Enom Blog

October, 2019
Archive

  • Tiered Access Data Disclosure Update

    October 30, 2019

    GDPR, Industry Insight

    It has been more than a year since Tucows, Enom’s parent company, launched our Tiered Access Compliance & Operations portal, sometimes called “Gated Whois,” and it’s been around six months since we shared our first set of statistics on how and by whom this platform is being used. Today’s update brings our statistics current through mid-October 2019. We hope that this data will provide insight into how we handle requests for non-public personal data.

    It’s important to remember that these statistics represent disclosure requests by a third party asking for personal data which is not publicly available. Each request is examined by a member of our legal team, who reviews the request and decides what data, if any, should be disclosed based on applicable law and our ICANN obligations. This review can be intensive and time-consuming but is essential to processing the data we’re entrusted with in accordance with our commitment to the protection of personal data.

     

    Data disclosure requests

    We received 467 requests for data in the period from February to mid-October 2019 and 2617 requests total to date.

    • 36% of requests received in this period resulted in registration data being disclosed to the requestor
    • 45% were incomplete and the requestor did not respond to our follow-up for further information, so no data were disclosed
    • 10% were denied, following a determination that the requestor did not have an adequate lawful basis
    • 9% of requests resulted in “disclosure” of Whois Privacy information—that is, the same information already publicly available to a requestor

     

    Disclosure request outcomes – Period 2

    We are pleased to note that we did not find significant spikes in requests during this reporting period, unlike our previous report where request volumes increased around ICANN meetings, suggesting that some portion of those requests were submitted in order to skew the data towards an argument that disclosure requests are not being processed in a timely or appropriate manner.

    Here’s an illustration of the volume of requests over time since we launched Tiered Access:

    Compared against our last report

    Perhaps more interesting than the overall numbers is how the current reporting period compares to the previous one, now that users have become more accustomed to the new system and have learned how to request data effectively. The comparisons below are percentages.

     

    Disclosure request outcomes compared

    • Increase in disclosure of non-public data from 25% to 35% and decrease in incomplete requests from 69% to 45%
      These changes are likely a result of our efforts to work with high-volume requestors to improve the quality of their requests
    • Increase in denied requests from just under 5% to just over 11%
      We attribute this to small-volume and single requestors who recently discovered our Tiered Access portal and do not yet understand how to submit a request that allows us to adequately evaluate their legitimate rights against the privacy rights of the registrant. We will work to better describe the request process at the point of access.
    • Increase in requests for data where the domain has Whois Privacy enabled from 3% to 9%
      When a domain uses one of our Whois Privacy services, we instruct requestors to submit legal process before disclosing the underlying personal data. We also, however, provide the privacy data, as the email address can be used to contact the registrant directly.

     

    Duplicate requests


    We continue to see a significant rate of duplicate requests. These include requests from the same source and from multiple requestors, each purporting to represent the same interests.  When we receive a second request from the same requestor, we refer them to our prior correspondence—whether that included a request for more information (most often the case) or disclosed personal data. When we receive a request for the same domain’s data from a different party, we encourage the two parties to work together to determine which one represents the legitimate purposes for the data disclosure. We do this whether the data were previously disclosed or not.

    As before, a statistically significant share of all requests comes from the same single requestor mentioned in our previous report; this is the largest individual requestor using our Tiered Access system. However, their requests have dropped by half—last time we shared stats, this requestor represented nearly 65% of all requests, while for period 2 they make up 30% of all disclosure requests submitted to our Tiered Access system. We have worked with this requestor to refine and improve the quality and type of their requests, which has resulted in a decrease both in requests sent and requests denied.

    Although they make up only a very small percentage of overall requests (1.5%), requests for access to our entire registration database have doubled from period 1 to period 2. The majority of these types of requests come from security researchers.

     

    Who wants data?

    As stated above, users of our Tiered Access Compliance & Operations system are vetted by our legal team, and disclosure is limited to those with a demonstrated legitimate legal interest. There are a few broad categories of requestors who typically have a legitimate purpose that would allow us to disclose the data—for example, while we do receive requests that are unsolicited offers to purchase a domain, this is not a legitimate purpose for disclosure, as there are other ways to accomplish the same goal without necessitating disclosure of personal data.

