Enom Blog

May, 2018
Archive

  • What you should know about ICANN’s May 25th Legal Action

    May 29, 2018

    Announcement, Featured, GDPR, Industry Insight


    Update: The German Court has since denied ICANN’s preliminary injunction. If you’re interested in reading the Court Order you can find it, as well as any related documents, here.

    If you’re one of our reseller partners or someone who follows the domain industry closely, you’re likely aware that on Friday, May 25th, ICANN filed a legal action [1] against our European sister company, EPAG, a Tucows-owned Registrar based in Bonn, Germany.

    This action was taken because of a disagreement between Tucows and ICANN on how the GDPR should be interpreted, with respect to our contracts. While we look forward to defending our position in court, we also find it important to provide our resellers some context and insight into the dispute. Our position is a registrant-centric one that protects individual rights and the interests of our resellers and registrants.

    The GDPR begins with a statement of its core principle: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” Tucows has long been concerned with privacy and the rights of our customers, and takes the principles enshrined in this law extremely seriously.

    In order to have a domain registration system reflective of “data protection by design and default”, we started with the GDPR itself and crafted our procedures and policies around it. We built a new registration system with consent management processes, and a data flow that aligns with the GDPR’s principles. Throughout the registration life-cycle, we considered things like transparency, accountability, storage limitation, and data minimization.

    We realized that the domain name registration process, as outlined in ICANN’s 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn’t need, it also required us to collect and share people’s information where we may not have a legal basis to do so. What’s more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts.

    ICANN’s goal since discussions about the impact of the GDPR on domain registration began has been to preserve as much of the status quo as possible. This has led ICANN to attempt to achieve GDPR-compliant domain registration via ‘process reduction’, as opposed to Tucows’ approach of starting with the GDPR and rebuilding from the ground up. These two approaches have led to significantly different results, and consequently a need to determine whether ICANN’s insistence on the collection of the full thick Whois data and this data’s transfer to gTLD Registries is in compliance with the GDPR. It is this disagreement and need for legal clarity that is at the heart of the lawsuit filed by ICANN.

    On the 17th of May 2018, the ICANN board passed a ‘Temporary Specification’ [2], meant to temporarily bring gTLD registration services in line with the GDPR. The goal of the Specification is to serve as a stop-gap while the ICANN community works to resolve and balance issues between privacy law and existing ICANN policy.

    With that background in mind, we perceive three core issues with the Temporary Specification that we do not believe are compliant with the GDPR. These issues are the collection, transfer, and public display of the personal information of domain registrants and the other contractually-mandated contacts.

    Personal Data Collection

    Article 5(1)(c) of the GDPR speaks to data minimization: collecting and processing only what personal data is necessary. It is clear to Tucows that we need to continue capturing some information about the domain Registrant—we always want to ensure we have the ability to contact the person legally responsible for the domain. However, in the vast majority of gTLD registrations, the Registrant (Owner), Admin, and Tech contacts are the same. As such, collection of Admin and Tech contacts is meaningless, as the data belongs to the Registrant.

    That said, in the less common scenario, the Admin or Tech contact does not match the Registrant. In these cases, the mandatory collection of their contact data is problematic because it requires us to store and process personal data belonging to people with whom we have no legal or contractual relationship.

    ICANN will need to prove that the minor, marginally incremental benefit of collecting, processing and transferring Admin and Tech contact data at the request of third parties outweighs the principles of data minimization and lawful processing enshrined in the GDPR. We find the argument that duplicative technical contacts are necessary for the security and stability of the DNS implausible. We were not convinced this was the case when we first examined the law, and we remain unconvinced following the release of ICANN’s Temporary Specification.

    Tucows will continue to ensure that those with legitimate purposes, including law enforcement, intellectual property, and commercial litigation interests will have access to domain registrant information. On a daily basis, we see plenty of important circumstances wherein we find sharing that information to be legally necessary, and this will not change. We collect a contact for the owner of each domain name sold on our platforms, and have the ability to contact the owner. When necessary, we also share that contact with law enforcement and others with a legitimate interest.

    Personal Data Transfer to a Registry

    ICANN’s continuing requirement that registrars transmit all data collected to the relevant registry runs counter to the GDPR’s principle of using data only when a legitimate legal basis applies. There are circumstances where this transfer is necessary and reasonable, for example where a TLD has specific registrant requirements such as geographic restrictions. We are not opposed to these circumstances, but require agreements between ourselves and the registry for the specific collection, processing and transfer of that personal data.

    However, as the registrar, we collect data that we need in order to enter into a contractual relationship with and provide requested services to the registrant. Transfer of that data to a registry is unnecessary—this is proven by the decades-old ‘thin model’ that 140 million .com and .net domains follow. We don’t feel that the Temporary Specification offers a robust legal basis for the transfer of data to registries and therefore presents an unacceptable risk under the GDPR.

    Personal Data Display

    ICANN has also required that we continue to publish the organization, state/province, and country fields in the public Whois. We disagree that the organization should be published because, although it is optional, many people do not realize this and put their own first and last names in the organization field. We do not want to expose the personal data of these registrants because of a misunderstanding, and it will take considerable time to educate registrants and cleanse this data from the field.

    Desire for Clarity

    Fundamentally, ICANN and Tucows disagree on how the GDPR impacts our contract. The facts and the law as we see them do not support ICANN’s broader view of what will impact the security and stability of the internet. Neither do we find the purposes outlined in the temporary specification proportional to the risks and consequences of continuing to collect, process and display unnecessary data. We look forward to, and welcome the clarity that will come from this legal action, which will allow us to move forward in a manner that protects ourselves, our resellers, and registrants.

    If you have any questions, concerns, or comments about this legal action or Tucows’ position, feel free to reach out to us at gdpr@tucows.com.

    The content of this post was originally published in Tucows Statement on ICANN Legal Action on tucows.com.

    [1] https://www.icann.org/news/announcement-2018-05-25-en

    [2] https://www.icann.org/news/announcement-2018-05-17-en

     


  • A Guide to Choosing the Right SSL Certificate

    May 24, 2018

    Advice, Featured, SSL


    A parent preparing a toddler for her first beach vacation and a seasoned kayaker preparing for Zambia’s Ghostrider rapid will not reach for the same life jacket. In the world of digital security, the purposes and specs of the various products are also highly relevant to the consumer, although the differences between them may not be so immediately clear. But in both cases, it’s important that the customer find the right fit. Whether you’re a business owner looking for the right SSL certificate for your own website or a domain provider looking to curate a solid SSL offering for your own customers, here’s what you should know about TLS/SSL certificates and what to look for when selecting a certificate provider.

    What are TLS/SSL Certificates?

    SSL is short for “Secure Sockets Layer,” and SSL certificates are used to secure communications between a website, host, or server and the end users that are connecting to it (or between two machines in a client-server relationship). An SSL certificate confirms the identity of the domain name (for example, ComodoCA.com) that is operating the website and enables encryption of all information between the server and the visitor to ensure the integrity of all the transmitted information.

    Why are TLS/SSL Certificates So Important?

    Identity theft and browser warnings are growing concerns among consumers. Failure to select the right TLS/SSL certificate for your website can erode customer trust and lower your rate of completed transactions, negatively impacting your bottom line.

    How SSL Encryption Works

    Encryption makes use of keys to lock and unlock your information, meaning you need the right key to “open,” or decode, the secured information.

    Each SSL certificate comes with two keys:

    • A public key, which is used to encrypt (scramble) the information.
    • A private key, which is used to decrypt (unscramble) the information and restore it to its original format to make it readable.

    Where Are SSL Certificates Used?

    SSL certificates should be used in any instance where information needs to be transmitted securely. This includes:

    • Communications between your website and your customers’ internet browsers.
    • Internal communications on your corporate intranet.
    • Email communications sent to and from your network (or private email address).
    • Information between internal and external servers.
    • Information sent and received from IoT and mobile devices.

    Determining If a Site Has a Valid SSL Certificate

    A website without an SSL certificate displays “http://” before the website address in the browser address bar. This prefix stands for “Hypertext Transfer Protocol,” the conventional way to transmit information over the Internet. Most internet users are aware that this indicates a website is not secure and historically have looked for “https://” and a closed padlock symbol in their browser window to confirm that they are on the site of an authenticated organization.

    However, it’s no longer sufficient for business websites to simply enable HTTPS and display the standard padlock symbol to their visitors. Online consumers are demanding assurance that the identity of the website they are visiting has been verified by authentication procedures that are proven to be highly trustworthy. And this assurance is provided in the form of an Extended Validation (EV) SSL certificate. EV certificates display a hard-to-miss green identifier in the URL bar and indicate to the visitor that the website was subjected to extensive scrutiny by the issuing Certificate Authority. The consumer can be confident that they are at a legitimate website, not a phishing website.

    That’s not to say an EV certificate is necessary in every situation. But they can generate a higher level of consumer trust than other options, such as Organization Validation (OV) certificates or Domain Validation (DV) certificates, which undergo far less scrutiny.

    Choosing between EV, OV, and DV Certificates

    Domain Validation (DV) SSL Certificates

    DVs are best for small- to medium-sized businesses seeking cost-effective security with no need to establish site visitor trust. Issuance of a DV certificate simply requires proof of ownership of the associated domain name, which is provided through a simple email validation process. These certificates can be issued in minutes, enable HTTPS, and display a clear indicator, such as the padlock symbol, in internet browsers.

    However, DV certificates do not vet the legitimacy of the organization the website represents and should therefore not be used for e-commerce sites or sites that deal in sensitive information. They are, however, a great option for many internal sites, test servers, and test domains.

    Organization Validation (OV) SSL Certificates

    OV certificates provide the same level of protection as DV certificates but go one step further than simply requiring proof of domain ownership. With an OV certificate, the issuing Certificate Authority confirms the business associated with the domain name is registered and legitimate by checking details such as the business name, location, address, and incorporation or registration information. This makes the OV certificate a more suitable option for public-facing websites that represent companies or organizations.

    Extended Validation (EV) SSL Certificates

    EV certificates provide the highest level of trust by assuring consumers that they are conducting business through a trusted website. For this reason, these certificates have become the industry standard for e-commerce websites. EV SSL certificates trigger high-security web browsers to display a green address bar that includes the name of the company or organization that owns the domain. They also show the name of the issuing Certificate Authority.

    Confirmation of the website’s identity and validation of the organization is carried out according to the rigorous industry guidelines established by the CA/Browser Forum and involves a strict vetting process that has proven effective over more than ten years of real-world use.

    EV SSL certificates are essential for large businesses or e-commerce sites as they can enhance credibility by showing discerning consumers that a prospective transaction is with a legitimate recipient and that the site is serious about protecting the data of its customers.
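An added illustration, not code from the original post or from Comodo CA: the checks behind the padlock and the DV/OV/EV distinction described above, run offline on constructed certificate dicts in the shape Python’s ssl.SSLSocket.getpeercert() returns. The subject-attribute classification is an assumption of this example; the authoritative EV marker is the certificate policy OID, which that dict does not carry.

```python
import ssl

# Constructed samples in getpeercert() format; none of these are real certificates.
SAMPLE_DV = {
    "subject": ((("commonName", "test.example.net"),),),
    "notBefore": "May  1 00:00:00 2018 GMT",
    "notAfter": "Jul 30 23:59:59 2018 GMT",
    "subjectAltName": (("DNS", "test.example.net"),),
}
SAMPLE_OV = {
    "subject": ((("countryName", "US"),), (("stateOrProvinceName", "Washington"),),
                (("localityName", "Kirkland"),), (("organizationName", "Example Registrar Inc."),),
                (("commonName", "www.example.com"),)),
    "notBefore": "May  1 00:00:00 2018 GMT",
    "notAfter": "May  1 23:59:59 2020 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
SAMPLE_EV = {
    "subject": ((("jurisdictionCountryName", "US"),), (("businessCategory", "Private Organization"),),
                (("serialNumber", "600000000"),), (("countryName", "US"),),
                (("stateOrProvinceName", "Washington"),), (("localityName", "Kirkland"),),
                (("organizationName", "Example Shop Ltd."),), (("commonName", "shop.example.org"),)),
    "notBefore": "May  1 00:00:00 2018 GMT",
    "notAfter": "May  1 23:59:59 2020 GMT",
    "subjectAltName": (("DNS", "shop.example.org"), ("DNS", "*.shop.example.org")),
}

# Reference instants (epoch seconds, UTC) for the validity-window checks.
TIME_2019 = ssl.cert_time_to_seconds("Jan  1 00:00:00 2019 GMT")
TIME_2021 = ssl.cert_time_to_seconds("Jan  1 00:00:00 2021 GMT")

# Subject attributes the CA/Browser Forum EV Guidelines require in an EV subject.
EV_SUBJECT_FIELDS = ("organizationName", "businessCategory",
                     "serialNumber", "jurisdictionCountryName")


def subject_attrs(cert):
    """Flatten getpeercert()'s nested RDN tuples into a plain {name: value} dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Heuristic DV/OV/EV classification from the subject alone (an assumption).

    DV carries only a commonName; OV adds organizationName and locality fields;
    EV additionally carries businessCategory, serialNumber and jurisdiction
    fields. The authoritative EV marker is the certificatePolicies OID, which
    getpeercert() does not expose, so treat this as an approximation.
    """
    attrs = subject_attrs(cert)
    if all(field in attrs for field in EV_SUBJECT_FIELDS):
        return "EV"
    return "OV" if "organizationName" in attrs else "DV"


def hostname_matches(cert, hostname):
    """Match hostname against DNS SANs as RFC 6125 describes.

    A wildcard is honoured only as the entire leftmost label and covers exactly
    one label: '*.shop.example.org' matches 'api.shop.example.org' but neither
    'shop.example.org' nor 'a.b.shop.example.org'. The legacy commonName
    fallback that browsers dropped is deliberately not implemented.
    """
    host_labels = hostname.lower().split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san_labels = value.lower().split(".")
        if len(san_labels) != len(host_labels) or san_labels[1:] != host_labels[1:]:
            continue
        if san_labels[0] == "*" or san_labels[0] == host_labels[0]:
            return True
    return False


def within_validity(cert, now):
    """True if `now` (epoch seconds) lies inside the notBefore..notAfter window."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def assess(cert, hostname, now):
    """Everything the padlock and organization-name display decision depends on."""
    return {
        "level": validation_level(cert),
        "hostname_ok": hostname_matches(cert, hostname),
        "in_validity_window": within_validity(cert, now),
        "displayed_organization": subject_attrs(cert).get("organizationName"),
    }


if __name__ == "__main__":
    for cert, host in ((SAMPLE_DV, "test.example.net"), (SAMPLE_OV, "example.com"),
                       (SAMPLE_EV, "api.shop.example.org")):
        print(host, assess(cert, host, TIME_2019))
```

Against a live server the same functions can be fed the dict from `ssl.SSLSocket.getpeercert()` after a verified handshake.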

    What to Look for When Choosing a Certificate Authority (CA)

    As the world’s largest commercial Certificate Authority, Comodo CA is proactively monitoring for potential threats and attacks, working hand-in-hand with government agencies, browser providers, and our customers, to ensure it is keeping up with the ever-changing market.

    When evaluating a CA, be sure that it:

    1. Follows CA/B Forum Baseline Requirements.

    This industry group consisting of Certificate Authorities and browser manufacturers developed standards that each CA must meet for its roots to remain trusted in browsers. These include:

    • All information contained within the certificate must be validated to be true through a strict, clearly defined authentication process.
    • Certificates must meet specific minimum levels of cryptographic strength to protect the integrity of the certificate and private key from evolving threats.
    • Certificates must not exceed maximum specified durations.
    • CAs must follow guidelines for CA security, certificate revocation mechanisms, audit requirements, liability, privacy and confidentiality, and delegation of authority.

    2. Conducts Annual Audits – Both WebTrust and SOC 3

    Annual audits are crucial to CA security, yet not every CA makes them a priority. At a minimum, your CA should meet these auditing standards.

    • Maintain membership in the WebTrust program for CAs
      The WebTrust for Certification Authorities program was developed to increase consumer confidence in the Internet as a vehicle for conducting e-commerce and to increase consumer confidence in the application of PKI technology. Comodo CA, for example, undergoes an annual audit from Ernst & Young, which validates that:
        • The Certification Authority (CA) discloses its SSL certificate practices and procedures and its commitment to provide SSL certificates in conformity with the applicable CA/Browser Forum Requirements.
        • Subscriber information was properly collected, authenticated and verified.
        • The integrity of keys and certificates is established and protected throughout their life cycles.
        • Logical and physical access to CA systems and data is restricted to authorized individuals.
        • The continuity of key and certificate management operations is maintained.
        • CA systems development, maintenance and operations are properly authorized and performed to maintain CA systems integrity.
        • The Certification Authority maintains effective controls to provide reasonable assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum.
    • Publish an annual Service Organization Control 3 (SOC 3) report
      The SOC 3 report is published to confirm that the security controls for this cloud service have been examined by an independent accountant. Again, as an example, Comodo CA undergoes an annual audit from Ernst & Young to validate that Comodo CA has maintained effective controls over its system as it relates to four core principles: security, availability, processing integrity, and confidentiality.

    To sum it up…

    Trust is everything in the world of online business. Investment in technology to protect customers and earn their trust is a critical success factor for any company that does business online or hosts an e-commerce website. The effective implementation of TLS/SSL certificates is a proven tool to help establish customer trust. Check out Enom’s lineup of Comodo Certificates, or browse our full inventory of SSL products.

    Looking to learn more?

    This post was sponsored by Comodo CA, one of our trusted SSL providers. For more information about SSL, and a complete list of their products, visit www.ComodoCA.com.


  • GDPR Checklist for Enom Resellers

    May 17, 2018

    Advice, Announcement, Featured, GDPR, Uncategorized


    Any time there’s a dramatic shift in our industry, we focus on minimizing the impact on our resellers and providing you as much information and assistance as possible. Admittedly, our GDPR communications work has proven fairly challenging, in part because we’ve simply never seen a shift quite as dramatic as that prompted by the GDPR. While we wanted to equip our resellers with specifics about our implementation plan and a concrete list of action-items right from the get-go, developing long-term solutions that both achieved GDPR compliance and established processes in which registries, registrars, and resellers can play their specific, essential roles required considerable collaborative efforts from players across our industry.

    There’s still much work to be done, but today we’re happy to be able to offer a concrete list of GDPR action-items for Enom Resellers and helpful resources in the form of flowcharts, example landing pages, and FAQs. We’re even happier to say that the to-do list is a short one which will likely require minimal work on your end.

    Having said that, we must remind you that legal counsel is an essential part of any comprehensive GDPR compliance strategy. This checklist is not legal advice, and ensuring its completion by no means guarantees your compliance with the GDPR. Speak with a lawyer who is familiar with your business and equipped to judge whether your internal practices achieve compliance.

    Reseller Action-Items

    Most of these items will necessitate adjustments on your end. You may determine that some do not require action on your part, but all are significant and important for our clients to understand.

    1. Make Sure You’re Familiar with Our Newly Introduced Consent Management Process

    Moving forward, Enom will reach out to end-users to request their consent to process certain pieces of personal information. This “Consent Management” flow involves the sending of a request email which contains a link to the registrant’s unique Data Use Consent Settings page. This Data Use Consent Settings page serves as the registrant’s means to view their settings, manage their settings, and withdraw consent, should they choose to do so. It also contains a link to the Data Use Information page, which provides more information about how personal data is processed.

    To the registrant, it’s a straightforward experience that makes clear Enom’s relationship with their Registration Service Provider (Reseller). We recommend you take a look at these samples, so you’re aware of what this process will involve for your customers:

    Consent management sample flow – new registration
    Consent management sample flow – consent choice change

    Resellers will be able to view the GDPR consent status for each domain they have under management from the Domain Control Panel, within their Enom reseller account. If you’d like more information on why we require the end-user’s consent to process certain personal data, please check out our Consent blog post.

    2. Understand How to Provide Your Customers Access to Their Data Consent Settings Page

    According to the GDPR, “It shall be as easy to withdraw as to give consent.” With this in mind, we’ve provided our resellers two straightforward options to email a registrant the URL for the registrant’s Data Use Consent Settings page upon request:

    • Option 1: Via the API using the SendConsentEmail command
      Resellers can use this command to integrate into their own end-user portal an option for users to request that the Data Use Consent Settings page URL be sent to the registrant email.
    • Option 2: Via the soon-to-be-available “Send Consent Email” option in your Enom reseller account.
      Resellers can use this new button in the “Domain Control Panel” section of their Enom reseller account to send out the Data Use Consent Settings page URL to the registrant email listed for any domain in their account.

    Please note: both of these options will be available as of Monday, May 28, 2018.

    3. Ensure You’re Prepared for Our Updated Domain Transfer Process

    Once the public Whois “goes dark” in the days leading up to May 25, 2018, Enom will begin using a new process for domain transfers. The end result will be a process that creates a more streamlined experience for domain owners, while continuing to be secure against domain theft. Moving forward, when an inbound registrar transfer is ordered, we will submit the transfer directly to the registry instead of waiting for the Form of Authorization to be completed.

    You can check out our blog for the full details of the updated process.

    4. Enom Is Moving to a Gated Whois System

    For the full scoop, refer back to our Whois Changes blog post; for today, just keep in mind that after that go-live date, most public whois servers will cease the publication of personal data, and providers will start offering a “gated” or “tiered access” Whois system. Enom resellers don’t need to make any changes — your own clients’ data will continue to appear in your Enom reseller account, and we’ll take care of making sure the public Whois output is fully compliant with privacy regulations, so you’re good to go.

    These changes are also summarized in this quick PDF.

    5. Our Updated Reseller Agreement Now Requires That Resellers Process Data in a GDPR-Compliant Manner

    Hopefully, you’re well on your way to compliance with the GDPR. Enom has updated our Reseller Agreement to include information about the consent management process and the addition of a Data Processing Addendum (DPA), with EU standard contractual clauses to allow data transfer from the EU to non-EU jurisdictions. We encourage you to familiarize yourself with all the recent GDPR-related changes we’ve made to our Reseller Agreement by taking a look at the updated version.

    6. We’ve Updated Our Agreement with Registrants

    Our Domain Registration Agreement serves as the service contract between Enom and the domain owner (registrant). We don’t expect the GDPR-related updates to this agreement to be reseller-impacting; these changes primarily relate to the registrant’s consent management flow and the data retention and erasure policy. Keep in mind that all resellers need to display this updated agreement to customers as part of the domain registration process.

    Reseller Resources

    All important Enom resources relating to the GDPR can be found in our central GDPR knowledge base article, but for convenience, we’ve also listed them below. We hope the following resources help our reseller partners assist your clients with GDPR-related changes:

    Overview

    Our GDPR Webinar
    Central GDPR knowledge base article and FAQ

    Specific Platform & Process Changes

    Consent Management

    Consent management sample flow – consent choice change
    Consent management sample flow – new registration
    Consent management FAQ

    End-user consent request emails – The means by which we send the Data Use Consent Settings page URL (see below) to the registrant.
    Data use consent settings pages – The location from which a registrant can set, view, and update their consent preferences or revoke consent.

    Domain Transfers

    Transfer process changes infographic – a before and after GDPR comparison

    Whois Changes

    Whois Changes Overview PDF
    Whois Changes FAQ

    API Changes

    A new SendConsentEmail command has been introduced.

    Contract Changes

    Updated Reseller Agreement
    Updated Domain Registration Agreement
    Data Processing Addendum

    And there you have it. We appreciate that for those resellers affected by the GDPR, achieving compliance has involved a great deal of internal work, in addition to that required to accommodate the changes Enom is making to our platform. And while we’ve made every effort to keep this Reseller Checklist short and easy-to-implement, we know, as members of that same complex registry-registrar-reseller channel in which you operate, that small changes made by one player can have a big impact on others. We view our GDPR implementation work as essential to ensuring that the Enom platform evolves to meet the long-term needs of our resellers and the demands of a highly interconnected internet ecosystem. Greater control over one’s personal data is a good thing, and we’re happy to be able to extend to all users on our platform the rights and protections outlined in the GDPR.


  • Important Changes to our Legal Agreements

    May 10, 2018

    Announcement, GDPR


    We appreciate the work that our reseller partners have done, alongside our own, to come into compliance with the GDPR. In support of that work, please review our updated Reseller Agreement and Domain Registration Agreement. These updated contracts will go into effect 25 May, 2018.

    These changes primarily relate to the registrant’s consent management flow and include the addition of a Data Processing Addendum (DPA), with EU standard contractual clauses to allow data transfer from the EU to non-EU jurisdictions.

    We also understand that ICANN will be adopting a standard Data Processing Addendum, which would apply to its role with us (and you), our role (and yours) with gTLD registries, and our role (and yours) with data escrow providers. We were hoping to make this available to you along with our updated agreement, but in the interests of time and the need to achieve compliance on the set schedule, we are using our own data processing addendum instead for the present.

    If, as we anticipate, ICANN develops and issues to registries and registrars a new binding policy under the terms of our Registrar Accreditation Agreement, with a mandatory or recommended DPA, we will likely amend certain terms of our Master Services Agreement and the associated exhibits to conform to industry standards and assure contractual compliance with ICANN.

    We also anticipate that gTLD and ccTLD registries will continue to amend their contracts in the days and weeks ahead, so please ensure that you are always pointing your users to the most current version of the relevant registry terms and conditions, as referenced in our Domain Registration Agreement.

    Should any additional changes be required in this rapidly evolving area, we will inform you via our blog and newsletter.

