Whois privacy talks in Bizarro World as governments and trademark owners urge coronavirus delay

Coronavirus may have claimed another victim at ICANN — closure on talks designed to reopen private Whois data to the likes of law enforcement and trademark owners.

In a remarkable U-turn, the Governmental Advisory Committee, which has lit a series a fires under ICANN’s feet on this issue for over a year, late last week urged that the so-called Expedited Policy Development Process on Whois should not wrap up its work in June as currently planned.

This would mean that access to Whois data, rendered largely redacted worldwide since May 2018 due to the GDPR regulation in Europe, won’t be restored to those who want it as quickly as they’ve consistently said that they want it.

Surprisingly (or perhaps not), pro-access groups including the Intellectual Property Constituency and Business Constituency sided with the GAC’s request.

In an email to the EPDP working group’s mailing list on Thursday, GAC chair Manal Ismail indicated that governments simply don’t have the capacity to deal with the issue due to the coronavirus pandemic:

In light of the COVID-19 pandemic, and its drastic consequences on governments, organizations, private sector and individuals worldwide, I would like to express our serious concerns, as GAC leaders, that maintaining the current pace of work towards completion of Phase 2 by mid-June could jeopardize the delivery, efficacy and legitimacy of the EPDP’s policy recommendations.

While recognizing that the GAC has continually advised for swiftly completing policy development and implementing agreed policy on this critical public policy matter, we believe that given the current global health emergency, which puts many in the EPDP and the community under unprecedented stress (for example governments has been called to heightened duties for the continuity of essential public services), pressing important deliberations and decisions in such a short time frame on already strained participants would mean unacceptably sacrificing the product for the timeline.

We understand there are budget and human resources considerations involved in the completion of Phase 2 of the EPDP. However, we are all living through a global health pandemic, so we call on the EPDP Team to seriously reassess its course and expectations (be it on the duration of its calls, the turn-around time of reviews, its ultimate timeline and budget) emulating what numerous governments, global organizations, and households are doing to adapt during these challenging times across the world.

In April last year, before the EPDP group had even formally started its current phase of talks, Ismail wrote to ICANN to say the GAC expected the discussions to be more or less wrapped up by last November and that the new policy be implemented by this April.

Proponents of the access model such as Facebook have taken to suing registrars for not handing over Whois data in recent months, impressing the need for the issue to be urgently resolved.

So to now request a delay beyond June is a pretty big U-turn.

While Ismail later retracted her request for delay last Thursday, it was nevertheless discussed by the working group that same day, where the IPC, the BC and the ALAC all expressed support for the GAC’s position.

The registrars and registries, the non-commercial users and the ISPs were not supportive.

Delay might be tricky. For starters, hard-sought neutral working group chair Janis Karklins, has said he can’t continue working on the project beyond June 30, and the group has not secured ICANN funding for any further extensions to its work.

It will be up to the GNSO Council to decide whether to grant the extension, and the ICANN board to decide on funding.

The working group decided on Thursday to ask the Council for guidance on how to proceed.

What’s worrying about the request, or at least the IPC and BC’s support of it, is that coronavirus may just be being deployed as an excuse to extend talks because the IP owners don’t like the proposal currently on the table.

“The reality is we’re looking at a result that is… just not going to be sufficient from our perspective,” MPAA lawyer Frank Journoud, an IPC rep on the working group, said on its Thursday call. “We don’t want the perfect to be the enemy of the good, but right now we’re not even going to get to good.”

The current state of play with the working group is that it published its initial report (pdf) for public comment in February.

The group is recommending something called SSAD, for Standardized System for Access and Disclosure, in which a central gateway provider, possibly ICANN itself, would be responsible for granting Whois access credentials and fielding requests to the relevant registries and registries.

The almost 70 comments submitted before the March 23 deadline have been published in an unreadable, eye-fucking Google spreadsheet upon which transparency-loving ICANN may as well have hung a “Beware of the Leopard” sign. The staff summary of the comments is currently nine days late.

