Recent Posts
- Epik drops another 50,000 domains after scandal
- Palage’s epic rant as he asks ICANN to cancel Verisign’s .net contract
- Papac named interim ICANN Ombudsman
- Nominet takes over Bounty mutineers’ ccTLD
- .tube registry claims victory in linkification fight
- Ancient registrar gets ICANN breach notice over UDRP
- ICANN is starting to auto-renew new gTLD contracts
- Freenom hit by FIFTH ICANN action after litany of screw-ups
- Second DNSSEC screw-up takes down Aussie web sites
- Nominet adds handcuffs clause to proposed new Articles
- Single/plural gTLD combos to be UNBANNED
- ICANN rejects a whole bunch of new gTLD policy stuff
- Volkswagen ditches its dot-brand
- Radix looking for a back-end
- Is this why WhatsApp hates some TLDs but not others?
- Blockchain domain firm raises $2.5 million
- Verisign: 1.7 million domain industry growth in Q2
- Namecheap has given away 500,000 free .me domains
- Epik had another terrible month in May
- Blockchain startup gets $5 million to apply for gTLDs
- Buckridge to replace Shears on ICANN board
- CentralNic rebrands as Team Internet
- .ai sells 100,000 domains in a year
- Google to launch two fun new gTLDs next month
- Domainers not welcome as .music readies September launch
- Another six dot-brands self-terminate (two are very strange)
- Four more years for Identity Digital in Oz
- ICANN might be a director light after election stalemate
- ICANN turns down money from blockchain alt-root
- CentralNic chief calls on industry to tackle climate change
- London Domain Summit starts tomorrow
- Closed generics ban likely to remain after another policy group failure
- Ukrainian domains slide as war becomes the new normal
- Epik had worst month ever in April
- Go.Compare now redirecting to the .com
- Huge telco dumps gTLDs after rebrand
- Rejected former director threatens to sue Nominet
- April 2026 is the date for the next new gTLD round
- Doria leaving ICANN board a loss for new gTLD program
- A second new gTLD has FAILED and will be sold off
- .web hit by second ICANN complaint
- Registrar linked to defunct social network terminated
- Three candidates stand for Nominet board
- Next round of gTLDs could come much sooner than expected
- Registering .cv domains might become easier
- Musk prematurely announces Twitter is now X
- Nominet admits membership fees mistake
- Government to regulate UK-related domain names
- Domainer objects to Epik’s acquisition over Masterbucks collapse
- Freenom is losing another ccTLD after collecting military emails
- DENIC kicks out NCC as ICANN’s sole escrow agent
- ICANN takes over country’s ccTLD after Hall of Famer’s death
- ICANN Ombudsman quits
- ICA baffled by plan to outlaw domaining in India
- No $8 million discount for dot-brands, says ICANN
- Epik lost 125,000 domains in Q1
- Buckingham leaves Nominet’s board early
- Epik is off the ICANN naughty step
- Identity Digital is gobbling up Verisign’s back-end business
- o.com auction likely a damp squib after Overstock rebrand
- ICANN actually CHANGES Verisign’s .net contract after public comments
- GoDaddy takes over .health
- The looooong road to urgently hiring ICANN’s next CEO
- Rwanda picked for ICANN meeting
- Governments call for ban on gTLD auctions
- Red Cross gets takedown powers over .org domains
- Domain universe grew 1% in Q1
- Closed generics and IDNs debates are big drag on new gTLDs
- New gTLD registry gets second ICANN breach notice
- Epik lost another 22,000 domains to transfers in February
- Mystery buyer rescues Epik at end of crazy week
- Millions of domains to be deleted as Freenom loses its first TLD
- Everyone hates Verisign’s new .net deal
- UAE boasts rapid domain growth in 2022
- ICANN just put a date on the next new gTLD round
- Three more straggler new gTLDs coming soon
- Three more dot-brands realize the futility of existence
- woke.com among domains in NamesCon auction
- Domainer asks court to block Epik sell-off
- .web delay likely after Verisign rival files ICANN appeal
- CentralNic starts returning cash to shareholders as revenue grows
- Newly launched .zip already looks dodgy
- Progress made on next new gTLD round rules
- Brands ask for cheaper ICANN fees
- ICANN salary porn: 2022 edition
- Tucows and GoDaddy see weakness in big-ticket aftermarket sales
- Another registrar seemingly vanishes
- Verisign “pleased” at ICANN’s .web call
- .hiphop returns to GoDaddy after Uniregistry snub
- Danish national registry changes its name. Don’t laugh.
