Latest news of the domain name industry

Recent Posts

ICANN restarts work on controversial Whois privacy rules

Kevin Murphy, May 20, 2024, Domain Policy

ICANN is to bring in new rules for Whois privacy and proxy services, the best part of a decade after they were first proposed to massive controversy.

It’s looking for volunteers to work with Org staff on implementing policy recommendations that in 2015 led to tens of thousands of people expressing outrage about the dangers, as they saw it, of their privacy being breached.

ICANN is putting together an Implementation Review Team to help implement the recommendations of the Privacy and Proxy Services Accreditation Issues Policy Development Process, known as PPSAI, which sought to bring privacy/proxy services under ICANN’s regulatory umbrella.

The recommendations were hugely controversial in their first draft, which in a minority statement expressed the view that people should be banned from using their domains commercially if they were using privacy services.

But the IRT will be tasked with implementing the final draft, which expunged the calls for such a ban.

The policy still calls for ICANN to run an accreditation system for privacy/proxy services in much the same way as it accredits registrars. It also lays out rules for how such services should gather registrant data and how to treat customer interactions.

But the recommendations are undeniably from a different era, thunk up before the EU’s General Data Protection Regulation made privacy-by-default essentially the industry standard for Whois records.

The PPSAI recommendations now interact with policies and practices that have been adopted in the intervening years, such as the recent Registration Data Policy and the Registration Data Request Service.

People willing to donate 10 to 20 hours a month to the new IRT can check out more details here.

It now takes TWO WEEKS to get a Whois record with RDRS

Kevin Murphy, May 16, 2024, Domain Policy

There’s been a shocking increase in the time it takes to get a Whois record disclosed under ICANN’s Registration Data Request Service, according to the latest monthly data.

It took on average 14.09 days to have a request for private Whois data approved using RDRS in April, more than double the previous high, recorded in February, of 6.92 days, the data shows. The average since the system launched at the end of November is 6.73 days.

The average time to have a request denied was 11.26 days, up from 6.17 days in March, the data also shows.

RDRS is a mechanism that allows people — largely intellectual property interests and law enforcement — to request unredacted domain ownership information. ICANN doesn’t handle the requests, it just forwards them to the responsible registrar.

It’s not obvious from the data why requests in April suddenly took so much longer to approve. Any number of reasons, from technical problems to a shift in the mix towards particularly sluggish registrars, could have thrown the average.

The percentage of requests that were approved was down very slightly compared to March, at 19.16% compared to 20.26%. Denied requests were up to 71.26% compared to 69.5% in March. Requests were largely denied because of data protection law or because the requester didn’t provide enough information.

Since RDRS launched five months ago, there have been 1,215 disclosure requests, 210 of which were approved. That works out to about 1.36 approved requests per day.

Registrar coverage improved a little in April, with three registrars newly listed and one (Sweden’s Ilait AB, which has about 6,000 domains) removed. The number of gTLD domains covered as a percentage remained flat at 57%.

ICANN has spent almost $2 million on RDRS to date. It’s a two-year pilot, and at some point it will have to be decided whether the expense is worth it.

Alibaba, Name.com among new RDRS opt-ins

Kevin Murphy, April 17, 2024, Domain Registrars

Eleven registrars representing millions of domain names signed up to support ICANN’s Registration Data Request Service last month. One registrar dropped out.

One of Chinese tech giant Alibaba’s registrars was among the additions. Alibaba Cloud Computing (Beijing), which has 2.6 million names under management, is a notable addition given that one of its sister registrars was recently hit with an ICANN Compliance action due to alleged abuse inaction.

Also opting in to the Whois band-aid service were Identity Digital’s Name.com (2.2 million names), three of its sister companies, and Newfold Digital’s Register.com (1.5 million names). Nominalia, P.A Vietnam, and Ubilibet also signed up.

Realtime Register dropped out of the voluntary service, the third registrar to opt out since RDRS launched in Novemeber.