    The main tracked requestor types are “commercial litigation”, who need access to personal data in order to bring a legal claim of rights against the registrant; law enforcement, carrying out an investigation or in the course of their work; and security researchers, who use certain aggregate data to identify trends in digital abuse. In the chart below, “other” indicates all other requestors, including Certificate Authorities, resellers, and unaffiliated individuals.

     

    Requests by Requestor Type


    Despite recent concerns raised by security researchers—who comprise the bulk of requests for access to our entire database—the significant majority of all disclosure requests continue to come from commercial litigation interests. We continue to work with security researchers to develop ways for them to access the information they need while protecting the personal data of our customers.

    Since law enforcement historically had unrestricted access to the entire registration database, when a law enforcement officer from a jurisdiction we operate in indicates a need for data that would previously have been public, we do disclose the data to them. Law enforcement officers from other jurisdictions must still show legitimate purpose.

     

    Ongoing work

    The attitude we have seen throughout this process indicates a culture of entitlement to private personal data and a frustration about the requestor’s obligation to prove that they have a legitimate basis to access personal registrant data.

    In February 2019, the Registrar Stakeholder group published recommended minimum requirements for requesting non-public registration data. This valuable resource has been slow to gain traction in the community of requestors, though we continue to educate requestors individually. Our follow-ups, asking for information sufficient to show legitimate purpose, continue to be ignored, indicating to us that our responses to disclosure requests are unmonitored and that those disclosure requests themselves may be spurious or automated.

    We work on an ongoing basis both with trade groups and individual requestors to emphasize the importance of balancing rights—the requestor’s right to personal data necessary to defend their legitimate rights against our customers’ right to privacy. Our work includes participation in the EPDP, an effort at ICANN to solidify the rules surrounding how disclosure of personal data should proceed.

    We believe that we have developed a viable disclosure model—an opinion shared by trade groups who have indicated that the Tucows Tiered Access Compliance & Operations platform is an industry standard—and are happy to share additional details with other data custodians and with requestors to improve and harmonize the process across the industry. I will be at ICANN 66 in Montreal and available to discuss.


  • Our Ongoing Commitment to Combatting DNS Abuse

    October 18, 2019

    Announcement, Featured, News

    Abuse is a significant problem on the Internet today and, as a provider of Internet infrastructure services, we constantly consider what role we should play in combatting this issue. We actively investigate and respond to reports of abuse, but like other registrars and registries, we’ve been alone in developing our approach—until now.

    Abuse has been a growing topic of conversation in our industry. Today, several major registrars and registries released a DNS Abuse Framework defining what types of abuse to the domain name system (DNS) we are the appropriate parties to take action on. It’s our hope that this commitment by DNS providers to address abuse on our platforms will help establish industry-wide standards that both protect free speech and ensure that the Internet remains free and open while keeping malicious online activity in check. 

    What is DNS Abuse? On the surface that should be easy to answer: it’s abusive use of the domain name system. But as you get into the details, there are often more questions than answers. Who decides what is abusive? Who should respond when it happens? As a domain name registrar, our obligations are spelled out in the Registrar Accreditation Agreement (RAA), but although we must “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse,” (RAA 3.18.1) the RAA doesn’t provide a specific definition either of abuse or of what steps are reasonable.

    For some registries, Specification 11 of their respective Registry Agreements provides more assistance, referring to specific types of behavior as security threats: pharming, phishing, malware, and botnets. Until now, however, there has not been a consistent, common understanding of how to define abuse, meaning we haven’t been able to come to an agreement on who should respond when it happens.

    This new DNS Abuse Framework proposes a shared definition of DNS abuse, relying on the Internet & Jurisdiction Policy Network’s definitions of the four behaviors listed in the Registry Agreement plus spam (but only when spam email is used as a delivery mechanism for another type of abuse, such as malware). This Framework also considers additional types of abuse that DNS providers should respond to—even if we are not required to do so under our respective contracts. Reaching a common agreement about what constitutes DNS abuse is a crucial component of any industry-wide efforts to mitigate that abuse. 

    We encourage all Enom resellers to read through the Framework and become familiar with these types of abuse. To help, here’s a summary.

    Malware is software that is installed on a device, such as a computer or smartphone, without the owner’s consent and for malicious purposes (that’s where the “mal” comes from). This includes things like viruses or spyware.