- ICANN signs Whois’ death warrant in new contracts
- Verisign WILL get .web, ICANN rules
- Verisign narrows domain growth guidance
- Epik exodus topped 100,000 domains in January
- Nominet looking for another director
- CentralNic expects revenue up 24% in Q1
- Epik CEO tries to wriggle out of $327,000 refund lawsuit
- Travel gTLD registry dumps three strings — NOT dot-brands
- Worried about governments seizing .com domains? Too late
- Epik’s meltdown is a ticking time-bomb for ICANN
- Epik customer exodus started when Monster quit
- ICANN wants more newbies on its board
- AcornDomains bought by conference organizer
- Uniregistry successor makes big pricing changes on two TLDs
- ICANN to crowd-source CEO search
- Verisign’s .net contract up for public comment
- About 6,000 .au domains remain contested
- New gTLDs — implementation talks to start next month
- Epik sued over financial meltdown
- ChatGPT maker files UDRP on .com match
- Costerton drops rap album to attract Gen Z to ICANN
- .food registry to dump four dot-brand gTLDs
- Google to drop EIGHT new gTLDs
- .org back-end contract up for grabs
- The end of “do-nothing” ICANN?
- Governments backtracking on closed generics ban
- Radix sold almost $8 million of premiums last year
- .com was a drag on the industry in Q4
- Identity Digital hit by failure of Silicon Valley Bank
- .art links DNS and alt-root ENS
- Brands want new gTLD fast track
- Facebook sues free domains registry for cybersquatting
- Whois disclosure system coming this year?
- Euro registrars merge to form Your.Online
- This is why ICANN is worried about new gTLDs right now
Whois disclosure system coming this year?
ICANN has approved the creation of a Whois Disclosure System, almost six years after Europe’s GDPR rules tore up the rule book on Whois access.
The system is likely to face a name change before going live, due to the fact that it does not guarantee, nor process, the disclosure of private Whois data.
The board of directors passed a resolution February 27, a month later than expected, “to develop and launch the WHOIS Disclosure System (System) as requested by the GNSO Council within 11 months from the date of this resolution.”
That’s two months longer than earlier anticipated, but we’re still looking potentially at a live system that people can sign up for and use a year from now.
The system is expected to be based on the Centralized Zone Data Service that many of us have been using to request and download gTLD zone files for the last decade. While not perfect, CZDS gets the job done and has improved over the years.
The technology will be adapted to create what essentially amounts to a ticketing system, allowing the likes of IP lawyers to request unredacted Whois records. The requests would then be forwarded to the relevant registrar.
It’s an incredibly trimmed-down version of what Whois users had been asking for. Participation is voluntary on both sides of the transaction, and registrars are under no new obligations to approve requests.
If nobody uses the system, it could be turned off. ICANN Org has only been directed to run it for “for up to two years”. ICANN will collect and publish usage data to figure out whether it’s worth the quite substantial number of hours and dollars that have already gone into its development.
The actual cost of development and operation had been pegged at $3.3 million, but the board’s resolution states that most of the cost will be existing staff and excess costs will come from the Supplemental Fund for Implementation of Community Recommendations (SFICR).
ICANN expects to approve Whois Disclosure System next month
ICANN could be offering a centralized system for requesting private domain registration data as early as a year from now, a mere five and a half years after GDPR ruined the global Whois system for many.
The Org recently alluded to its “board’s anticipated January 2023 vote to move forward in implementing the new system to streamline the intake and routing of requests for access to nonpublic gTLD registration data” in a blog post.
It has previously stated that it will take nine months to develop and roll out the system, along with a three-month “ramp-up period”, but that preparatory work may have already started.
The system will be based on CZDS, the service that currently allows people to request zone file data from registries, and cost $3.3 million to develop and run for its anticipated two-year trial period.
Don’t expect it to be called the Whois Disclosure System though. Community feedback has been pretty clear that “disclosure” is an inappropriate word because the system merely manages requests and does not actually disclose anything.
