
Enom Blog

September, 2020
Archive

  • Whois History and Updated Tiered Access Statistics

    September 17, 2020

    GDPR, Industry Insight


    The Internet as we know it may be fairly new, but that short history doesn’t mean it’s not also filled with cycles and repetition.

    Back in 2003, ICANN convened the Whois Task Force, intended to improve the ability of Whois services to contribute to the stability and security of the Internet while balancing the need to protect the privacy of the personal data involved. The Task Force’s goals of defining the purposes of Whois services overall—and of specific points of contact—as well as determining what data should be public and how to provide access as needed to nonpublic data, are remarkably similar to the work done in the EPDP, which was recently tasked with updating ICANN policy to adhere to the GDPR and other relevant privacy and data protection legislation while ensuring lawful disclosure of registration data where necessary.

    In 2005, in that same Task Force, the RrSG proposed the creation of an “Operational Point of Contact” to help address a specific issue:

    the amount of data that ICANN requires registrars to display in the Whois is facilitating all sorts of undesirable behaviours like renewal scams, data-mining, phishing, identity theft, and so on.

    The RrSG proposal was intended to enable contact with the relevant person responsible for the domain while also maintaining the privacy of personal data—again, similar to what the EPDP would later attempt—but other groups on the Task Force focused instead on limiting data protection to only a small subset of domain owners in order to retain as much access as possible.

    The Final Task Force Report on Whois Services, from 2007, gained support from the registrar and registry stakeholder groups (RrSG) and the non-commercial stakeholder group, but did not receive the business or intellectual property constituencies’ support.  The policy development world seems stuck in a loop, with the EPDP’s final report likely fated to end identically, despite our hopes that the ICANN Community will be able to break that cycle.

    Abusive use of publicly-available domain registration data, which RrSG members call out regularly, including in the early ‘00s and again in the EPDP, takes many different forms. Although it’s been some time since they’ve popped up in the news, those who follow the domain industry will know of Brandon Gray Internet Services, also known as NameJuice or Domain Registry of America. Their history of gathering Whois data to spam registrants with emails disguised as domain name renewal notices is well-documented¹, as is the damage done to domain owners and other Internet users. Typical complaints centered around registrants not knowing who their domain provider is or why a domain has been transferred away from their preferred registrar, paying for services that were unnecessary or nonexistent, and inability to manage domains after the transfer was completed. This began early in our Internet history, when domain owners were less experienced in managing services and had fewer data privacy and protection rights—or at least lower awareness around how to exercise those rights. In recent years, NameJuice has managed to stay under the radar, carefully crafting their solicitations to remain within the bounds of “marketing” and to avoid legal and compliance action.

    Abusive use of domain registration data took the form of bulk scraping of publicly-available data from the Whois system; this data was then packaged and sold by enterprising cybercriminals to both security researchers with valid purpose and those seeking to use it for purely commercial purposes. Because security researchers benefited from this arrangement, they kept their heads in the sand about the accumulation of the data—one of the first instances of cybercrime tools for hire.

    When unrestricted access to Whois data was terminated in May 2018, these data aggregators continued to sell previously-collected data. This mass processing of historic and ongoing registration data is illegal. Even data that is public may only be processed in a manner compliant with data protection regulations, including the GDPR; this means that the organization doing the processing must have a legal basis to do so and make sure the data subject (the registrant) is fully informed.

    Scraping is specifically prohibited in registrars’ terms of service for Whois data, yet security researchers, commercial litigators, and other parties seem eager to use such illicitly-obtained personal data while continuing to fight for access to information that was obtained through cybercrime.

    Tucows is not blameless; we should have more aggressively prosecuted these “WhoWas” service providers² while they were at the peak of their scraping and selling of this data, instead of merely implementing technical means to attempt to prevent their criminal activity (including rate limiting and requiring CAPTCHAs for lookups). While we did send cease and desist letters on multiple occasions, when these were ignored we did not take any additional action. We regret not having done so, especially as these companies continue to sell access to customers’ personal data to their complicit clients.

    At this point, since registration data is mostly redacted unless and until the domain owner decides to make it public, bulk gathering up of registration data is a decreasing concern but is still very much on our radar.