    Botnets are networks of malware-infected computers, controlled remotely.

    Phishing is the term for a fraudulent or copycat email that tricks users into thinking it’s legitimate in order to obtain personal data or financial information such as credit card numbers.

    Pharming is the use of DNS redirection to bring Internet users to a different website than the one they intended to visit, in order to obtain personal data or financial information or install malware.

    Spam is unsolicited email; it is included in our definition of DNS abuse when it’s used as part of the delivery method for these other types of abuse, such as malware or phishing.

    As one of the collaborators of and signatories to this Framework, the Tucows family of registrars is committed to taking action when our services are used for these malicious purposes. As a community of stakeholders all seeking to provide safe and reliable Internet services, we’ve come together to find the most effective and appropriate means to mitigate these significant concerns. Since rules vary from jurisdiction to jurisdiction and there is no single global standard, we hope that this Framework helps to provide one. Having a consistent, industry-wide approach will help make responding to abuse faster and more successful, and this Framework can help those who encounter abuse online to know where to best direct their concerns so they’ll be addressed promptly.


  • Meet the New .ORG

    October 10, 2019

    Uncategorized

    .ORG has a new look! It’s the same trusted domain you know and love, but with a new, bold visual identity. We sat down with PIR, the registry behind the .ORG TLD, to learn a little more about their rebrand and how they’re gearing up to make .ORG even more impactful.

    There are quite a few elements that define a brand, and a great deal of thought was put into developing a new identity that visually, verbally, and emotionally speaks to who .ORG is and how PIR wants to connect to the .ORG community and the world. You can see it in their new logo and refreshed website — both feature exciting and energetic colors, bright imagery, and design elements that reflect .ORG’s impact worldwide, with more than 10 million domains under management.

    But a new look is only the tip of the iceberg; the “new .ORG” refers to more than a logo or color palette. It’s been a banner year for .ORG in more ways than one.

    A New Leader

    In December of 2018, .ORG welcomed a new leader — Jonathon Nevett — as President and Chief Executive Officer. Jon has brought decades of domain expertise and an impressive track record of industry leadership that has been (and continues to be) instrumental to the ongoing growth of .ORG. As Jon himself says, “I’m honored to be at the helm of such an impactful organization and want to do everything I can during my tenure to enhance the .ORG domain.”

    A Focus on Quality

    .ORG has always been one of the world’s most trusted domains, and one of the areas of focus for .ORG in 2019 (and beyond) is in upholding its reputation for being safe, secure, and trustworthy. Programs such as the recently implemented Quality Performance Index (QPI) initiative are designed to improve the quality of the .ORG name space by encouraging registrars and resellers to help ensure that the .ORG domain remains the best place for mission-based organizations to bring their ideas to life.

    Highlighting .ORGs In Action

    While .ORG has been used by some of the world’s most impactful non-profit organizations, the domain truly is for anyone who wants to do great things online. This year, .ORG will begin to shine a light on the forward-looking businesses, professional associations, civic groups, nonprofits, clubs and families who are all making their inspirations a reality using .ORG. The .ORG Story Program has launched with five unique stories of .ORGs who are making a difference in their communities and the world — and the story collection will continue to grow over the coming months.

    In addition to sharing these incredible stories, .ORG will also be hosting its first annual .ORG Impact Awards (OIAs) on the evening of October 10th in Washington, DC.  The .ORG Impact Awards program provides recognition to .ORGs that are connecting communities, making a difference in the world, and leveraging the internet for transformative change. This first annual program celebrates .ORG domain name users of all kinds and causes for their accomplishments in community mobilization, marketing and outreach, and mission achievement.

    Another major focus area for .ORG starting this year is providing educational opportunities that will empower .ORG community members to successfully leverage the Internet to achieve their myriad of missions and goals. The inaugural .ORG Community Forum, held on the morning of October 10th in Washington DC, brings together the .ORG community to collaboratively explore common areas of interest and find ways to navigate through critical challenges facing .ORGs today.

    Some Things Never Change

    While there sure is quite a bit that’s new with .ORG, some things always stay the same. For more than 30 years, .ORG has established a long-standing reputation as a best-in-class domain, particularly when it comes to domain security, trust, and reliability. And you can be certain that .ORG will continue to build on this impressive legacy – and remain the best place for anyone to build a trusted online identity.

     