It’s also going to be voluntary for both requesters and registrars/registries for now.
The system was previously known as SSAD Lite, a cut-down version of the community-recommended System for Standardized Access and Disclosure, which ICANN estimated would have cost infinity dollars and take a century to implement.
Registrars CAN charge for Whois, ICANN grudgingly admits
ICANN is powerless to prevent registrars from charging for access to non-public Whois data, the Org has reluctantly admitted.
In a recent advisory, ICANN said it is “concerned” that registrars including Tucows have been charging fees to process requests for data that would otherwise be redacted in the free public Whois.
But it said there’s nothing in the Registrar Accreditation Agreement, specifically the Temporary Specification governing Whois in the post-GDPR world, that bans such services:
While the RAA explicitly requires access to public registration data directory services to be provided free of charge, the Temporary Specification does not specifically address the issue of whether or not a registrar may charge a fee for considering requests for access to redacted registration data.
So basic Whois results, with all the juicy info redacted, has to be free, but registrars can bill organizations who ask for the veil to be lifted. ICANN wrote:
ICANN org is concerned that registrars’ imposition of fees for consideration of requests for access to nonpublic gTLD registration data may pose an access barrier. Access to registration data serves the public interest and contributes to the security and stability of the Internet
The advisory calls out Tucows’ Tiered Access Compliance and Operations system, TACO, as the primary example of a registrar charging for data, but notes that others are too.
Not long after the advisory was published, Tucows posted an article in which it explained that the fees are necessary to cover the cost of the “thousands” of automated requests it has received in the last four years.
Charging fees for compliance with other forms of legal process is not uncommon in the industry, and the vast majority of requests for registration data (approximately 90%) continue to come from commercial litigation interests and relate to suspected intellectual property infringement.
Facebook, now Meta, was at first, and may still well be, a frequent bulk filer.
Tucows said that it “frequently” waives its fees upon request for “single-use requestors and private parties”.
Identity Digital publishes treasure trove of abuse data
Identity Digital, the old Donuts, has started publishing quarterly reports containing a wealth of data on reported abuse and the actions it takes in response.
The data for the second quarter, released (pdf) at the weekend, shows that the registry receives thousands of reports and suspends hundreds of domains for DNS abuse, but the number of domains it takes down for copyright infringement is quite small.
ID said that it received 3,007 reports covering 3,816 unique domains in the quarter, almost 93% of which related to phishing. The company said the complaints amounted to 0.024% of its total registered domains.
Most cases were resolved by third parties such as the registrar, hosting provider, or registrant, but ID said it suspended (put on “protective hold”) 746 domains during the period. In only 11% of cases was no action taken.
The company’s hitherto opaque “Trusted Notifier” program, which allows the Motion Picture Association and Recording Industry Association of America to request takedowns of prolific piracy sites resulted in six domain suspensions, all as a result of MPA requests.
The Internet Watch Foundation, which has similar privileges, resulted in 26 domains being reported for child sexual abuse material. Three of these were suspended, and the remainder were “remediated” by the associated registrar, according to ID.
The report also breaks down how many requests for private Whois data the company received, and how it processed them. Again, the numbers are quite low. Of requests for data on 44 domains, 18 were tossed for incompleteness, 23 were refused, and only three resulted in data being handed over.
Perhaps surprisingly, only two of the requests related to intellectual property. The biggest category was people trying to buy the domain in question.
This is a pretty cool level of transparency from ID and it’ll be interesting to see if its rivals follow suit.
Whois Disclosure System to cost up to $3.3 million, run for one year
ICANN has published its game plan for rolling out a Whois Disclosure System ahead of next week’s ICANN 75 public meeting in Kuala Lumpur.
The Org reckons the system will take nine months to build and will cost up to $3.3 million to develop and run for two years, although it might wind up getting shut down after just one year.
The Whois Disclosure System, previously known as SSAD Light, is a mechanism whereby anyone with an ICANN account — probably mainly IP lawyers in practice — can request unredacted private Whois data from registrars.
The system is to be built using retooled software from the current Centralized Zone Data Service, which acts as a hub for researchers who want to request zone files from gTLD registry operators.
