to the relevant registrars through a central hub.

Of course, it’s only useful if the registrars are actually in the system.

ICANN’s private Whois data request service goes live

Kevin Murphy, November 28, 2023, Domain Registrars

ICANN has this evening gone live with its service that enables anyone to request private Whois data on any gTLD domain.

The Registration Data Request Service lets people request contact information on registrants that would otherwise be redacted in the public Whois due to laws such as the GDPR.

The press release announcing the launch seems to have come out an hour or two before the service actually became accessible, but it’s definitely live now and I’ve tried it out.

The system is defined largely by what it isn’t. It isn’t an automated way to get access to private data. It isn’t guaranteed to result in private data being released. It isn’t an easy workaround to post-GDPR privacy restrictions.

It is a way to request an unredacted Whois record knowing only the domain and not having to faff around figuring out who the registrar is and what their mechanisms and policies are for requesting the data.

After scaling back the extremely complex and expensive original community recommendations for a post-GDPR Whois service, ICANN based the RDRS on its now decade-old Centralized Zone Data Service, which acts as an intermediary between registries and people like myself who enjoy sniffing around in zone files.

The RDRS merely connects Whois data requestors — the default settings in the interface suggest that ICANN thinks they’ll mostly be people with court orders — with the registrars in charge of the domains they are interested in.

Anyone who has used CZDS will recognize the interface, but the requesting process is longer, more complex, and requires accepting more disclaimers and Ts&Cs. That said, it’s not particularly confusing.

At first glance, it looks fine. Slick, even. I’ve used it to submit a test request with GoDaddy for my own Whois data, specifying that whoever deals with the request is free to ignore it. Let’s see what happens.

Whois disclosure system coming this year?

Kevin Murphy, March 2, 2023, Domain Tech

ICANN has approved the creation of a Whois Disclosure System, almost six years after Europe’s GDPR rules tore up the rule book on Whois access.

The system is likely to face a name change before going live, due to the fact that it does not guarantee, nor process, the disclosure of private Whois data.

The board of directors passed a resolution February 27, a month later than expected, “to develop and launch the WHOIS Disclosure System (System) as requested by the GNSO Council within 11 months from the date of this resolution.”

That’s two months longer than earlier anticipated, but we’re still looking potentially at a live system that people can sign up for and use a year from now.

The system is expected to be based on the Centralized Zone Data Service that many of us have been using to request and download gTLD zone files for the last decade. While not perfect, CZDS gets the job done and has improved over the years.

The technology will be adapted to create what essentially amounts to a ticketing system, allowing the likes of IP lawyers to request unredacted Whois records. The requests would then be forwarded to the relevant registrar.

It’s an incredibly trimmed-down version of what Whois users had been asking for. Participation is voluntary on both sides of the transaction, and registrars are under no new obligations to approve requests.

If nobody uses the system, it could be turned off. ICANN Org has only been directed to run it for “for up to two years”. ICANN will collect and publish usage data to figure out whether it’s worth the quite substantial number of hours and dollars that have already gone into its development.

The actual cost of development and operation had been pegged at $3.3 million, but the board’s resolution states that most of the cost will be existing staff and excess costs will come from the Supplemental Fund for Implementation of Community Recommendations (SFICR).

ICANN expects to approve Whois Disclosure System next month

Kevin Murphy, December 20, 2022, Domain Policy

ICANN could be offering a centralized system for requesting private domain registration data as early as a year from now, a mere five and a half years after GDPR ruined the global Whois system for many.

The Org recently alluded to its “board’s anticipated January 2023 vote to move forward in implementing the new system to streamline the intake and routing of requests for access to nonpublic gTLD registration data” in a blog post.

It has previously stated that it will take nine months to develop and roll out the system, along with a three-month “ramp-up period”, but that preparatory work may have already started.

The system will be based on CZDS, the service that currently allows people to request zone file data from registries, and cost $3.3 million to develop and run for its anticipated two-year trial period.

Don’t expect it to be called the Whois Disclosure System though. Community feedback has been pretty clear that “disclosure” is an inappropriate word because the system merely manages requests and does not actually disclose anything.