ICANN says its coverage is now 57% of the total gTLD domains out there, up from 55% in February. It has 86 registrars on-board in total, including most of the largest.

RDRS is a two-year pilot that offers people who want access to private Whois records, largely intellectual property interests and law enforcement, a simpler way to connect with the registrars holding that data.

Some registrars have already quit ICANN’s Whois experiment

Kevin Murphy, March 26, 2024, Domain Policy

ICANN’s two-year experiment in helping connect Whois users with registrars has grown its pool of participating registrars over the last few months, but it has lost a couple of not-insignificant companies along the way.

The Registration Data Request Service launched in November, promising to provide a hub for people to request the private data in Whois records, which is usually redacted. Monthly usage reports, first published in January, showed 72 registrars had joined the scheme at launch.

That number was up to 77, covering about 55% of all registered gTLD domain names, at the end of February, the latest report shows. Seven more registrars have signed up and two have dropped out.

The newbies include WordPress creator Automattic, which has 1.1 million names, PublicDomainRegistry, which has 4.4 million, Register.it, which has 666,000, and Turkiye’s METUnic, which has 235,000.

The two registrars quitting the project, apparently in January, are Combell (formerly Register.eu), which has 1.3 million domains, and Hong Kong’s Kouming.com, which has 57,000.

The latest data shows that RDRS returns a “registrar not supported” error 32.7% of the time.

The running total of requesters was up by 607 to 2937 in February, ICANN’s data shows. They filed 246 requests in the month for an RDRS total of 754 so far. Intellectual property owners were the main users, followed by law enforcement and security researchers.

There were 64 approved requests — where the registrar handed over the Whois data — to make a to-date total of 133. On 50 occasions requests were turned down because the registrar decided it could not turn over the data due to privacy law. These stats break down to 20% approval and 70% denial.

It took an average of 6.92 days to approve a given request — a steep incline from the 3.89 days in January — and 2.92 to deny one.

The full report, containing much more data, can be read as a PDF here.

Whois policy published without life-saving disclosure rule

Kevin Murphy, February 23, 2024, Domain Policy

ICANN has updated its Registration Data Policy, the rules that govern what data registries and registrars need to collect from registrants and when to publish or supply it through Whois lookups or disclosure requests.

When it becomes enforceable in August next year, the new RDP will make full-fat ICANN Whois policy compliant with EU privacy law for the first time since the General Data Protection Regulation came into effect in May 2018.

But the new policy, which replaces a functionally very similar temporary policy, is notable not only for the extraordinary amount of time it took to produce, but also for not containing a disputed requirement for registrars and registries to quickly turn over private Whois data when human life is at risk.

The policy dictates what contact information registrars must collect from their customers, what they must share with their registries, escrow agents and others, and what they must redact in the public Whois (or Registration Data Directory Services, as it will become known when Whois is retired next January).

It also says that registries and registrars must acknowledge private data disclosure requests no more than two business days after receipt and respond to the requests in full less than 30 calendar days after that, barring delays caused by “exceptional circumstances”.

But, due purely to ICANN community politicking, the policy for now omits previously considered language on “urgent” disclosure requests for use in “circumstances that pose an imminent threat to life, of serious bodily injury, to critical infrastructure, or of child exploitation”.

I’d like to think such circumstances are incredibly rare, but if there’s a situation where a Whois disclosure could help prevent a bomb going off at a major internet exchange, a trans rights activist being hounded into suicide, or a little kid getting raped on a livestream, the new ICANN policy does not account for that.

The version of the policy published in July last year (pdf) did include an urgent requests provision, requiring contracted parties to either turn over the data or tell the requester to get lost within 24 hours of receipt.

But it also contained a bunch of exceptions that could allow registrars to extend that deadline by up to three business days. When weekends and public holidays are taken into account, this could mean as much as a full calendar week to process an “urgent”, potentially life-saving request.

