Recent Posts
- Americans and ICANNers avoid Kigali in droves
- RDRS stats improve a little in June
- Unstoppable Domains goes down after domain hijack
- Four more gTLDs in emergency measures
- New gTLDs and ccTLDs drive domain universe growth
- Eight interesting recent dot-brand registrations
- .me premium sales down
- Pride fails to reverse gay domains decline
- Unstoppable announces another new gTLD bid
- Blockchain naming firm gets ICANN accreditation
- ICANN takes over gTLD after Whois failures
- Verisign: would-be .com contract killers are “wrong”
- Five gTLDs at risk as registry goes AWOL
- Groups make flawed case that .com is a cartel
- RDRS usage hits all-time low
- A dot-brand so unloved they killed it twice
- PorkBun hits two million domain milestone
- Crawford returns to industry to head up Com Laude
- ICANN financial data dump a damp squib?
- Unstoppable plotting manga-themed gTLDs
- Governments call for new gTLD auctions ban
- ICANN names new CEO, and it isn’t Costerton
- ICANN: We will NOT police content
- More sticker shock as new gTLD fees could top $300,000
- ICANN slashes staff and domain prices could rise
- Secret new gTLD application revealed
- WhatsApp now linkifying new gTLDs, but…
- Outrage over ICANN’s new gTLD fees
- Barrett gets second term on ICANN board
- DotMusic delays gTLD launch again
- .tm prices to skyrocket next week
- Bitcoin gTLD gets launch dates
- First metaverse gTLD is announced
- Alibaba off the naughty step
- ICANN to kill auction fund bylaws change
- The people have spoken on RDRS and they said “Meh”
- ICANN restarts work on controversial Whois privacy rules
- GNSO mulls lawyering up over auction fund dispute
- Jury still out on ICANN’s content policing powers
- It now takes TWO WEEKS to get a Whois record with RDRS
- Travel expenses push ICANN into the red again
- ICANN preparing for ONE HUNDRED registry back-ends
- DNS Abuse Institute changes name
- A new way to game the new gTLD program
- .home, .mail and .corp could get unbanned
- Unstoppable to apply for Women in Tech gTLD
- Bob Parsons publishes autobiography
- GoDaddy getting a free pass from porn jail?
- Correction: Sinha’s seat is safe
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- .my domains to be sold globally next month
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
DomainTools scraps apps and APIs in war on spam
DomainTools is to scrap at least five of its services as it tries to crack down spam.
It’s getting rids of its mobile apps, its APIs, and is to stop showing registrants’ personal information to unauthenticated users.
CEO Tim Chen told us in an email at the weekend:
The Android app is no longer supported.
The iOS app will no longer be supported after February 20th.
The Developer API is no longer supported.
On February 20th, the Bulk Parsed Whois tool available to Personal Members will no longer be supported.
On February 20th, our production Whois API will no longer be available to individual membership levels, an Enterprise relationships will be required.
It’s all part of an effort to make sure DomainTools services are not being abused by spammers, which has lead to a dispute with GoDaddy over bulk access to its registrants’ Whois data.
The longstanding problem of new registrants getting spammed with calls and emails offering web hosting and such has escalated over the last few years. Domain Name Wire detailed the scale of the abuse registrants can experience in a post last week.
While to my knowledge nobody has directly accused DomainTools of facilitating such abuse, the scrapped services are the ones that would be most useful to these spammers.
The company is also going to scale back what guest users can see when they do a Whois lookup, and is to make automated scraping of Whois records more difficult for paying members.
In a blog post, Chen wrote last week:
As of today, unauthenticated users of the DomainTools Whois Lookup tool will not see personally identifiable information for the registrant parsed out in the results, and will be required to submit a CAPTCHA to see the full raw domain name Whois record. Phone numbers in the parsed results have been replaced with image files, much the same way emails have always been rendered
As well as hoping to ease relations with GoDaddy — the source of a very heavy chunk of DomainTools’ data — the moves are also part of the company’s strategy for dealing with the incoming General Data Protection Regulation.
This is the EU law that gives registrants more control over the privacy of their personal data.
Chen told us earlier this month that DomainTools is keen to ensure its enterprise-level suite of security products, which he said are vital for security and intellectual property investigations, continue to operatie under the new regime.