ICANN’s design paper (pdf), which contains many mock-ups of the likely user interface, describes the new system like this:
Just as in CZDS, a requestor navigates to the WHOIS Disclosure System web page, logs into their ICANN Account, and is presented with a user experience much like the current CZDS. In this experience, requestors can see pending and past requests as well as metadata (timestamps, status, etc.) associated with those requests. For a requestor’s pending requests, they can see all the information related to that request.
Requests filed with the system will be routed to the relevant registrar via the Naming Services Portal, whereupon the registrar can choose how to deal with it. The system doesn’t change the fact that registrars have this discretion.
But the system will be voluntary for not only the requesters — who can still contact the registrar directly if they wish — but also the registrars. One can imagine smaller and frequently abused registrars won’t want the hassle.
The cost of this system will be $2.7 million in staffing costs, with $90,000 in external licensing costs and another $500,000 in contingency costs. Because ICANN has not budgeted for this, it will come from the Supplemental Fund for Implementation of Community Recommendations, which I believe currently has about $20 million in it.
This is far and away cheaper than the full-fat SSAD originally proposed by the GNSO, which ICANN in January estimated could cost up to $27 million to build over five years.
While cheaper, there are still substantial questions remaining about whether it will be popularly used, and whether it will be useful in getting private Whois data into the hands of the people who say they need it.
ICANN is saying that the Whois Disclosure System will run for one year “at which point the data sets collected will be analyzed and presented for further discussion between the GNSO Council and Board”.
The design paper will be discussed at multiple ICANN 75 sessions, starting this weekend.
New ICANN contracts chart the death throes of Whois
Whois is on its death bed, and new versions of ICANN’s standard contracts put a timeline to its demise.
The Org has posted proposed updates to its Registrar Accreditation Agreement and Registry Agreement, and most of the changes focus on the industry-wide transition from the Whois standard to the newer Registration Data Access Protocol.
We’re only talking about a change in the technical spec and terminology here. There’ll still be query services you can use to look up the owner of a domain and get a bunch of redactions in response. People will probably still even refer to it as “Whois”.
But when the new RAA goes into effect, likely next year, registrars and registries will have roughly 18 months to make the transition from Whois to RDAP.
Following the contract’s effective date there’ll be an “RDAP Ramp-up Period” during which registrars will not be bound by RDAP service-level agreements. That runs for 180 days.
After the end of that phase, registrars will only have to keep their Whois functioning for another 360 days, until the “WHOIS Services Sunset Date”. After that, they’ll be free to turn Whois off or keep it running (still regulated by ICANN) as they please.
ICANN’s CEO and the chair of the Registrars Stakeholder Group will be able to delay this sunset date if necessary.
Most registrars already run an RDAP server, following an order from ICANN in 2019. IANA publishes a list of the service URLs. One registrar has already lost its accreditation in part because it did not deploy one.
There’ll be implementation work for some registrars, particularly smaller ones, to come into compliance with the new RAA, no doubt.
There’ll also be changes needed for third-party software and services that leverage Whois in some way, such as in the security field or even basic query services. Anyone not keeping track of ICANN rules could be in for a sharp shock in a couple of years.
The contracted parties have been negotiating these changes behind closed doors for almost three years. It’s been almost a decade since the last RAA was agreed.
The contracts are open for public comment until October 24.
Whois Disclosure System likely over a year away
ICANN lifted the curtain a little on its fetal Whois Disclosure System this week, but the news is not good if you’re champing at the bit for a usable system for requesting private Whois data from registrars.
The system, formerly referred to as SSAD Lite, will take “seven to nine months” to develop after ICANN staff gets the green light from its board, staffers told a small GNSO volunteer working group on a Wednesday conference call.
That timetable assumes the staffers working on it are 100% devoted to developing the system, rather than sharing their time between competing projects, they quickly clarified.
This raises the specter of months-long delays to the other big, already-delayed, ICANN work-in-progress — the next new gTLD application round.
The responsible staffers plan to publish a design document for the Whois Disclosure System around ICANN 75 next month, but whether the board will give its immediate approval is not clear.
We’re probably looking at at least a year before there’s a system in place that IP lawyers, security researchers and the like can log into, request data, and be disappointed.