    This history should be kept in mind when reviewing this or any of our prior blog posts³ discussing the reasonable disclosure of previously-public Whois data. It is within the context of this profligate access to and abuse of Whois data that the flood of access requests registrars have received must be understood.

    Responses to Denial Requests

    Recently, the rhetoric from professional data requestors has shifted toward allegations of incorrect denials. Since we began tracking requests over two years ago, Tucows has denied only 241 requests, or 7% of all requests. We do not count abandoned requests as denials, as others do. Since May 2018, 51% of all requests are abandoned following our reasonable requests for additional information; this rate has dropped with each period.

    Most often, requests ask for all data we have, including information that was never publicly available and information that relevant courts have deemed to be illegal to share. When we respond to a request for “Registrant, Admin, Tech-C, Billing, and all other domains owned by the registrant”, we consider that to be a request for “previously-public Whois data”. Billing information would require a subpoena and reverse Whois lookups have never been a function of the Whois database, despite the criminal services discussed above.

    Of those 241 denials, vanishingly few of them have been disputed by the requestor—the handful of times it has happened, when our Legal team discussed the concern with the requestor, the end result was no disclosure. This tells us that our request review process is working properly, allowing us to filter out invalid requests and ensure that only those requestors who actually demonstrate a legitimate need for the data and commit to handling it with appropriate protections are able to obtain personal data.

    More complaints have been about the data we disclose being inaccurate. We do not specifically track this, but this type of response has been coming in often enough that we are working on providing an easy way of reporting a Whois inaccuracy to us—rather than having to report to ICANN to then convey to us. This will be available from within our TACO system, since only people with access to non-public personal data would be able to indicate that the information may be incorrect; this will include the standard process of suspension of the domain in the event of no response from the registrant within the ICANN-mandated time frame.

    Recent Tiered Access Statistics

    The statistics provided below are for the period beginning 1 March 2020 and ending 31 August 2020 (Period 4).

    Requests for Data Disclosure

    In Period 4, Tucows received 527 disclosure requests; our overall total since we began tracking this in May 2018 is 3,400⁴.

     

    75% of requests resulted in disclosure of domain registration data

    This represents an increase of 13% compared to Period 3, which itself was double the rate of Period 2. As we discussed in the Period 3 report, this indicates improvement in the quality of the requests that we receive.

    9% of requests were incomplete and, when we asked for additional information, the request was abandoned

    This is a drop from the previous period and can likely be attributed to our ongoing outreach efforts and each requestor’s increasing familiarity with the process. We are beginning to see new requestors who already know to follow the RrSG-Recommended Minimum Required Information for a Whois Data Request. The part of the request most frequently missing is an assurance to only use the data for lawful purposes and to destroy the data after it is no longer needed.

    11% of requests were denied, following a determination that the requestor did not have an adequate lawful basis

    This remains concerningly high. Unlike abandoned requests, where asking for additional information results in the requestor deciding not to follow up with the request, denied requests represent a failure of the requestor to adequately evaluate the legal implications of their request. As discussed in our Privacy and Lawful Access to Personal Data blog post, the primary reason that requests get denied is that no human reviewed the requests before they were submitted. The requests are for domains that may match all or part of a trademark but represent no threat to the mark for a variety of reasons. Our job is to balance the rights of the requestor—usually an intellectual property owner or its representative—against the data protection and privacy rights of the registrant. Where a review of the domain—even the content hosted on it—results in confirmation that there is no danger to the mark, the balance favors privacy.

    4% of requests were for domains with an active Whois Privacy service, so only the publicly-available privacy service data were disclosed

    While we are pleased to see this number reduced compared to the last period, we see some repeat requestors regularly asking for data they know to be behind one of our Whois Privacy services. This seems to be an attempt at “checking a legal box”: they are not asking for data they don’t know to be concealed, but rather, they are specifically not asking for the concealed data in the manner that they know will result in its disclosure, allowing them to indicate to their customers that they’ve gone through the process of requesting data but were “denied” without having to take the time and expense to file the actual paperwork that would result in its disclosure. We continue to reserve the right to blocklist requestors that regularly abuse our request process.