Facebook WILL sue more registrars for cybersquatting

Facebook has already sued two domain name registrars for alleged cybersquatting and said yesterday that it will sue again.
Last week, Namecheap became the second registrar in Facebook’s legal crosshairs, sued in in its native Arizona after allegedly failing to take down or reveal contact info for 45 domains that very much seem to infringe on its Facebook, Instagram and WhatsApp trademarks.
In the complaint (pdf), which also names Namecheap’s Panama-based proxy service Whoisguard as a defendant, the social media juggernaut claims that Whoisguard and therefore Namecheap is the legal registrant for dozens of clear-cut cases of cybersquatting including facebo0k-login.com, facebok-securty.com, facebokloginpage.site and facebooksupport.email.
In a brief statement, Facebook said these domains “aim to deceive people by pretending to be affiliated with Facebook apps” and “can trick people into believing they are legitimate and are often used for phishing, fraud and scams”.
Namecheap was asked to reveal the true registrants behind these Whoisguard domains between October 2018 and February 2020 but decline to do so, according to Facebook.
The complaint is very similar to one filed against OnlineNIC (pdf) in October.
And, according to Margie Milam, IP enforcement and DNS policy lead at Facebook, it won’t be the last such lawsuit.
Speaking at the second public forum at ICANN 67 yesterday, she said:

This is the second in a series of lawsuits Facebook will file to protect people from the harm caused by DNS abuse… While Facebook will continue to file lawsuits to protect people from harm, lawsuits are not the answer. Our preference is instead to have ICANN enforce and fully implement new policies, such as the proxy policy, and establish better rules for Whois.

Make no mistake, this is an open threat to fence-sitting registrars to either play ball with Facebook’s regular, often voluminous requests for private Whois data, or get taken to court. All the major registrars will have heard her comments.
Namecheap responded to its lawsuit by characterizing it as “just another attack on privacy and due process in order to strong-arm companies that have services like WhoisGuard”, according to a statement from CEO Richard Kirkendall.
The registrar has not yet had time to file its formal reply to the legal complaint, but its position appears to be that the domains in question were investigated, found to not be engaging in nefarious activity, and were therefore vanilla cases of trademark infringement best dealt with using the UDRP anti-cybersquatting process. Kirkendall said:

We actively remove any evidence-based abuse of our services on a daily basis. Where there is no clear evidence of abuse, or when it is purely a trademark claim, Namecheap will direct complainants, such as Facebook, to follow industry-standard protocol. Outside of said protocol, a legal court order is always required to provide private user information.

UDRP complaints usually take several weeks to process, which is not much of a tool to be used against phishing attacks, which emerge quickly and usually wind down in a matter of a few days.
Facebook’s legal campaign comes in the context of an ongoing fight about access to Whois data. The company has been complaining about registrars failing to hand over customer data ever since Europe’s GDPR privacy regulation came into effect, closely followed by a new, temporary ICANN Whois policy, in May 2018.
Back then, its requests showed clear signs of over-reach, though the company claims to have scaled-back its requests in the meantime.
The lawsuits also come in the context of renewed attacks at ICANN 67 on ICANN and the domain industry for failing to tackle so-called “DNS abuse”, which I will get to in a follow-up article.

DI Leaders Roundtable #3 — What did you think of ICANN 66?

It’s time for the third in the series of DI Leaders Roundtables, in which I pose a single question to a selection of the industry’s thought leaders.
With ICANN 66 taking place a couple of weeks ago in Montreal, Canada, a multitude of topics came under public discussion, among them: DNS abuse, the .amazon gTLD application, access to Whois data and geographic names protections.
So, this time around, I asked:

What was your biggest takeaway from ICANN 66?

And this, in no particular order, is what they said:
Frank Schilling, CEO, Uniregistry

What a great industry… So many stable players with fresh ideas. Innovators who cross pollinate and stay with the industry in spite of the fact that there is no new gold and obvious money-making opportunity at the moment. Many stable operators trying new things and growing the industry from the inside out.

Michele Neylon, CEO, Blacknight

There weren’t any big surprises at ICANN 66. As I expected there were a couple of topics that many people were focussed on and they ignored pretty much everything else.
The biggest single topic was “abuse”. It’s not a “new” topic, but it’s definitely one that has come to the fore in recent months.
Several of us signed on to a “framework to address abuse” in the run up to the ICANN meeting and that, in many respects, may have helped to shift the focus a little bit. It’s pretty clear that not all actors within the eco system are acting in good faith or taking responsibility for their actions (and inactions). It’s also pretty clear that a lot of us are tired of having to pay the cost for other people’s lack of willingness to deal with the issues.
Calls for adding more obligations to our contracts are not welcome and I don’t think they’ll help deal with the real outliers anyway.
There’s nothing wrong in theory with offering cheap domain names but if you consciously choose to adopt that business model you also need to make sure that you are proactive in dealing with fraud and abuse.