And that’s despite the fact that the system will be built using existing technology — namely the CZDS or Centralized Zone Data Service, which has be in use for many years allowing people to request zone files from gTLD registries.
During this week’s webinar, staffers described how, like CZDS, there will be two user interfaces: one for the data requester, one for the data holder. The system will simply act as an intermediary between the two.
It will use ICANN’s existing accounts system, so there will be no user vetting beyond email address verification. There’ll be no integration with registrars’ existing ticketing systems, and any communications between registrar and requester will have to take place via email.
There’ll also be no billing function, because the system will be free to use by all parties and completely voluntary. While registrars are contractually bound to respond to Whois data requests, there’s no such obligation to use the Whois Disclosure System to do so.
Staffers admitted on the call that they’re a bit stumped about how to encourage registrars to sign up when the system goes live.
Feds warn of Covid risk from “dark” Whois
The US Food and Drug Administration has escalated its beef with ICANN, warning that inaccessible Whois data is making it harder to tackle bogus Covid-19 “cures” and the country’s opioid crisis.
Catherine Hermsen from the FDA’s Office of Criminal Investigations wrote to ICANN CEO Göran Marby last week to complain that some registrars do not adequately respond to abuse complaints and that ICANN ignores follow-up complaints from government agencies.
She doubled down on the FDA’s previous complaint that ICANN’s inaction may be because it is funded by the industry, but back-pedaled on previous insinuations that ICANN’s leadership were putting their own big salaries ahead of public safety.
The beef started in early June, when an organization called Coalition for a Secure & Transparent Internet — basically a front for the likes of DomainTools and other companies whose business models are threatened by privacy legislation — held a one-sided webinar entitled “The Threat of a Dark WHOIS”.
On that webinar, Daniel Burke, chief of the FDA’s Investigative Services Division, lamented the lack of cooperation his agency gets when requesting private Whois data from “certain” registrars, and pointed to cases where the FDA’s inability to quickly get fake pharma sites, including those related to Covid-19, shut down have led to deaths.
He also said that complaints to ICANN about non-compliant registrars fall on deaf ears, to the point that it no longer bothers complaining, and suggested that ICANN and domain companies are financially incentivized to be uncooperative.
Burke quoted the writer Upton Sinclair: “It is difficult to get a man to understand something when his salary depends on his not understanding it.”
“I have found that’s the case with my interactions with ICANN and certain registries and registrars,” Burke said. “They just don’t want to listen… it’s a money-maker for them right now, it’s not profitable for them to deal with it.”
Marby also “spoke” on the CSTI webinar, but his brief intervention was actually just an out-of-context snippet — the “GDPR is not my fault!” T-shirt speech — taken from a recording of an ICANN webinar back in January and presented — dishonestly in my opinion — as if it had been filmed as a contribution to the CSTI discussion.
His inability to directly respond to Burke live led him to write to the FDA (pdf) a couple of weeks later to dispute some of his claims.
First, Marby said the the FDA does not need to obtain a subpoena to get access to Whois data. Registrars are obliged to respond to “legitimate interest” requests, when balanced against the privacy rights of the registrant, he said. He added:
In a few instances, government agencies have submitted complaints to ICANN Contractual Compliance regarding registrars’ refusal to provide non-public registration data. These agencies were ultimately successful in gaining access to the requested data without having to obtain a subpoena or lawful order.
Second, Marby disputed the financial motivation claims, writing: “ICANN’s leadership’s salaries are in no way tied to or dependent upon domain name registrations.”
Third, he offered a (pretty weak, in my view) defense against the claim that ICANN ignores complaints from government agencies, pointing out: “ICANN is not political and, therefore, takes actions to ensure that the workings of the Internet are not politicized.”
He also pointed out that ICANN operates a system called DNSTICR which monitors reports of DNS abuse related to the pandemic and alerts the relevant registries and registrars.
The problem here is that ICANN’s definition of abuse is pretty narrow and does not extend to web sites that sell industrial bleach as a Covid cure. That would count as “content” and ICANN is not the “content police”.
That’s pretty much what Hermsen says in the latest missive (pdf) in this row.
