
Enom Blog

  • Content Moderation: How Do We Make the Internet Better from Here?

    February 4, 2021

    Industry Insight


    Last Friday, NamesCon hosted a fireside chat with our CEO, Elliot Noss, titled “How do we make the Internet better from here?” The discussion included some reminiscing about Tucows’ early days and how the Internet has evolved, but the main focus was online content moderation, something that we’ve been dealing with for years in our role as a domain registrar, and a topic that’s been very much in the spotlight as of late.

    During the talk, Elliot spoke about how he sees things progressing, which is that in a void of effective governmental regulation, large global platforms will be forced to “move toward clear frameworks” for content moderation that outline “what, why, and when they take down.” In effect, and whether or not it’s what should happen, platforms will be “making law.”

    Elliot also touched on Tucows’ approach to formalizing our own content framework, and we’re committed to sharing more on this as our thinking evolves.

    Thanks to NamesCon for the invitation and for sharing the resulting video.


  • Data Privacy Day 2021: Data Protection by Design

    January 28, 2021

    Advice, GDPR, Industry Insight


    January 28 is Data Privacy Day! Privacy is a topic we’re hugely passionate about, and we’re really proud of the work we do to protect the personal data we’re entrusted with and to advocate for the privacy rights of domain owners and our resellers. It should go without saying that we approach data protection with great care and consideration year-round, but it’s nice to have a dedicated day when we pause to reflect on why data privacy is so important. I’m taking this as an opportunity to highlight some quick data privacy tips which are ready to be shared with your customers (TikTok video below), recap what Tucows (Enom’s parent company) accomplished in 2020, and provide some insight into our plans for the year ahead.

    Data privacy tips for your customers

    Here are things that all of us should know when sharing our data online, also available in TikTok form.

      1. You have the right to access your data and correct inaccurate information.
        Every company you share your data with should have this functionality. Check the app settings or contact them to find out more.
      2. You have the right to know if a company is sharing your data and a right to give or withdraw your consent to share it.
        Privacy settings are super important in controlling which information apps and services can share. Make sure you keep track of them!
      3. If you consented to optional data use, you can withdraw consent at any time.
        When you click “I consent,” that’s not permanent! You can change your mind and take back control of your information.

     

    Data protection by design at Tucows

    We work hard to ensure that high standards of privacy and data protection are present in our products and services from start to finish. But what does this process actually look like?

    Planning

    Data protection begins in the planning phase, where we conduct comprehensive reviews called Data Protection Impact Assessments (DPIAs) for any new product or service we want to introduce that touches personal data. This includes changes and additions to our reseller services, as well as any tools or applications we adopt internally. These Assessments help us identify and document any possible risks to the data, and our methods of mitigating those risks.

    Implementing

    In the product development and implementation phases, and while services are active in our platforms, we follow regulatory requirements for data protection, adhere to industry best practices for security measures, and have robust processes in place to respond to customer privacy concerns and fulfill data subject access requests.

    Review

    We have also put in place a new annual review process for our Data Protection Impact Assessments. This involves looking back at all the services we’ve completed DPIAs for, to see if there were changes to how those products or services handle data or any updates that require further data protection work on our part.

    Tucows’ progress in 2020

    Privacy and data protection work is so essential, but it’s perhaps not the most exciting topic, except to me and my fellow privacy and policy nerds. Nonetheless, we think it’s important to highlight some of the goals we achieved in 2020 related to data protection.

    Creating greater transparency

    The most visible change was the launch of our updated Data Sharing Preferences (a unique URL where domain owners can set their preferences) and Data Sharing Practices pages. These resources now more clearly explain how and why we process personal data. We also now offer translation of these pages into eight languages, helping data subjects access the information in the language that they’re most comfortable reading.

    Advocacy work within ICANN

    Within the ICANN policy development world, we worked hard to ensure that the privacy rights of our domain customers are respected. We continue to advocate for policy changes to promote “data protection by design and default” within the domain name system, such as ensuring that registration data is only disclosed to third parties when there’s a valid legal reason to do so. This cause has been central to our public speaking engagements in 2020, including a recent webinar where we shared domain data disclosure statistics from the registrar and registry community (available here, look for September 22 in the chart).

    Keeping a pulse on global privacy developments

    From the broader international perspective, the biggest change we saw in 2020 was the invalidation of the EU-US Privacy Shield framework, which we blogged about in November.

    Plans for the future

    Looking ahead to 2021, Tucows’ Privacy Team’s goal is to continue the work we started in 2020 in an expanded and enhanced manner. This includes working to improve how we disclose data processing practices and options to users on our platform.

    Our advocacy work with ICANN will remain a priority, specifically ensuring that policy requirements are in alignment with our obligations under data protection regulations, and that when newly-approved policies are implemented they permit adherence to relevant privacy laws.

    Finally, we’re avidly following developments to Canadian privacy law with the incoming Canadian Consumer Privacy Protection Act, and working with our contacts in Canada’s Ministry of Innovation, Science, and Economic Development to advocate for privacy rights in the tech industry.

    If you have any questions about data protection and privacy as they relate to our Domains, Email, and SSL products, get in touch!

    So, that’s what we’re looking forward to in the year to come. How will you celebrate Data Privacy Day? Personally, I plan to eat cake and reset all my passwords.


  • Make Business More Personal with .ME

    December 8, 2020

    Industry Insight


    Across all industries, the COVID-19 pandemic has forced businesses to refresh, rethink, and in some cases, establish for the first time, their online home. Many are looking for ways to infuse their online presence and the customer experience with greater authenticity and empathy. Because creating a sense of community online is more important than ever.

    Today, we’re highlighting the .ME domain extension, a great TLD option for businesses that want to prioritize keeping things personal, real, and human. Here’s what makes .ME great.

    It creates a memorable first impression

    Intense competition, and the many buying options available to consumers today, make it imperative for B2C businesses to offer a high degree of personalization and customization. To gain a competitive advantage and encourage brand loyalty, businesses all over the world are building more personal relationships with consumers.
    It isn’t surprising then, that a growing number of businesses are choosing .ME as their online home. By pairing their brand’s name with this uniquely personal domain extension, they get a powerful asset that can help them make a statement online, get noticed, or, as we’ll see below, shift the focus to the customer.

    .ME lends itself to some marketable domain names

    .ME gives website owners the chance to coin punchy catchphrases that instantly communicate what their business is all about. We can all agree that domains like dress.me, promote.me, count.me, wear.me and choose.me, to name just a few potentials, are super memorable.

    If you want a real-life example, take a look at Call.ME or Allow.ME, who have used the .ME extension to turn their brand name and URL into an engaging call to action.

    Call.ME is a simple, clever domain name with a clear purpose. Back in the day, SecurCom acquired the domain Call.ME, transforming the business name and website address of their new service into a call to action. Now, their customers can use a Call.ME domain name when communicating with their friends and colleagues. By turning their company name into a call to action, they created something self-explanatory and easy to remember. Similarly, Allow.ME, a web-based event management system, makes use of a premium domain name that prompts you into action.

    But not all .ME catchphrases are premium domain names. If you’re going for fun and playful branding, the possibilities are endless. Themify.ME, a platform for premium WordPress themes & plugins, and Drupalize.ME, the world’s leading Drupal training service, are great examples of standard domain names that communicate a business’s selling proposition in the website link.

    It works great as a URL shortener

    In fact, a lot of big brands are using it for this purpose. Facebook put its trust in .ME by using fb.me to redirect to the main Facebook website and m.me as a short URL for their Messenger app. Other high-profile companies that use .ME for short URLs include DeviantArt (fav.me), IndieGoGo (igg.me) and AirBNB (abnb.me).

    Why domain resellers should offer .ME

    Alongside the many reasons why .ME appeals to business owners, the extension also offers a few more technical advantages that make it a great (and easy) addition to your TLD lineup.

    It has universal acceptance, which means you can sell it globally

    .ME has a personal meaning in multiple languages and supports over twenty IDN scripts, helping businesses from all over the world build their brands online.

    It’s a trusted domain

    The .ME registry monitors the namespace for spam, phishing, malware, and other forms of abuse on a daily basis. Domain holders can also activate DNSSEC for extra protection.

    No restrictions

    .ME keeps the registration process short and simple. It’s easy to implement and register with no restrictions or additional requirements.

    Help your small business customers stand out online

    A domain name is foundational to any business that operates online. It’s the link that their customers click on to arrive at their site. It’s the most important ingredient in word-of-mouth-referrals. It’s important that it be short, catchy, and inviting. With .ME, your customers can get creative and ensure their virtual signpost is real, human, and memorable.

    Oh, and as a cool bonus, it’s worth letting website owners know that .ME likes to feature businesses and individuals who have registered a .ME domain name on The ME Blog. (Always nice to have a backlink!). The blog is also a great resource for everything related to online business, from advice on how to choose a domain name to help in the fields of marketing, development and many more.


    This post was sponsored by the .ME registry.


  • Support e-commerce customers with subscription tools

    November 20, 2020

    Fun, Industry Insight


    Guest author: Jeff Sass, CMO, .CLUB Domains

    With more people working from home and modifying their brick-and-mortar shopping habits, e-commerce is booming. According to a report by Shopify, global business-to-consumer (B2C) e-commerce sales are expected to reach $4.5 trillion by 2021. And that projection does not take into account the acceleration in online shopping caused by the global pandemic. A July survey of 5,000 consumers in North America and Europe found that 36% of respondents shop online weekly, up from 28% pre-COVID-19. Many Direct-to-Consumer (D2C) e-commerce businesses are reporting record sales for Q2 and Q3 2020, as many physical retailers struggle or adapt by adding an online channel to their business.

    Top Subscription Models for E-Commerce

    One area, in particular, that has seen tremendous growth is subscription services. For e-commerce businesses selling physical products, there are two primary subscription models:

    • subscription boxes (a selection of curated goods that varies with each delivery)
    • “subscribe-and-save” subscriptions (for recurring orders of replenishable items)

    Both models have been experiencing rapid growth and can provide predictable, recurring revenue for the e-commerce businesses that offer them.

    User adoption of subscription models has indeed proven to be a boon for e-commerce businesses, and it looks like the trend is set to continue. According to the Subscription Trade Association’s (SUBTA) 2019 State of the Subscription Commerce Economy Annual Report, by 2023, 75 percent of organizations selling D2C will offer subscription services.

    Thinking Inside the Box

    SUBTA also found that, as of 2018, there were close to 7,000 subscription box companies in the world. Nearly 70% of these companies are based out of the United States. Currently, there are 18.5 million subscription box shoppers in the United States. 35% of active subscribers have three or more subscriptions, with the median number of subscriptions per active subscriber being two. As for subscribe-and-save, 15% of online shoppers have signed up for one or more subscriptions to receive products on a recurring basis.

    The top categories for subscription boxes are Grooming, Food, Apparel, Lifestyle, Pets, and Kids. In 2019 Pets and Apparel were the fastest-growing categories in terms of website visitors.

    In the subscribe-and-save model, the top categories include Food, Pets, and Coffee.

    Helping e-commerce businesses offer subscriptions

    If your platform supports e-commerce businesses, especially those that fall into one of the categories listed above, empowering your customers to adopt a subscription model may benefit their businesses while reaffirming you as the provider that makes it all possible.

    Here are some things you might consider:

    1. Provide some inspiration

    The world is full of all kinds of enthusiasts. That means there are all kinds of products that are well-suited for subscriptions. Here are a few stores with subscription models that might inspire your customers to get creative with their offering:

     

    Loofah.club offers a wide selection of natural loofahs and sponges with subscriptions starting as low as $4.99 a month.

     

    Bookcase.club makes it simple to read great books no matter what your literary preference. Subscribers choose a category and receive new books every month.

     

    TheFragrance.club is a subscription business that makes scents! Choose your delivery frequency and your favourite perfume or cologne, and you are set to always smell great.

    2. Make it easy for your customers to sell subscriptions

    This might mean building the functionality in house or offering easy integration with a third-party provider that can automate subscription payments, billing, and management for your customers.

    3. Suggest some creative TLDs for their subscription service URL

    What makes subscription boxes a success is that they are personalized. And really, every consumer touchpoint is an opportunity to keep things playful and personal. Hosting a subscription service on a creative TLD like .CLUB is a fun way to remind the customer that they are a member, not just a customer.

    If you’re looking for other TLD options that will help your customers build their brand, improve their SEO, and deliver a memorable online experience, check out our full lineup of domain extensions.


  • Do Privacy Shield Rulings Impact Enom?

    November 3, 2020

    GDPR, Industry Insight, News, Uncategorized


    If you follow data privacy news, you may have heard that the EU-US Privacy Shield was invalidated recently, and as an Enom reseller, you might be wondering how that affects our services. TL;DR: It doesn’t.

    We’ll get into the details of Privacy Shield, what it was used for, and what happens now that it’s been invalidated, but essentially, it let U.S.-based businesses lawfully transfer the personal data of EU individuals to the US by signing on to a series of privacy and data protection commitments.

    Now that the EU-US Privacy Shield is no longer an option, companies transferring data will have to look into the other possibilities remaining to them under the GDPR. This is something you may already be looking at for your own business; for your Enom domain reseller services, we’ve got it covered.

    What does the GDPR say about cross-border data transfer?

    When we think about the GDPR and other data privacy laws, we tend to think they restrict or entirely prevent the use of personal data in the name of privacy. That’s not entirely incorrect—a big part of protecting personal data is limiting its use—but it’s also not the whole story. Another aim of the GDPR is to allow or even enable the transfer of personal data, as long as the data remains protected. When the data remains within the EU, it stays under the direct purview of the GDPR, and so ensuring that it remains protected is fairly straightforward, since the same rules apply both before and after the transfer. But what about when sending data out of the EU?

    The GDPR offers three basic options for how to transfer data to a “third country” outside the EU.

    Option 1: an “adequacy decision”

    The European Commission can review a country’s data protection laws and determine that they offer an adequate level of protection for personal data. The Commission maintains a list of countries with adequacy status; Canada is included, but only for data protected under Canadian privacy law (which does not cover personal data being processed by the government! Oh, Canada—room for improvement!)

    Option 2: appropriate safeguards

    The second option for transferring data is referred to as “appropriate safeguards,” which includes the Standard Contractual Clauses, a pre-approved contract provided by the European Commission which can be appended to any agreement.

    Option 3: derogations

    Derogations are exceptions for certain circumstances, which should only be used rarely and as a last resort.

    What was the EU-US Privacy Shield? What happened to it?

    The EU-US Privacy Shield was a special type of adequacy decision, a framework set up by the European Commission and the US Department of Commerce which US-based businesses could commit to follow. It provided assurances related to data protection and data subject rights that are similar to what we are familiar with from the GDPR; once a business signed on to those commitments, they became legally binding and enforceable. These commitments included:

    • providing transparent information to individuals about rights related to their data
    • providing dispute resolution for individuals who brought complaints related to how their data is handled
    • meeting purpose limitation and data retention obligations and requirements around accountability

    Now that the EU-US Privacy Shield has been invalidated, businesses can no longer rely on it as an adequacy decision. Instead, any transfer of data from the EU into the US needs to be protected by some other method—either appropriate safeguards or derogations. We know that derogations are limited, generally to be used for one-time transfers or exceptional circumstances.

    So where does that leave businesses who need to transfer data, including domain providers? They will have to add the proper assurances into their contracts, typically by use of standard contractual clauses—which is what we have done since 2018.

    How does Enom handle cross-border data transfer without the Privacy Shield?

    Lucky for us, it’s not a problem. We don’t have to make any changes to how we protect data when transferring it to the US because we don’t rely on the EU-US Privacy Shield framework.

    The Privacy Shield framework was only available to American companies, which right away excludes two of Tucows’ (our parent company) main domain businesses. Enom is American, but OpenSRS is a Canadian company, and Ascio is European. Enom could have signed on to the Privacy Shield framework, but Tucows wanted a single approach to apply to all their businesses.

    When we built out our processes for GDPR compliance, we adopted Standard Contractual Clauses provided by the European Commission to govern how we protect personal data.

    The Standard Contractual Clauses have been incorporated into our contracts with our resellers, vendors, and other service providers via a Data Processing Addendum. This means that when domain registration data is sent to registries or data centers in the US these contractual commitments can be relied on to govern how the data is handled and to ensure that each data subject’s rights are always respected. Specifically, through the Data Processing Addendum, we commit to complying with GDPR obligations, including confidentiality and information security controls, cooperation with supervisory authorities, and appointing a Data Protection Officer. The Addendum also documents our obligations related to ongoing testing and review of security measures, the reasons we process data, and what third-party providers we work with. We closely watch for any updates to the Standard Contractual Clauses, as we want to remain current with any standards provided by the European Commission.

    What do I need to do as a reseller?

    For the data processed related to our services, absolutely nothing! You’ve already accepted our Reseller Agreement, so it’s all handled. If you want to learn more, though, you can look for yourself to see the Standard Contractual Clauses in our Data Processing Addendum (which is incorporated into our Reseller Agreement by reference), and you can compare them to the version published by the Commission.

    You can also consult your own data protection counsel. This blog post is intended to be helpful and to share with you how we view data protection at Enom, but it is not intended as legal advice and should not be seen as a replacement for independent legal counsel.


  • Whois History and Updated Tiered Access Statistics

    September 17, 2020

    GDPR, Industry Insight


    The Internet as we know it may be fairly new, but that short history doesn’t mean it’s not also filled with cycles and repetition.

    Back in 2003, ICANN convened the Whois Task Force, intended to improve the ability of Whois services to contribute to the stability and security of the Internet while balancing the need to protect the privacy of the personal data involved. The Task Force’s goals of defining the purposes of Whois services overall—and of specific points of contact—as well as determining what data should be public and how to provide access as needed to nonpublic data, is remarkably similar to the work done in the EPDP, which was recently tasked with updating ICANN policy to adhere to the GDPR and other relevant privacy and data protection legislation while ensuring lawful disclosure of registration data where necessary.

    In 2005, in that same Task Force, the RrSG proposed the creation of an “Operational Point of Contact” to help address a specific issue:

    the amount of data that ICANN requires registrars to display in the Whois is facilitating all sorts of undesirable behaviours like renewal scams, data-mining, phishing, identity theft, and so on.

    The RrSG proposal was intended to enable contact with the relevant person responsible for the domain while also maintaining the privacy of personal data—again, similar to what the EPDP would later attempt—but other groups on the Task Force focused instead on limiting data protection to only a small subset of domain owners in order to retain as much access as possible.

    The Final Task Force Report on Whois Services, from 2007, gained support from the registrar and registry stakeholder groups (RrSG) and the non-commercial stakeholder group, but did not receive the business or intellectual property constituencies’ support.  The policy development world seems stuck in a loop, with the EPDP’s final report likely fated to end identically, despite our hopes that the ICANN Community will be able to break that cycle.

    Abusive use of publicly-available domain registration data, which RrSG members call out regularly, including in the early ‘00s and again in the EPDP, takes many different forms. Although it’s been some time since they’ve popped up in the news, those who follow the domain industry will know of Brandon Gray Internet Services, also known as NameJuice or Domain Registry of America. Their history of gathering Whois data to spam registrants with emails disguised as domain name renewal notices is well-documented[1], as is the damage done to domain owners and other Internet users. Typical complaints centered around registrants not knowing who their domain provider is or why a domain has been transferred away from their preferred registrar, paying for services that were unnecessary or nonexistent, and inability to manage domains after the transfer was completed. This began early in our Internet history, when domain owners were less experienced in managing services and had fewer data privacy and protection rights—or at least lower awareness around how to exercise those rights. In recent years, NameJuice has managed to stay under the radar, carefully crafting their solicitations to remain within the bounds of “marketing” and to avoid legal and compliance action.

    Abusive use of domain registration data took the form of bulk scraping of publicly-available data from the Whois system; this data was then packaged and sold by enterprising cybercriminals to both security researchers with valid purpose and those seeking to use it for purely commercial purposes. Because security researchers benefited from this arrangement, they kept their heads in the sand about the accumulation of the data—one of the first instances of cybercrime tools for hire.

    When unrestricted access to Whois data was terminated in May 2018, these data aggregators continued to sell previously-collected data. This mass processing of historic and ongoing registration data is illegal. Even data that is public may only be processed in a manner compliant with data protection regulations, including the GDPR; this means that the organization doing the processing must have a legal basis to do so and make sure the data subject (the registrant) is fully informed.

    Scraping is specifically prohibited in registrars’ terms of service for Whois data, yet security researchers, commercial litigators, and other parties seem eager to use such illicitly-obtained personal data while continuing to fight for access to information that was obtained through cybercrime.

    Tucows is not blameless; we should have more aggressively prosecuted these “WhoWas” service providers[2] while they were at the peak of their scraping and selling of this data, instead of merely implementing technical means to attempt to prevent their criminal activity (including rate limiting and requiring CAPTCHAs for lookups). While we did send cease and desist letters on multiple occasions, when these were ignored we did not take any additional action. We regret not having done so, especially as these companies continue to sell access to customers’ personal data to their complicit clients.

    At this point, since registration data is mostly redacted unless and until the domain owner decides to make it public, bulk gathering up of registration data is a decreasing concern but is still very much on our radar.

    This history should be kept in mind when reviewing this or any of our prior blog posts[3] discussing the reasonable disclosure of previously-public Whois data. It is within the context of this profligate access to and abuse of Whois data that the flood of access requests registrars have received must be understood.

    Responses to Denial Requests

    Recently, the rhetoric from professional data requestors has shifted toward allegations of incorrect denials. Since we began tracking requests over two years ago, Tucows has denied only 241 requests, or 7% of all requests. We do not count abandoned requests as denials, as others do. Since May 2018, 51% of all requests are abandoned following our reasonable requests for additional information; this rate has dropped with each period.

    Most often, requests ask for all data we have, including information that was never publicly available and information that relevant courts have deemed to be illegal to share. When we respond to a request for “Registrant, Admin, Tech-C, Billing, and all other domains owned by the registrant”, we consider that to be a request for “previously-public Whois data”. Billing information would require a subpoena and reverse Whois lookups have never been a function of the Whois database, despite the criminal services discussed above.

    Of those 241 denials, vanishingly few of them have been disputed by the requestor—the handful of times it has happened, when our Legal team discussed the concern with the requestor, the end result was no disclosure. This tells us that our request review process is working properly, allowing us to filter out invalid requests and ensure that only those requestors who actually demonstrate a legitimate need for the data and commit to handling it with appropriate protections are able to obtain personal data.

    More complaints have been about the data we disclose being inaccurate. We do not specifically track this, but this type of response has been coming in often enough that we are working on providing an easy way of reporting a Whois inaccuracy to us—rather than having to report to ICANN to then convey to us. This will be available from within our TACO system, since only people with access to non-public personal data would be able to indicate that the information may be incorrect; this will include the standard process of suspension of the domain in the event of no response from the registrant within the ICANN-mandated time frame.

    Recent Tiered Access Statistics

    The statistics provided below are for the period beginning 1 March 2020 and ending 31 August 2020 (Period 4).

    Requests for Data Disclosure

    In Period 4, Tucows received 527 disclosure requests; our overall total since we began tracking this in May 2018 is 3,400[4].

     

    75% of requests resulted in disclosure of domain registration data

    This represents an increase of 13% compared to Period 3, which itself was double the rate of Period 2. As we discussed in the Period 3 report, this indicates improvement in the quality of the requests that we receive.

    9% of requests were incomplete and, when we asked for additional information, the request was abandoned

    This is a drop from the previous period and can likely be attributed to our ongoing outreach efforts and each requestor’s increasing familiarity with the process. We are beginning to see new requestors who already know to follow the RrSG-Recommended Minimum Required Information for a Whois Data Request. The part of the request most frequently missing is an assurance to only use the data for lawful purposes and to destroy the data after it is no longer needed.

    11% of requests were denied, following a determination that the requestor did not have an adequate lawful basis

    This remains concerningly high. Unlike abandoned requests, where asking for additional information results in the requestor deciding not to follow up with the request, denied requests represent a failure of the requestor to adequately evaluate the legal implications of their request. As discussed in our Privacy and Lawful Access to Personal Data blog post, the primary reason that requests get denied is that no human reviewed the requests before they were submitted. The requests are for domains that may match all or part of a trademark but represent no threat to the mark for a variety of reasons. Our job is to balance the rights of the requestor—usually an intellectual property owner or its representative—against the data protection and privacy rights of the registrant. Where a review of the domain—even the content hosted on it—results in confirmation that there is no danger to the mark, the balance favors privacy.

    4% of requests were for domains with an active Whois Privacy service, so only the publicly-available privacy service data were disclosed

    While we are pleased to see this number reduced compared to the last period, we see some repeat requestors regularly asking for data they know to be behind one of our Whois Privacy services. This seems to be an attempt at “checking a legal box”: they are not asking for data they don’t know to be concealed, but rather, they are specifically not asking for the concealed data in the manner that they know will result in its disclosure, allowing them to indicate to their customers that they’ve gone through the process of requesting data but were “denied” without having to take the time and expense to file the actual paperwork that would result in its disclosure. We continue to reserve the right to blocklist requestors that regularly abuse our request process.

    Requested vs. Disclosed

     

    As mentioned above, the increase in disclosure rates for this reporting period shows improvement in the quality of the requests that we receive.

    Compared Against Previous Reporting Periods

     

    Requests Over Time

    Here’s an illustration of the total volume of requests Tucows has received since the launch of our Tiered Access platform:

     

    The number of requests appears to have stabilized, concurrent with the increase in quality of requests, a positive trend indicative of the industry as a whole settling into the new data protection landscape.

    Disclosure Request Outcomes, Compared

     

    We are pleased to note that the rate of incomplete and abandoned requests continues to drop.

    Duplicate Requests

     

    Duplicate requests have decreased, which we like to see, but an interesting new type of duplicative request that we have begun to see is that the owner of the intellectual property is reaching out to request data disclosure months or even years after the same data were already disclosed to a party claiming to be a representative of that owner. This is not tracked and currently remains rare but is an interesting insight into the relationships between professional data aggregators and the intellectual property owners they purport to represent.

    Categories of Requestors

    As readers of this blog series will know, we have grouped requestors into four main categories for tracking purposes. The main tracked requestor types are:

    • commercial litigation requestors, who request disclosure of personal data in order to bring a legal claim of rights against the registrant;
    • law enforcement, carrying out an investigation or otherwise in the course of their work;
    • security researchers, who use certain aggregate data to identify trends in digital abuse; and
    • other, which includes Certificate Authorities, resellers, private individuals, and sometimes even the registrants themselves.

    At 84% of total requests, commercial litigation remains overwhelmingly the most frequent requestor type and, within that requestor type, professional data aggregators are the largest part. We are seeing a slight increase in Law Enforcement requests, up to 12% in Period 4.

    We look forward to continuing to provide legally permissible access to non-public domain name registration data, including tracking the statistics for future review and insight into our industry.

     


    1 Further reading:

    • Brandon Gray Internet Services Inc. Litigation
    • ICANN Notice of breach of registrar accreditation agreement
    • ICANN Notice of suspension of registrar’s ability to create new registered names or initiate inbound transfers of registered names
    • Ontario registrar stopped from selling dot ca domains
    • Domain registry of America get slapped in UK
    • ASA Adjudication on Domain Registry of America

    2 DomainTools has the dubious distinction of being the most well-known of these PII-aggregators but is by no means the only. WhoisXMLAPI, who.is, and WHOXY also sell current and former personal data to their customers and, in some cases, operate an extortion scheme whereby a registrant can request exemption from this illegal sale.

    3 You can find data for Period 1 in Enom’s Tiered Access Directory: eight months later, for Period 2 in Tiered Access Data Disclosure Update, and for Period 3 in Privacy and Lawful Access to Personal Data at Tucows.

    4 “Total” numbers for a period may change after the period is reported because, although we have mostly successfully educated requestors about how to submit requests, we sometimes find requests that were misrouted—we deal with these when they are discovered but we count them as of the date of request, potentially changing numbers after we have reported them in a blog post. The impact is minor, so we do not feel the need to update prior posts but felt it prudent to indicate why the numbers might be slightly different if you’re comparing across posts.


  • Increase Domain Sales with Branded Links Integration

    September 8, 2020

    Advice, Industry Insight, New TLDs

    Views: 1667

    What is a branded link?

    While brands are the most important assets for modern companies, links are the foundation of the web. Every time someone clicks, taps, or swipes, there is a link. A link is a bridge between the message and the content, the most relevant call-to-action of online communications. When brands meet links, you get branded links—short URLs created with three elements: your brand (company name or product name), a relevant TLD (there are hundreds of new TLDs to choose from), and a unique keyword.

    Branded links are the evolutionary product of traditional links and the already-popular short URLs (created using URL shorteners). They are the most effective and efficient way to share and manage links.

    Why you should use branded links

    A branded link is trustworthy, memorable, pronounceable, secure, and allows you to do some pretty nifty things. For instance, you can change the destination URL or route traffic based on the person who clicks it (by language or the date or time, for example).

    A branded link is traceable; it improves the click-through rate by up to 39% and increases the deliverability of emails and SMS.

    Rebrandly offers a short and sweet summary of the power of branded links:

    Rebrandly’s been a pioneer in the world of branded links since 2005 and now helps 550,000+ companies brand their links, including huge names like Lamborghini, Indeed, Intuit, Ferrero and Puma.

    If you’d like to learn more, check out their guide to link management.

    How to increase domain sales with branded links

    Until now, domain names were used almost exclusively for websites, blogs, and email. Today there is a third use: branded links.

    This is a great opportunity for your customers to improve their brand visibility and maximize the effectiveness of the links they share. As a domain reseller, it’s also a great opportunity for you to offer an innovative and useful service for free. You’ll sell more domains and provide real value.

    Using Rebrandly as a reseller

    With Rebrandly, you can offer branded links at no additional cost to you or your customers. Rebrandly doesn’t charge any sort of fee or commission.

    All your customer has to do is to register a domain name with you (no commission to Rebrandly required). And all you have to do is integrate with Rebrandly.

    Here’s how it works:

    When a customer buys a new domain name for their website you can suggest purchasing a second domain (same name but different TLD) for their branded links. For example, they might buy company.com for their website and company.buzz for their social, or company.press for their PR content.

    Rebrandly itself has multiple domains which they use for very specific purposes:

    • Rebrandly.video for their YouTube channel and to share video content
    • Rebrandly.buzz for social media sharing
    • Rebrandly.press to share the news with journalists and bloggers
    • Rebrandly.support for support tickets and to share links to FAQs
    • Rebrandly.link for general branded links
    • Rebrandly.click to enhance call-to-action links
    • Rebrandly.fun for sharing jokes and fun stories internally to their team
    • Rebrandly.download to share downloadable big files
    • Rebrandly.academy to share their knowledge base
    • Rebrandly.sale to share offers to potential customers
    • Rebrandly.blog to share blog articles

    That’s 11 domain names only for branded links, in addition to their .COM corporate site. Many companies have similar needs, making branded links a practical upsell opportunity.

    What you (and your customers) can do with Rebrandly

    Rebrandly incorporates a bunch of smart features that help you get granular with your campaigns and link tracking.

    Multiple domain management

    You can manage up to 1000 domains in a single account, and Rebrandly will automatically activate an SSL certificate for each — even if the domain was purchased from another provider. The platform allows you to manage the 404-page redirect and the main domain redirect.

    UTM and link parameter builder

    Urchin Tracking Module (UTM) parameters are used by marketers to track the effectiveness of online marketing campaigns across traffic sources and publishing media. Rebrandly lets you create UTM parameters, and even more advanced parameters, in a fast and efficient way.

    Puma, the well-known shoe and sportswear brand, uses Rebrandly’s parameter builder across all their marketing and affiliate teams in order to build trackable and measurable links that interact directly with their business intelligence tools.

    Link routing

    Dynamic link routing lets you send your audience to different destination URLs based on factors like the date, language, and user location. Lamborghini, the luxury car company, shares dynamic branded links on their social media using Rebrandly. The person who clicks on the link is redirected to specific content based on their location.

    Link retargeting

    Link retargeting involves inserting your retargeting pixel code – be it Facebook, Google, Twitter, or otherwise – inside of a short link so that anyone that clicks on the link is added to your retargeting pixel. With Rebrandly, you can “fire” a retargeting pixel directly within a link, whether it points to your website or not.

    Deep linking

    This allows brands to route traffic to a mobile application installed on a user’s phone. This advanced feature improves mobile user experience and increases conversion rates. Telecom companies like ThreeMobile use this feature especially when they send mass SMS communications.

    Workspaces and roles

    With Rebrandly, it’s possible to create unlimited workspaces with various role profiles and access levels for individual employees. Saint Gobain, a French multinational corporation with offices in 67 countries and over 170,000 employees worldwide, uses Rebrandly to give global departments the freedom to create custom short URLs organized by nation. Employees can share branded links for portfolios, product catalogs, documents, email signatures, and business cards. They’ve also widely adopted the solution for showcasing their various products.

    Are you using generic short URLs or branded links?

    Or, just as importantly, could your customers be using branded links to support their marketing efforts? You can start by getting creative with the TLD options you pitch to your customers, introducing them to the use cases of branded links, and, perhaps, integrating with Rebrandly to offer them a link-management solution.


  • Why You Should Consider .SHOP

    August 25, 2020

    Fun, Industry Insight, New TLDs, Uncategorized

    Views: 1506

    The .SHOP domain extension sells itself. There are currently 670,000+ .SHOP registrations worldwide, and more than 51,000 active online shops hosted on this top-level-domain (TLD). Recently, .SHOP saw a surge in registrations, as existing businesses moved online, and people started new ventures in a shifting COVID-19 economy.

    Here, we’ll take a look at how people are using .SHOP domains — including some COVID-19 success stories — and why .SHOP is a strong choice for resellers and website owners.

    Why use .SHOP for your online store name?

    .SHOP is one of those new domain extensions that just makes sense. Its purpose and benefits seem clear. But it comes with a few upsides that aren’t immediately obvious:

    • You’ll help your brand stand out in a cluttered ecommerce space. Building a brand in an online landscape that gets more competitive every day is challenging, and small efforts add up. Your .SHOP domain could catch a potential customer’s eye in the sea of .COM/CA/local-TLD search results. And it emphasizes that you sell what they’re looking for.
    • Relatedly, you’ll be including an SEO keyword right in your URL.
    • .SHOP is playful and still has a novelty factor that can make your website stand out in the minds of visitors. Your site might even be the first .SHOP they’ve stumbled upon!
    • It’s short and easy to pronounce, which makes for a catchy, memorable website name. This is super important for word-of-mouth referrals and advertising.
    • “Shop” is a word commonly understood by non-English speakers, which makes it an excellent choice for global companies.

     

    Why include .SHOP in your new domain extensions offering?

    When curating a TLD lineup, it’s important to be selective and choose options that will resonate with your customers. You’ve got an opportunity to surprise them with a .COM alternative they didn’t even know existed! .SHOP is a great TLD to offer because:

    • In many cases, you’re enabling your customer to turn their brand into their URL — just think how many stores include “shop” in their name.
    • .SHOP is competitively priced (and currently on sale!) as an affordable .COM alternative.
    • It’s easy to market because its purpose is clear.
    • There’s a huge potential market and room for growth as more businesses, entrepreneurs, and hobbyists hop online.
    • It has global appeal and will perform well in different markets.

     

    How are .SHOP domain names being used for ecommerce?

    Between March and June of 2020, new .SHOP registrations with shopping carts more than doubled among Tucows domain registrants.

    Line graph showing a doubling in .SHOP domain registrations with a shopping cart between March and June 2020.

    Tucows’ new .SHOP registrations with a shopping cart (Q1 2019 – Q2 2020)

    But .SHOP has seen steady growth since its launch in 2016. It’s used by entrepreneurs, mom-and-pops, SMBs, and large corporations for a variety of ecommerce purposes.

    Serving local customers via online stores during COVID-19

    During these difficult times, many people are making an extra effort to support their community by shopping local. An online presence that lets customers purchase and order products from home is now a must-have for independent businesses who once relied on brick and mortar traffic.

    In the interest of supporting local, we wanted to highlight a couple of Canadian small businesses that have built their online presence on a .SHOP domain:

    Vancouver-based mysistersclosetvancouver.shop is a social enterprise business that sells used clothes in support of Battered Women’s Support Services. They used their website to bring their offline inventory online and to safely accept used clothing donations during the COVID crisis.

    Also in response to COVID, Kitchener-based baker Chantelle Villeneuve moved her business online with bonapatreat.shop to allow for delivery, pickup, and online sales. She’s since reopened the physical shop, but continues to serve customers with her new online presence.

    Separating your ecommerce function from your corporate website

    Businesses with established company websites are choosing .SHOP domains as a dedicated space for online sales while continuing to use their existing domain for corporate or product information.

    Take, for example, Arrowine, a Virginian wine retailer that has long promoted their brick and mortar store using arrowine.com. When COVID-19 hit, they registered arrowine.shop for online ordering, with contactless pick-up in the store’s parking lot.

    He may not have a “corporate” website, but Fritz Meinecke, a German YouTuber with 941,000 subscribers, launched his online merch shop using fritzmeinecke.shop — a move that speaks to the domain extension’s global appeal.

    Which leads us to our next point…

    Cross-border ecommerce

    Many businesses who start out operating locally will turn to a more global domain choice like .SHOP once they shift their focus to include other markets.

    Netherlands-based Superfood guru actually made the switch from .NL to .SHOP after their SEO agency advised them to use ‘.shop’ for their Dutch domain name and ‘.shop/en’ for the English one.

    Etsy, Amazon, and other marketplaces

    Businesses who sell products on platforms such as Etsy and Amazon are benefiting from using a crisp, clean .SHOP domain to point to their marketplace page. Once they set up their own online store, these .SHOP users can simply direct their domain to their new site. This ensures that they don’t lose customers when they make the switch.

    Services for ecommerce businesses

    Choosing a .SHOP domain is also a great way to signal to your audience that your product is targeted to ecommerce businesses. We have seen webshop builders, like obodo.shop, and other ecommerce services developed on .SHOP domain names.

    Presenting your customer with new domain extensions that make sense

    Website owners have a confounding number of domain extensions to choose from. If you can point them to a TLD that serves their brand and reflects their purpose or niche, it’s a win for both of you. This can take the form of great content that highlights TLDs specific to their industry, or a smart name search tool that will deliver fresh, marketable domain ideas.

    We think .SHOP is an intuitive fit for anyone looking to grow an online business. And pssst…if offering great prices on domains is your priority, check out our full TLD lineup or log in to view our full list of domain extensions on sale.

     


    This post was sponsored by .SHOP.


  • How to Win by Treating Your Customers as Members

    August 13, 2020

    Featured, Fun, Industry Insight

    Views: 1747

    Guest author: Jeffrey Sass, CMO, .CLUB Domains


     

    There is a reason American Express made the phrase “Membership has its privileges” famous. The brand had the right idea to focus on the benefits of membership to attract and retain customers. We are tribal by nature. It is in our DNA to want to belong to a community — to be a part of something bigger than ourselves. It is why clubs of all kinds have been around for thousands of years. It is why we choose to live in neighborhoods, communities and cities.

    Being part of a community has never been easier or more powerful than it is today thanks to the Internet, and more specifically, thanks to the millions of websites on the so-called worldwide web. When you choose a domain name, hosting plan, and set up your own online presence, whether for business or personal use, you are joining one of the largest clubs ever – the club of website owners. And as a website owner, you are in a very unique and powerful position to attract visitors and customers, and create your own online community around your interests, your passions, your products, or services.

    There is a growing trend for eCommerce businesses to focus on memberships and subscriptions. According to a February 2018 report by McKinsey & Company, “The subscription e-commerce market has grown by more than 100 percent a year over the past five years. The largest such retailers generated more than $2.6 billion in sales in 2016, up from a mere $57 million in 2011.”

    And that trend continues. It makes perfect sense for eCommerce businesses and online sites of all types to treat their visitors and customers as members. Every eCommerce platform and most content-driven websites encourage visitors to establish an account and log in when they visit. If people are going to give you their name and email address, they are effectively joining your club. Your visitors and customers are members of your club, so treat them as such. Offer them the “privileges” that Amex espouses. Make them feel special for joining your community. There are a number of ways this can be done, and here are a few simple ones:

    • Share exclusive content that only members receive.
    • If you sell something, offer members special deals, and early access to new products or services. Occasionally include some added-value items in their orders for free as a member benefit.
    • Make sure your support team makes every interaction with a member memorable, putting the member’s needs first.
    • Encourage members to provide feedback and testimonials, and reward them for doing so — and LISTEN to them and let them know their feedback is appreciated.
    • Shine a light on your members in your Social Media marketing (as appropriate).

    In general, just imagine how you would want to be treated as a member of a club, and treat your visitors and customers the same way. Just as you enjoy feeling wanted and appreciated, so will your visitors and customers when they feel like they are a member of your “club.”

    And, if you are looking for a domain name that truly expresses the community of your website or business, a domain ending in .CLUB may be a great choice. You’d be joining the countless other creative businesses and individuals that have chosen .CLUB for their online home. Take for example, Firstleaf.club, a company that has built a large community around wine by offering a customized wine club experience.

     

    First Leaf Wine Club's website homepage.

    Unlike most wine clubs where every member is sent the same selection of wines, Firstleaf chooses your wines based on your personalized profile, and lets you rate the wines you receive. Then they customize future orders just for you, based on your likes and dislikes. As a result, Firstleaf has consistently been rated among the top wine clubs and has been featured in articles in Forbes, Huffington Post, Newsweek, Entertainment Tonight, NBC News, and many more. Clearly, the personalized treatment they give their members is leading to great success.

    Picture of the firstleaf.club homepage.

    So, as you think about growing your online community and retaining and re-engaging your customers, think about them as members of your club. You don’t have to be as big as American Express to show your customers and fans that, indeed, membership has its privileges.


     

    Is .CLUB a good fit for you or your customers?

    .CLUB has many uses outside of eCommerce, and its potential for subscription-based retailers is really intriguing. Plus, you can now get .CLUB on promotion for just $6. If you’re interested in exploring some other creative domain options, check out Enom’s full TLD lineup.


  • SSL Certificate Validity Periods Reduced to 1 Year

    July 2, 2020

    News, SSL

    Views: 2662

    Back in February of this year, Apple announced that as of September 1, 2020, its Safari browser will no longer trust newly registered SSL certificates with validity periods of two years. Two-year certificates registered up until August 31, 2020, will be trusted, but those registered on or after September 1, 2020, will not. To prevent incompatibility with specific browsers, Enom will implement a one-year max on SSL certificates in our system, as of August 15, 2020. Below we provide a bit of background information behind this change and, most importantly, outline what it means for Enom resellers.

    Why are SSL/TLS validity periods being reduced to 1 year?

    In the lead-up to this change, there had been years of ongoing discussion in the Certificate Authority/Browser community around validity periods. On the one hand, shorter validity periods improve security by reducing the window of exposure if a certificate is compromised, and by ensuring certificate holders regularly update their information (company name, address, active domains, etc.). On the other hand, shorter validity periods mean more work for certificate users.

    Just a few years ago, the maximum validity period was reduced from three years to two. Back in August of 2019, ballot SC22, which proposed a further reduction to one year, failed to pass at the CA/Browser Forum (the industry’s self-governing body). Apple then made the independent decision to enforce this new maximum as part of their “ongoing efforts to improve web security” for Safari users. And when one of the major browsers imposes a change, the industry accommodates.
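To audit which of your certificates fall under the Safari rule described above, the following added example (not Enom's or Apple's code) classifies a certificate by issue date and lifetime. It assumes Apple's published limit of 398 days, which the post rounds to one year; the function names and the sample certificate dates are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Cutoff from the post: certificates issued on or after September 1, 2020.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
# Assumption (not stated in the post): Apple's published limit is 398 days,
# i.e. one year plus a renewal margin, which the post rounds to "one year".
MAX_LIFETIME = timedelta(days=398)


def parse_cert_time(value):
    """Parse the 'Sep  1 00:00:00 2020 GMT' format used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(cert):
    """Return (verdict, lifetime_days) for a getpeercert()-style dict.

    verdict is 'grandfathered' (issued before the cutoff, old rules apply),
    'rejected' (issued on/after the cutoff and too long-lived), or 'ok'.
    """
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    lifetime = not_after - not_before
    if not_before < POLICY_START:
        verdict = "grandfathered"
    elif lifetime > MAX_LIFETIME:
        verdict = "rejected"
    else:
        verdict = "ok"
    return verdict, lifetime.days


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server certificate as a dict (needs network access)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (dates only), in getpeercert() format.
SAMPLES = {
    "pre_cutoff_2y": {"notBefore": "Aug 31 12:00:00 2020 GMT",
                      "notAfter": "Aug 31 12:00:00 2022 GMT"},
    "post_cutoff_2y": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                       "notAfter": "Sep  1 00:00:00 2022 GMT"},
    "post_cutoff_395d": {"notBefore": "Sep 15 00:00:00 2020 GMT",
                         "notAfter": "Oct 15 00:00:00 2021 GMT"},
    "post_cutoff_399d": {"notBefore": "Sep 15 00:00:00 2020 GMT",
                         "notAfter": "Oct 19 00:00:00 2021 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        verdict, days = classify(cert)
        print(f"{name}: {days} days -> {verdict}")
```

To check a live site instead of the samples, pass the result of `fetch_cert("your-domain.example")` to `classify()`.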

    How will this change SSL/TLS registrations on Enom?

    As of August 15, Enom will only offer one-year validity periods for all our SSL certificates. Here’s what this will look like:

    1. As of August 15, the Enom Control Panel will only provide the option to register certificates for one year.
    2. As of August 15, all API requests to register (PurchaseService) or update an SSL must be submitted with a NumYears value of 1, or must omit the NumYears value entirely. Submitting a period value other than 1 will generate an error.

    Engaging with your Customers

    While this change may create a bit more work for website admins, it also creates a great opportunity for you to reach out to your customers and sync up about their SSL and security needs. Some may want to take advantage of the current two-year period and repurchase their certificates prior to August 15.


  • A Great Domain for Freelancers and Entrepreneurs? Try .ME

    June 22, 2020

    Featured, Fun, Industry Insight

    Views: 2051

    Today, personal websites function as a calling card that can help your customers showcase an online portfolio, house their resume or blog, and find creative ways to establish their personal brand.

    .ME is a great option for entrepreneurs, hobbyists, and professionals looking to do any of the above. And as more and more of these potential customers hop online, adding .ME to your lineup is a no-brainer.

    Why you should add .ME to your TLD lineup

    .ME is easy to market

    .ME simply makes sense for “about me” pages, online portfolios, freelance business websites, and professional profile pages. Plus, the .ME registry provides tons of resources for those looking to build a personal brand — content that you can draw from in your marketing efforts.

    .ME has big market potential

    Having a stand-out online presence is becoming increasingly critical for freelancers and professionals looking to showcase their work or grow their businesses. .ME gives you a great option to offer this growing segment. There are no restrictions for the TLD, and “Me” is a word commonly understood by non-English speakers, which gives it a broad, global appeal.

    It’s competitively priced (and currently on sale!)

    .ME is competitively priced against popular legacy TLDs (.COM, .NET, .BIZ and .ORG), and right now, you can take advantage of $10 promo pricing.

    .ME is a solid .COM alternative

    Some people are able to snag theirfirstandlastname.com, but the vast majority of us don’t have a terribly unique moniker. .ME provides a short, fresh alternative when your customer’s .COM is taken.

    .ME domains are memorable

    We all want our websites to stand out and stick in the minds of our visitors. .ME has a novelty factor that causes people to take note. Plus, most of us would agree that websites that feel personal are often more memorable. What’s more personal than .ME?

    .ME shows solid customer stickiness

    .ME has a high renewal rate. The majority of .ME registrants hold their registration for many years. Customer stickiness can be further improved by combining the domain purchase with value-added services, like SSL and Email.

    Marketing .ME domains to your customers

    Getting creative with .ME domain names

    Website owners can use their .ME to create a space that says “this is who I am and what I want people to know about me.” Some .ME registrants demonstrate the value of simply using their name alone, like medical illustrator, chinamimichaels.me. Others opt for a playful approach that takes advantage of keywords, like UK blogger, thelondoner.me.

    In both cases, .ME supports the site owner’s goal of telling their story and presenting their work in a professional, yet unique and individual way.

    But .ME is also employed in more surprising ways by big names like PayPal. Check out their creative use of paypal.me to simplify transactions for their users.

    .ME resources you can use

    The .ME team actively helps new freelancers, recent grads and small businesses to get online and stay connected to the world. Transitioning from a full-time job or directly from the classroom to a freelance career can be stressful, and often these customers spend a lot of time researching their next steps.

    The .ME blog is full of resources and advice on personal branding and how to launch a freelance career. Whether it’s tips on choosing the right domain or which elements to include in a freelance portfolio, the .ME blog is full of content that can be used to help support your customers.


  • Bandzoogle: website builder for musicians

    June 1, 2020

    Featured, Fun, Industry Insight, Resellers

    Views: 1995

    Bandzoogle CEO Stacey Bedford plays guitar in her home.

    Stacey Bedford, CEO of Bandzoogle

    The Enom team has enough musically inclined members to form at least two in-house rock bands, so we’re geeking out pretty hard about highlighting Bandzoogle on our blog. The Montreal-based SaaS company calls itself the easiest all-in-one professional website platform for musicians and bands. They target a unique vertical, one that their team is hugely passionate about, and they really know their customers: their platform is very much created for musicians, by musicians.

    Here, Bandzoogle CEO, Stacey Bedford, provides some insight into how and why they’ve been so successful in supporting their customers and steadily growing the company.

    What features are you most proud of? Which do the musicians that use your platform rave about?


    Bandzoogle’s Technical Support Manager, Adam, is also a music producer.

    Commission-free direct-to-fan sales tools. Bandzoogle provides musicians with the eCommerce tools necessary to sell anything you can imagine: digital goods like albums, singles, EPs, song sheets, tickets, download codes or videos; physical goods like merch, CDs, or vinyl; and services like music lessons. You can even sell recurring subscriptions by tier and set up a crowdfunding campaign or preorders.

    Bandzoogle does not take a cut of any sales, and we have a SaaS model. This is just one component of the tools we offer as an all-in-one platform. Regardless of our robust toolset, our members absolutely adore our customer support team. They’re your band’s roadie, your web tech. Our response time and quality of support is the best on the planet. Best of all, most of our team members are musicians.

    How are you supporting your artists during COVID-19?

    Within the first month of the pandemic, our team launched commission-free live streaming ticket sales, event ticket refunds, a tip jar feature, transaction history exports and filtering, and a comprehensive guide to musician resources during a pandemic. Every week, our team meets to discuss what has changed in the last week and how we can help. We have quickly adapted our processes to stay on top of artists’ needs.

    To what does Bandzoogle attribute your success?

    There are a few things I can note here as being key to our success. As you can see, we are constantly building new features and designs that are relevant to artists today. But more than that, we always put our staff and members’ needs first. We have grown into a sizable company but we’ve never strayed from our core values.

    At Bandzoogle, our members can expect a very high level of service and an honest partner. It is a streamlined set of pro features, but you’re dealing with a small family vibe.

    Lastly, we’re fully bootstrapped—we’ve never taken external funding, and we’ve always made decisions on our own terms, without putting a focus on turning profits. Doing the right thing by our members has resulted in great success.

    How do you build an artist community and connect with your customers?

    We do a lot of proactive outreach with our customers. This includes webinars, free website reviews (even for non-members), member meetups in different cities, and you’ll also see some of us at different music tech events. We are a small team with a big reach. Part of that reach includes teaming up with other music verticals that hold the same strong values, like CD Baby, Bandsintown, Bandcamp, Soundcloud, and ASCAP.

    Meaningful relationships with ethical music businesses are important to our business model; as a business, you won’t get very far if you don’t venture off the island. Building bridges is important to grow your artist community and connect with your customers.

    What have been your major milestones as a company?


    An otherwise remote team, the Bandzoogle staff gets together for annual retreats.

    Our members’ success is our success: last month, our members hit 62 million dollars in commission-free sales. In May, we also grew to 50,000 paid active users, with additional thousands of active trial members on any given day. Another huge milestone was growing our executive team. We have a fairly flat organizational chart, but we promoted Colin Mitchell to CTO and Dave Cool to VP of Strategic partnerships. We are leading this incredible group of individuals and for me, it’s a huge win to be able to foster so much professional growth within our small team of 29.

    Are there any .COM alternatives that you guys like or that resonate with musicians?

    As bricks and mortar stores become less pertinent, .COM TLDs have become a scarce resource. You’ll see many artists soon find out that long-winded .COMs leave too much room for user error, and alternative TLDs can be less costly and easier to remember.

    Because of this, we see many artists branching out and using .ROCKS, .BAND, and some old, trusted, but still available, .ORG and .NET options for their band. Bandzoogle plans include many TLD options across all 3 plans, from $9.95 to $14.95 per month.

    Are there any exciting plans for the future you’d like to share?

    I can tell you that the world is changing rapidly, and, for any business, finding a way to monetize globally is paramount today. We’ll see so many advancements in the tools available to both businesses and artists over the next year, it’ll be a different landscape. Businesses that are adaptable will do well, but it’s about to be a wild ride.


  • Avoiding COVID-19 Cyberattacks with Security Best-Practices

    April 28, 2020

    Advice, Featured, SSL

    Views: 3114


    Most of us who work in tech are familiar with security best practices, but for many people, including your customers, being thrust into working remotely and conducting more daily activity online can bring security risks with it. Now is a great time to support your customers with tips on how to stay secure online and avoid COVID-related cyberattacks.

    We’ve partnered with one of our trusted security providers, DigiCert, to provide you with content that can be easily recycled and shared with your customers.

    Staying safe online, during COVID-19 and beyond

    The ugly reality is that cybercriminals will exploit any vulnerability they can find. During the COVID-19 pandemic, many people are increasingly active on social media, email, apps and SMS (texting) as we look to stay connected with one another and alert to new information. Some malicious parties are taking advantage of this by using these technologies as a means to distribute malware. Often, these scams involve fraudsters impersonating healthcare officials or organizations.

    What can you do to stay safe?

    1. Be suspicious of emails and messages about COVID-19 by:

    • Inspecting the subject line and sender. If you don’t know the sender, or the subject line seems odd, don’t open the message and most importantly, do not click on any links.
    • Subject lines about a cure or vaccine for COVID-19 are most definitely scams. Don’t open the message.

    2. Look for common signs of fraudulent emails. These include:

    • Poor grammar or spelling
    • Poor design
    • Unreliable contact information
    • No Terms and Conditions provided
    • Deals that seem too good to be true
    • Suspicious forms of payment (like sending money to a random PayPal account or paying with cryptocurrency)

    3. Don’t download unknown email attachments

    For example, the map below — made to look similar to a legitimate map created by Johns Hopkins University — was circulated by scammers via email. The map often included links to malicious sites disguised as official communication.

     

    4. Get familiar with known scams related to COVID-19

    The Canadian Anti-Fraud Centre is keeping an up-to-date list of known scams, and we encourage you to check for similar resources being provided by your local government.

    5. Keep your browser up-to-date and watch for security indicators

    One easy way to protect yourself is to ensure you’re using the latest available version of your browser. We also recommend checking that the websites you are browsing are encrypted with SSL.

    DigiCert has a great guide on how to identify authorized sites. This is particularly important if you are providing any kind of personal information or making a financial transaction.

    6. Always check for additional trust indicators

    Asking yourself a few of the following questions can help you better determine whether a website is trustworthy:

    • Do they have Terms and Conditions or a return policy listed?
    • Do they have a secure site seal?
    • Are there grammar and spelling mistakes?
    • Do they have reviews?
    • Do they have a social media following?
    • Is there contact information listed in case you need to get in touch with the company about your order?
    • If you arrive at a website via a link contained in an email, take extra care to make sure the site you’re on is the company’s official website – not an imposter.

     

    Questions like these do not guarantee that a site isn’t a scam, but they are helpful guides in determining whether or not you should trust a site.

    The reality is, it’s impossible to completely safeguard against online threats. But just like handwashing and social distancing offer a basic line of defence against COVID-19, the best-practices outlined above will help protect you and minimize risk online during these challenging times.


  • Tucows Approaches to COVID Related Domain Registration

    April 9, 2020

    Industry Insight, News

    Views: 23398

    From an early point in the current global crisis, it was clear to Tucows (Enom’s parent company) that we were going to need to do something new and different in how we responded to COVID-19 related domain registrations. Many of these domains are registered for good, helpful purposes, such as community organization, dissemination of healthcare information, and recording people’s experiences through this pandemic. Others, however, purport to sell COVID-19 cures, vaccines, or tests, none of which are legitimately available on the market today and all of which pose a significant health risk to the general public.

    This blog post is going to run through the what, why, and how of our response to problematic or abusive COVID-19 related domain names and provide suggestions as to how our resellers and other hosting and CMS companies can help.

    Before we dive in, we want to emphasize that this global pandemic is an exceptional situation, requiring Tucows to explore approaches we would not consider in other circumstances.

    In helping to develop the DNS Abuse Framework, Tucows spent substantial time considering how domain names may be used to cause a threat to human life, and this work has been immensely valuable within the context of the COVID-19 pandemic. It is also important to note that our response to each and every issue that we find is contextual and dependent on the specific circumstances. We expect to return to our regular procedures as the pandemic and corresponding risks subside.

     

    Our actions

    There are three major components to our COVID-19 related activities: identification, assessment for harm, and stakeholder engagement.

    Identification

    Tucows uses a relatively simple keyword search on all domains registered since December 2019 to flag relevant domains for manual review. We are also matching domain names on our platform to a number of externally sourced COVID-19 related blocklists. Every day, members of our Compliance team work through our list of COVID-19 related registrations.
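
The identification step described above, sketched as an added example (not Tucows' code): keyword and blocklist matching over registration records, with every hit queued for manual review rather than acted on. The keyword list, blocklist entries, registration records and function names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# "All domains registered since December 2019", per the post.
CUTOFF = date(2019, 12, 1)

# Assumed terms: the post does not publish its keyword list.
KEYWORDS = ("covid", "corona", "pandemic", "vaccine", "cure")

# Constructed stand-in for the externally sourced blocklists the post mentions.
BLOCKLIST = {"covid-relief-fund.example", "Free-Masks-Now.example."}

# Constructed registration records: (domain as stored, creation date).
REGISTRATIONS = [
    ("Covid19-TestKits.example.", date(2020, 3, 20)),
    ("c0vid-cure-shop.example", date(2020, 3, 22)),
    ("free-masks-now.example", date(2020, 4, 1)),
    ("coronado-homes.example", date(2020, 2, 11)),
    ("secure-payments.example", date(2020, 1, 5)),
    ("corona-beer-fans.example", date(2018, 6, 1)),
    ("bakery-on-main.example", date(2020, 3, 3)),
]


@dataclass(frozen=True)
class ReviewItem:
    domain: str
    created: date
    keywords: tuple
    on_blocklist: bool


def canonical(domain):
    """Lower-case and drop the trailing root dot so exact comparisons work."""
    return domain.strip().lower().rstrip(".")


def searchable(domain):
    """Text the keyword search runs over: every label except the TLD,
    with hyphens removed and the digit 0 read as the letter o."""
    labels = canonical(domain).split(".")[:-1]
    return "".join(labels).replace("-", "").replace("0", "o")


def flag_for_review(registrations, keywords=KEYWORDS,
                    blocklist=BLOCKLIST, cutoff=CUTOFF):
    """Return the manual-review queue; nothing here takes action on a domain."""
    blocked = {canonical(d) for d in blocklist}
    queue = []
    for raw, created in registrations:
        if created < cutoff:
            continue  # outside the review window
        name = canonical(raw)
        text = searchable(name)
        hits = tuple(k for k in keywords if k in text)
        listed = name in blocked
        if hits or listed:
            queue.append(ReviewItem(name, created, hits, listed))
    # Blocklist matches first, then oldest registration first.
    queue.sort(key=lambda item: (not item.on_blocklist, item.created))
    return queue


if __name__ == "__main__":
    for item in flag_for_review(REGISTRATIONS):
        reason = "blocklist" if item.on_blocklist else "keyword"
        print(f"{item.created}  {item.domain:30} {reason:9} {item.keywords}")
```

The queue includes secure-payments.example and coronado-homes.example, substring hits with no COVID-19 connection, which is why a match only puts a domain in front of a reviewer.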

    Assessment for Harm

    As we mentioned above, a considerable number of COVID-19 related domain registrations are doing good and important things. We’ve seen many official websites from communities, hospitals, and other organizations come online over the past few weeks. Often, it is faster and easier for these organizations to use the website builder products offered by our reseller partners than for these organizations to host and build a site on their own infrastructure.

    As Tucows is primarily concerned with domain names that represent threats to human life, we are prioritizing looking for those that resolve to websites purporting to sell COVID-19 tests or cures. We are deeply worried about the possibility that someone could take a fake test and then, based on those results, continue to spread COVID-19 in their community, endangering many others. We have found very few of these sites so far, but when we do, we ask the registrant for documentation that proves their legitimacy and authorization to sell. This is very similar to our standard practice for addressing reports of harmful online pharmaceuticals.

    At this time, we have yet to see a site offering an unambiguous (albeit fake) cure that presents a risk of imminent human harm. We have seen cure-adjacent sites promoting, for example, the (dubious) benefits of high doses of vitamin C and the practice of alternative medicine. We’ve flagged these for review, but have not removed them from the DNS at this time.

    Other types of Harm

    We have also seen a number of COVID-19 phishing, botnet, and malware abuse issues; fortunately, we already have clear and well-established practices for dealing with these. For reports of misinformation, disinformation, price gouging, or fraud, we are working with regulators and law enforcement wherever possible to address these websites as we do not have the appropriate tools or experience to assess these independently.

    Engagement with Stakeholders

    An important component to all of the above has been communicating consistently with a variety of different stakeholders. This has included a number of our reseller partners who have seen large numbers of COVID-19 registrations. It has also included conversations with different law enforcement agencies, governments, and regulators. Our goal in these conversations is both to be transparent in what we can and cannot do and to ensure that the work of assessing website content is handled by those who are appropriately trained and empowered to do so wherever possible.

     

    Why Review?

    At least one major registrar has effectively blocked incoming COVID-19 related domain registrations. Tucows has chosen not to do this for a number of reasons; the primary one is that the Internet is an immensely powerful tool, especially in times of crisis where coordination is essential. The amazing sharing of information, mashups of data, official sites and even art that we’ve seen in our review is a daily reminder that allowing for creation is important. We think it’s important that registrants are able to respond as they see fit to the crisis, without impediment or delay. This approach vastly increases our burden and puts us in the uncomfortable position of having to assess the level of harm represented by a COVID-related domain and the website to which it resolves. However, we feel these circumstances are exceptional and are determined to do our part.

     

    Steps our resellers can take

    Hosting companies, CMS providers, and ecommerce platforms are in a better position than domain registrars to address content-related issues. Tucows resellers who offer these services may have the ability to remove specific pages or items from online stores whereas registrars have only one very blunt tool: we can take down the domain. To this end, we are also encouraging our resellers to monitor their registrations and platforms for COVID-19 related content. Now is an excellent time to review your Terms of Service and consider how you might apply them in the current circumstances. If you’re a Tucows reseller and would like assistance identifying COVID-19 related registrations, please reach out via help@enom.com.

     

    Report COVID-19 Related Abuse

    If you would like to report a COVID-19 related domain registered with Tucows that appears to be problematic, please submit an abuse complaint here: https://tucowsdomains.com/report-abuse/

    Lastly, like all complicated problems, COVID-19 requires a regular review of our processes and iterating where possible in a very short amount of time. We, like you, very much look forward to a return to normalcy.


  • Enom’s Response to COVID-19

    March 17, 2020

    Announcement

    Views: 1983

    The health and safety of our customers, partners, and employees are of the highest priority to Enom. With the heightened concerns about the spread of the COVID-19 virus (Coronavirus) and the unpredictable nature of the virus, we have taken precautionary steps to reduce its potential impact across our offices globally.

    We want to assure you that we are fully prepared to continue providing uninterrupted services and that your services continue to receive dedicated attention from our team of engineers around the clock.

    We have restricted business travel and in light of that, we have requested that our staff work from home wherever possible. Even with our work-from-home policy in effect, the Enom team remains available for remote meetings, and there will be no change to our business and technical support hours.

    We continue to keep a close eye on the recommendations of the Centers for Disease Control (CDC) and the World Health Organization (WHO) as they pertain to the latest developments on COVID-19. In following their guidelines, Enom is taking the following additional measures to reduce the likelihood of impact:

    1. Extended remote and distributed workforce – you have the same access to your sales or customer care rep for assistance.
    2. Business continuity measures in place and contingency staff at the ready.
    3. Implementation of travel guidelines and remote work options for our employees.
    4. In the event that the situation worsens, Tucows (our parent company) has a comprehensive pandemic disaster response plan in place to ensure business continuity.

    We are doing everything in our control to ensure your critical services are fully operational and safe while you focus on keeping your employee base and their respective family members healthy.

    We encourage you to also read Tucows COVID-19 Statement.

    As always, the Enom Support team will be there to provide help whenever it is needed. Contact our customer support team by calling 1-855-600-0886 or by emailing help@enom.com.


  • Privacy and Lawful Access to Personal Data at Tucows

    March 13, 2020

    GDPR, Industry Insight

    Views: 1574


    Tucows provides reasonable, lawful access to non-public registration data; this means constantly working to balance the privacy rights of registrants against the rights of third parties, most of which, in our experience, are related to intellectual property rights (90% of all requests). In addition to the usual statistics, this update also includes a deep dive into actual examples of some problematic disclosure requests, a discussion of the reasoning behind denials, and what this means for the industry conversation about disclosure requests.

    These ongoing updates are intended to provide insight into the disclosure requests Tucows receives and to serve as useful data for discussion as our industry moves toward a holistic policy governing the disclosure of private data.

    Tiered Access Statistics

    The statistics discussed below include data through the end of February 2020 (“Period 3”). Each request is a request for personal data regarding the registrant of a domain where that information is not publicly available. A member of the Compliance and Legal team reviews every request individually to balance the rights of the data subject and the legitimate interests of the requestor to determine whether and how much data should be disclosed; this includes consideration of Tucows’ contractual requirements as well as applicable laws—both privacy laws and intellectual property laws. This work is time-consuming and intense but there’s no other way to make sure that we’re making the right decisions about when to disclose the personal data we’re entrusted with.

     

    Requests for Data Disclosure

    Tucows received 238 requests for data in Period 3 (from mid-October 2019 to the end of February 2020), and 2,864 requests in total since the Tiered Access portal went live in May 2018.

    Previously, data for Period 1 was discussed in Tucows’ Tiered Access Directory: a look at the numbers and for Period 2 in Tiered Access Data Disclosure Update.

     

    Disclosure Request Outcomes – Period 3

    62% of requests received in this period resulted in registration data being disclosed to the requestor

    This rate of disclosure is about double what it was in the previous two periods (24% in Period 1 and 36% in Period 2), indicating higher quality requests. This is likely related to the use of the RrSG Minimum Required Information for Whois Data Requests, which was drafted by ICANN’s Registrar Stakeholder Group (RrSG) to help standardize requests for domain data disclosure. Requests that use this format are easier to review (all of the required information is included in a predictable format) and deficiencies are simple to communicate to the requestor. It may also be due to Tucows’ outreach efforts to educate requestors about this format. This higher rate should be considered illustrative of success and a positive movement toward appropriate disclosure of personal data to parties with a legitimate purpose.

     

    17% of requests were incomplete and the requestor did not respond to our follow-up for further information, so no data were disclosed

    Despite formal outreach and personalized responses to each request, a significant number of requests are incomplete and responses seeking further information are ignored by the requestor. This is because either there is no party on the other end to review responses that do not include data (the request is automated and not appropriately monitored) or there was no reason to make the request in the first place and pushback had the correct effect of preventing unnecessary disclosure of personal data.

     

    6% of requests for data were denied, following a determination that the requestor did not have an adequate lawful basis

    This represents a decrease from the previous period but is level with Period 1 and the overall rate of denied disclosure requests.

     

    12% of requests resulted in “disclosure” of Whois privacy information—that is, the same placeholder information already publicly available to a requestor

    Parties experienced with our data disclosure request process have recently begun to specifically request data for domains clearly indicated in the public Whois as using Tucows’ Whois privacy services. In some cases, this has been accompanied by a dropoff in requests for the personal data of registrants without Whois privacy. In other cases, there has been no dropoff in requests for non-Whois privacy domains but the format of the request has changed, indicating that the requestor is aware of the fact that there is Whois privacy on the domains but is attempting to get the underlying data without submitting a subpoena, as is Tucows’ current process.

     

    Requested vs. Disclosed

    Compared Against Previous Reporting Periods

     

    Requests Over Time

    Here’s an illustration of the total volume of requests Tucows has received since the launch of Tiered Access:

    The number of requests appears to have stabilized, concurrent with the increase in quality of requests. Again, this is a positive trend as both requestors and the Tucows family of registrars have acclimated to the new privacy legal landscape.

    Disclosure Request Outcomes, Compared

    It may seem counterintuitive but an increase in disclosure rates means that request quality overall is improving and signals a positive move toward appropriate disclosure.

    Duplicate Requests

    Additional information on duplicate requests can be found in Tucows’ Tiered Access Directory: a look at the numbers (for Period 1) and Tiered Access Data Disclosure Update (for Period 2).

     

    Categories of Requestors

    As noted above and in previous blog posts, disclosure of registration data is only granted when the requestor has demonstrated a legal basis to access the data. While requestors can be categorized into a few broad groups, inclusion in a certain group does not determine if and which data are disclosed. Each request is—and must be—evaluated on its individual merits. Requestors therefore are grouped below solely for analysis’ sake. The main tracked requestor types are:

    • commercial litigation requestors, who request disclosure of personal data in order to bring a legal claim of rights against the registrant
    • law enforcement, carrying out an investigation or otherwise in the course of their work
    • security researchers, who use certain aggregate data to identify trends in digital abuse
    • other, which includes Certificate Authorities, resellers, private individuals, and sometimes even the registrants themselves.

     

    Requests by Requestor Type

    As you can see, Commercial Litigation has made up the bulk of requests since Tucows began tracking this data. Typically, these requestors are either companies that are created specifically to request this type of information on behalf of large corporate clients or are lawyers hired or employed primarily to request this type of information.

    Also included in this category, however, are individual rights holders attempting to protect their rights (sometimes intellectual property, sometimes personal privacy rights) without the advantage of a company or a lawyer devoted to that purpose. Especially in light of the Preliminary Recommendations found in the EPDP Phase 2 Team’s Initial Report, it is important to ensure that individual rights holders continue to have a reasonable means of requesting the information necessary to protect their rights.

    The rate of requests by Security Researchers is deceptively low because it is counted differently. Most requests are counted by the number of domains requested; when a request is received for the entire database, however, that is counted as just one request, not millions. Some Law Enforcement requests fall into this category, as do nearly all requests from Security Researchers. We currently do not allow unfettered access to our database to anyone and are working with representatives of both groups to come up with a means of providing the data necessary to conduct their investigations while protecting the privacy rights of individuals.

    The Importance of Human Review


    We regularly receive requests for disclosure of registration data which we deny after reviewing the request, the requestor, and the relevant data (including the domain name itself and any content that may be hosted there). In the interests of transparency and advancing industry discussion on this topic, we’ll share some real-life examples of denied requests along with the reasoning behind our decision below. For some of these, the domain names in question are relevant and therefore the requestor may become evident. We should emphasize that, due to the sheer volume of requests from certain requestors, a trademark or corporation may appear more than once. This should not be taken to mean that all requests from these requestors are invalid or are treated differently than any other requestor; the domain names are simply used as examples.

    It is concerning that these invalid requests which, upon meaningful review, are readily apparent as invalid even to a layperson, continue to be submitted. This underscores the fact that any attempt at automation will result in numerous false positives and that meaningful human review is essential prior to disclosure.

    These requests fall into three broad categories: duplicates, an issue with the allegedly infringed trademark, or fair use. As the majority of disclosure requests Tucows has received to date are for alleged trademark infringement, the examples below may fall primarily into that category; again, it should not be assumed that this is the only type of invalid request.

    Duplicate Requests

    Prior posts (Period 1 and Period 2) have addressed the matter of duplicates and, as there has been a statistically-significant dropoff in duplicate requests, it will not be discussed here.

    Issues with the Request

    Many disclosure requests include a list of all trademarks potentially infringed by a specific domain or set of domains; this is not ideal as the domain name must be compared to the list rather than to a single trademark that is being infringed and it is often not apparent to the reviewer which trademark is the issue. This lack of specificity also suggests that the request originates from an automated system.

    A shocking number of disclosure requests relate to domains not registered with the Tucows family of registrars—sometimes these domains are not registered at all. We have even received a disclosure request alleging trademark infringement for a domain that predated the trademark’s registration. These issues point to the limitations of automation and the necessity of meaningful human review, which we’d like to see more of on the requestors’ side.

    Fair Use

    The final category, fair use, includes multiple examples that are obvious to a layperson as non-infringing. Not included here are edge cases that ought to be adjudicated by a competent authority (whether at UDRP or in a local court).

    petrolexcompany.com
    Here, the domain includes the full trademark “Rolex” but is in use by a different company whose registered name (Petrolex) includes that trademark.

    instantmonogram.com
    letsfacethebook.com
    In each of these cases, the domain name contains the whole trademark separated by additional characters (“Insta[…]gram” or “Face[…]book”) but bears no relation to any infringement of it. While these domains no longer have any hosted content, at the time of review, they were in use by a company specializing in personalized t-shirts and other apparel and by a biblical outreach group, respectively. Both of these are clearly fair use and should never have resulted in a request for data disclosure.

    boucheriefacedeboeuf.com
    lincolnstainedglass.com
    zharfambook.com
    These do not contain the full trademark but only portions of it or portions of misspellings previously adjudicated at UDRP (here, “f…bo” and “insta”). The domains boucheriefacedeboeuf.com and zharfambook.com remain active, in use by a butcher and what appears to be a literacy site. While lincolnstainedglass.com no longer has any hosted content, at the time of review, a small stained glass company was using it for their business. Again, these are clearly fair use upon meaningful human review.

    addictedtofacebook.org
    banned-by-facebook.com
    divestfacebook.com
    facebooksucks.org
    protestfacebook.org
    saynotoinstagram.com
    While each of these domains uses the full trademark (“Facebook” or “Instagram”), they nevertheless evince an indication that the domain is or will be used to discuss grievances with the company in question. Tucows takes no position on the merits of these discussions but notes that trademark use should not be used as a cudgel against speech.

     

    The Tucows process for disclosing data remains aligned with industry best practices and we continue to be actively involved at ICANN both to closely align our processes with expected policy outcomes and to ensure that the rights of all individuals are respected in those policies. We look forward to continuing to share these statistics on a regular basis to contribute to broader industry understanding of the registration data disclosure landscape.


  • Tucows Celebrates 20 Years in the Domain Industry

    January 22, 2020

    Featured, Fun

    Views: 3367

    As of this month, our parent company, Tucows, has officially been in the domains business for 20 years. They introduced OpenSRS (Enom’s then-rival, now-sister company) in 2000, not long after Enom was born. Tucows lifers share a lot of nostalgia for this era; though Tucows has grown to become the largest wholesale registrar and ventured successfully into Fibre Internet and Mobile, a unique fondness for OpenSRS’ early years remains. So what made those early years so cool? Michael Goldstein, Director of Marketing at the time, laid it out for us:


    I am intentionally googling none of my recollections about the early days of OpenSRS so they will almost certainly be romanticized, exaggerated or just plain wrong. A few themes jump out at me.

     

    We felt like we were part of a revolution

    In a little corner of the world, Network Solutions was an evil empire. A government-sanctioned monopoly was getting fat and greedy and the product that they controlled (domain names) was quickly becoming more crucial to many millions more end-users around the globe. The channel (Web hosts, ISPs, IT consultants) was overcharged and underappreciated. We believed so strongly that these managed service providers (as we liked to call them at the time) knew the end users best and would take the best care of them if they just got the tools and pricing they needed.

    It was fun to be a hero to that very narrow target. It was fun to offer a 70% price break from what Network Solutions was charging. It was fun to witness hypergrowth. In fact, you could argue that our unspoken tagline, “OpenSRS, we’re not Network Solutions!” was so successful, Tucows has really just imitated that same model and re-lived that sort of revolution again and again. Hover, we’re not GoDaddy! Ting, we’re not AT&T or Comcast!

     

    We really enjoyed ourselves

    Vintage OpenSRS advertisement.

    When trends and forces are all delivering customers to your doorstep, it’s pretty easy to think you are clever. We ran magazine ads that said, “You can get a lesser product, lousy service and a bad attitude. But it’ll cost 3 times more.” (Oh, fun fact! Andy Berndt, the guy who wrote that ad for us as a freelance copywriter, is now in charge of all creative output at Google as founder and Managing Director of their internal Creative Lab. He also played Duke basketball for a season as a walk-on.)

     

    We couldn’t get enough cow references

    Winner, Donny Simonton, poses with Tucows' two cows at ISPCon in San Diego.

    We built the .MOO top-level domain to demonstrate our registry management solution. I also personally gave away two cows at ISPCon in San Diego to celebrate our two-millionth (I think!) domain name registration. The prize was actually a choice between two cows, a year’s supply of milk or the cash equivalent. We bet heavily on the winner taking the cash.

    I rented the cows from a nearby dairy farmer for just one hour and paraded them across the plaza outside the conference center to chants of Who Let The Cows Out! (If that reference isn’t immediately familiar to you, I’m not going to explain it.) If I remember right, we intended to also highlight the winning registered domain name in our promotional materials and media outreach but chose not to because it was pretty shockingly pornographic (like the thousand domains registered before and after it). Good times.

     

    We weren’t thinking about 25 million domains

    Everything we did was done to quickly solve a problem or seize an opportunity. We listened well. We hustled. But we never expected that we would be using the things we built twenty years later. We certainly never imagined that we would eventually acquire and integrate half the other challengers that launched at the same time we did. Now we’re all growneded up. We are building an integrated platform that can accommodate over 25 million domain names and over 40,000 managed service providers (or whatever we call them these days) around the world. We proudly offer a huge selection of TLDs, from .ABOGADO to .ZONE. We talk about scale and efficiency. We brainstorm and measure site usability. I think we ultimately do a better job for our customers today than we did back then. I don’t think we’ll ever be quite as cool 😎.


  • Hostnet: Finding Success with New TLDs

    December 9, 2019

    Fun, Industry Insight, New TLDs


    Founded in 1999 by two students offering web-design services, Hostnet has grown into one of the largest and most customer-friendly hosting providers in the Netherlands. Today, they offer domain names, website hosting, a website builder, and other business services to a growing number of customers. Since 2000, they’ve used Tucows to power domain registrations and management for a large part of their business.

    Here’s a snapshot of our conversation with Bas Schouten, Product Manager (Domains), Hostnet BV. We touch on Hostnet’s successful journey and how their partnership with Tucows (Enom’s parent company) has helped them create value for end-customers and capture growing business opportunities.

     

    1. Tell us about your journey from a two-man web design company to the Hostnet of today?

    In the beginning, Hostnet was selling hosting and domain names from an attic. This was back in the days when customers placed their orders via fax. Needless to say, it involved a lot of manual work. A lot has changed over the years. For one thing, orders are no longer sent via fax, but via the Hostnet webshop. Requesting and registering a domain name is now automatic. But we’ve also expanded our product offering. In addition to hosting and domain names, we’ve added solutions such as email, Microsoft Office 365, and various other Managed Services.

    In 20 years we have become one of the largest and most customer-friendly hosting providers in the Netherlands. During this time, we grew to a 50-person, then 100-person company. Along the way, there have been milestones in the number of registered domains and active hosting packages we have under management.

     

    2. What role has Tucows played in this journey?

    Hostnet has been a Tucows reseller since 2000—nearly 20 years. Tucows is our valued partner in areas such as domain registration and SSL certificates. By working together with Tucows, Hostnet has been able to offer registrations under multiple top-level domains (TLDs) since 2000. Tucows also helped us effectively expand our top-level domain offering when the new TLDs became available, starting in 2014.

     

    3. What’s your perspective on new top-level domains? How have they impacted your business, and how do your customers perceive them?

    With the right marketing, new top-level domains can be the biggest opportunity (growth rate wise) at this time, which is great. I think, in general, customers like new domains, although there are many new extensions that are just too long/niche to be actively used. The beauty of new extensions such as .SITE, .ONLINE and .TECH—all of which are popular in the Netherlands—is that domains in these zones are so valuable when the more traditional options (like .NL or .COM) are already taken. This has already begun to happen to a large extent.

     

    4. Which domain extensions do you think most resonate with the Netherlands market?

    I’d say .ONLINE and .SITE are quite popular in the Netherlands. In fact, .ONLINE is currently Hostnet’s best performing new domain extension and tops the charts in terms of sales volume and growth rate. I believe that .ONLINE is the largest new extension in the Netherlands.

    With the eCommerce market booming, we are also seeing a good uptake for .STORE, with live websites from our customers growing consistently on this extension.

    Other than that, .NL and .COM are well-known in this region.

     

    5. How have you taken advantage of Tucows’ promotional TLD pricing? What success or changes have you seen as a result of TLD promotions?

    We have made the most of Tucows’ promotions mostly by reducing the pricing to our customers for those TLDs, in some cases paired with marketing initiatives such as Social Media posts or mentions in newsletters. In addition, some registry partners, such as Radix, consistently put forth content that has helped us keep the offers fresh and exciting for our customers. These efforts, in most cases, contributed to a significant rise in sales.

     

    6. If you could select a few new TLDs to recommend to other companies not currently selling them, which ones would you pick and why?

    My recommendations would definitely include .ONLINE, .STORE, .SITE, .SHOP and .APP. All of these are great TLDs. .ONLINE and .SITE are more generic, while the other three clearly state what they’re used for.

     

    7. Other than pricing, what value do you think new TLDs bring to your customers?

    New extensions definitely offer a lot more options to choose from and allow people to register a domain that may be unavailable under the more conventional .NL and .COM TLDs. More importantly, new domain extensions are an opportunity to state more clearly what your website or product is all about.

     

    8. What aspects of your business are you most proud of?

    I am most proud of the exceptional service we provide to our customers. We’re professionals who are reachable by phone, chat, and email most of the week and are committed to assisting our customers with any problem, as thoroughly as possible. Hostnet is definitely a customer-first business and that has significantly contributed to our growth and success over the last two decades.


     This post was sponsored by Radix. Many of their TLDs, including the super popular .ONLINE, .STORE, and .TECH are on sale now through Enom. Learn more.


  • Highlights from ICANN66 Montreal

    November 25, 2019

    GDPR, Industry Insight, News


    Montreal in November is not as bad as it sounds; the weather is crisp and clear, the snow isn’t too deep yet, and it doesn’t get dark until a reasonable time in the evening. It’s still not my top choice for a travel destination at this time of year, but the ICANN conference definitely made it all worthwhile. For those who couldn’t make it out to Montreal, here are the highlights.

    How best to handle DNS abuse

    While changes necessitated by the GDPR were a hot topic at ICANN66, we were pleased to see a lot of discussion about DNS Abuse and how best to address it. Front and centre in these conversations was the “Framework to Address Abuse”, a document signed by Tucows and other major registrars and registries hoping to standardize our industry’s approach to DNS Abuse. In that Framework, Tucows and our co-signatories proposed a definition of DNS Abuse that we believe is correct and appropriately limited, while also describing a set of non-DNS Abuse categories on which we would, nonetheless, take action. The plenary session on DNS Abuse was the most well-attended session at any ICANN meeting so far.

    It’s impossible to summarize such a broad topic and intense discussion (you can, however, watch the whole thing online!), but here are the key takeaways:

    • DNS Abuse is a topic that the community is working to address
    • There’s concern around who should respond to Abuse and how to do so in a proportional manner
    • There are already tools in place that ICANN Compliance could use to help in this effort

    We’re committed to working within our space to address Abuse, and we look forward to collaborating with other groups in the domain name industry as this work continues.

     

    You guessed it… the GDPR

    The impact of the GDPR and other data privacy regulations on the Domain Name System remained a primary focus for ICANN66. Both the Expedited Policy Development Process (EPDP) team (the group that works to determine what the permanent replacement to ICANN’s Temp Spec must include and address) and the Implementation Review Team (the group responsible for transforming the EPDP’s Phase 1 recommendations into Consensus Policy) made good use of the opportunity for face-to-face meetings.

     

    Work from the EPDP team

    The EPDP team is in Phase 2 of their work, developing a System for Standardized Access and Disclosure (SSAD) by which third parties can obtain non-public gTLD registration data. It’s a large project, and the work is divided up into a series of “building blocks,” each examining different aspects of this system, such as accreditation (for third parties in search of data), data retention requirements, and auditing.

    We think this is a useful approach, but some core questions remain unanswered, including the fundamental one: who is the entity making the disclosure decision? 

    When a third party requests access to registration data, will that be relayed to the relevant registrar or registry operator, or will the SSAD operator make that determination? Could a standalone SSAD operator have all the relevant information needed to appropriately decide if the request should be fulfilled or denied? Could a registrar or registry operator provide data to be disclosed via the SSAD while remaining compliant with data protection laws? As the building blocks get finalized, these underlying open issues are brought to the forefront, and we’re getting closer to the point where the EPDP can’t continue its work without these answers.

    To that end, ICANN has set up a “Strawberry Team,” a group of ICANN staff working in parallel to the EPDP team. Just before ICANN66, they sent a proposed model for registration data disclosure to the European Data Protection Board, asking for feedback.

    There’s a general sense of frustration among EPDP members around the lack of communication about this; the team had asked ICANN to share any proposals or models with them before sending them out to groups like the Data Protection Board, and that didn’t happen here. There’s also concern that this work should be happening within the multistakeholder model rather than alongside it.

    Ultimately, if the European Data Protection Board (EDPB) provides advice, that can only be a good thing. However, as we wrote following ICANN64 in Kobe, it’s important to remember that any statement by the EDPB that the model is acceptable could easily be retracted in the future; it’s not a guarantee of legality. Instead, decisions around how to update ICANN contracts and Consensus Policies should be made by the ICANN Community, who are able to take relevant local laws and regulations into account while considering the policies our industry needs.

     

    Work from the Implementation Review Team

    Alongside the EPDP’s Phase 2 work, the Implementation Review Team (IRT) is in the midst of transforming the EPDP’s Phase 1 Recommendations into a “gTLD Registration Data Policy.” Once complete, this gTLD Registration Data Policy will replace the Temp Spec and permanently modify ICANN’s Registrar Accreditation Agreement (as well as other ICANN policies) to bring them into compliance with the GDPR and other data protection laws.

    This new policy will cover:

    • data collection
    • transfer of data from registrar to registry
    • transfer of data to data escrow provider
    • publication of registration data
    • logging
    • data retention requirements

    This gTLD Registration Data Policy will also include a section on “Reasonable Requests for Lawful Disclosure of Non-Public Registration Data.” You may be wondering how this ties into the EPDP team’s Phase 2 work developing a System for Standardized Access and Disclosure (SSAD): would they not go hand in hand? The difference is that the IRT’s Policy will govern how requests for data are handled when made directly to individual registrars or registry operators, while the SSAD is intended to be a standalone unified system with a single point of contact and operator.

    There is not yet an expected date for when the new gTLD Registration Data Policy will become effective, but we will keep you posted as things develop.

     

    Tucows’ involvement in the ICANN Community

    The Tucows team also presented on panels and attended sessions on a variety of other topics. We discussed expectations for RDAP, the successor to the Whois protocol, based on outcomes of the EPDP and IRT; we worked with the joint registrar and registry “TechOps” team on a set of topics, including best practices for transfer authorization codes.

    ICANN meetings are a unique combination of exhausting and exhilarating. Participants from all around the world come together to work on specific topics, with hundreds of sessions to choose from, and the public forums are always fascinating. We continue to work hard to make sure that the concerns of our customers and their registrants are represented at this important venue.


  • Tiered Access Data Disclosure Update

    October 30, 2019

    GDPR, Industry Insight


    It has been more than a year since Tucows, Enom’s parent company, launched our Tiered Access Compliance & Operations portal, sometimes called “Gated Whois,” and it’s been around six months since we shared our first set of statistics on how and by whom this platform is being used. Today’s update brings our statistics current through mid-October 2019. We hope that this data will provide insight into how we handle requests for non-public personal data.

    It’s important to remember that these statistics represent disclosure requests by a third party asking for personal data which is not publicly available. Each request is examined by a member of our legal team, who reviews the request and decides what data, if any, should be disclosed based on applicable law and our ICANN obligations. This review can be intensive and time-consuming but is essential to processing the data we’re entrusted with in accordance with our commitment to the protection of personal data.

     

    Data disclosure requests

    We received 467 requests for data in the period from February to mid-October 2019 and 2617 requests total to date.

    • 36% of requests received in this period resulted in registration data being disclosed to the requestor
    • 45% were incomplete and the requestor did not respond to our follow-up for further information, so no data were disclosed
    • 10% were denied, following a determination that the requestor did not have an adequate lawful basis
    • 9% of requests resulted in “disclosure” of Whois Privacy information—that is, the same information already publicly available to a requestor

     

    Disclosure request outcomes – Period 2

    We are pleased to note that we did not find significant spikes in requests during this reporting period, unlike our previous report where request volumes increased around ICANN meetings, suggesting that some portion of those requests were submitted in order to skew the data towards an argument that disclosure requests are not being processed in a timely or appropriate manner.

    Here’s an illustration of the volume of requests over time since we launched Tiered Access:

    Compared against our last report

    Perhaps more interesting than the overall numbers is how the current reporting period compares to the previous one. Below, we compare request and response statistics as users become more accustomed to the new system and learn how to request data effectively; the comparisons are percentages.

     

    Disclosure request outcomes compared

    • Increase in disclosure of non-public data from 25% to 35% and decrease in incomplete requests from 69% to 45%
      These changes are likely a result of our efforts to work with high-volume requestors to improve the quality of their requests
    • Increase in denied requests from just under 5% to just over 11%
      We attribute this to small-volume and single requestors who recently discovered our Tiered Access portal and do not yet understand how to submit a request that allows us to adequately evaluate their legitimate rights against the privacy rights of the registrant. We will work to better describe the request process at the point of access.
    • Increase in requests for data where the domain has Whois Privacy enabled from 3% to 9%
      When a domain uses one of our Whois Privacy services, we instruct requestors to submit legal process before disclosing the underlying personal data. We also, however, provide the privacy data, as the email address can be used to contact the registrant directly.

     

    Duplicate requests


    We continue to see a significant rate of duplicate requests. These include requests from the same source and from multiple requestors, each purporting to represent the same interests.  When we receive a second request from the same requestor, we refer them to our prior correspondence—whether that included a request for more information (most often the case) or disclosed personal data. When we receive a request for the same domain’s data from a different party, we encourage the two parties to work together to determine which one represents the legitimate purposes for the data disclosure. We do this whether the data were previously disclosed or not.

    As before, a statistically significant share of all requests comes from the same single requestor mentioned in our previous report; this is the largest individual requestor using our Tiered Access system. However, their requests have dropped by half—last time we shared stats, this requestor represented nearly 65% of all requests, while for period 2 they make up 30% of all disclosure requests submitted to our Tiered Access system. We have worked with this requestor to refine and improve the quality and type of their requests, which has resulted in a decrease both in requests sent and requests denied.

    Although they make up only a very small percentage of overall requests (1.5%), requests for access to our entire registration database have doubled from period 1 to period 2. The majority of these types of requests come from security researchers.

     

    Who wants data?

    As stated above, users of our Tiered Access Compliance & Operations system are vetted by our legal team, and disclosure is limited to those with a demonstrated legitimate legal interest. There are a few broad categories of requestors who typically have a legitimate purpose that would allow us to disclose the data—for example, while we do receive requests that are unsolicited offers to purchase a domain, this is not a legitimate purpose for disclosure, as there are other ways to accomplish the same goal without necessitating disclosure of personal data.

    The main tracked requestor types are “commercial litigation”, who need access to personal data in order to bring a legal claim of rights against the registrant; law enforcement, carrying out an investigation or in the course of their work; and security researchers, who use certain aggregate data to identify trends in digital abuse. In the chart below, “other” indicates all other requestors, including Certificate Authorities, resellers, and unaffiliated individuals.

     

    Requests by Requestor Type


    Despite recent concerns raised by security researchers—who comprise the bulk of requests for access to our entire database—the significant majority of all disclosure requests continue to come from commercial litigation interests. We continue to work with security researchers to develop ways for them to access the information they need while protecting the personal data of our customers.

    Since law enforcement historically had unrestricted access to the entire registration database, when a law enforcement officer from a jurisdiction we operate in indicates a need for data that would previously have been public, we do disclose the data to them. Law enforcement officers from other jurisdictions must still show legitimate purpose.

     

    Ongoing work

    The attitude we have seen throughout this process indicates a culture of entitlement to private personal data and a frustration about the requestor’s obligation to prove that they have a legitimate basis to access personal registrant data.

    In February 2019, the Registrar Stakeholder group published recommended minimum requirements for requesting non-public registration data. This valuable resource has been slow to gain traction in the community of requestors, though we continue to educate requestors individually. Our follow-ups, asking for information sufficient to show legitimate purpose, continue to be ignored, indicating to us that our responses to disclosure requests are unmonitored and that those disclosure requests themselves may be spurious or automated.

    We work on an ongoing basis both with trade groups and individual requestors to emphasize the importance of balancing rights—the requestor’s right to personal data necessary to defend their legitimate rights against our customers’ right to privacy. Our work includes participation in the EPDP, an effort at ICANN to solidify the rules surrounding how disclosure of personal data should proceed.

    We believe that we have developed a viable disclosure model—an opinion shared by trade groups who have indicated that the Tucows Tiered Access Compliance & Operations platform is an industry standard—and are happy to share additional details with other data custodians and with requestors to improve and harmonize the process across the industry. I will be at ICANN 66 in Montreal and available to discuss.


  • Our Ongoing Commitment to Combatting DNS Abuse

    October 18, 2019

    Announcement, Featured, News


    Abuse is a significant problem on the Internet today and, as a provider of Internet infrastructure services, we constantly consider what role we should play in combatting this issue. We actively investigate and respond to reports of abuse, but like other registrars and registries, we’ve been alone in developing our approach—until now.

    Abuse has been a growing topic of conversation in our industry. Today, several major registrars and registries released a DNS Abuse Framework defining which types of abuse of the domain name system (DNS) we are the appropriate parties to take action on. It’s our hope that this commitment by DNS providers to address abuse on our platforms will help establish industry-wide standards that both protect free speech and ensure that the Internet remains free and open while keeping malicious online activity in check.

    What is DNS Abuse? On the surface that should be easy to answer: it’s abusive use of the domain name system. But as you get into the details, there are often more questions than answers. Who decides what is abusive? Who should respond when it happens? As a domain name registrar, our obligations are spelled out in the Registrar Accreditation Agreement (RAA), but although we must “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse,” (RAA 3.18.1) the RAA doesn’t provide a specific definition either of abuse or of what steps are reasonable.

    For some registries, Specification 11 of their respective Registry Agreements provides more assistance, referring to specific types of behavior as security threats: pharming, phishing, malware, and botnets. Until now, however, there has not been a consistent, common understanding of how to define abuse, meaning we haven’t been able to come to an agreement on who should respond when it happens.

    This new DNS Abuse Framework proposes a shared definition of DNS abuse, relying on the Internet & Jurisdiction Policy Network’s definitions of the four behaviors listed in the Registry Agreement plus spam (but only when spam email is used as a delivery mechanism for another type of abuse, such as malware). This Framework also considers additional types of abuse that DNS providers should respond to—even if we are not required to do so under our respective contracts. Reaching a common agreement about what constitutes DNS abuse is a crucial component of any industry-wide efforts to mitigate that abuse. 

    We encourage all Enom resellers to read through the Framework and become familiar with these types of abuse. To help, here’s a summary.

    Malware is software that is installed on a device, such as a computer or smartphone, without the owner’s consent and for malicious purposes (that’s where the “mal” comes from). This includes things like viruses or spyware.

    Botnets are networks of malware-infected computers, controlled remotely.

    Phishing is the term for a fraudulent or copycat email that tricks users into thinking it’s legitimate in order to obtain personal data or financial information such as credit card numbers.

    Pharming is the use of DNS redirection to bring Internet users to a different website than the one they intended to visit, in order to obtain personal data or financial information or install malware.

    Spam is unsolicited email; it is included in our definition of DNS abuse when it’s used as part of the delivery method for these other types of abuse, such as malware or phishing.

    As one of the collaborators of and signatories to this Framework, the Tucows family of registrars is committed to taking action when our services are used for these malicious purposes. As a community of stakeholders all seeking to provide safe and reliable Internet services, we’ve come together to find the most effective and appropriate means to mitigate these significant concerns. Since rules vary from jurisdiction to jurisdiction and there is no single global standard, we hope that this Framework helps to provide one. Having a consistent, industry-wide approach will help make responding to abuse faster and more successful, and this Framework can help those who encounter abuse online to know where to best direct their concerns so they’ll be addressed promptly.


  • Meet the New .ORG

    October 10, 2019

    Uncategorized


    .ORG has a new look! It’s the same trusted domain you know and love, but with a new, bold visual identity. We sat down with PIR, the registry behind the .ORG TLD, to learn a little more about their rebrand and how they’re gearing up to make .ORG even more impactful.

    There are quite a few elements that define a brand, and a great deal of thought was put into developing a new identity that visually, verbally, and emotionally speaks to who .ORG is and how PIR wants to connect to the .ORG community and the world. You can see it in their new logo and refreshed website — both feature exciting and energetic colors, bright imagery, and design elements that reflect .ORG’s impact worldwide, with more than 10 million domains under management.

    But a new look is only the tip of the iceberg; the “new .ORG” refers to more than a logo or color palette. It’s been a banner year for .ORG in more ways than one.

    A New Leader

    In December of 2018, .ORG welcomed a new leader — Jonathon Nevett — as President and Chief Executive Officer. Jon has brought decades of domain expertise and an impressive track record of industry leadership that has been (and continues to be) instrumental to the ongoing growth of .ORG. As Jon himself says, “I’m honored to be at the helm of such an impactful organization and want to do everything I can during my tenure to enhance the .ORG domain.”

    A Focus on Quality

    .ORG has always been one of the world’s most trusted domains, and one of the areas of focus for .ORG in 2019 (and beyond) is in upholding its reputation for being safe, secure, and trustworthy. Programs such as the recently implemented Quality Performance Index (QPI) initiative are designed to improve the quality of the .ORG name space by encouraging registrars and resellers to help ensure that the .ORG domain remains the best place for mission-based organizations to bring their ideas to life.

    Highlighting .ORGs In Action

    While .ORG has been used by some of the world’s most impactful non-profit organizations, the domain truly is for anyone who wants to do great things online. This year, .ORG will begin to shine a light on the forward-looking businesses, professional associations, civic groups, nonprofits, clubs and families who are all making their inspirations a reality using .ORG. The .ORG Story Program has launched with five unique stories of .ORGs who are making a difference in their communities and the world — and the story collection will continue to grow over the coming months.

    In addition to sharing these incredible stories, .ORG will also be hosting its first annual .ORG Impact Awards (OIAs) on the evening of October 10th in Washington, DC.  The .ORG Impact Awards program provides recognition to .ORGs that are connecting communities, making a difference in the world, and leveraging the internet for transformative change. This first annual program celebrates .ORG domain name users of all kinds and causes for their accomplishments in community mobilization, marketing and outreach, and mission achievement.

    Another major focus area for .ORG starting this year is providing educational opportunities that will empower .ORG community members to successfully leverage the Internet to achieve their myriad of missions and goals. The inaugural .ORG Community Forum, held on the morning of October 10th in Washington DC, brings together the .ORG community to collaboratively explore common areas of interest and find ways to navigate through critical challenges facing .ORGs today.

    Some Things Never Change

    While there sure is quite a bit that’s new with .ORG, some things always stay the same. For more than 30 years, .ORG has established a long-standing reputation as a best-in-class domain, particularly when it comes to domain security, trust, and reliability. And you can be certain that .ORG will continue to build on this impressive legacy – and remain the best place for anyone to build a trusted online identity.

     

  • The Importance of Authentication in SSL

    July 23, 2019

    Advice, SSL

    Update: Our latest DigiCert Webinar covers the importance of authentication in SSL, and how it’s a key factor in properly marketing and selling certificates.


    Browsers have evolved to offer a better user experience and greater attention to security. Perhaps most importantly, they now display a security warning to users when they land on a website that lacks encryption.

    This is a step toward a safer Internet, but encryption is only part of the security equation.

    Without a means to verify the owner of that website, the user can’t be sure who they are sending their information to. 

    When SSL certificates were first introduced, they served both these critical purposes:  

    1.  Encrypting the data in transit

    2.  Authenticating the website to which the data is being sent

    They were issued by a small handful of Certificate Authorities (CAs), accredited and compliant third parties able to provide both encryption and authentication of your website. 

    But as the Internet grew, so did the number of CAs in the market, and the variety of SSL options. And what was the main differentiating factor among these certificates? The level of authentication they provided.

    Today, SSL products range from free “encryption-only” certificates, which can be registered in a matter of minutes, to Extended Validation (EV) SSL certificates, which, as their name suggests, involve a thorough validation (authentication) process as part of their registration. 

    When choosing an SSL certificate for your site, or helping a customer select one for theirs, your main question should be: what level of authentication do I need? After reading this blog, the answer will be clear.

     

    Minimal Authentication: Domain-Validation (DV) Certificates 

    DV certificates are often described as “encryption-only” because they don’t provide confirmation of who the website owner really is. To register a DV certificate, the website owner simply needs to prove ownership of the domain name(s) they are trying to secure. 

    Think of a DV certificate like a library card: it is easy to obtain and isn’t considered a credible form of identification.

     

     

    When to use a DV certificate

    These certificates are sufficient if you’re securing a page just to maintain browser compliance (and avoid those warnings), or if you’re hosting a site that purely provides information and you want it done securely.

     

    Basic Authentication: Organization-Validation (OV) Certificates

    Before issuing an Organization-validated certificate, the Certificate Authority vets the organization and individual applying for the certificate. If a website visitor chooses to view the OV certificate, they’ll find this verified company information included in the details. 

    You can think of an OV certificate like a driver’s license: obtaining one involves a bit more hoop-jumping, but it is better trusted as a form of identification.

     

     

     When to use an OV certificate

    If you collect any basic personal information from your users, for example, login credentials, they’ll likely want to know who they are sending this information to. An OV certificate from a reputable CA may provide sufficient authentication and assurance in these cases. 

    However, Extended Validation certificates (see below) are often a better fit for e-commerce pages or business-critical sites where consumer trust is particularly important.

     

    Advanced Authentication: Extended-Validation Certificates

    Extended-validation (EV) certificates involve the most rigorous authentication process and, consequently, provide the highest level of assurance to website visitors. 

    What’s more, as mentioned above, they do this in a very obvious way: a green address bar that includes the name of the company. Finally, the CA/Browser Forum, the SSL industry’s governing body, sets specific guidelines to govern the registration and authentication process for EV certificates.

    These factors combine to make EV certificates the gold standard, and the assurance they provide becomes ever more essential as the average Internet user becomes savvier and security standards rise. 

    Continuing with our analogy, EV certificates can be thought of as passports: they are internationally recognized as the most trusted way to verify a website owner’s identity.

     

     

    When to use an EV Certificate  

    We recommend using an EV if you’re looking to establish a high level of consumer trust or collecting sensitive information, which could range from login credentials to national identifiers, to credit card information. While not all browsers treat EV certificates the same way, for users, the additional visual cues can inspire trust and confidence to proceed with the transaction or activity.
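
    To show what each level puts in front of a visitor who views the certificate details, this added example (not from the original post or from DigiCert) classifies a certificate by its subject fields, using the dict shape returned by Python's ssl.SSLSocket.getpeercert(). The sample certificates and organization names are constructed, and the DV/OV/EV decision is a heuristic based on which subject fields are present.

```python
import socket
import ssl

# Subject attributes the CA/Browser Forum EV Guidelines require in an EV
# certificate on top of organizationName (names as OpenSSL/Python report them).
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}
IDENTITY_FIELDS = ("organizationName", "localityName",
                   "stateOrProvinceName", "countryName")


def subject_attrs(cert):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    attrs = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            attrs.setdefault(name, value)  # keep the first value if repeated
    return attrs


def validation_level(cert):
    """Heuristic DV/OV/EV guess from the subject alone (an assumption).

    The authoritative marker is the policy OID in the certificatePolicies
    extension, which getpeercert() does not expose, so treat this as a hint.
    Individual-validated certificates (not covered in the post) carry no
    organizationName and are reported as "DV" here.
    """
    if not cert:
        # getpeercert() returns an empty dict when the chain was not validated;
        # nothing in such a certificate can be relied on.
        return "UNVERIFIED"
    attrs = subject_attrs(cert)
    if "organizationName" not in attrs:
        return "DV"
    if EV_SUBJECT_FIELDS.issubset(attrs):
        return "EV"
    return "OV"


def verified_identity(cert):
    """Return the CA-vetted organization details, or None for DV/unverified."""
    attrs = subject_attrs(cert)
    if "organizationName" not in attrs:
        return None
    return {k: attrs[k] for k in IDENTITY_FIELDS if k in attrs}


def covered_hostnames(cert):
    """DNS names the certificate encrypts traffic for (all levels have these)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live, chain-validated server certificate (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() form (not real sites).
DV_SAMPLE = {
    "subject": ((("commonName", "blog.example"),),),
    "subjectAltName": (("DNS", "blog.example"), ("DNS", "www.blog.example")),
}
OV_SAMPLE = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Washington"),),
        (("localityName", "Kirkland"),),
        (("organizationName", "Example Widgets LLC"),),
        (("commonName", "login.widgets.example"),),
    ),
    "subjectAltName": (("DNS", "login.widgets.example"),),
}
EV_SAMPLE = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("jurisdictionStateOrProvinceName", "Delaware"),),
        (("serialNumber", "0000000"),),
        (("countryName", "US"),),
        (("stateOrProvinceName", "New York"),),
        (("localityName", "New York"),),
        (("organizationName", "Example Bank Inc."),),
        (("commonName", "secure.bank.example"),),
    ),
    "subjectAltName": (("DNS", "secure.bank.example"),),
}

if __name__ == "__main__":
    for label, cert in (("dv", DV_SAMPLE), ("ov", OV_SAMPLE), ("ev", EV_SAMPLE)):
        print(label, validation_level(cert), covered_hostnames(cert),
              verified_identity(cert))
```

    All three samples list hostnames, but only the OV and EV samples return an organization, which is the difference between encryption and authentication that this post describes.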

     

    Looking to better market your SSL lineup?

    Our partners at DigiCert have some great resources to help you educate your customers and help them find the right fit.  Through your partnership with us, you have access to an array of brands and certificate types to help make sure you properly meet the needs of your specific customer for their specific project. You can view our SSL offering here.

     


    This post was sponsored by DigiCert, an Enom partner, and leading Certificate Authority.

     

     

  • The Evolution of the Domain Transfer Process

    July 16, 2019

    GDPR, Industry Insight

    ICANN’s Inter-Registrar Transfer Policy (IRTP) defines the procedures and rules for domain name transfers. When it was first introduced in 2004, the Policy was limited to inter-registrar transfers. Over the years, it has been revised by Policy Development Process (PDP) Working Groups and expanded to include governance of domain ownership transfers and a transfer dispute process. But the original rules for inter-registrar transfers remained mostly unchanged until May 2018, when the Temp Spec came into effect, modifying the process for a post-GDPR world where Whois data, which had long been the primary means of transfer verification, was no longer publicly available.

    But the Temp Spec is temporary. So what’s the long-term plan?

    The last few months have been interesting. First, we’re now in the gap between the Temp Spec’s expiration and any formal update to the Transfer Policy. ICANN’s Expedited Policy Development Process (EPDP) team has recommended continuing to use the process outlined in the Temp Spec in the interim. The EPDP team also made several recommendations as to how the Transfer Policy should be modified, which we can expect to see reflected in those updates.

    Secondly, and much to the delight of domain policy enthusiasts (we exist!), the Transfer Policy came due for review by the GNSO Council. This is a standard practice for all ICANN Consensus policies: once a policy has been in place for a number of years, ICANN Staff compiles a report on its effects, which the GNSO Council uses to decide if the policy needs to be modified. This time around, the decision is a pretty clear one—the fact that we’re still following the Temp Spec method instead of the pre-GDPR transfer process points to the need to update the Policy. The Revised Inter-Registrar Transfer Policy Status Report is almost a formality, given the circumstances, but it includes some findings and related suggestions which will hopefully spark data-driven improvements to the Transfer Policy alongside the necessary GDPR-motivated updates.

     

    Recent Transfer Policy changes

    It’s been just over a year since Enom made necessary changes to our domain transfer process, and domains are still moving into and out of our platform smoothly. The biggest difference between our pre- and post-GDPR transfer process is that we are no longer able to use a “Form of Authorization” to confirm a domain owner’s transfer request. Instead, the authcode is used to verify that the request is valid and to initiate the inbound transfer within the registry system. We also now direct all transfer-related messaging to the registrant contact, since we no longer use an administrative contact for gTLDs.

    These changes are in keeping with the Temp Spec and with what we anticipate to be the future of the Transfer Policy. They’re also aligned with the work being done by the registrar and registry joint TechOps team: developing a more streamlined, user-friendly transfer process that remains secure against domain theft.

     

    Transfer Policy Status Report

    The Report discusses the impact that the Temp Spec had on the inter-registrar transfer process, but its overall scope is broader, with a focus on three main goals that transfer-related PDP working groups have been considering since they first began exploring how to improve the transfer process in 2005:

    – Portability

    – Preventing abuse

    – Providing information [1]

    The related central questions are:

    – Can registrants easily transfer their domain names?

    – Are processes standardized and efficient for registrars? [1]

     

    Takeaways from the Report

    The Report shows ICANN Compliance has noted a steady decline in the rate of transfer-related Compliance tickets, suggesting that there are fewer overall concerns about the process, perhaps because domain owners have gained experience with it. However, ICANN’s Contractual Compliance metrics do show that transfer issues remain the second-most common reason for people to contact ICANN Compliance, following only Whois inaccuracy concerns. This suggests that there’s room for simplification and further education around the transfer process.

    Another takeaway from the Report is that there was a significant spike in inter-registrar transfers in late 2016, likely caused by registrants changing their registrar just before the new Change of Registrant (COR) process and related lock came into effect. The Report also notes that immediately following the introduction of the COR lock requirement, ICANN Compliance began to receive a significant number of complaints about it. [2] This tracks with our own customer service data which indicates frustration and confusion about COR locks generally, and we will be interested to see how COR lock complaint numbers change over time.

    As acknowledged in the Report, ICANN cannot directly track abusive transfers, as such situations are not reported consistently and cannot be independently verified.

     

    ICANN’s suggestions for improvement

    ICANN provides four suggestions for how to enhance the Transfer Policy moving forward, and we have some thoughts on each of them.

    ICANN Suggestion 1: Require registrars to log when a domain owner obtains their transfer authorization code. [2]

    Our perspective: Logging when an authorization code is retrieved by an end-user is a great idea, although implementation would be complicated. In many domain management interfaces, this code is visible by default on the domain name details page—there is no affirmative request to retrieve the code. So for many resellers and registrars, this requirement would involve significant development work, but that work is well worth doing.

    ICANN Suggestion 2: Provide a process or options to remove the 60-day COR transfer lock to better serve registrants’ needs. [2]

    Our perspective: The 60-day transfer lock has indeed proven to be a nuisance to both registrars and registrants, and there is some confusion as to whether and how it may be removed after it has been applied. We welcome clarification of the requirements but expect it to be a long process including consideration of whether alternative verification safeguards would become necessary.

    ICANN Suggestion 3: Clarify the Transfer Policy section about when a transfer can be denied due to non-payment. [2]

    Our perspective: This change would be a useful clarification. The section of the Policy where this is laid out can be confusing and difficult to parse, so making it more straightforward should help registrars more easily understand their rights and obligations in this regard.

    ICANN Suggestion 4: Clarify if the Change of Registrant process is applicable when the real underlying contact info is updated on a domain with an active Whois Privacy service. [2]

    Our perspective: This has been a topic of discussion between us and ICANN for quite some time. We believe that, if the underlying ownership data on a privacy-protected domain changes, that’s a Change of Registrant. If the purpose of the COR process is to protect domain owners against hijacking, this is just as important for domains using Whois privacy as it is for those without. ICANN, however, argues that privacy-protected domains are effectively owned by the privacy service, and so COR is not applicable. We want this issue to be clarified, but at this point it’s a question of contractual interpretation, which always needs to be approached with care.

    We appreciate that ICANN’s Contractual Compliance team has provided these suggestions and, if the GNSO Council decides that the Transfer Policy needs to be updated, which certainly seems to be the case, we look forward to working with the multistakeholder community to review these and other possible changes to the Policy.

    The future of the IRTP

    We always advocate for processes that keep things simple for the registrant while maintaining a high level of security and accountability. Tucows (our parent company) staff are part of the TechOps team, participating in the group’s efforts towards streamlining the transfer process to make domain transfers easier for domain owners while maintaining security against unauthorized transfers. Our hope is that the transfer process in use today under the Temp Spec will simply be turned into official policy. After all, it’s been in effect for over a year with no demonstrable detriment to domain owners.

    Our Support metrics show that domain transfers make up a significant portion of Support interactions, with most questions focused either on ccTLDs with special processes, or general transfer status requests (“When will my transfer be complete?”). We’re working on providing more information to our customers and resellers via our Knowledge Base, which we hope will help support you through this process.

    The work that we do in the ICANN community is complex, as is its impact on registrants and resellers. It’s important to make sure the decisions we’re making are data-driven, rather than based on gut feelings that could turn out to be incorrect or only accurate for a small portion of users. This report is a great start; we’re glad to see critical review and engagement with the process and hope that the data provided in the Inter-Registrar Transfer Policy Status Report will be taken into consideration as part of future efforts towards updating the Transfer Policy.

     


    1. ICANN Org. “Revised Inter-Registrar Transfer Policy Status Report.” Icann.org, ICANN, Mar. 2019, 4.
    2. ICANN Org. “Revised Inter-Registrar Transfer Policy Status Report.” Icann.org, ICANN, Mar. 2019, 31-32.

  • We’ve refreshed our Webmail

    June 19, 2019

    Announcement, Featured, News, Resellers, Uncategorized

    As our Custom Email service grows, we’re working to continually improve the platform while maintaining high availability.

    One essential component of our email solution is our Webmail, which is both used by Enom’s direct customers and included in the email service our reseller partners can package as part of their own lineup.

    So, we’re excited to share that we’re launching a new Webmail! Starting today, users can preview the new Webmail to get familiar with the refreshed interface before its official launch on September 5, 2019.

    What’s new?

    The new Webmail will provide a better email experience. You’ll notice improved workflows and a clean, mobile-responsive interface that makes it easier to send emails, manage contacts, organize important events, and more.

    It’s important to note that the transition to the new Webmail will NOT impact contacts lists, settings, or any other existing mailbox data. The various functionalities and features of Webmail will remain, but their look, location, and how users interact with them, will change.

    What Custom Email users need to know

    On your Webmail login screen, you’ll now find an option to “Use the Webmail Interface Preview.” Simply toggle this on and log in to use the new Webmail interface. If you have any trouble, check out our Webmail Cheat Sheet.

    Over the next few months, we encourage you to get familiar with the refreshed interface. On Sept. 5, 2019, the new Webmail will become the default experience for all users—our old Webmail will be retired.

    We’d love to hear your thoughts on the new Webmail, particularly during this “Preview” period. You’ll find a Feedback option in the sidebar menu of the new interface.

    What resellers need to know

    If you already sell Custom Email…

    The new interface offers an intuitive user experience and will NOT impact your customers’ mailbox data or your own settings or integration. That being said, there are a couple of things we recommend you do to prepare for this change:

      Update your support and marketing resources

    We’ve created a number of resources to help you out. On our Webmail Landing Page, you’ll find everything from reusable communication templates to detailed end-user guides—repurpose these materials as you see fit.

      Let your customers know about the new Webmail

    They’ll now find a “Use the Webmail Interface Preview” toggle option on their Webmail login page. Our White-Label Messaging templates can help you with your communication efforts.

      Make note of the launch timelines

    Today: your users can preview the new Webmail to get familiar with the refreshed interface.

    Sept. 5, 2019: the new Webmail will become the default experience for all users—our old Webmail will be retired.

      Let us know what you think!

    Between now and Sept. 5, our new Webmail’s official launch date, we’ll be collecting feedback to help us improve the interface. Share your thoughts.

     

    If you don’t currently sell Custom Email…

    Now is a great time to add email to your lineup! Custom Email has all the standard features your customers want, but it costs a lot less than other solutions on the market.

    It offers you the potential to boost revenue and customer loyalty while avoiding the resource and infrastructure costs associated with hosting your own email service. We also make migration easy.

    Want to learn more? Contact our sales team today.

  • Top questions from domain name buyers

    May 6, 2019

    Advice, New TLDs, Uncategorized

    Guest Author: Alisha Shibli.


    Alisha is a Content Marketing Specialist at Radix, the registry behind some of the most successful new domain extensions, including .STORE and .TECH.

    Please note: The views expressed in this piece are the author’s own and do not necessarily represent those of Enom.



    When it comes to registering a domain name, it’s easy to get overwhelmed. After all, when you’re building a business or starting an online venture, you want to ensure that all factors are working to your advantage. The process of choosing the right domain name is a lot less daunting when you know the basics. So today, we’re tackling some of the most common questions asked by domain name buyers. The information here will also be handy for resellers looking to educate their customers.

    1. What is a domain name and how is it different from a website?

    Websites and domain names are closely related, but they’re two different things. You can think of your website as your house and your domain name as its address. In order for someone to access your website, they need to know its domain name.

    Every domain name has two basic parts: the “top-level domain” (TLD) and the “second-level domain.” For example, in the domain name [yourbrandname].tech, “.TECH” is the TLD and “yourbrandname” is your second-level domain. Together, these form a complete domain name.

    Your domain name will usually include your brand name or the name of a particular sector or product that you’re promoting. When choosing a domain name, you’ll realize there are now numerous TLDs available such as .STORE, .PRESS, .SPACE, .ONLINE, .WEBSITE, .SITE, etc. So, make sure you choose whichever brands your business best.

    2. What should I consider when buying a domain name?

    What some businesses don’t realize is that choosing a domain name is one of the most important decisions they make when establishing their online presence. The domain name is more than just a glorified IP address. It is important for search engines and for customers. Moreover, it is an incredible branding tool, which is why it is crucial to choose a name that adds value to your business and will help you stay relevant even a decade later.

    Here are a few factors to keep in mind when choosing a domain name for your business:

    • Buy domain names that are easy to spell and remember. Avoid using misspelled words. A unique spelling may seem creative, but such domain names fail to be radio friendly—a very important factor in the voice search era.
    • Keep your domain name as short as possible. Anything more than 18 characters is too long. For example, [healthysnack].store is a better domain name than [healthysnacks-store].com.
    • Avoid using hyphens and numbers in your domain name. They are just extra characters for your customers to remember. A user might forget to add the hyphen or get confused between the numerical “6” and the word “six”.
    • Make sure to do your homework and check global databases to ensure that your domain name isn’t trademarked or copyrighted. This will help if you plan to expand your business to other countries in the future.
    • Consider leveraging new, descriptive TLDs to brand your business and act as a home for different marketing and sales endeavors. For example, Emirates has emirates.com as its commercial website and emirates.store as its online merchandise store.  

    3. If I have multiple domain names, how can I use them together?

    You don’t just have to stick to one domain name! Using multiple TLDs in interesting ways can create memorable customer interactions with your brand, or, perhaps, promote your personal side-project alongside your primary business. Here are some of the many ways one can make use of new domain names:

    • Primary Domain: Use a domain name to create an online identity for your business. For example, louder.online or stronger.tech
    • Professional Email ID: Use a domain name to make a strong first impression with a unique email id. For example, [firstname]@[brand].online.
    • Branded URL Shortener: Use a domain name to enhance brand visibility and build trust with every link that you share online. For example, [yourbrandname].tech/contest looks more official than “https://bit.ly/2taRHVV”.
    • Domain Redirect: Use a domain name to make an important inner page easily accessible by creating a deep-link. For example, kindle.store redirects to Amazon’s Kindle store.
    • Product Launches: Use a domain name to attract customers to your new product, store upgrades or seasonal promotions. For example, if you are introducing a new car and want to position it as a “fun” car, you can launch it on [carname].fun.
    • Personal Brand: Use a domain name to build an attractive online persona for yourself. For example, terrene.space is the portfolio website of a freelance photographer, writer, graphic designer & illustrator, Ana Petre.
    • Vanity: Use a new domain name to share your social media profile. For example, [yourname].tech could forward to one of your social media profiles.
    • Blog / Press Page: Use a domain name to make your brand gain visibility online with a [brandname].press. For example, cars.mclaren.press is McLaren’s official media site.

    4. How can I decide between a ccTLD, geoTLD, gTLD, or nTLD?

    Let’s first clarify the difference between these terms.

    Generic top-level domains (gTLD) are, as their name suggests, generic. They have a broad application based on the purpose of the website. For example, .COM (commercial), .ORG (organization), .NET (networks), .EDU (education), etc.

    Country code top-level domains (ccTLD) are regulated by a specific country and are best used to target customers within that country. Some examples include .US, .CA (Canada), .TR (Turkey), .IN (India), .CO.UK, .AE (UAE), .DE (Germany), .FR (France), etc.

    GeoTLDs are similar, but they are tied to a specific region, rather than a country. City extensions like .NYC or .LONDON exist, as well as options like .AFRICA and .ASIA.

    New generic top-level domains (nTLD), which are sometimes just referred to as “new TLDs,” are recently launched generic domain extensions.

    They tend to be more industry- or product-specific, so their adoption has the potential to make the Internet more organized and business-friendly. Some other examples of nTLDs include .STORE for eCommerce and retail, .TECH for technology, .FUN for leisure, .PRESS for media and news.

    Plus, there are many with universal appeal, like .ONLINE, .SITE, etc. In fact, .ONLINE and .SITE have become so popular that over 1 million domain names have been registered on each of these extensions so far. And because these nTLDs are still relatively new, you are likely to find that your perfect domain name is available on one of them!

    In summary

    When it comes to choosing the right domain extension for your domain name, you need to look at the nature and purpose of your business. For example, if you have a tech business, then a .TECH domain would be an ideal choice.

    With the information above, you are well-equipped to make an informed choice. Get started with a search for your perfect domain name.

  • Updates from ICANN64 – Kobe, Japan

    April 8, 2019

    Industry Insight, News

    A small delegation from Tucows attended ICANN64 in Kobe, Japan, and we want to share a few quick highlights about the progress made in some key areas.

    RDAP Working Group

    RDAP, everyone’s favorite new registration data access protocol, is now in the implementation phase. This means that registrars and registries must implement RDAP according to the documented profile requirements by August 26, 2019.

    As we’ve mentioned before, Tucows has already implemented the original version, so we’re now reviewing the final profile to understand what minor updates are needed. The RDAP Working Group recognizes that the current profile is based on the Temp Spec and will need to be modified to align with the policy coming out of the EPDP. As members of the RDAP Working Group, we’ll be participating in that process and making sure we’re on top of any further changes.

    Access to Whois Registration Data

    ICANN’s Technical Study Group on Access to Registration Data, which we’ll refer to as the “TSG,” met with several different groups during ICANN64 to present information about their work and answer questions from the community.

    Leading up to the conference, they were focused on developing a “straw man” technical model that uses RDAP to operationalize the EPDP’s upcoming “Standard Access” (Phase 2) Model. The TSG team members confirmed that they do not plan to build the system they are designing; instead, the objective was to create a Model that can be presented to the European Data Protection Board (EDPB) for review and feedback.

    ICANN CEO Göran Marby’s idea seems to be that if the EDPB signs off on this Model, registrars and registries could follow it when providing Personal Data to ICANN for disclosure to third parties, and this would bring a reasonable expectation of “diminished liability.” However, many of us are concerned that the EDPB will not be able to base any decision off the TSG’s Model — they would most likely also require the accompanying Policy. This policy does not exist yet — it will come out of the EPDP Phase 2 work — and until it does, any request to have the EDPB review the Model is premature and ineffective.

    Additionally, as we were reminded by Cathrin Bauer-Bulst from the European Commission, any statement by the EDPB that the Model is acceptable could easily be retracted in the future; it’s not a guarantee of legality. The TSG team has a face-to-face meeting planned for mid-April to finalize their report, after which it will be handed back to ICANN’s CEO.

    Phase 2 of the EPDP & next steps for the IRT

    The EPDP team met four times over the course of the ICANN64 conference, primarily focusing on planning for Phase 2 of their work: the creation of a Standard Access Model for disclosure of non-public registration data.

    There was also discussion about convening an Implementation Review Team to bring the Phase 1 recommendations into reality and how to bridge the Implementation Gap period between when the Temp Spec expires (May 25 2019) and when the EPDP recommendations become mandatory policy (February 29 2020).

    The team is still looking for a new Chair, as Kurt Pritz stepped down following the end of Phase 1. His admirable leadership and calm in the face of contentious issues will be difficult to replace. In the coming days, the EPDP team will continue to work with ICANN leadership to determine exactly how to proceed with these next steps. The Tucows team will be an active voice in that discussion, and we will keep our resellers up-to-date as things develop.

  • ICANN Updates: EPDP Phase 1 Final Report

    April 3, 2019

    Announcement, GDPR, Industry Insight

    ICANN’s Expedited Policy Development Process (EPDP) team has issued their Phase 1 Final Report, marking the end of this stage of the project. The recommendations from this Report will become mandatory as of February 29, 2020, but contracted parties (registrars and registries) are permitted to implement them sooner. We’re still determining what specific changes we’ll need to make, but here’s an overview of the expected operational impacts that you should be aware of.

    Changes to which data elements are required for ICANN-regulated TLDs

    The EPDP team has recommended that:

    • the Admin contact no longer be used at all
    • the Tech contact be entirely optional and minimized: only name, phone number, and email address.

    Needless to say, we are pleased with this outcome. For months now, Tucows has argued against the continued mandatory collection of Admin and Tech contact data, as it violates the GDPR’s requirement for data minimization. We still allow our reseller partners to pass along these data sets, but we only use them if the registry specifically requires them; if they do not, we simply hold these data on our platform and do not share them with the registry or data escrow provider.

    How is OpenSRS handling this change?

    OpenSRS will need to delete the Admin contacts we hold for existing domains, unless they’re used for a TLD where the registry contractually requires an Admin contact. Before we delete any data, however, we’ll make sure that the registries have made the required changes on their side. This will ensure that no registrations fail at the registry level due to “missing data.” An additional point to consider is that some domains registered under the 2009 RAA rules do not have any associated Registrant contact info, because at the time the domain ownership information was stored in the Admin contact fields. We’ll ensure that the domain owner information is up to date before removing any of the Admin contact data.

    What should resellers do?

    We’re doing our best to minimize any work these changes could create for resellers. Right now, our suggestion is to audit which fields you currently list as mandatory in any signup and domain update forms that you provide to your customer base. You may need to make some adjustments and be ready to implement them once the recommendations outlined above are officially required. We’ll provide plenty of notice before implementing changes on our end.  

    Changes to which data are displayed in the public Whois

    The public Whois record will continue to be mostly redacted. However, the EPDP has recommended that registrars display the registrant state and country fields. We’ll soon begin work to reflect this change in the Whois data output for all domains under our accreditation.

    Special case: publishing registrant Organization Whois data

    In theory, the Organization field holds non-personal data, so displaying it in the public Whois should not be an issue. In reality, however, the Organization field frequently does contain personal data. For this reason, the EPDP team has recommended that the Organization field should be published, but only in a way that avoids the accidental exposure of personal data.

    So, how will this be accomplished?

    Registrars have been asked to contact all existing domain owners to confirm whether or not they want their Organization info published. If the registrant opts in, the registrar can then publish the Organization data. If the registrant does not opt into publication, or does not respond at all, the data in the Organization field can either be kept on file with the registrar but redacted from the public Whois, or deleted entirely.

    What should resellers do?

    For the long term, the EPDP team recommends a more proactive approach where a “disclosure, disclaimer or confirmation” is presented to domain owners as they enter data into the Organization field. This notice would explain both options and give the registrant the opportunity to decide if they want this information published or not. If you collect data through an online sign-up form, you may want to consider how to incorporate this notice. We’re considering how to best implement this recommendation in a way that will be clear to domain owners and represent a minimal workload for our resellers.
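
    The Phase 1 rules described above (Admin contact dropped unless the registry requires it, Tech contact limited to name, phone number, and email address, registrant state and country displayed, Organization displayed only on opt-in) can be expressed as a small data-handling routine. The following Python sketch is an added example, not OpenSRS or Enom code; the field names, the `org_publish_consent` flag, the placeholder string, and the way legacy owner data is carried over from the Admin contact are all assumptions made for illustration.

```python
"""Added example: EPDP Phase 1 data rules applied to one registration record.

Field names, the consent flag and the placeholder text are hypothetical;
they are not taken from any registrar API.
"""
from copy import deepcopy

REDACTED = "REDACTED FOR PRIVACY"  # assumed placeholder text

# Tech contact is optional and limited to these three elements.
TECH_ALLOWED = ("name", "phone", "email")

# Registrant fields that stay visible in the public Whois.
REGISTRANT_PUBLIC = ("state", "country")

# Constructed sample record. The registrant block is empty because, in this
# legacy layout, the owner's details were stored in the Admin contact. The
# Organization field holds a person's name, i.e. personal data.
SAMPLE = {
    "domain": "example.com",
    "registrant": {},
    "admin": {"name": "Jane Doe", "organization": "Jane Doe",
              "email": "jane@example.com", "state": "ON", "country": "CA"},
    "tech": {"name": "Ops Desk", "phone": "+1.5555550100",
             "email": "ops@example.com", "fax": "+1.5555550101",
             "street": "1 Example Way"},
    "org_publish_consent": None,  # registrant never answered the request
}


def minimize_record(record, registry_requires_admin=False):
    """Return a copy of `record` holding only what the rules allow keeping."""
    out = deepcopy(record)

    # Admin contact: no longer used unless the registry contract requires it.
    if not registry_requires_admin:
        # Assumption: if the owner's details exist only in the Admin contact,
        # carry them over to the registrant before deleting anything.
        if not out.get("registrant") and out.get("admin"):
            out["registrant"] = deepcopy(out["admin"])
        out.pop("admin", None)

    # Tech contact: optional; when present keep name, phone and email only.
    tech = out.get("tech")
    if tech:
        out["tech"] = {k: tech[k] for k in TECH_ALLOWED if k in tech}
    else:
        out.pop("tech", None)
    return out


def public_whois(record):
    """Build the registrant section of the public Whois output."""
    registrant = record.get("registrant", {})
    # Only an explicit opt-in publishes the Organization field; a refusal
    # and a missing answer are treated the same way.
    consent = record.get("org_publish_consent") is True
    view = {}
    for field, value in registrant.items():
        if field in REGISTRANT_PUBLIC:
            view[field] = value
        elif field == "organization":
            view[field] = value if consent else REDACTED
        else:
            view[field] = REDACTED
    return view


if __name__ == "__main__":
    kept = minimize_record(SAMPLE)
    print("stored:", kept)
    print("public:", public_whois(kept))
```

    Treating a missing answer the same as a refusal is what keeps a personal name typed into the Organization field out of the public output by default.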

    Changes to which domain name contact data are shared  

    Much of the heavy lifting here has been done. As part of our initial GDPR implementation last year, we did a full audit of our TLD offerings to determine which data elements should be shared with the registry by default, as required under our contract with the registry, and which should only be shared if the domain owner gives their explicit consent to do so.

    Over the next few months, we expect to receive updated contracts from all the ICANN-accredited registries we work with. Depending on what the various registry contracts include, we may make adjustments to our data processing framework. We could end up sharing more or less data by default for specific TLDs, and may stop the collection of some “optional” data elements.

    What should resellers do?

    These adjustments will not create any work for you, the reseller, but you should be aware that some of the TLD-specific data sharing settings will be adjusted. You can always refer to Tucows’ Data Use Information page for details about the legal basis for processing the data we collect for any TLD.

    Next steps

    Hopefully, this review has left you with a good sense of what to expect over the coming months. We’ll have more updates as the EPDP team begins Phase 2 (Standard Access Model, formally referred to as the “Unified Access Model”) and works through the Implementation Review Team (IRT) process, which will turn these Phase 1 recommendations into actual policy.


  • Why We’re Applying GDPR Protections to Registrants Worldwide

    August 8, 2018

    GDPR, Industry Insight

    Remember, although we have a great legal team working at Enom, none of what we share here can or should be taken as legal advice.


    Among the world’s leading registrars, Tucows, our parent company, is the only one that has redacted all personal data from the public Whois and announced a data use consent management process for registrants worldwide. In making these changes, we’ve disrupted the status quo and encountered resistance from other industry members who would prefer a more conservative solution. But with our nearly two decades’ experience operating as an accredited domain registrar and supporting a large reseller network, we’ve learned that it is imperative to choose proactive solutions and remain focused on how the industry will develop long-term, rather than default to the most simple or convenient option.

    We’ve said many times before that we believe individuals around the world have a right to the privacy and protection of their personal data. We’ve also made the more practical argument that while the GDPR may apply only to EU-local individuals, other governments have also passed data protection laws, and we expect more to follow suit. Today, we want to talk about why we remain confident in our approach and place it within the necessary context of worldwide data privacy regulations.

    Comparing Regional Privacy Laws

    The GDPR has received a lot of attention not because it’s the only law of its kind, but because of its wide scope of applicability and, perhaps first and foremost, the severity of the penalties for non-compliance. There are other, less well-known laws in countries outside of the EU that establish similar data privacy protections. We’ve looked at a few important examples—Canada’s PIPEDA, California’s new Consumer Privacy Act of 2018, and the 2000 Argentina Personal Data Protection Act—to see how they stack up against the GDPR. You can jump to our summary table, which compares their fundamental concepts and relates them back to Enom’s data-processing practices, or continue on below for a high-level overview of each law.

    California

    The California Consumer Privacy Act of 2018 (AB 375) was signed into law by the state’s Governor on June 29, 2018. This new legislation takes effect in 2020, and many of the protections it extends to Californians will sound familiar to anyone who’s read up on the GDPR. At a high level, the CCP Act aims to ensure:

    1. The right of Californians to know what personal information is being collected about them.
    2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
    3. The right of Californians to say no to the sale of personal information.
    4. The right of Californians to access their personal information.
    5. The right of Californians to equal service and price, even if they exercise their privacy rights (s.2.i).

    The CCP Act has an interesting fundamental difference to the GDPR: the GDPR protects the data, while the CCP Act protects the consumer. The GDPR sets out rights and obligations for Data Controllers, Data Processors, and Data Subjects, while the CCP Act focuses on the rights a consumer has in relation to businesses that process their data. Even with this scope of applicability in mind, it’s very clear that we can expect to see a heightened level of transparency and consumer control over data in California.

    These rights under the California Consumer Privacy Act will, of course, be subject to limitations, and the finer details will no doubt shift as government officials and private interest groups work to tighten up data privacy practices in a way that is not detrimental to the Californian businesses that rely on consumer data, including tech giants like Google and Facebook.

    It’s both fitting and encouraging that California, a hub for technological innovation, is leading the U.S. movement to protect individual privacy in our digital age. And while there may not be policy in development at the federal level just yet, other American states are well on their way to passing modernized data privacy legislation—check out this handy, albeit slightly outdated, map for more details. It seems likely that some of the important provisions in California’s Consumer Privacy Act will serve as a template for other state governments looking to establish stricter data privacy laws.

    Canada

    Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been in place since 2000, but an accompanying document, “Guidelines for obtaining meaningful consent,” was just released in its final form on May 24, 2018, shortly before the GDPR came into effect. PIPEDA shares a number of similarities with the GDPR, which these new guidelines serve to highlight.

    PIPEDA may not explicitly mention “data minimization,” but it does state that “an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances” (Division 1.3). This idea is echoed and expanded in later sections, including “Principle 5 — Limiting Use, Disclosure, and Retention,” which declares that data “shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.” Much like the GDPR, PIPEDA has a clear aim to curb deceitful or indiscriminate data collection.

    In addition to restricting what data is processed, PIPEDA also calls for a high level of transparency around how and why data is processed. Its “Openness” principle affords individuals the right to request information about an organization’s data processing policies and practices, such as “a description of the type of personal information held by the organization, including a general account of its use” (Sched. 1 4.8.2). PIPEDA also requires organizations to obtain an individual’s consent before processing personal data, and specifies that this consent is “only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting” (Div.1, 6.1).

    Does this allow for service providers to bury the “nature, purpose and consequences” in the fine print? The word “reasonable” always invites a high degree of subjectivity. But the Office of the Privacy Commissioner of Canada (the “OPC”) released a related document, “Guidelines for obtaining meaningful consent,” which addresses any confusion. It states that “in order for an organization to demonstrate that it has obtained valid consent, pointing to a line buried in a privacy policy will not suffice.” Pretty clear.

    These Guidelines (well-summarized here) also put forth an idea quite reminiscent of the GDPR’s distinction between the legal bases of consent and contract. In Canada, individuals must be offered a clear “yes or no” option to consent to data processing. However, an exception to this rule is the collection or disclosure of personal information that’s required, or to quote directly, “integral to the product or service.” The collection or disclosure of such essential data is referred to as a “condition of service,” and can’t be opted out of without opting not to use the service at all. This is very similar to how contract-based data, those data elements which are required in order to provide the service for which they are collected, do not require explicit consent under the GDPR.

    The OPC also acknowledges that while some individuals may be content with a quick overview of what personal data is being collected, others will want a greater level of detail about their provider’s privacy and data use practices before making a consent choice. Organizations are encouraged to meet the needs of all users by presenting information in a “layered-format”, or some other method that provides the user with control “over how much detail is provided to them.” Our consent management process embodies this idea. We’ve clearly outlined the how, what, and why of our data collection practices, in a manner that avoids bombarding the reader with inaccessible legalese. Those looking to dive deeper can review our Data Use Information page, which we’ve also designed to be accessible to the average reader.

    Argentina

    Argentina’s Personal Data Protection Act is also an older data protection law, in effect since 2000. Argentina was the first Latin American nation designated by the EU as having an “adequate level of data protection” as compared to EU requirements.

    Argentina’s Data Protection Act is easily comparable to the GDPR, particularly in regard to the latter’s data minimization principle and distinctive treatment of consent- and contract-based data. The Argentine law requires that data collected must be “certain, appropriate, pertinent, and not excessive with reference to the scope within and purpose for which such data were secured” (Chapter 2, s.4.1). In addition to restricting what data can be collected, the Act also states that data must only be kept while it is necessary and relevant to the purposes for which it was initially collected—if it ceases to fulfill these requirements, it must be “destroyed” (s.4.4.7).

    These obligations go hand-in-hand with consent requirements: data processing is not permitted without the consent of the individual whose data is being processed, except in certain defined circumstances. The most notable exception to this requirement is the processing of data that arises “from a contractual relationship,” and which is necessary to develop or fulfill that contract. Here again, the consent request cannot be buried in the fine print. It must appear in a “prominent and express manner” (s.5.1).

    Argentina is currently working to create updated data protection regulations, which will be “heavily based upon the GDPR.” Thus far, we’ve only been able to locate a Spanish-language version of the updated draft bill, so we are relying on secondary sources for insight into how it compares to its EU equivalent. In a 2017 IAPP article, GDPR matchup: Argentina’s draft Data Protection Act, Pablo A. Palazzi and Andres Chomczyk provide a solid overview of the changes being made in an effort to bring the Argentine Law in line with the EU Regulation. Their review of the draft bill notes the introduction of “new legal bases” for data processing, including, “legitimate interest,” and the addition of “sections on child consent, data breaches, accountability, privacy by design, the duty to have a data protection officer and mandatory impact studies,” all of which closely resemble the GDPR’s data protection methods.

    It seems we can expect the updated Argentine law to mirror many of the GDPR’s fundamental components and, according to Palazzi and Chomczyk, even its scope of applicability; the draft outlines “new ways to determine whether an entity or certain data processing is subject to Argentine Law, quite similar to the criteria found in the GDPR.”

    We’re eager to view the new law in its final form and learn when it will take effect. The law in place at this time already includes many safeguards to ensure a high level of transparency and individual control around data collection, so in some ways, we don’t expect anything truly surprising from its successor, especially if the new version does indeed closely follow the GDPR. Our GDPR implementation efforts will likely prove sufficient to meet any updated Argentine requirements as well.

    Evolving Global Data Privacy Standards

    The policy revision efforts underway in Argentina speak to the GDPR’s global impact. Not only do the Regulation’s data processing requirements apply to organizations outside the EU that process the data of EU locals, the GDPR also serves as a standard, perhaps particularly for countries who wish to maintain or establish adequacy status with the EU.

    Just before this blog post went to “print,” India took a major step toward data privacy reform with the release of a report, “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians,” that’s to serve as a draft data protection bill. In a recent Data Protection Committee press conference, Ravi Shankar Prasad, Union Minister for Law and Justice & Information Technology, Government of India, noted that India’s Supreme Court “would like Indian’s data protection law to become some kind of model for the…world…” (4m20s).

    For those interested, France’s Commission Nationale de l’Informatique et des Libertés maintains a global map of existing privacy laws (check it out!), which may look quite different even five years from now.

    A Comparison of Data Privacy Laws and Enom’s GDPR Changes

    To contextualize our recent changes in relation to the GDPR, California’s Consumer Privacy Act, Canada’s PIPEDA, and Argentina’s Personal Data Protection Act, we’ve put together this comparison chart. As you’ll see, many of the core concepts remain the same across borders. This confirms our position that our recent updates demonstrate a proportionate and forward-thinking approach to the rapidly-shifting landscape of global data privacy regulation.

    Reflecting on Our GDPR Changes

    We could have applied our GDPR processes to EU-locals only, allowing resellers who don’t offer services to clients in the EU to proceed with business as usual, unconcerned with the GDPR. But that solution would not only have put our resellers and us at risk of improperly processing the personal data of EU-local individuals, it was also not a viable long-term option. Data privacy standards around the world are evolving and not in a direction that supports the unnecessary collection of personal data or the continued display of unredacted personal data in the public Whois directory without the data subject’s clear and specific consent. If the laws we reviewed today are any indication of where things are headed, Enom and our reseller partners can feel confident that our GDPR implementation work has positioned us all to meet and adapt to changing data privacy requirements.

    Our decision to redact data from the public Whois, even before ICANN confirmed this as an appropriate response to the GDPR, was part of a larger move towards a gated Whois solution. In designing our “Tiered Access Directory”, we’ve done our best to balance individual privacy and the rights of registrants with those of law enforcement and other community members. Our consent management process establishes a high level of transparency about what data we collect and why, and provides registrants an easy means of revoking consent and submitting data use disclosure requests. These changes may cause some friction in the short term, but we are confident they will help us meet the long-term needs of our resellers and ensure we’re protecting their businesses as well as our own.

    On a less practical note, our parent company, Tucows, maintains a long-time commitment to “lobby, agitate, and educate to promote and protect an open Internet around the world.” Part of ensuring that the Internet remains free and open is ensuring that basic individual rights, including control over one’s personal information, continue to be protected as personal data becomes more ubiquitous and easy to share than ever before. The laws we’ve looked at here take varied approaches to addressing this challenge but also share some important similarities and reflect values that are becoming more and more universal: greater transparency on the part of organizations and greater control for individuals.


  • Why Choose an EV SSL Certificate?

    June 13, 2018

    Advice, Featured, SSL

    Identity theft and browser warnings are growing concerns among consumers. And while you may think enabling SSL on your website will allay these fears, failure to select the right TLS/SSL certificate can erode customer trust. To regain trust, site owners need an easy, reliable way to show customers that transactions are secure and that the site operator is who it says it is. But with the variety of TLS/SSL certs available – DV, OV, or EV – figuring out the best certificate for your business can be confusing. There are major differences in how domains are validated, and the following outline provides some key insights as to which certificate to select for your specific needs.

    Domain Validation (DV) SSL Certificates

    DV certificates prove ownership of the actual domain through a simple email validation process. DV certificates can be issued in minutes, show trust indicators in browsers (like the padlock icon), and enable HTTPS.

    However, DV certificates do not vet the legitimacy of an organization and should not be used for e-commerce sites. Accordingly, DV certificates are best for internal sites, test servers, test domains, and for small to medium-sized businesses seeking cost-effective security.

    Organization Validation (OV) SSL Certificates

    OV certificates provide the same level of protection as DV certificates but go one step further. With an OV certificate, the Certificate Authority (CA) confirms the business is registered and legitimate, checking details such as business name, location, address, and incorporation or registration information, making these certificates more suitable for public-facing websites.

    An OV certificate will also enhance a website’s reputation, providing customers greater assurance in conducting e-commerce transactions.

    Extended Validation (EV) SSL Certificates

    EV SSL certificates provide the highest level of trust, giving customers greater confidence that they are conducting business through trusted websites. EV SSL certificates are the industry standard for e-commerce websites. An EV SSL certificate triggers high-security web browsers to display an organization’s name in a green address bar and show the name of the Certificate Authority that issued it.

    EV SSL certificates confirm site identity and validate the organization according to rigorous industry guidelines established by the CA/Browser Forum, including a strict vetting process using techniques that have been proven reliable in protecting the internet’s most valuable online businesses for more than ten years.

    EV SSL certificates are a good choice for businesses, as these certificates can enhance credibility by showing wary consumers that sites are legitimately what they purport to be and that a business is serious about protecting the data of its customers.

    Summed up, for the greatest level of website security, EV SSL certificates are the best choice.

    Find Out More

    This post was sponsored by Comodo CA, one of our trusted SSL providers. For more information about SSL, and a complete list of their products, visit www.ComodoCA.com.


  • A Guide to Choosing the Right SSL Certificate

    May 24, 2018

    Advice, Featured, SSL

    A parent preparing a toddler for her first beach vacation and a seasoned kayaker preparing for Zambia’s Ghostrider rapid will not reach for the same life jacket. In the world of digital security, the purposes and specs of the various products are also highly relevant to the consumer, although the differences between them may not be so immediately clear. But in both cases, it’s important that the customer find the right fit. Whether you’re a business owner looking for the right SSL certificate for your own website or a domain provider looking to curate a solid SSL offering for your own customers, here’s what you should know about TLS/SSL certificates and what to look for when selecting a certificate provider.

    What are TLS/SSL Certificates?

    SSL is short for “Secure Sockets Layer,” and SSL certificates are used to secure communications between a website, host, or server and the end users that are connecting to it (or between two machines in a client-server relationship). An SSL certificate confirms the identity of the domain name (for example, ComodoCA.com) that is operating the website and enables encryption of all information between the server and the visitor to ensure the integrity of all the transmitted information.

    Why are TLS/SSL Certificates So Important?

    Identity theft and browser warnings are growing concerns among consumers. Failure to select the right TLS/SSL certificate for your website can erode customer trust and lower your rate of completed transactions, negatively impacting your bottom line.

    How SSL Encryption Works

    Encryption makes use of keys to lock and unlock your information, meaning you need the right key to “open,” or decode, the secured information.

    Each SSL certificate comes with two keys:

    • A public key, which is used to encrypt (scramble) the information.
    • A private key, which is used to decrypt (unscramble) the information and restore it to its original format to make it readable.

    Where Are SSL Certificates Used?

    SSL certificates should be used in any instance where information needs to be transmitted securely. This includes:

    • Communications between your website and your customers’ internet browsers.
    • Internal communications on your corporate intranet.
    • Email communications sent to and from your network (or private email address).
    • Information between internal and external servers.
    • Information sent and received from IoT and mobile devices.

    Determining If a Site Has a Valid SSL Certificate

    A website without an SSL certificate displays “http://” before the website address in the browser address bar. This moniker stands for “Hypertext Transfer Protocol,” the conventional way to transmit information over the Internet. Most internet users are aware that this indicates a website is not secure and historically have looked for “https://” and a closed padlock symbol in their browser window to confirm that they are on the site of an authenticated organization.

    However, it’s no longer sufficient for business websites to simply enable HTTPS and display the standard padlock symbol to their visitors. Online consumers are demanding assurance that the identity of the website they are visiting has been verified by authentication procedures that are proven to be highly trustworthy. And this assurance is provided in the form of an Extended Validation (EV) SSL certificate. EV certificates display a hard-to-miss green identifier in the URL bar and indicate to the visitor that the website was subjected to extensive scrutiny by the issuing Certificate Authority. The consumer can be confident that they are at a legitimate website, not a phishing website.

    That’s not to say an EV certificate is necessary in every situation. But they can generate a higher level of consumer trust than other options, such as Organization Validation (OV) certificates or Domain Validation (DV) certificates, which undergo far less scrutiny.

    Choosing between EV, OV, and DV Certificates

    Domain Validation (DV) SSL Certificates

    DVs are best for small- to medium-sized businesses seeking cost-effective security with no need to establish site visitor trust. Issuance of a DV certificate simply requires proof of ownership of the associated domain name, which is provided through a simple email validation process. These certificates can be issued in minutes, enable HTTPS, and display a clear indicator, such as the padlock symbol, in internet browsers.

    However, DV certificates do not vet the legitimacy of the organization the website represents and should therefore not be used for e-commerce sites or sites that deal in sensitive information. They are, however, a great option for many internal sites, test servers, and test domains.

    Organization Validation (OV) SSL Certificates

    OV certificates provide the same level of protection as DV certificates but go one step further than simply requiring proof of domain ownership. With an OV certificate, the issuing Certificate Authority confirms the business associated with the domain name is registered and legitimate by checking details such as the business name, location, address, and incorporation or registration information. This makes the OV certificate a more suitable option for public-facing websites that represent companies or organizations.

    Extended Validation (EV) SSL Certificates

    EV certificates provide the highest level of trust by assuring consumers that they are conducting business through a trusted website. For this reason, these certificates have become the industry standard for e-commerce websites. EV SSL certificates trigger high-security web browsers to display a green address bar that includes the name of the company or organization that owns the domain. They also show the name of the issuing Certificate Authority.

    Confirmation of the website’s identity and validation of the organization is carried out according to the rigorous industry guidelines established by the CA/Browser Forum and involves a strict vetting process that is shown to be effective over the course of more than ten years of real-world use.

    EV SSL certificates are essential for large businesses or e-commerce sites as they can enhance credibility by showing discerning consumers that a prospective transaction is with a legitimate recipient and that the site is serious about protecting the data of its customers.

    What to Look for When Choosing a Certificate Authority (CA)

    As the world’s largest commercial Certificate Authority, Comodo CA is proactively monitoring for potential threats and attacks, working hand-in-hand with government agencies, browser providers, and our customers, to ensure it is keeping up with the ever-changing market.

    When evaluating a CA, be sure that it:

    1. Follows CA/B Forum Baseline Requirements.

    This industry group consisting of Certificate Authorities and browser manufacturers developed standards that each CA must meet for its roots to remain trusted in browsers. These include:

    • All information contained within the certificate must be validated to be true through a strict, clearly defined authentication process.
    • Certificates must meet specific minimum levels of cryptographic strength to protect the integrity of the certificate and private key from evolving threats.
    • Certificates must not exceed maximum specified durations.
    • CAs must follow guidelines for CA security, certificate revocation mechanisms, audit requirements, liability, privacy and confidentiality, and delegation of authority.

    2. Conducts Annual Audits – Both WebTrust and SOC 3

    Annual audits are crucial to CA security, yet not every CA makes them a priority. At a minimum, your CA should meet these auditing standards.

    • Maintain membership in the WebTrust program for CAs
      The WebTrust for Certification Authorities program was developed to increase consumer confidence in the Internet as a vehicle for conducting e-commerce and to increase consumer confidence in the application of PKI technology. Comodo CA, for example, undergoes an annual audit from Ernst & Young, which validates that:
        • The Certification Authority (CA) discloses its SSL certificate practices and procedures and its commitment to provide SSL certificates in conformity with the applicable CA/Browser Forum Requirements.
        • Subscriber information was properly collected, authenticated and verified.
        • The integrity of keys and certificates is established and protected throughout their life cycles.
        • Logical and physical access to CA systems and data is restricted to authorized individuals.
        • The continuity of key and certificate management operations is maintained.
        • CA systems development, maintenance and operations are properly authorized and performed to maintain CA systems integrity.
        • The Certification Authority maintains effective controls to provide reasonable assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum.
    • Submit to an annual Service Organization Control 3 (SOC 3) audit and publish the report
      The SOC 3 report is published to confirm that the security controls for this cloud service have been examined by an independent accountant. Again, as an example, Comodo CA undergoes an annual audit from Ernst & Young to validate that Comodo CA has maintained effective controls over its system as it relates to four core principles: security, availability, processing integrity and confidentiality.

    To sum it up…

    Trust is everything in the world of online business. Investment in technology to protect customers and earn their trust is a critical success factor for any company that does business online or hosts an e-commerce website. The effective implementation of TLS/SSL certificates is a proven tool to help establish customer trust. Check out Enom’s lineup of Comodo Certificates, or browse our full inventory of SSL products.

    Looking to learn more?

    This post was sponsored by Comodo CA, one of our trusted SSL providers. For more information about SSL, and a complete list of their products, visit www.ComodoCA.com.


  • GDPR Checklist for Enom Resellers

    May 17, 2018

    Advice, Announcement, Featured, GDPR, Uncategorized


    Any time there’s a dramatic shift in our industry, we focus on minimizing the impact on our resellers and providing you as much information and assistance as possible. Admittedly, our GDPR communications work has proven fairly challenging, in part because we’ve simply never seen a shift quite as dramatic as that prompted by the GDPR. While we wanted to equip our resellers with specifics about our implementation plan and a concrete list of action-items right from the get-go, developing long-term solutions that both achieved GDPR compliance and established processes in which registries, registrars, and resellers can play their specific, essential roles required considerable collaborative efforts from players across our industry.

    There’s still much work to be done, but today we’re happy to be able to offer a concrete list of GDPR action-items for Enom Resellers and helpful resources in the form of flowcharts, example landing pages, and FAQs. We’re even happier to say that the to-do list is a short one which will likely require minimal work on your end.

    Having said that, we must remind you that legal counsel is an essential part of any comprehensive GDPR compliance strategy. This checklist is not legal advice, and ensuring its completion by no means guarantees your compliance with the GDPR. Speak with a lawyer who is familiar with your business and equipped to judge whether your internal practices achieve compliance.

    Reseller Action-Items

    Most of these items will necessitate adjustments on your end. You may determine that some do not require action on your part, but all are significant and important for our clients to understand.

    1. Make Sure You’re Familiar with Our Newly Introduced Consent Management Process

    Moving forward, Enom will reach out to end-users to request their consent to process certain pieces of personal information. This “Consent Management” flow involves the sending of a request email which contains a link to the registrant’s unique Data Use Consent Settings page. This Data Use Consent Settings page serves as the registrant’s means to view their settings, manage their settings, and withdraw consent, should they choose to do so. It also contains a link to the Data use information page, which provides more information about how personal data is processed.

    To the registrant, it’s a straightforward experience that makes clear Enom’s relationship with their Registration Service Provider (Reseller). We recommend you take a look at these samples, so you’re aware of what this process will involve for your customers:

    Consent management sample flow – new registration
    Consent management sample flow – consent choice change

    Resellers will be able to view the GDPR consent status for each domain they have under management from the Domain Control Panel, within their Enom reseller account. If you’d like more information on why we require the end-user’s consent to process certain personal data, please check out our Consent blog post.

    2. Understand How to Provide Your Customers Access to Their Data Consent Settings Page

    According to the GDPR, “It shall be as easy to withdraw as to give consent.” With this in mind, we’ve provided our resellers two straightforward options to email a registrant the URL for the registrant’s Data Use Consent Settings page upon request:

    • Option 1: Via the API using the SendConsentEmail command
      Resellers can use this command to integrate into their own end-user portal an option for users to request that the Data Use Consent Settings page URL be sent to the registrant email.
    • Option 2: Via the soon-to-be-available “Send Consent Email” option in your Enom reseller account.
      Resellers can use this new button in the “Domain Control Panel” section of their Enom reseller account to send out the Data Use Consent Settings page URL to the registrant email listed for any domain in their account.

    Please note: both of these options will be available as of Monday, May 28, 2018.

    3. Ensure You’re Prepared for Our Updated Domain Transfer Process

    Once the public Whois “goes dark” in the days leading up to May 25, 2018, Enom will begin using a new process for domain transfers. The end result will be a process that creates a more streamlined experience for domain owners, while continuing to be secure against domain theft. Moving forward, when an inbound registrar transfer is ordered, we will submit the transfer directly to the registry instead of waiting for the Form of Authorization to be completed.

    You can check out our blog for the full details, but here’s a snapshot of the updated process:

    4. Enom Is Moving to a Gated Whois System

    For the full scoop, refer back to our Whois Changes blog post; for today, just keep in mind that after that go-live date, most public Whois servers will cease the publication of personal data, and providers will start offering a “gated” or “tiered access” Whois system. Enom resellers don’t need to make any changes: your own clients’ data will continue to appear in your Enom reseller account, and we’ll take care of making sure the public Whois output is fully compliant with privacy regulations, so you’re good to go.

    These changes are also summarized in this quick PDF.

    5. Our Updated Reseller Agreement Now Requires That Resellers Process Data in a GDPR-Compliant Manner

    Hopefully, you’re well on your way to compliance with the GDPR. Enom has updated our Reseller Agreement to include information about the consent management process and the addition of a Data Processing Addendum (DPA), with EU standard contractual clauses to allow data transfer from the EU to non-EU jurisdictions. We encourage you to familiarize yourself with all the recent GDPR-related changes we’ve made to our Reseller Agreement by taking a look at the updated version.

    6. We’ve Updated Our Agreement with Registrants

    Our Domain Registration Agreement serves as the service contract between Enom and the domain owner (registrant). We don’t expect the GDPR-related updates to this agreement to be reseller-impacting; these changes primarily relate to the registrant’s consent management flow and the data retention and erasure policy. Keep in mind that all resellers need to display this updated agreement to customers as part of the domain registration process.

    Reseller Resources

    All important Enom resources relating to the GDPR can be found in our central GDPR knowledge base article, but for convenience, we’ve also listed them below. We hope the following resources help our reseller partners assist their clients with GDPR-related changes:

    Overview

    Our GDPR Webinar
    Central GDPR knowledge base article and FAQ

    Specific Platform & Process Changes

    Consent Management

    Consent management sample flow – consent choice change
    Consent management sample flow – new registration
    Consent management FAQ

    End-user consent request emails – The means by which we send the Data Use Consent Settings page URL (see below) to the registrant.
    Data use consent settings pages – The location from which a registrant can set, view, and update their consent preferences or revoke consent.

    Domain Transfers

    Transfer process changes infographic – a before and after GDPR comparison

    Whois Changes

    Whois Changes Overview PDF
    Whois Changes FAQ

    API Changes

    A new SendConsentEmail command has been introduced.

    Contract Changes

    Updated Reseller Agreement
    Updated Domain Registration Agreement
    Data Processing Addendum

    And there you have it. We appreciate that for those resellers affected by the GDPR, achieving compliance has involved a great deal of internal work, in addition to that required to accommodate the changes Enom is making to our platform. And while we’ve made every effort to keep this Reseller Checklist short and easy-to-implement, we know, as members of that same complex registry-registrar-reseller channel in which you operate, that small changes made by one player can have a big impact on others. We view our GDPR implementation work as essential to ensuring that the Enom platform evolves to meet the long-term needs of our resellers and the demands of a highly interconnected internet ecosystem. Greater control over one’s personal data is a good thing, and we’re happy to be able to extend to all users on our platform the rights and protections outlined in the GDPR.


  • The nTLD Reseller Starter Guide: Which new gTLDs should I offer?

    November 14, 2017

    Uncategorized


    If you currently sell or are considering selling domain names as part of a business, you may have asked yourself this question before. The huge variety of gTLDs out there can turn the task of curating a lineup that makes sense for your business into a rather daunting undertaking. Instead of getting bogged down by all the variables that could weigh into your final decision, I suggest you focus on the handful of key considerations that really matter. The questions below will help you better evaluate TLDs and equip you to make smart choices as you expand or refocus your offering. And in case you still feel stuck, we’ve included a list of extensions you might consider.

    Is the TLD easy to implement?

    Most of the new gTLDs fall into the “easy-to-implement” category, free to be registered by anyone, anywhere, much like a .COM. Others have strict registration requirements, such as a local presence in their associated geographic area, or an affiliation with a particular professional group. If you ever need to verify whether an extension you’re considering is restricted, take a quick look at our TLD reference chart.

    The TLDs we’ll highlight in this post are all easy to implement, but that’s not to say you should steer clear of those that are restricted. In fact, offering restricted TLDs can be a great way to cater to a niche market. For example, many firms might find the credibility of a .LAW extension advantageous. Similarly, the appeal of geoTLDs like .NYC, .BARCELONA, or .BERLIN among local citizens makes them a great choice if you attract a significant volume of customers in any of these cities. If you think you’re likely to sell a high volume of a certain restricted extension, the payoff may well be worth the extra implementation efforts involved. It really comes down to knowing your audience and presenting them with options they are likely to find meaningful.

    Is there a high level of interest in the TLD?

    Unless you’re catering to a highly specific market, you’ll benefit from starting with TLDs that have wide appeal. This appeal can be generated by either the generic nature of the extension (.WEBSITE or .ONLINE) or its specificity (.CLOUD, .BLOG, .SHOP, .STORE or .DESIGN). Note that each of those last five extensions has an unambiguous meaning that resonates with a huge number of potential buyers.

    This doesn’t mean a small TLD offering shouldn’t include more niche extensions. Again, the level of interest your customers show for a particular TLD will always depend on who your customers are. I had a musician friend, for example, who was thrilled to launch her new business with a .STUDIO name. And I’m willing to bet there are a lot of artists out there who might be open to a similar departure from the traditional, more corporate-sounding extensions.

    Does the pricing make sense?

    Most potential nTLD buyers compare new possibilities to .COM alternatives. So presenting them with fresh, viable options in a similar price range is smart. There are many solid performers, with broad applications, that fall into this category. Of course, this isn’t to say that a high price tag should deter you from offering an extension that seems particularly well-suited to your customer base.

    It’s also not just the initial purchase price you should be aware of. Simple and predictable pricing structures are an important factor in building an enduring customer base. So while offering TLDs with substantial first-year discounts might translate into increased registrations, you could find yourself unpleasantly surprised by relatively low renewal rates. A customer who purchases a domain on promotion might not be put off by a slightly higher renewal fee. But there are numerous registries that present enticing first-year TLD price tags in the .COM range, with renewal fees that might be 10x greater. These kinds of discrepancies not only deter savvy buyers from making the initial purchase, and put a dent in your renewal rates, but also place you at risk of angering customers who are caught totally off guard by the increase.

    In short, it’s advantageous to offer first-year promotional prices, as they can be a real incentive to potential buyers. But it’s also important to make sure you’re transparent about the renewal price, displaying it clearly within your purchase flow. For those who sell domains as a part of a larger bundle or package, the renewal price, and the margin it allows for, should be factored into your pricing structure.

    Are the renewal rate and customer quality fairly high?

    It’s been a few years since the launch of the first nTLDs, which means we’re now in a much better position to evaluate their long-term potential. When determining the value of a new extension, look into its renewal rate and whether its registrations are, generally, being used in a meaningful way. Arguably, there’s a link between the two.

    That latter point is what I mean by “customer quality”. If you’re a hosting provider or CMS business, you stand to make more money off customers who are actually using their domains. They’re certainly far more likely to show interest in email, SSL and hosting services. They’re also more likely to renew. Not to mention, there’s a case to be made that websites that have valuable content, and employ a new TLD, effectively function as an advertisement for the extension itself. That certainly can’t hurt an extension’s organic growth over time.

    In this regard, .BLOG is a standout – according to ntldstats, only 27% of its registrations are “parked”, a term applied to any domain “in use as a parking page [displaying ads], or without any content.” To put this number in perspective, the average parked page percentage for the TLDs we highlight in the chart below is roughly 53%.

    Still feeling a little lost?

    That’s fair! The paradox of choice is a powerful thing. Here are some suggestions that might serve as a good place to start. Judging them based on the checklist above, these TLDs don’t necessarily score high across the board, but they are all easy to implement and offer the potential to target a sizable audience: some because of their generic nature and global recognizability, and others because of their appeal to a specific, but substantial, market.

    To reinforce my earlier point: while we haven’t focused on geoTLDs in this post, they represent a sizable portion of the nTLD pie. Depending on your target market, they can be incredibly profitable.

    If you’re ready to explore what options might work best for your business, you can view all available TLDs at enom.com.