Ben Crawford, CEO, CentralNic

That M&A has become the dominant business activity in the domain industry.

Milton Mueller, Professor, Georgia Tech

My takeaways are shaped by my participation on the EPDP, which is trying to build a “standardized system of access and disclosure” for redacted Whois data. The acronym is SSAD, but it is known among EPDP aficionados as the “So-SAD.” This is because nearly all stakeholders think they want it to exist, but the process of constructing it through an ICANN PDP is painful and certain to make everyone unhappy with what they ultimately get.
The big issue here concerns the question of where liability under the GDPR will sit when private data is released through a So-SAD. Registrars and registries would like to fob off the responsibility to ICANN; ICANN tells the world that it wants responsibility to be centralized somehow in a So-SAD but ducks, dodges and double-talks if you ask it whether ICANN org is willing to take that responsibility.
ICANN’s CEO, who fancies himself a European politician of sorts, has driven the EPDP team batty with a parallel process in which he ignores the fact that the EPDP team has all stakeholders represented, lawyers from contracted parties and data users, and privacy experts on it, as well as formal legal advice from Bird and Bird. Instead he feels compelled to launch a parallel process in which ICANN org goes about trying to make proposals and then ask European authorities about them. He has asked a bunch of techies unaware of the policy issues to design a So-SAD for us and is now badgering various European agencies for “advice” and “guidance” on whether such a system could centralize legal responsibility for disclosure decisions. The parallel process, known as the Strawberry team, was featured in the public meeting on Whois reform as if it was of equal status as the formally constituted EPDP.
But a great ICANN 66 takeaway moment occurred during that moment. The European Commission’s Pearce O’Donoghue told the assembled multitudes that a SoSAD “WOULD NOT…REMOVE THE LIABILITY OF THE DATA CONTROLLER, WHICH IS THE REGISTRAR OR THE REGISTRY. SO WE WOULD HAVE A QUESTION AS TO WHETHER IT IS ACTUALLY WORTH THAT ADDED COMPLEXITY.” So, bang, the request for European advice blew up right in Goran Marby’s face. Not only did he get a critical piece of advice on the most important issue facing the SoSAD and the EPDP, but he got it without going through the elaborate parallel process. No doubt there is now furious behind the scenes lobbying going on to reverse, change or step back from O’Donoghue’s comment. Marby has been quoted (and directly seen, by this writer) as claiming that with the submission of the Strawberry team’s formal request for “guidance” from the European Data Protection Board being submitted, he is now “done” with this. Let’s hope that’s true. My takeaway: ICANN org and all of its fruity concoctions needs to get out of the way and let the PDP work.
The final EPDP-related takeaway is that the biggest decision facing the EPDP as it makes policy for the So-SAD is who makes the disclosure decision: registrars who hold the data, or ICANN? Everyone agrees with centralizing the process of requesting data and hooking up to a system to receive it. But who makes the decision is still contested, with some stakeholders wanting it to be ICANN and others wanting it to reside with the contracted parties. It seems obvious to me that it has to be the registrar, and we should just accept that and get on with designing the So-SAD based on that premise.

Jothan Frakes, Executive Director, Domain Name Association

A few: WHOIS (or Lookup) remains challenging territory, registries and registrars > are not inactive about addressing abuse while avoiding becoming content police, and poutine is delicious.

Christa Taylor, CMO, MMX

From my perspective, the biggest takeaway is the level of industrious efforts, transformation and passion throughout the industry. Every meeting and dinner consisted of a broad range of organizations and people with diverse perspectives on industry topics resulting in thought-provoking debates or conceptual brainteasers. Compared to a year ago, the conversations have materially changed — impacted from industry consolidations, system updates and developments along with organizational transitions to streamline business in one method or another. While there is still plenty of work ahead of us, both within the industry and ICANN, it’s satisfying to reflect and realize that progress is being achieved, cooperation benefits all and no matter how long the tunnel might be, there is light.

DI Leaders Roundtable #2 — Should we kill off “Whois”?