It’s also going to be voluntary for both requesters and registrars/registries for now.

The system was previously known as SSAD Lite, a cut-down version of the community-recommended System for Standardized Access and Disclosure, which ICANN estimated would have cost infinity dollars and take a century to implement.

Registrars CAN charge for Whois, ICANN grudgingly admits

Kevin Murphy, December 1, 2022, Domain Registrars

ICANN is powerless to prevent registrars from charging for access to non-public Whois data, the Org has reluctantly admitted.

In a recent advisory, ICANN said it is “concerned” that registrars including Tucows have been charging fees to process requests for data that would otherwise be redacted in the free public Whois.

But it said there’s nothing in the Registrar Accreditation Agreement, specifically the Temporary Specification governing Whois in the post-GDPR world, that bans such services:

While the RAA explicitly requires access to public registration data directory services to be provided free of charge, the Temporary Specification does not specifically address the issue of whether or not a registrar may charge a fee for considering requests for access to redacted registration data.

So basic Whois results, with all the juicy info redacted, has to be free, but registrars can bill organizations who ask for the veil to be lifted. ICANN wrote:

ICANN org is concerned that registrars’ imposition of fees for consideration of requests for access to nonpublic gTLD registration data may pose an access barrier. Access to registration data serves the public interest and contributes to the security and stability of the Internet

The advisory calls out Tucows’ Tiered Access Compliance and Operations system, TACO, as the primary example of a registrar charging for data, but notes that others are too.

Not long after the advisory was published, Tucows posted an article in which it explained that the fees are necessary to cover the cost of the “thousands” of automated requests it has received in the last four years.

Charging fees for compliance with other forms of legal process is not uncommon in the industry, and the vast majority of requests for registration data (approximately 90%) continue to come from commercial litigation interests and relate to suspected intellectual property infringement.

Facebook, now Meta, was at first, and may still well be, a frequent bulk filer.

Tucows said that it “frequently” waives its fees upon request for “single-use requestors and private parties”.

Identity Digital publishes treasure trove of abuse data

Kevin Murphy, October 3, 2022, Domain Registries

Identity Digital, the old Donuts, has started publishing quarterly reports containing a wealth of data on reported abuse and the actions it takes in response.

The data for the second quarter, released (pdf) at the weekend, shows that the registry receives thousands of reports and suspends hundreds of domains for DNS abuse, but the number of domains it takes down for copyright infringement is quite small.

ID said that it received 3,007 reports covering 3,816 unique domains in the quarter, almost 93% of which related to phishing. The company said the complaints amounted to 0.024% of its total registered domains.

Most cases were resolved by third parties such as the registrar, hosting provider, or registrant, but ID said it suspended (put on “protective hold”) 746 domains during the period. In only 11% of cases was no action taken.

The company’s hitherto opaque “Trusted Notifier” program, which allows the Motion Picture Association and Recording Industry Association of America to request takedowns of prolific piracy sites resulted in six domain suspensions, all as a result of MPA requests.

The Internet Watch Foundation, which has similar privileges, resulted in 26 domains being reported for child sexual abuse material. Three of these were suspended, and the remainder were “remediated” by the associated registrar, according to ID.

The report also breaks down how many requests for private Whois data the company received, and how it processed them. Again, the numbers are quite low. Of requests for data on 44 domains, 18 were tossed for incompleteness, 23 were refused, and only three resulted in data being handed over.

Perhaps surprisingly, only two of the requests related to intellectual property. The biggest category was people trying to buy the domain in question.

This is a pretty cool level of transparency from ID and it’ll be interesting to see if its rivals follow suit.

Whois Disclosure System to cost up to $3.3 million, run for one year

Kevin Murphy, September 13, 2022, Domain Policy

ICANN has published its game plan for rolling out a Whois Disclosure System ahead of next week’s ICANN 75 public meeting in Kuala Lumpur.

The Org reckons the system will take nine months to build and will cost up to $3.3 million to develop and run for two years, although it might wind up getting shut down after just one year.