About 80% of DomainTools’ revenue comes from its enterprise-level customers, over 500 companies.
Three ways ICANN could gut Whois
ICANN has published three possible models of how Whois could be altered beyond recognition after European privacy law kicks in this May.
Under each model, casual Whois users would no longer have access to the wealth of contact information they do under the current system.
There may also be a new certification program that would grant access to full Whois records to law enforcement, consumer protection agencies and intellectual property interests.
The three models are each intended to address the General Data Protection Regulation, EU law that could see companies fined millions if they fail to protect the personal data of European citizens.
While GDPR affects all data collection on private citizens, for the domain name industry it’s particularly relevant to Whois, where privacy has always been an afterthought.
The three ICANN models, which are now subject to a short public comment period, differ from each other in three key areas: who has their privacy protected, which fields appear in public Whois by default, and how third parties such as law enforcement access the full records.
Model 1 is the most similar to the current system, allowing for the publication of the most data.
Under this model the name and postal address of the registrant would continue to be displayed in the public Whois databases.
Their email address and phone number would be protected, but the email and phone of the administrative and technical contacts — often the same person as the registrant — would be published.
If the registrant were a legal entity, rather than a person, all data fields would continue to be displayed as normal.
The other two models call for more restricted, or at least different, public output.
Under Model 2, the email addresses of the administrative and technical contacts would be published, but all other contact information, including the name of the registrant, would be redacted.
Model 3 proposes a crazy-sounding system whereby everything would be published unless the registrar/registry decided, on a domain-by-domain basis, that the field contained personal information.
This would require manual vetting of each Whois record and is likely to gather no support from the industry.
The three models also differ in how third parties with legitimate interests would access full Whois records.
Model 1 proposes a system similar to how zone files are published via ICANN’s Centralized Zone Data Service.
Under this model, users would self-certify that they have a legit right to the data (if they’re a cop or an IP lawyer, for example) and it would be up to the registry or registrar to approve or decline their request.
Model 2 envisages a more structured, formal, centralized system of certification for Whois users, developed with the Governmental Advisory Committee and presumably administered by ICANN.
Model 3 would require Whois users to supply a subpoena or court order in order to access records, which is sure to make it unpopular among the IP lobby and governments.
Each of the three models also differs in terms of the circumstances under which privacy is provided.
The models range from protecting records only when the registrant, registry, registrar or any other entity involved in the data processing has a presence in the European Economic Area to protecting records of all registrants everywhere regardless of whether they’re a person or a company.
Each model has different data retention policies, ranging from six month to two years after a registration expires.
None of the three models screw with registrars’ ability to pass data to thick-Whois registries, nor to their data escrow providers.
ICANN said it’s created these models based on the legal analyses it commissioned from the Hamilton law firm, as well as submissions from community members.
One such submission, penned by the German trade associated Eco, has received broad industry support.
It would provide blanket protection to all registrants regardless of legal status or location, and would see all personally identifiable information stripped from public Whois output.
Upon carrying out a Whois query, users would see only information about the domain, not the registrant.
There would be an option to request more information, but this would be limited to an anonymized email address or web form for most users.
Special users, such as validated law enforcement or IP interests, would be able to access the full records via a new, centralized Trusted Data Clearinghouse, which ICANN would presumably be responsible for setting up.
It’s most similar to ICANN’s Model 2.
It has been signed off by registries and registrars together responsible for the majority of the internet’s domain registrations: Afilias, dotBERLIN, CentralNic, Donuts, Neustar, Nominet, Public Interest Registry (PIR), Verisign, 1&1, Arsys, Blacknight, GoDaddy, Strato/Cronon, Tucows and United Domains.
ICANN said in a blog post that its three models are now open for public comment until January 29.
If you have strong opinions on any of the proposals, it might be a good idea to get them in as soon as possible, because ICANN plans to identify one of the models as the basis for the official model within 48 hours of the comment period closing.
GoDaddy and DomainTools scrap over Whois access
GoDaddy has seriously limited DomainTools’ access to its customers’ Whois records, pissing off DomainTools.
DomainTools CEO Tim Chen this week complained to DI that its access to Whois has been throttled back significantly in recent months, making it very difficult to keep its massive database of domain information up to date.