Should we stop using the word “Whois” to describe registration data lookup services?
That’s the question I posed for the second DI Leaders Roundtable.
I’m sure you’re all very well aware that the Registration Data Access Protocol (RDAP) is the imminent replacement for the Whois protocol, as the technical method by which domain registrant contact information is stored, transmitted and displayed.
ICANN also regularly refers to Registration Data Directory Services (RDDS) as a protocol-independent blanket term covering the concept of looking up Whois or RDAP data.
You may also recall that ICANN, which is ostensibly a technical body, appears to bedeprecating the word “Whois” in favor of “Lookup” on its own web-based query service.
ICANN has a track record of introducing new acronyms to describe already well-understood functions. The IANA has technically been called “Public Technical Identifiers” for years, but does anyone actually call it “PTI”? No, everyone still talks about “IANA”.
So I wanted to know:

Should we continue to call it “Whois” after the technical transition to RDAP is complete? Will you continue to refer to “Whois”? Should we change to a different word or acronym? Should the industry standardardize its language one way or the other?

There seems to be a general consensus that “Whois” ain’t going anywhere.
The responses, in no particular order.
Jothan Frakes, Executive Director, Domain Name Association

The term WHOIS won’t quickly leave the zeitgeist due to the decades of its use as a description of the lookup process. Lookup is somewhat confusing, as there is DNS Query lookup that works across the resolution system, and WHOIS Lookup that works to find registrant info via the registration system. As far as the term “Lookup” as the label for the new normal that is poised to replace WHOIS? It is better than the acronym “RDDS”. The general public probably would not assume that RDDS is a way to find out about a domain owner or registration information, because it sounds like it involves dentistry (DDS) if one is not following the ICANN world as close as insiders. Despite the evolutionary path the basic function seems to be on, it is likely that WHOIS continues to be what the nickname for the lookup process called, regardless of the support technology layers below it not literally being WHOIS.

Frank Schilling, CEO, Uniregistry

WHOIS IS DEAD, LONG LIVE WHOIS.
The echo of “Whois” will live long after Whois is dead and gone. The very nature of its replacement word “Lookup” ensures that the information hungry public will expect more fulsome data than ICANN intends the word to provide. There will continue to be services who try to engineer a Whois hack and provide accurate underlying data for paying customers. Whois is going to outlive all of us. Even those who diet, exercise, and eat organic food.

Dave Piscitello, Partner, Interisle Consulting Group

Just as most of the world isn’t familiar with new TLDs, most have no appreciation for the differences between Whois and RDAP. The term “Whois” is convenient, memorable, and embedded. It also represents a service to most users, not a protocol, so if we do “standardize” we should use “RDS”. While we sort out the disastrous effects of ICANN’s Temp Spec policy on both investigators and victims of DNS abuse, most parties involved with educating policy makers and legislators should continue to use Whois for consistency’s sake.

Christa Taylor, CMO, MMX

As the old adage goes, “Don’t fix what’s not broken.” While “Whois” may have lost some of its luster due to GDPR I prefer to retain the term — it’s simple, representative of the information it provides and avoids adding any confusion especially for people outside of ICANN. Employing standardized language is, of course, logical and after twenty years of using “Whois” it is the accepted term both inside and outside the industry.

Sandeep Ramchamdani, CEO, Radix Registry

First up, the transition to the RDAP system is much needed given the fundamental flaws of Whois.
It would help in placing some guardrails around customers’ privacy while still providing agencies such as law enforcement authenticated access that they need to do their work.
Whois is a major cause of spam and in the age where privacy is top currency, public, unauthenticated availability of personal data is unacceptable.
It should also smooth out inter-registrar transfers and lower customer frustration while moving out to a different service provider.
When it comes to its name, calling it “RDAP” or “Lookup” would be a branding error. It would cause some confusion and for those not intimately involved in the industry, who may find it hard to discover the new system.
In my mind, keeping the original nomenclature “Whois”, while making it clear that it’s a newer avatar of the same solution would be the way to go.
Can’t think of a better term than “Whois 2.0”.
Very easy to understand that it’s a newer, more advanced iteration of the same product.