For that reason, the Governmental Advisory Committee wrote to ICANN (pdf) last August to ask it to revisit the policy language, chuck out the reference to “business” days, and stick to a 24-hour response window

The original Expedited Policy Development Process Working Group that came up with the policy recommendations had not specified how long registrars and registries should have to respond to urgent disclosure requests, punting that decision to the Implementation Review Team that drafted the final language.

An August 2022 draft (pdf) put out for public comment made the response window two business days, with a possible one-day extension, but this was reduced to 24 hours last year in what registrars describe as a “significant compromise” given the operational reality of responding to disclosure requests.

In August last year, the Registrars Stakeholder Group told ICANN (pdf) that its members “are committed to responding to Urgent requests in the most swift and expeditious manner possible” but said it objected to the GAC’s last-minute demands for the urgent disclosures policy to be rewritten.

From the registrars’ perspective, handling disclosure requests for personal data is not a simple ask. It’s a legal decision, balancing the privacy rights of the registrant with the rights of others to access that information.

Get it wrong, and you’re open to litigation and fines substantial enough to be expressed as a percentage of your revenue. And, money aside, who wants to be the guy who, for example, accidentally helps the Iranian morality police murder a bunch of schoolgirls for wearing the wrong type of hat?

But the argument between the registrars and the governments comes down to issues of ICANN process. Both the GAC and the RrSG claimed the urgent disclosures bunfight highlights deficiencies in ICANN multistakeholderism, but for different reasons.

ICANN’s response to this disagreement was to remove the urgent requests clauses from the policy altogether, in the hope that further talks can find a solution. Chair Tripti Sinha wrote to the RrSG and GAC a couple weeks ago to tell them:

the Board concluded that it is necessary to revisit Policy Recommendation 18 concerning urgent requests in the context of situations that pose an imminent threat to life, serious bodily harm, infrastructure, or child exploitation, and the manner in which such emergencies are currently handled. For this, we believe that consultation with the GNSO Council is required.

ICANN has essentially kicked the can, which was what the GAC had asked for. The RrSG wanted the July 2023 language (one-plus-three days) or August 2022 language (two-plus-one days) published in the final policy.

It’s stuff like this that makes one scratch one’s head, stroke one’s chin, and wonder whether ICANN really is fit for purpose.

There were 2,312 days between the day the European Commission first proposed the GDPR to the day it became effective in all EU member states.

But 2,590 days will have passed between the day the GNSO Council initiated the EPDP and the day the new Registration Data Policy will become effective on all contracted parties, next August.

The lumbering, then-28-state European Union was faster at passing policy than ICANN, even when ICANN was using an “expedited” process.

And what ICANN eventually came up with couldn’t even agree on ways to help tackle murder, economic catastrophes, and the rape of kids.

Weak demand for private Whois data, ICANN data shows

Kevin Murphy, January 17, 2024, Domain Services

There were fewer than six requests for private Whois data per day in December, and most of those were denied, according to newly published ICANN data.

The disappointing numbers, which also show that only about 2.5% of accredited registrars are participating, show that ICANN’s new Registration Data Request Service is certainly off to a slow start.

RDRS launched in November. It’s a ticketing system that enables people to request unredacted private Whois data, with no guarantee the requests will be granted, from registrars via an ICANN portal.

As it’s a two-year trial, ICANN promised to publish usage data every month. The first such report was published today (pdf).

The report shows that 1,481 requester accounts have been created so far, but that just 174 requests were made in December — about 5.6 per day on average.

Almost a third of requesters were intellectual property interests, with domain investors at 4.5% and law enforcement at 8%. Security researchers accounted for 15% of requests.

The data shows that most requests — 80.47% — were marked as “Denied” by registrars, largely because the registrar needed more information from the requester before it could process their request. ICANN said RDRS has no visibility into whether data was ultimately handed over outside of the system.

The supply-side data isn’t particularly encouraging either. Only 72 registrars were participating in RDRS at the end of the year.