The Whois Disclosure System, previously known as SSAD Light, is a mechanism whereby anyone with an ICANN account — probably mainly IP lawyers in practice — can request unredacted private Whois data from registrars.

The system is to be built using retooled software from the current Centralized Zone Data Service, which acts as a hub for researchers who want to request zone files from gTLD registry operators.

ICANN’s design paper (pdf), which contains many mock-ups of the likely user interface, describes the new system like this:

Just as in CZDS, a requestor navigates to the WHOIS Disclosure System web page, logs into their ICANN Account, and is presented with a user experience much like the current CZDS. In this experience, requestors can see pending and past requests as well as metadata (timestamps, status, etc.) associated with those requests. For a requestor’s pending requests, they can see all the information related to that request.

Requests filed with the system will be routed to the relevant registrar via the Naming Services Portal, whereupon the registrar can choose how to deal with it. The system doesn’t change the fact that registrars have this discretion.

But the system will be voluntary for not only the requesters — who can still contact the registrar directly if they wish — but also the registrars. One can imagine smaller and frequently abused registrars won’t want the hassle.

The cost of this system will be $2.7 million in staffing costs, with $90,000 in external licensing costs and another $500,000 in contingency costs. Because ICANN has not budgeted for this, it will come from the Supplemental Fund for Implementation of Community Recommendations, which I believe currently has about $20 million in it.

This is far and away cheaper than the full-fat SSAD originally proposed by the GNSO, which ICANN in January estimated could cost up to $27 million to build over five years.

While cheaper, there are still substantial questions remaining about whether it will be popularly used, and whether it will be useful in getting private Whois data into the hands of the people who say they need it.

ICANN is saying that the Whois Disclosure System will run for one year “at which point the data sets collected will be analyzed and presented for further discussion between the GNSO Council and Board”.

The design paper will be discussed at multiple ICANN 75 sessions, starting this weekend.

Belgium slashes its ICANN funding in “mission creep” protest

Kevin Murphy, August 12, 2022, Domain Policy

DNS Belgium has cut its contribution to ICANN’s budget by two thirds, in protest at ICANN’s “mission creep” and its handling of GDPR.

The Belgian ccTLD registry informed ICANN CFO Xavier Calvez that it will only pay $25,000 this fiscal year, compared to the $75,000 it usually pays.

Registry general manager Philip Du Bois wrote (pdf) that “during recent years there has been a shift in focus which is not in the benefit of ccTLD’s”.

ICANN has become a large corporate structure with a tendency to suffer from “mission creep”… At the same time ICANN seems to fail in dealing in an appropriate way with important issues such as GDPR/privacy. It goes beyond our comprehension that ICANN and its officers don’t feel any reluctancy to “advise” European institutions and national governmental bodies to embrace “standards developed by the multi-stakeholder structures on international level” while at the same time it is obvious that ICANN itself has not yet mastered the implementation of important European legislation.

Based in the heart of the EU, DNS Belgium was a strong proponent of Whois privacy many years before the GDPR came into effect in 2018.

Calvez, in his reply (pdf), acknowledges that ccTLD contributions are voluntary, but seems to insinuate (call me a cynic) that the criticisms are hollow and that the registry might simply be trying to reduce its costs during an economic downturn:

We do appreciate any amount of contribution, and also that the ability for any ccTLD to contribute varies over time, including based on economic circumstances. We do understand that the reduction of DNS Belgium’s contribution from US$75,000 to US$25,000 represents a significant and meaningful reduction of costs for DNS Belgium.

DNS Belgium seems to be doing okay, based on its latest annual financial report. It’s not a huge company, but registrations and revenue have been growing at a slow and steady rate for the last several years.

All ccTLD contributions to ICANN are voluntary, but there are suggested donations based on how many domains a registry has under management, ranging from the $225,000 paid by the likes of the UK registry to the $500 paid by the likes of Pitcairn.

DNS Belgium, which manages about 1.7 million names, falls into the third-highest band, with a $75,000 suggested contribution.

ICANN is budgeting for funding of $152 million in its current FY23.