Michele Neylon, CEO, Blacknight

Whois was originally a simple little protocol that allowed network operators to contact each other to address technical issues. It predates the usage of domain names or the “web”.
When domains were introduced the same concept was simply transposed over to the new identifiers.
However over the past 20 plus years the way that people viewed Whois has morphed dramatically. The first time I spoke at an ICANN meeting 12 years ago was on the subject of Whois!
Now the term is used both to talk about the technical protocol, which is being replaced in the gTLD space and the data that it is used to store and possibly display. We talk about “Thin Whois”, “Thick Whois” and so many other services and issues linked back to it.
Whois as a protocol is far from perfect, which is why replacing the technical side of it makes a lot of sense.
So with the world slowly moving towards a new technical method for processing domain registration data then maybe we should come up with another word for it. However I’m not sure if there’s much to be gained by doing that.
We are all used to the floppy disk icon to save a document, even if floppy disks are no longer used. With the term “Whois” being part of people’s vocabulary for the nearly a quarter of a century. it’d be pretty hard to find a simple replacement and have people adopt it widely. Sure, in the more technical conversations it makes sense to use more accurate terms like “RDAP”, but the average punter just wants to be able to use a term that they can understand.
Those of us who work with domains and internet technology in our day jobs might care about the “correct” terminology, but we’re in a minority. We all get excited when the mainstream media picks up on a story involving domain names or the DNS and even gets half of it right! If we conjure up some new term that we think is accurate it’ll take years before anyone outside our bubble is comfortable with it. So I don’t think we should.
We should simply accept that “Whois” is a term used to refer to domain registration data no matter what technology under the hood is used to handle it.

Rick Schwartz, domain investor

Hate to give the same basic answer to two questions in a row, but who cares?
Really!! Who cares? Nobody!
This is inside baseball that doesn’t affect anyone on the entire planet except for a handful of domain investors and ICANN etc.
Call it whatever you like just make sure it’s public info.

ICANN enters talks to kill off Whois for good

Whois’ days are numbered.
ICANN is to soon enter talks with accredited registrars and contracted gTLD registries with the aim of naming a date to finally “sunset” the aging protocol.
It wants to negotiate amendments to the Registrar Accreditation Agreement and Registry Agreement with a view to replacing obligations to publish Whois with obligations to publish Registration Data Access Protocol data.
In letters to the chairs of its registrar and registry constituencies this week, ICANN CEO Göran Marby wrote:

The primary focus of the amendment is to incorporate contractual requirements for the Registration Data Access Protocol (RDAP) into the Registration Data Directory Services. This should include definition of the plan and provisions to sunset the obligations related to the WHOIS protocol as we transition Registration Data Services to RDAP.

For avoidance of doubt, people will still be able to look up the contact information for domain name owners after the change, but the data they see (very likely redacted for privacy reasons nowadays) will be delivered over a different protocol.
The contract amendment processes involve both registry and registrar constituencies to nominate a few people to engage in talks with ICANN negotiators, which is expected to conclude within 90 days.
When they come up with mutually acceptable language, the amendments will be open for both public comment and a vote of registries and registrars, before going to the ICANN board of directors for final approval.
The voting process is complex, designed to avoid capture by the largest registrars, and based on a balance of the number of voting registrars and the number of domains they collectively manage.
The contractual changes will come as no surprise to contracted parties, which have been on-notice for years that Whois is on its way out in favor of RDAP.
Most registrars already operate an RDAP server in parallel to their old Whois service, following an ICANN deadline in August.
We could be looking at the death of Whois within a year.

Crunch time, again, for Whois access policy

Talks seeking to craft a new policy for allowing access to private Whois data have hit another nodal point, with the community now pressuring the ICANN board of directors for action.
The Whois working group has more or less decided that a centralized model for data access, with ICANN perhaps acting as a clearinghouse, is the best way forward, but it needs to know whether ICANN is prepared to take on this role and all the potential liabilities that come with it.
Acronym time! The group is known as the Whois EPDP WG (for Expedited Policy Development Process Working Group) and it’s come up with a rough Whois access framework it’s decided to call the Standardized System for Access and Disclosure (SSAD).
Its goal is to figure out a way to minimize the harms that Europe’s General Data Protection Regulation allegedly caused to law enforcement, IP owners, security researchers and others by hiding basically all gTLD registration data by default.
The SSAD, which is intended to be as automated as possible, is the working group’s proposed way of handling this.
The “hamburger model” the EPDP has come up with sees registries/registrars and data requestors as the top and bottom of the sandwich (or vice versa) with some yet-to-be-decided organizational patty filling acting as an interface between the two.
The patty would handle access control for the data requests and be responsible for credentialing requestors. It could either be ICANN acting alone, or ICANN coordinating several different interface bodies (the likes of WIPO have been suggested).
Should the burger be made only of mashed-up cow eyelids, or should it incorporate the eyelids of other species too? That’s now the question that ICANN’s board is essentially being posed.
Since this “phase two” work kicked off, it’s taken about five months, 24 two-hour teleconferences, and a three-day face-to-face meeting to get to this still pretty raw, uncooked state.
The problem the working group is facing now is that everyone wants ICANN to play a hands-on role in running a centralized SSAD system, but it has little idea just how much ICANN is prepared to get involved.
The cost of running such a system aside, legislation such as GDPR allows for pretty hefty fines in cases of privacy breaches, so there’s potentially a big liability ask of notoriously risk-averse ICANN.
So the WG has written to ICANN’s board of directors in an attempt to get a firm answer one way or the other.
If the board decided ICANN should steer clear, the WG may have to go back more or less to square one and focus on adapting the current Whois model, which is distributed among registrars and registries, for the post-GDPR world.
How much risk and responsibility ICANN is willing to absorb could also dictate which specific SSAD models the WG pursues in future.
There’s also a view that, with no clarity from ICANN, the chance of the WG reaching consensus is unlikely.
This will be a hot topic at ICANN 66 in Montreal next month.
Expect the Governmental Advisory Committee, which had asked for “considerable and demonstrable progress, if not completion” of the access model by Montreal, to be disappointed.