Chen said that DomainTools is currently only able to access GoDaddy’s Whois over port 43 at about 2% of the rate it had previously.
He said that this has been going on for about six months and that the market-leading registrar has been unresponsive to its requests to have previous levels restored.
“By throttling access to the data by 98% they’re defeating the ability of security practitioners to get data on GoDaddy domains,” Chen said. “It’s particularly troublesome because they [GoDaddy] are such a big part of DNS.”
“We have customers who say the quality of GoDaddy data is just degrading across the board, either through direct look-ups or in some of the DomainTools products themselves,” he said.
DomainTools customers include security professionals trying to hunt down the source of attacks and intellectual property interests trying to locate pirates and cybersquatters.
GoDaddy today confirmed to DI that it has been throttling DomainTools’ Whois access, and said that it’s part of ongoing anti-spam measures.
In recent years there’s been an increase in the amount of spam — usually related to web design, hosting, and SEO — sent to recent domain registrants using email addresses harvested from new Whois records.
GoDaddy, as the market-share leader in retail domain sales, takes a tonne of flak from customers who, unaware of standard Whois practice, think the company is selling their personal information to spammers.
This kind of Twitter exchange is fairly common on GoDaddy’s feed:
Being bombarded by web developers after purchasing domain frm @GoDaddy
I paid for that domain and u selling my personal info like anything.gotta switch frm godaddy.— Vikas Rawat (@VikasRa87555925) January 12, 2018
While GoDaddy is not saying that DomainTools is directly responsible for this kind of activity, throttling its port 43 traffic is one way the company is trying to counter the problem, VP of policy James Bladel told DI tonight.
“Companies like [DomainTools] present a challenge,” he said. “While we may know these folks, we don’t know who their customers are.”
But that’s just a part of the issue. GoDaddy was also concerned about the amount of resources DomainTools was consuming, and its own future legal responsibilities under the European Union’s forthcoming General Data Protection Regulation.
“When [Chen] says they’re down to a fraction or a percentage of what they had previously, well what they had previously was they were updating and archiving Whois almost in real time,” Bladel said. “And that’s not going to fly.”
“That is not only, we feel, not congruent with our responsibilities to our customers’ data, but it’s also, later on down the road, exactly the kind of thing that GDPR and other regulations are designed to stop,” he said.
GDPR is the EU law that, when it fully kicks in in May, gives European citizens much more rights over the sharing and processing of their private data.
Bladel added that DomainTools is still getting more Whois access than other parties using port 43.
“They have a level of access that is much, much higher than what they would normally have as a registrar,” he said, “but much lower than I think they want, because they want to effectively download and keep current the entirety of the Whois database.”
I’m not getting a sense from GoDaddy that it’s likely to backtrack on its changes.
Indeed, the company also today announced that it from January 25 it will start to “mask” key elements of Whois records when queried over port 43.
GoDaddy told high-value customers such as domainers today that port 43 queries will no longer return the registrant’s first name, last name, email address or phone number.
Bulk Whois users such as registrars (and, I assume, DomainTools) that have been white-listed via the “GoDaddy Port43 Process” will continue to receive full records.
Its web-based Whois, which includes a CAPTCHA gateway to prevent scraping, will continue to function as normal.
Bladel said that these changes are NOT related to GDPR, nor to the fact that ICANN said a couple months back that it would not enforce compliance with Whois provisions of the Registrar Accreditation Agreement, subject to certain conditions.
Big changes at DomainTools as privacy law looms
Regular users of DomainTools should expect significant changes to their service, possibly unwelcome, as the impact of incoming European Union privacy law begins to be felt.
Professional users such as domain investors are most likely to be impacted by the changes.
The company hopes to announce how its services will be rejiggered to comply with the General Data Protection Regulation in the next few weeks, probably in February, but CEO Tim Chen spoke to DI yesterday in general terms about the law’s possible impact.
“There will be changes to the levels of service we offer currently, especially to any users of DomainTools that are not enterprises,” Chen said.
GDPR governs how personal data on EU citizens is captured, shared and processed. It deals with issues such as customer consent, the length of time such data may be stored, and the purposes for which it may be processed.