    Requested vs. Disclosed

     

    As mentioned above, the increase in disclosure rates for this reporting period shows improvement in the quality of the requests that we receive.

    Compared Against Previous Reporting Periods

     

    Requests Over Time

    Here’s an illustration of the total volume of requests Tucows has received since the launch of our Tiered Access platform:

     

    The number of requests appears to have stabilized, concurrent with the increase in quality of requests, a positive trend indicative of the industry as a whole settling into the new data protection landscape.

    Disclosure Request Outcomes, Compared

     

    We are pleased to note that the rate of incomplete and abandoned requests continues to drop.

    Duplicate Requests

     

    Duplicate requests have decreased, which we like to see, but an interesting new type of duplicative request that we have begun to see is that the owner of the intellectual property is reaching out to request data disclosure months or even years after the same data were already disclosed to a party claiming to be a representative of that owner. This is not tracked and currently remains rare but is an interesting insight into the relationships between professional data aggregators and the intellectual property owners they purport to represent.

    Categories of Requestors

    As readers of this blog series will know, we have grouped requestors into four main categories for tracking purposes. The main tracked requestor types are:

    • commercial litigation, which request disclosure of personal data in order to bring a legal claim of rights against the registrant;
    • law enforcement, carrying out an investigation or otherwise in the course of their work;
    • security researchers, who use certain aggregate data to identify trends in digital abuse; and
    • other, which includes Certificate Authorities, resellers, private individuals, and sometimes even the registrants themselves.

    At 84% of total requests, commercial litigation remains overwhelmingly the most frequent requestor type and, within that requestor type, professional data aggregators are the largest part. We are seeing a slight increase in Law Enforcement requests, up to 12% in Period 4.

    We look forward to continuing to provide legally permissible access to non-public domain name registration data, including tracking the statistics for future review and insight into our industry.

     


    1 Further reading:

    • Brandon Gray Internet Services Inc. Litigation
    • ICANN Notice of breach of registrar accreditation agreement
    • ICANN Notice of suspension of registrar’s ability to create new registered names or initiate inbound transfers of registered names
    • Ontario registrar stopped from selling dot ca domains
    • Domain registry of America get slapped in UK
    • ASA Adjudication on Domain Registry of America

    2 DomainTools has the dubious distinction of being the most well-known of these PII-aggregators but is by no means the only. WhoisXMLAPI, who.is, and WHOXY also sell current and former personal data to their customers and, in some cases, operate an extortion scheme whereby a registrant can request exemption from this illegal sale.

    3 You can find data for Period 1 in Enom’s Tiered Access Directory: eight months later, for Period 2 in Tiered Access Data Disclosure Update, and for Period 3 in Privacy and Lawful Access to Personal Data at Tucows.

    4 “Total” numbers for a period may change after the period is reported because, although we have mostly successfully educated requestors about how to submit requests, we sometimes find requests that were misrouted—we deal with these when they are discovered but we count them as of the date of request, potentially changing numbers after we have reported them in a blog post. The impact is minor, so we do not feel the need to update prior posts but felt it prudent to indicate why the numbers might be slightly different if you’re comparing across posts.


  • Increase Domain Sales with Branded Links Integration

    September 8, 2020

    Advice, Industry Insight, New TLDs


    What is a branded link?

    While brands are the most important assets for modern companies, links are the foundation of the web. Every time someone clicks, taps, or swipes, there is a link. A link is a bridge between the message and the content, the most relevant call-to-action of online communications. When brands meet links, you get branded links—short URLs created with three elements: your brand (company name or product name), a relevant TLD (there are hundreds of new TLDs to choose from), and a unique keyword.

    Branded links are the evolutionary product of traditional links and the already-popular short URLs (created using URL shorteners). They are the most effective and efficient way to share and manage links.

    Why you should use branded links

    A branded link is trustworthy, memorable, pronounceable, secure, and allows you to do some pretty nifty things. For instance, you can change the destination URL or route traffic based on the person who clicks it (by language or the date or time, for example).

    A branded link is traceable; it improves the click-through rate by up to 39% and increases the deliverability of emails and SMS.

    Rebrandly offers a short and sweet summary of the power of branded links:

    Rebrandly’s been a pioneer in the world of branded links since 2005 and now helps 550,000+ companies brand their links, including huge names like Lamborghini, Indeed, Intuit, Ferrero and Puma.