Whois killer deadline has passed. Did most registrars miss it?

The deadline for registrars to implement the new Whois-killer RDAP protocol passed yesterday, but it’s possible most registrars did not hit the target.
ICANN told registrars in February (pdf) that they had six months to start making RDAP (Registration Data Access Protocol) services available.
RDAP is the replacement for the age-old Whois protocol, and provides virtually the same experience for the end user, enabling them to query domain ownership records.
It’s a bit more structured and flexible, however, enabling future services such as tiered, authenticated access.
Despite the August 26 deadline coming and going, ICANN records suggest that as many as three quarter of accredited registrars have not yet implemented RDAP.
The IANA department started publishing the base URLs for registrar RDAP servers recent.
According to this list, there are 2,454 currently accredited registrars, of which only 615 (about 25%) have an RDAP server.
But I’m not convinced this number is particularly useful.
First, just because a registrar’s RDAP server is not listed, does not mean it does not have one.
For example, the two largest registrars, Tucows and GoDaddy, do not have servers on the list, but both are known to have been working on RDAP services for a long time through public pilots or live services. Similarly, some CentralNic registrars have servers listed while others do not.
Second, of the 1,839 accreditations without servers, at least 1,200 are DropCatch.com shells, which tips the scales towards non-compliance considerably.
Still, it seems likely that some registrars did in fact miss their deadline. How stringently ICANN chooses to enforce this remains to be seen.
ICANN itself replaced its “Whois” service with a “Lookup” service last month.
According to Michele Neylon of the registrar Blacknight, contracted parties can also discover RDAP URLs via ICANN’s closed RADAR registrar information portal.
RDAP and Whois will run concurrently for a while before Whois takes its final bow and disappears forever.

ICANN dumps the “Whois” in new Whois tool

Of all the jargon regularly deployed in the domain name industry and ICANN community, “Whois” is probably the one requiring the least explanation.
It’s self-explanatory, historically doing exactly what it says on the tin. But it’s on its way out, to be replaced by the far less user-friendly “RDAP”.
The latest piece of evidence of this transition: ICANN has pushed its old Whois query tool aside in favor of a new, primarily RDAP-based service that no longer uses the word “Whois”.
RDAP is the Registration Data Access Protocol, the IETF’s standardized Whois replacement to which gTLD registries and registrars are contractually obliged to migrate their registrant data.
Thankfully, ICANN isn’t branding the service on this rather opaque acronym. Rather, it’s using the word “Lookup” instead.
The longstanding whois.icann.org web site has been deprecated, replaced with lookup.icann.org. Visitors to the old page will be bounced to the new one.
The old site looked like this:

The new site looks like this:

It’s pretty much useless for most domains, if you want to find out who actually owns them.
If you query a .com or .net domain, you’ll only receive Verisign’s “thin” output. This does not included any registrant information.
That’s unlike most commercial Whois services, which also ping the relevant registrar for the full thick record.
For non-Verisign gTLDs, ICANN will return the registry’s thick record, but it will be very likely be mostly redacted, as required under ICANN’s post-GDPR privacy policy.
While contracted parties are still transitioning away from Whois to RDAP, the ICANN tool will fail over to the old Whois output if it receives no RDAP data.
Under current ICANN Whois policy, registries and registrars have until August 26 to deploy RDAP services to run alongside their existing Whois services.