Given that DomainTools’ entire business model is based on capturing domain registrants’ contact information without their explicit consent, then storing, processing and sharing that data indefinitely, it doesn’t take a genius to work out that the new law represents a possibly existential threat.
But while Chen says he’s “very concerned” about GDPR, he expects the use cases of his enterprise customers to be protected.
DomainTools no longer considers itself a Whois company, Chen said, it’s a security services company now. Only about 20% of its revenue now comes from the $99-a-month customers who pay to access services such as reverse Whois and historical Whois queries.
The rest comes from the 500-odd enterprise customers it has, which use the company’s data for purposes such as tracking down network abuse and intellectual property theft.
DomainTools is very much aligned here with the governments and IP lawyers that are pressing ICANN and European data protection authorities to come up with a way Whois data can still be made available for these “legitimate purposes”.
“We’re very focused on our most-important goal of making sure the cyber security and network security use cases for Whois data are represented in the final discussions on how this legislation is really going to land,” he said.
“There needs to be some level of access that is retained for uses that are very consistent with protecting the very constituents that this legislation is trying to protect from a privacy perspective,” he said.
The two big issues pressing on Chen’s mind from a GDPR perspective are the ability of the company to continue to aggregate Whois records from hundreds of TLDs and thousands of registrars, and its ability to continue to provide historical, archived Whois records — the company’s most-popular product after vanilla Whois..
These are both critical for customers responding to security issues or trying to hunt down serial cybersquatters and copyright infringers, Chen said.
“[Customers are] very concerned, because their ability to use this data as part of their incident response is critical, and the removal of the data from that process really does injure their ability to do their jobs,” he said.
How far these use cases will be protected under GDPR is still an open question, one largely to be determined by European DPAs, and DomainTools, like ICANN the rest of the domain industry, is still largely in discussion mode.
“Part of what we need to help DPAs understand is: how long is long enough?” Chen said. “Answering how long this data can be archived is very important.”
ICANN was recently advised by its lawyers to take its case for maintaining Whois in as recognizable form as possible to the DPAs and other European privacy bodies.
And governments, via the Governmental Advisory Committee, recently urged ICANN to continue to permit Whois access for “legitimate purposes”.
DomainTools is in a different position to most of the rest of the industry. In terms of its core service, it’s not a contracted party with ICANN, so perhaps will have to rely on hoping whatever the registries and registrars work out will also apply to its own offerings.
It’s also different in that it has no direct customer relationship with the registrants whose data it processes, nor does it have a contractual relationship with the companies that do have these customer relationships.
This could make the issue of consent — the right of registrant to have a say in how their data is processed and when it is deleted — tricky.
“We’re not in a position to get consent from domain owners to do what we do,” Chen said. “I think where we need to be more thoughtful is whether DomainTools needs to have a process where people can opt out of having their data processed.”
“When I think about consent, it’s not on the way in, because we just don’t have a way to do that, it’s allowing a way out… a mechanism where people can object to their data being processed,” he said.
How DomainTools’ non-enterprise customers and users will be affected should become clear when the company outlines its plans in the coming weeks.
But Chen suggested that most casual users should not see too much impact.
“The ability of anyone who has an interest in using Whois data, who needs it every now and then, for looking up a Whois record of a domain because they want to buy it as a domain investor for example, that should still be very possible after GDPR,” he said.
“I don’t think GDPR is aimed at individual, one-at-a-time use cases for data, I think it’s aimed at scalable abuse of the data for bad purposes,” he said.
“If you’re running a business in domain names and you need to get Whois at significant scale, and you need to evaluate that many domains for some reason, that’s where the impact may be,” he said.
Disclosure: I share a complimentary DomainTools account with several other domain industry bloggers.
How Whois could survive new EU privacy law
Reports of the death of Whois may have been greatly exaggerated.
Lawyers for ICANN reckon the current public system “could continue to exist in some form” after new European Union privacy laws kick in next May, according to advice published (hurriedly, judging by the typos towards the end) shortly before Christmas.
Hamilton, the Swedish law firm hired by ICANN to probe the impact of the General Data Protection Regulation, seems to be mellowing on its recommendation that Whois access be permanently “layered” according to who wants to access registration records.
Now, it’s saying that layered Whois access could merely be a “temporary solution” to protect the industry from fines and litigation until ICANN negotiates a permanent peace treaty with EU privacy regulators that would have less impact on current Whois users.