    If you’d like to learn more, check out their guide to link management.

    How to increase domain sales with branded links

    Until now, domain names were used almost exclusively for websites, blogs, and email. Today there is a third use: branded links.

    This is a great opportunity for your customers to improve their brand visibility and maximize the effectiveness of the links they share. As a domain reseller, it’s also a great opportunity for you to offer an innovative and useful service for free. You’ll sell more domains and provide real value.

    Using Rebrandly as a reseller

    With Rebrandly, you can offer branded links at no additional cost to you or your customers. Rebrandly doesn’t charge any sort of fee or commission.

    All your customer has to do is to register a domain name with you (no commission to Rebrandly required). And all you have to do is integrate with Rebrandly.

    Here’s how it works:

    When a customer buys a new domain name for their website you can suggest purchasing a second domain (same name but different TLD) for their branded links. For example, they might buy company.com for their website and company.buzz for their social, or company.press for their PR content.

    Rebrandly itself has multiple domains which they use for very specific purposes:

    • Rebrandly.video for their YouTube channel and to share video content
    • Rebrandly.buzz for social media sharing
    • Rebrandly.press to share the news with journalists and bloggers
    • Rebrandly.support for support tickets and to share links to FAQs
    • Rebrandly.link for general branded links
    • Rebrandly.click to enhance call-to-action links
    • Rebrandly.fun for sharing jokes and fun stories internally to their team
    • Rebrandly.download to share downloadable big files
    • Rebrandly.academy to share their knowledge base
    • Rebrandly.sale to share offers to potential customers
    • Rebrandly.blog to share blog articles

    That’s 11 domain names only for branded links, in addition to their .COM corporate site. Many companies have similar needs, making branded links a practical upsell opportunity.

    What you (and your customers) can do with Rebrandly

    Rebrandly incorporates a bunch of smart features that help you get granular with your campaigns and link tracking.

    Multiple domain management

    You can manage up to 1000 domains in a single account, and Rebrandly will automatically activate an SSL certificate for each — even if the domain was purchased from another provider. The platform allows you to manage the 404-page redirect and the main domain redirect.

    UTM and link parameter builder

    Urchin Tracking Module (UTM) parameters are used by marketers to track the effectiveness of online marketing campaigns across traffic sources and publishing media. Rebrandly lets you create UTM parameters, and even more advanced parameters, in a fast and efficient way.

    Puma, the well-known shoe and sportswear brand, uses Rebrandly’s parameter builder across all their marketing and affiliate teams in order to build trackable and measurable links that interact directly with their business intelligence tools.

    Link routing

    Dynamic link routing lets you send your audience to different destination URLs based on factors like the date, language, and user location. Lamborghini, the luxury car company, shares dynamic branded links on their social media using Rebrandly. The person who clicks on the link is redirected to specific content based on their location.

    Link retargeting

    Link retargeting involves inserting your retargeting pixel code – be it Facebook, Google, Twitter, or otherwise – inside of a short link so that anyone that clicks on the link is added to your retargeting pixel. With Rebrandly, you can “fire” a retargeting pixel directly within a link, whether it points to your website or not.

    Deep linking

    This allows brands to route traffic to a mobile application installed on a user’s phone. This advanced feature improves mobile user experience and increases conversion rates. Telecom companies like ThreeMobile use this feature especially when they send mass SMS communications.

    Workspaces and roles

    With Rebrandly, it’s possible to create unlimited workspaces with various role profiles and access levels for individual employees. Saint Gobain, a French multinational corporation with offices in 67 countries and over 170,000 employees worldwide, uses Rebrandly to give global departments the freedom to create custom short URLs organized by nation. Employees can share branded links for portfolios, product catalogs, documents, email signatures, and business cards. They’ve also widely adopted the solution for showcasing their various products.

    Are you using generic short URLs or branded links?

    Or, just as importantly, could your customers be using branded links to support their marketing efforts? You can start by getting creative with the TLD options you pitch to your customers, introducing them to the use cases of branded links, and, perhaps, integrating with Rebrandly to offer them a link-management solution.