Airline hit with $230 million GDPR fine

British Airways is to be fined £183.39 million ($230 million) over a customer data breach last year, by far the biggest penalty to be handed out under the General Data Protection Regulation to date.
This story is not directly related to the domain name industry, but it does demonstrate that European data protection authorities are not messing about when it comes to GDPR enforcement.
About 500,000 BA customers had their personal data — including full payment card details — stolen by attackers between June and September last year, the UK Information Commissioner’s Office said today..
It is believed that they obtained the data not by hacking BA’s database, but rather by inserting a script hosted by third-party domain that executed whenever a customer transacted with the site, allowing credentials to be captured in real time.
The ICO said its decision to fine $183.39 million — which amounts to more than 1.5% of BA’s annual revenue — is preliminary and can be appealed by BA.
Under GDPR, which came into effect in May 2018, companies can be fined up to 4% of revenue.
The biggest pre-GDPR fine is reportedly the £500,000 penalty that Facebook was given due to the Cambridge Analytica scandal.
GDPR is of course of concern to the domain industry due to the ongoing attempts to make sure Whois databases are compliant with the laws.

PwC wants to be your Whois gatekeeper

PricewaterhouseCoopers has built a Whois access system that may help domain name companies and intellectual property interests call a truce in their ongoing battle over access to private Whois data.
Its new TieredAccess Platform will enable registries and registrars to “outsource the entire process of providing access to non-public domain registration data”.
That’s according to IP lawyer Bart Lieben, partner at the Belgian law firm ARTES, who devised the system and is working with PwC to develop it.
The offering is designed to give trademark lawyers access to the data they lust after, while also reducing costs and mitigating domain name industry liability under the General Data Protection Regulation.
TieredAccess would make PwC essentially the gatekeeper for all requests for private Whois data (at least, in the registries plugged into the platform) coming from the likes of trademark owners, security researchers, lawyers and law enforcement agencies.
At one end, these requestors would be pre-vetted by PwC, after which they’d be able to ask for unredacted Whois records using PwC as an intermediary.
They’d have to pick from one of 43 pre-written request scenarios (such as cybersquatting investigation, criminal probe or spam prevention) and assert that they will only use the data they obtain for the stated purposes.
At the other end, registries and registrars will have adopted a set of rules that specify how such requests should be responded to.
A ruleset could say that cops get more access to data than security researchers, for example, or that a criminal investigation is more important than a UDRP complaint.
PwC has created a bunch of templates, but registrars and registries would be able to adapt these policies to their own tastes.
Once the rules are put in place, and the up-front implementation work has been done to plug PwC into their Whois servers, they wouldn’t have to worry about dealing with Whois requests manually as most are today. The whole lot would be automated.
Not even PwC would have human eyes on the requests. The private data would only be stored temporarily.
One could argue that there’s the potential for abusive or non-compliant requests making it through, which may give liability-nervous companies pause.
But the requests and response metadata would be logged for audit and compliance, so abusive users could be fingered after the act.
Lieben says the whole system has been checked for GDPR compliance, assuming its prefabricated baseline scenarios and templates are adopted unadulterated.
He said that the PwC brand should give clients on both sides “peace of mind” that they’re not breaking privacy law.
If a registrar requires an affidavit before releasing data, the assertions requestors make to PwC should tick that box, he said.
Given that this is probably a harder sell to the domain name industry side of the equation, it’s perhaps not surprising that it’s the requestors that are likely to shoulder most of the cost burden of using the service.
Lieben said a pricing model has not yet been set, but that it could see fees paid by registrars subsidized by the fees paid by requestors.
There’s a chance registries could wind up paying nothing, he said.
The project has been in the works since September and is currently in the testing phase, with PwC trying to entice registries and registrars onto the platform.
Lieben said some companies have already agreed to test the service, but he could not name them yet.
The service was developed against the backdrop of ongoing community discussions within ICANN in the Expedited Policy Development Working group, which is trying to create a GDPR-compliant policy for access to private Whois records.
ICANN Org has also made it known that it is considering making itself the clearinghouse for Whois queries, to allow its contracted parties to offload some liability.
It’s quite possible that once the policies are in place, ICANN may well decide to outsource the gatekeeper function to the likes of PwC.
That appears to be what Lieben has in mind. After all, it’s what he did with the Trademark Clearinghouse almost a decade ago — building it independently with Deloitte while the new gTLD rules were still being written and then selling the service to ICANN when the time came.
The TieredAccess service is described in some detail here.