This opinion came in the third of three memorandums from Hamilton, published by ICANN last week. You can read it here (pdf).
With the first two memos strongly hinting that layered access would be the most appropriate way forward, the third points out the huge, possibly insurmountable burden this would place on registrars, registries, law enforcement agencies, the courts, IP lawyers, and others.
It instead suggests that layered access be temporary, with ICANN taking the lead in arranging a longer-term understanding with the EU.
The latest Hamilton memo seems to have taken on board comments from registries and registrars, intellectual property lawyers and domain investors, none of which are particularly enthusiastic about GDPR and the lack of clarity surrounding its impacts.
GDPR is an EU-wide law that gives much stronger protection to the personal data of private citizens.
Companies that process such data are kept on a much tighter leash and could face millions of euros of fines if they use the data for purposes their customers have not consented to or without a good enough reason.
It’s not a specifically intended to regulate Whois — indeed, its conflict with longstanding practice and ICANN rules seems to have been an afterthought — but Whois is the place the domain industry is most likely to find itself breaking the law.
It seems to be generally agreed that the current system of open, public access to all fields in all Whois records in all gTLDs would not be compliant with GDPR without some significant changes.
It also seems to be generally agreed that the data can be hugely useful for purposes such as police investigations, trademark enforcement and the domain secondary market.
The idea that layered access — where different sets of folks get access to different sets of data based on their legitimate needs — might be a solution has therefore gained some support.
Hamilton notes:
Given the limited time remaining until the GDPR enters into effect, we believe that the best chance of continuing to provide the Whois services and still be compliant with the GDPR will be to implement an interim solution based on an layered access model that would ensure continued processing of Whois data for some limited purposes.
The problem with this solution, as Hamilton now notes, is that it could be hugely impractical.
such a model would require the registrars to perform an assessment of interests in accordance with Article 6.1(f) GDPR on an individual case-by-case basis each time a request for access is made. This would put a significant organizational and administrative pressure on the registrars and also require them to obtain and maintain the competence required to make such assessments in order to deliver the requested data in a reasonably timely manner. In our opinion, public access to (limited) Whois data would therefore be of preference and necessary to fulfill the above purposes in a practical and efficient way.
And, Hamilton says, a scenario in which all cops had access to all Whois data would not necessarily be GDPR-compliant. Police may have to right to access the data, but they’d have to request it on a case-by-case basis.
Registrars — or even the courts — would have to make the decision as to whether each request was legit.
It would get even more complex for registrars when the Whois requester was an IP lawyer, as they’d have to check whether it was appropriate to disclose the personal data to both the lawyer and her client, the memo says.
For registrars, the largely nominal cost of providing a Whois service today would suddenly rocket as each Whois lookup would require human intervention.
Having introduced the concept of layered access and then shot it to pieces, Hamilton finally recommends that ICANN start talks with data protection authorities in the EU in order to find a solution where Whois services can continue to be provided in a form available to the general public in the future”.
ICANN should start an “informal dialogue” with the Article 29 Working Party, the EU privacy watchdog made up of data protection authorities from each member state, and initiate formal consultations with one or more of these DPAs individually, the memo recommends.
The WP29 could prove a tough chat, given that the group has a long history of calling for layered access, and its views, even if changed, would not be binding anyway.
So Hamilton says ICANN, in conjunction with its registries and registrars, should carry out a formal data protection impact assessment (DPIA) and submit it to a relevant DPA in a EU country where it has a corporate presence, such as Belgium.
That way, at least ICANN has a chance of retaining Whois in a vaguely recognizable form while protecting the industry from crippling extra costs.
In short, the industry is still going to have to make some changes to Whois in the first half of 2018, some of which may make Whois access troublesome for many current users, but those changes may not last forever.
ICANN CEO Goran Marby said in a blog post:
We’ve made it a high priority to find a path forward to ensure compliance with the GDPR while maintaining WHOIS to the greatest extent possible. Now, it is time to identify potential models that address both GDPR and ICANN compliance obligations.
We’ll need to move quickly, while taking measured steps to develop proposed compliance models. Based on the analysis from Hamilton, it appears likely that we will need to incorporate the advice about using a layered access model as a way forward.