That’s 2.5% of the 2,814 registrar entities ICANN contracts with, but if we exclude the 2,000+ drop-catching shell registrars owned by the likes of TurnCommerce, Newfold Digital and Gname, participation might be more fairly said to be closer to 10%.

ICANN said that the 72 registrars, which include many of the largest, account for 53% of all registered gTLD domain names, so you might think requesters have a better-than-even chance of being able to use the system for any given domain.

That’s not the case. RDRS data requesters are finding that the domain they are querying belongs to a non-participating registrar far more often than not — 80% of queries through the system were for domains not in the system, the report shows.

And when the registrar is participating, chances are that the data request will be denied — 80% were denied versus just 11.72% approved and 1.56% partially approved.

It takes on average two days for a request to be denied and four days for a request to be approved, the report shows.

While the results to date are arguably disappointing, given the years of effort the ICANN community and staff put in to build this thing, it’s still early days.

I also think it quite likely some of the numbers have been skewed by both the Christmas and New Year holiday period and early-adopter requesters kicking the tires with spurious requests.

ICANN begs people to use its new Whois service

Kevin Murphy, December 20, 2023, Uncategorized

ICANN’s CEO has published an open letter encouraging the community to spread the word about its new Registration Data Request Service.

Sally Costerton explained (pdf) that RDRS is a “free, global, one-stop shop ticketing system” that hooks up people seeking private Whois data with the relevant registrar.

“I appreciate your attention to this new service and ask that you share this information with the relevant stakeholders in your organization,” she concludes.

The plea comes after the late-November launch of the system and the revelation that the system currently has far from blanket coverage from registrars.

“Use of the RDRS is voluntary, but I’m pleased to let you know that we have strong participation from registrars already,” Costerton wrote.

Since I published a blog post three weeks ago naming 25 large registrars not participating in RDRS, only Markmonitor has chosen to sign up, adding another one million domains to RDRS’s footprint.

But it turns out Chinese registrar Alibaba, which I was unable to check due to a bug or downtime somewhere, definitely is not participating, so there are still 25 out of the 40 registrars with over a million domains that are not participating.

Usage on the demand side is not known, but ICANN says it will publish regular monthly progress reports.

The RDRS is considered a pilot. It will run for at least two years before ICANN figures out whether it’s worth keeping.

Most registrars are shunning ICANN’s new Whois system

Kevin Murphy, November 30, 2023, Domain Policy

Most of the largest domain registrars are not currently participating in ICANN’s new Registration Data Request Service, according to my research.

I used the RDRS tool to check domains managed by every accredited registrar that has over a million domains under management and discovered that at least 25 out of these 40 registrars do not currently support the service.

The number may be 26, but RDRS did not recognize any domains managed by Chinese registrar Ali Baba as valid, giving instead a “domain does not exist” error message, even for alibaba.com itself.

In total, the 25 registrars coming up blank look after over 63 million gTLD domains, about 28% of the total.

Some very recognizable brands are not in the system.

Squarespace Domains II, the new name for the old Google Domains, the fourth-largest registrar, is the largest company not participating. Together with its original accreditation, Squarespace Domains, they have over 10 million domains under management.

TurnCommerce, GMO, IONOS, NameSilo, PDR, Gname, Dynadot, Wix, OVH, Register.com, FastDomain, Name.com, Domain.com, Hostinger, Sav.com, Xin Net, West.cn, Cronon, Domain Robot, Automattic, DNSPod, and Cloudflare are also not in the system.

Oh, and neither is Markmonitor.

While I only checked 40 registrars, not the full 2,702 that were active in the July registry transaction reports, I would expect the level of support to decline the lower down the list you get, particularly as hundreds of accreditations have a trivial number of domains or are merely aliases for companies already known to not support RDRS.

It’s quite possible some of the registrars I’ve named here are planning to sign up and have just been slow to do so, but they’ve had plenty of time — ICANN has been onboarding registrars since September 20.