DNS security threats such as malware and phishing, however, were not what SA Burke was referring to in his presentation. Given the agency’s public health mission, FDA has been working during the pandemic to protect Americans from unproven or fraudulent medical products claiming to treat, cure, prevent, mitigate or diagnose COVID-19…
Given your stated concerns regarding COVID-19-related malware and phishing activity, we trust that you are equally concerned about registrars who may not be following the [Registrar Accreditation Agreement’s] requirements to “investigate” and “respond appropriately” following receipt of notifications about abuse, particularly complaints reporting activity involving COVID-19-related fraud or activity exacerbated the current opioid addiction crisis — especially in light of ICANN’s singular ability to enforce the terms of RAAs.
She also comes back, splitting hairs in my opinion, on the ICANN salaries claim, stating: “SA Burke was not referring to ICANN’s leadership salaries… SA Burke was referring more generally to the substantial source of funding ICANN receives from domain name registries and registrars.”
ICANN has just started work on a Whois Disclosure System that, while pretty weak, may make it slightly easier for government agencies to obtain the data they want.
New gTLDs WILL be delayed by Whois work
The next round of new gTLD applications will be delayed by ICANN’s work on Whois reform, ICANN chair Maarten Botterman confirmed today.
In a letter to his GNSO Council counterpart Philippe Fouquart, Botterman states that the new gTLDs Operational Design Phase, which was due to wrap up in October, will have to proceed with an “extended timeline”.
This is because the GNSO has pushed the concept of a Whois Disclosure System, previously known as SSAD Light and meant to provide the foundations of a system for access private Whois data, and ICANN needs time to design it.
Botterman wrote (pdf):
there is an overlap in org resources with the relevant expertise needed to complete these efforts. As a result, work on the [Whois] design paper will impact existing projects. While SubPro [new gTLDs] ODP work will not stop during this period, we anticipate that an extended timeline will be required to account for the temporary unavailability of resources allocated to the design paper work.
Botterman did not put a length of time to these delays, but previous ICANN estimates have talked about six weeks. GNSO members had worried that this estimate might be a low-ball that could be extended.
ICANN had given the GNSO the option to choose to delay Whois work to complete the SubPro ODP, but it could not come to an agreement on which project was more important, and seemed to resent even being asked.
New gTLDs or Whois access? What’s more important?
Should ICANN focus its resources on getting the next round of new gTLDs underway, or making some baby steps towards a post-GDPR system of Whois access?
That’s a question the community is going to have to address when ICANN 74 rolls around next month, after the ICANN board presented it with a divisive question on two of the industry’s most pressing issues that split the GNSO Council along predictable lines at its monthly meeting last week.
It turns out that ICANN doesn’t have the resources to both design a new “SSAD Light” system for handling Whois requests and also carry on its new gTLDs Operational Design Phase, “SubPro”, at the same time.
If the community wants ICANN staff to start work on SSAD Light, work will be paused on the ODP for at least six weeks, ICANN has said. If they want the system also built, the delay to new gTLDs could be much, much longer.
Intellectual property lawyers are of course keen to at least start undoing some of the damage caused by privacy legislation such as GDRP, while registries and consultants are champing at the bit for another expansion of the gTLD space.
This split was reflected on the Council’s monthly call last week, where registry employees Maxim Alzoba, Kurt Pritz and Jeff Neuman were opposed by IP lawyers Paul McGrady and John McElwaine.
“Six weeks is a sneeze in a hurricane,” McGrady said. “We are right on the cusp of taking first steps to solve a problem that has plagued the Community since GDPR came out. I don’t think a six-week delay on SubPro, which again we’re years into and it looks like will be years to go, is a material change to SubPro… a very minor delay seems well worth it.”
At this point, ICANN is still planning to have the SubPro ODP wrapped up in October, thought it has warned that there could be other unforeseen delays.
Neuman warned that even a six-week pause could provide more than six weeks delay to SubPro. Staff can’t just down tools on one project and pick up again six weeks later without losing momentum, he said.
Pritz seemed to echo this concern. The Registries Stakeholder Group hasn’t finished discussing the issue yet, he said, but would be concerned about anything that caused “inefficiencies” and “switching costs”.
The discussion was pretty brief, and no votes were taken. It seems the conversation will pick up again in The Hague when ICANN meets for its short mid-year public meeting on June 13.
Recent Comments