He wants the industry to submit compliance models by January 10 for publication January 15, with ICANN hoping to “settle on a compliance model by the end of January”.
ICANN: tell us how you will break Whois rules
ICANN has invited registrars and registries to formally describe how they plan to break the current rules governing Whois in order to come into compliance with European Union law.
The organization today published a set of guidelines for companies to submit proposals for closing off parts of Whois to most internet users.
It’s the latest stage of the increasingly panicky path towards reconciling ICANN’s contracts with the General Data Protection Regulation, the EU law that comes into full effect in a little over five months.
GDPR is designed to protect the privacy of EU citizens. It’s generally thought to essentially ban the full, blanket, open publication of individual registrants’ contact information, but there’s still some confusion about what exactly registries and registrars can do to become compliant.
Fines maxing out at of millions of euros could be levied against companies that break the GDPR.
ICANN said last month that it would not pursue contracted parties that have to breach their agreements in order to avoid breaking the law.
The catch was that they would have to submit their proposals for revised Whois services to ICANN for approval first. Today is the first time since then that ICANN has officially requested such proposals.
The request appears fairly comprehensive.
Registries and registrars will have to describe how their Whois would differ from the norm, how it would affect interoperability, how protected data could be accessed by parties with “legitimate interests”, and so on.
Proposals would be given to ICANN’s legal adviser on GDPR, the Swedish law firm Hamilton, and published on ICANN’s web site.
ICANN notes that submitting a proposal does not guarantee that it will be accepted.
Open Whois must die, Europe privacy chiefs tell ICANN
Unfettered public access to full Whois records is illegal and has to got to go, an influential European Union advisory body has told ICANN.
The Article 29 Working Party on Data Protection, WP29, wrote to ICANN yesterday to say that “that the original purposes of the WHOIS directories can be achieved via layered access” and that the current system “does not appear to meet the criteria” of EU law.
WP29 is made up of representatives of the data protection agencies in each EU member state. It’s named after Article 29 of the EU’s 1995 Data Protection Directive.
This directive is parent legislation of the incoming General Data Protection Regulation, which from May 2018 will see companies fined potentially millions of euros if they fail to protect the privacy of EU citizens’ data.
But WP29 said that there are questions about the legality of full public Whois under even the 1995 directive, claiming to have been warning ICANN about this since 2003:
WP29 wishes to stress that the unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice under the current European Data Protection directive (95/46/EC), especially regarding the necessity to have a legitimate purpose and a legal ground for such processing.
Under the directive and GDPR, companies are not allowed to make consent to the publication of private data a precondition of a service, which is currently the case with domain registration, according to WP29.
Registrars cannot even claim the publication is contractually mandated, because registrants are not party to the Registrar Accreditation Agreement, the letter (pdf) says.
WP29 adds that law enforcement should still be able to get access to Whois data, but that a “layered” access control approach should be used to prevent full disclosure to anyone with a web browser.
ICANN recently put a freeze on its contract compliance activities surrounding Whois, asking registries and registrars to supply the organization with the framework and legal advice they’re using to become compliant with GDPR.
Registries and registrars are naturally impatient — after a GDPR-compatible workaround is agreed upon, they’ll still need to invest time and resources into actually implementing it.
But ICANN recently told contracted parties that it hopes to lay out a path forward before school breaks up for Christmas December 22.
ICANN chief tells industry to lawyer up as privacy law looms
The domain name industry should not rely on ICANN to protect it from incoming EU privacy law.
That’s the strong message that came out of ICANN 60 in Abu Dhabi last week, with the organization’s CEO repeatedly advising companies to seek their own legal advice on compliance with the General Data Protection Regulation.
The organization also said that it will “defer taking action” against any registrar or registry that does not live up its contractual Whois commitments, within certain limits.
“GDPR is a law. I didn’t come up with it, it didn’t come from ICANN policy, it’s the law,” Marby said during ICANN 60 in Abu Dhabi last week.
“This is the first time we’ve seen any legislation that has a direct impact on our ability to make policies,” he said.
GDPR is the EU law governing how companies treat the private information of individuals. While in force now, from May next year companies in any industry found in breach of GDPR could face millions of euros in fines.