The level of support from the registrar industry will be critical to judging whether the RDRS project is deemed a success.

In a recent letter to the GNSO Council discussing “success criteria” for the program, ICANN chair Tripti Sinha wrote (pdf):

The Board agrees that the participation of a sufficient number of registrars with a sufficient number of domain name registrations under management will be important with respect to gathering data.

On the bright side, GoDaddy, Tucows and Namecheap are on board, and that represents about 90 million domains. GoDaddy alone accounts for 65 million, slightly more than the combined total of the 25 large registrars that are not participating.

RDRS is a system designed to simplify the process of requesting non-public Whois data by passing all such requests to the relevant registrars through a central hub.

Of course, it’s only useful if the registrars are actually in the system.

ICANN’s private Whois data request service goes live

Kevin Murphy, November 28, 2023, Domain Registrars

ICANN has this evening gone live with its service that enables anyone to request private Whois data on any gTLD domain.

The Registration Data Request Service lets people request contact information on registrants that would otherwise be redacted in the public Whois due to laws such as the GDPR.

The press release announcing the launch seems to have come out an hour or two before the service actually became accessible, but it’s definitely live now and I’ve tried it out.

The system is defined largely by what it isn’t. It isn’t an automated way to get access to private data. It isn’t guaranteed to result in private data being released. It isn’t an easy workaround to post-GDPR privacy restrictions.

It is a way to request an unredacted Whois record knowing only the domain and not having to faff around figuring out who the registrar is and what their mechanisms and policies are for requesting the data.

After scaling back the extremely complex and expensive original community recommendations for a post-GDPR Whois service, ICANN based the RDRS on its now decade-old Centralized Zone Data Service, which acts as an intermediary between registries and people like myself who enjoy sniffing around in zone files.

The RDRS merely connects Whois data requestors — the default settings in the interface suggest that ICANN thinks they’ll mostly be people with court orders — with the registrars in charge of the domains they are interested in.

Anyone who has used CZDS will recognize the interface, but the requesting process is longer, more complex, and requires accepting more disclaimers and Ts&Cs. That said, it’s not particularly confusing.

At first glance, it looks fine. Slick, even. I’ve used it to submit a test request with GoDaddy for my own Whois data, specifying that whoever deals with the request is free to ignore it. Let’s see what happens.

Whois disclosure system coming this year?

Kevin Murphy, March 2, 2023, Domain Tech

ICANN has approved the creation of a Whois Disclosure System, almost six years after Europe’s GDPR rules tore up the rule book on Whois access.

The system is likely to face a name change before going live, due to the fact that it does not guarantee, nor process, the disclosure of private Whois data.

The board of directors passed a resolution February 27, a month later than expected, “to develop and launch the WHOIS Disclosure System (System) as requested by the GNSO Council within 11 months from the date of this resolution.”

That’s two months longer than earlier anticipated, but we’re still looking potentially at a live system that people can sign up for and use a year from now.

The system is expected to be based on the Centralized Zone Data Service that many of us have been using to request and download gTLD zone files for the last decade. While not perfect, CZDS gets the job done and has improved over the years.

The technology will be adapted to create what essentially amounts to a ticketing system, allowing the likes of IP lawyers to request unredacted Whois records. The requests would then be forwarded to the relevant registrar.

It’s an incredibly trimmed-down version of what Whois users had been asking for. Participation is voluntary on both sides of the transaction, and registrars are under no new obligations to approve requests.

If nobody uses the system, it could be turned off. ICANN Org has only been directed to run it for “for up to two years”. ICANN will collect and publish usage data to figure out whether it’s worth the quite substantial number of hours and dollars that have already gone into its development.

The actual cost of development and operation had been pegged at $3.3 million, but the board’s resolution states that most of the cost will be existing staff and excess costs will come from the Supplemental Fund for Implementation of Community Recommendations (SFICR).