For the domain industry, it is expected to force potentially big changes on the current Whois system. The days of all Whois contact information published freely for all to see may well be numbered.
But nobody — not even ICANN — yet knows precisely how registries and registrars are going to be able to comply with the law whilst still publishing Whois data as required by their ICANN contracts.
The latest official line from ICANN is:
At this point, we know that the GDPR will have an impact on open, publicly available WHOIS. We have no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but we don’t know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available.
Marby told ICANNers last week that it might not be definitively known how the law applies until some EU case law has been established in the highest European courts, which could take years.
A GNSO working group and ICANN org have both commissioned legal studies by European law experts. The ICANN one, by Swedish law firm Hamilton, is rather more comprehensive and can be read here (pdf).
Even after this report, Marby said ICANN is still in “discovery” mode.
Marby encouraged the industry to not only submit their questions to ICANN, to be referred on to Hamilton for follow-up studies, but also to share whatever legal advice they have been given and are able to share.
He and others pointed out that Whois is not the only point of friction with GDPR — it’s a privacy law, not a Whois law — so registries and registrars should be studying all of their personal data collection processes for potential conflicts.
Because there is very likely going to be a clash between GDPR compliance and ICANN contract compliance, ICANN has suspended all enforcement actions against Whois violations, within certain parameters.
It said last week that: “ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.”
This is not ICANN saying that registries and registrars can abandon Whois altogether, the statement stresses, but they might be able to adjust their data-handling models.
Domain firms will have to show “a reasonable accommodation of existing contractual obligations and the GDPR” and will have to submit their models to ICANN for review by Hamilton.
ICANN also stressed that registries may have to undergo a Registry Services Evaluation Process review before they can deploy their new model.
The organization has already told two Dutch new gTLD registries that they must submit to an RSEP, after .amsterdam and .frl abruptly stopped publishing Whois data for private registrants recently.
General counsel John Jeffrey wrote to the registries’ lawyer (pdf) to state that an RSEP is required regardless of whether the “new registry service” was introduced to comply with local law.
“One of the underlying purposes of this policy is to ensure that a new registry service does not create and security, stability or competition concerns,” he wrote.
Jeffrey said that while Whois privacy was offered at the registry level, registrars were still publishing full contact details for the same registrants.
ICANN said last week that it will publish more detailed guidance advising registries and registrars how to avoid breach notices will be published “shortly”.
Amsterdam refuses to publish Whois records as GDPR row escalates
Two Dutch geo-gTLDs are refusing to provide public access to Whois records in what could be a sign of things to come for the whole industry under new European privacy law.
Both .amsterdam and .frl appear to be automatically applying privacy to registrant data and say they will only provide full Whois access to vetted individuals such as law enforcement officials.
ICANN has evidently slapped a breach notice on both registries, which are now complaining that the Whois provisions in their Registry Agreements are “null and void” under Dutch and European Union law.
FRLregistry and dotAmsterdam, based in the Netherlands, are the registries concerned. They’re basically under the same management and affiliated with the local registrar Mijndomein.
dotAmsterdam operates under the authority of the city government. .frl is an abbreviation of Friesland, a Dutch province.
Both companies’ official registry sites, which are virtually identical, do not offer links to Whois search. Instead, they offer a statement about their Whois privacy policy.
That policy states that Dutch and EU law “forbids that names, addresses, telephone numbers or e-mail addresses of Dutch private persons can be accessed and used freely over the internet by any person or organization”.
It goes on to state that any “private person” that registers a domain will have their private contact information replaced with a “privacy protected” message in Whois.
Legal entities such as companies do not count as “private persons”.
Under the standard ICANN Registry Agreement, all new gTLDs are obliged to provide public Whois access under section 2.5. According to correspondence from the lawyer for both .frl and .amsterdam, published by ICANN, the two registries have been told they are in breach.
It seems the breach notices have not yet escalated to the point at which ICANN publishes them on its web site. At least, they have not been published yet for some reason.
But the registries have lawyered up already, regardless.
A letter from Jetse Sprey of Versteeg Wigman Sprey to ICANN says that the registries are free to ignore section 2.5 of their RAs because it’s not compliant with the Dutch Data Protection Act and, perhaps more significantly, the EU General Data Protection Regulation.
The GDPR is perhaps the most pressing issue for ICANN at the moment.
It’s an EU law due to come into effect in May next year. It has the potential to completely rewrite the rules of Whois access for the entire industry, sidestepping the almost two decades of largely fruitless ICANN community discussions on the topic.
It covers any company that processes private data on EU citizens; breaching it can incur fines of up to €20 million or 4% of revenue, whichever is higher.
One of its key controversies is the idea that citizens should have the right to “consent” to their personal data being processed and that this consent cannot be “bundled” with access to the product or service on offer.
According to Sprey, because the Registry Agreement does not give registrants a way to register a domain without giving their consent to their Whois details being published, it violates the GDPR. Therefore, his clients are allowed to ignore that part of the RA.
These two gTLDs are the first I’m aware of to openly challenge ICANN so directly, but GDPR is a fiercely hot topic in the industry right now.
During a recent webinar, ICANN CEO Goran Marby expressed frustration that GDPR seems to have come about — under the watch of previous CEOs — without any input from the ICANN community, consideration in the EU legislative process of how it would affect Whois, or even any discussion within ICANN’s own Governmental Advisory Committee.
“We are seeing an increasing potential risk that the incoming GDPR regulation will mean a limited WHOIS system,” he said October 4. “We appreciate that for registers and registers, this regulation would impact how you will do your business going forward.”
ICANN has engaged EU legal experts and has reached out to data commissioners in the 28 EU member states for guidance, but Marby pointed out that full clarity on how GDPR affects the domain industry could be years away.
It seems possible there would have to be test cases, which could take five years or more, in affected EU states, he suggested.
ICANN is also engaging with the community in its attempt to figure out what to do about GDPR. One project has seen it attempt to gather Whois use cases from interested parties. Long-running community working groups are also looking at the issue.
But the domain industry has accused ICANN the organization of not doing enough fast enough.
Paul Diaz and Graeme Bunton, chairs of the Registries Stakeholder Group and Registrars Stakeholder Group respectively, have recently escalated the complaints over ICANN’s perceived inaction.
They told Marby in a letter that they need to have a solution in place in the next 60 days in order to give them time to implement it before the May 2018 GDPR deadline.
Complaining that ICANN is moving too slowly, the October 13 letter states:
The simple fact is that the requirements under GDPR and the requirements in our contracts with ICANN to collect, retain, display, and transfer personal data stand in conflict with each other.
…
GDPR presents a clear and present contractual compliance problem that must be resolved, regardless of whether new policy should be developed or existing policy adjusted. We simply cannot afford to wait any longer to start tackling this problem head-on.
For registries and registrars, the lack of clarity and the risk of breach notices are not the only problem. Many registrars make a bunch of cash out of privacy services; that may no longer be as viable a business if privacy for individuals is baked into the rules.
Other interests, such as the Intellectual Property Constituency (in favor of its own members’ continued access to Whois) and non-commercial users (in favor of a fundamental right to privacy) are also complaining that their voices are not being heard clearly enough.
The GDPR issue is likely to be one of the liveliest sources of discussion at ICANN 60, the public meeting that kicks off in Abu Dhabi this weekend.
UPDATE: This post was updated October 25 to add a sentence clarifying that companies are not “private persons”.
Halloran made ICANN’s first chief data protection officer
ICANN lifer Dan Halloran has added the title of chief data protection officer to his business card.
The long-serving deputy general counsel was named ICANN’s first CDPO on Friday, continuing to report to his current boss, general counsel John Jeffrey.
Privacy is currently the hottest topic in the ICANN community, with considerable debate about how contracted parties might be able to reconcile their ICANN obligations with forthcoming European data protection legislation.
But Halloran’s new role only covers the protection of personal data that ICANN itself handles; it does not appear to give him powers in relation to ongoing discussions about how registries and registrars comply with data privacy regulations.
He will be tasked with overseeing privacy frameworks for data handling and conducting occasional reviews, ICANN said.
ICANN has on occasion messed up when it comes to privacy, such as when it accidentally published the home addresses of new gTLD applicants in 2012, or when it made sensitive applicant financial data openly searchable on its applicant portal.
Halloran joined ICANN over 17 years ago and before his deputy GC position served as chief registrar liaison.
Recent Comments