A small delegation from Tucows attended ICANN64 in Kobe, Japan, and we want to share a few quick highlights about the progress made in some key areas.
RDAP Working Group
RDAP, everyone’s favorite new registration data access protocol, is now in the implementation phase. This means that registrars and registries must implement RDAP according to the documented profile requirements by August 26, 2019.
As we’ve mentioned before, Tucows has already implemented the original version, so we’re now reviewing the final profile to understand what minor updates are needed. The RDAP Working Group recognizes that the current profile is based on the Temp Spec and will need to be modified to align with the policy coming out of the EPDP. As members of the RDAP Working Group, we’ll be participating in that process and making sure we’re on top of any further changes.
Access to Whois Registration Data
ICANN’s Technical Study Group on Access to Registration Data, which we’ll refer to as the “TSG,” met with several different groups during ICANN64 to present information about their work and answer questions from the community.
ICANN CEO Göran Marby’s idea seems to be that if the EDPB signs off on this Model, registrars and registries could follow it when providing Personal Data to ICANN for disclosure to third parties, and this would bring a reasonable expectation of “diminished liability.” However, many of us are concerned that the EDPB will not be able to base any decision off the TSG’s Model — they would most likely also require the accompanying Policy. This policy does not exist yet — it will come out of the EPDP Phase 2 work — and until it does, any request to have the EDPB review the Model is premature and ineffective.
Additionally, as we were reminded by Cathrin Bauer-Bulst from the European Commission, any statement by the EDPB that the Model is acceptable could easily be retracted in the future; it’s not a guarantee of legality. The TSG team has a face-to-face meeting planned for mid-April to finalize their report, after which it will be handed back to ICANN’s CEO.
Phase 2 of the EPDP & next steps for the IRT
The EPDP team met four times over the course of the ICANN64 conference, primarily focusing on planning for Phase 2 of their work: the creation of a Standard Access Model for disclosure of non-public registration data.
There was also discussion about convening an Implementation Review Team to bring the Phase 1 recommendations into reality and how to bridge the Implementation Gap period between when the Temp Spec expires (May 25 2019) and when the EPDP recommendations become mandatory policy (February 29 2020).
The team is still looking for a new Chair, as Kurt Pritz stepped down following the end of Phase 1. His admirable leadership and calm in the face of contentious issues will be difficult to replace. In the coming days, the EPDP team will continue to work with ICANN leadership to determine exactly how to proceed with these next steps. The Tucows team will be an active voice in that discussion, and we will keep our resellers up-to-date as things develop.
ICANN’s Expedited Policy Development Process (EPDP) team has issued theirPhase 1 Final Report, marking the end of this stage of the project. The recommendations from this Report will become mandatory as of February 29, 2020, but contracted parties (registrars and registries) are permitted to implement them sooner. We’re still determining what specific changes we’ll need to make, but here’s an overview of the expected operational impacts that you should be aware of.
Changes to which data elements are required for ICANN-regulated TLDs
The EPDP team has recommended that:
the Admin contact no longer be used at all
the Tech contact be entirely optional and minimized: only name, phone number, and email address.
Needless to say, we are pleased with this outcome. For months now, Tucows has argued against the continued mandatory collection of Admin and Tech contact data, as it violates the GDPR’s requirement for data minimization. We still allow our reseller partners to pass along these data sets, but we only use them if the registry specifically requires them; if they do not, we simply hold these data on our platform and do not share them with the registry or data escrow provider.
How is OpenSRS handling this change?
OpenSRS will need to delete the Admin contacts we hold for existing domains, unless it’s used for a TLD where the registry contractually requires an Admin contact. Before we delete any data, however, we’ll make sure that the registries have made the required changes on their side. This will ensure that no registrations fail at the registry level due to “missing data.” An additional point to consider is that some domains registered under the 2009 RAA rules do not have any associated Registrant contact info, because at the time the domain ownership information was stored in the Admin contact fields. We’ll ensure that the domain owner information is up to date before removing any of the Admin contact data.
What should resellers do?
We’re doing our best to minimize any work these changes could create for resellers. Right now, our suggestion is to audit which fields you currently list as mandatory in any signup and domain update forms that you provide to your customer base. You may need to make some adjustments and be ready to implement them once the recommendations outlined above are officially required. We’ll provide plenty of notice before implementing changes on our end.
Changes to which data are displayed in the public Whois
The public Whois record will continue to be mostly redacted. However, the EPDP has recommended that registrars display the registrant state and country fields. We’ll soon begin work to reflect this change in the Whois data output for all domains under our accreditation.
Special case: publishing registrant Organization Whois data
In theory, the Organization field holds non-personal data, so displaying it in the public Whois should not be an issue. In reality, however, the Organization field frequently does contain personal data. For this reason, the EPDP team has recommended that the Organization field should be published, but only in a way that avoids the accidental exposure of personal data.
So, how will this be accomplished?
Registrars have been asked to contact all existing domain owners to confirm whether or not they want their Organization info published. If the registrant opts in, the registrar can then publish the Organization data. If the registrant does not opt into publication, or does not respond at all, the data in the Organization field can either be kept on file with the registrar but redacted from the public Whois, or deleted entirely.
What should resellers do?
For the long-term, the EPDP team recommends a more proactive approach where a “disclosure, disclaimer or confirmation” is presented to domain owners as they enter data into the Organization field. This notice would explain both options and give the registrant the opportunity to decide if they want this information published or not. If you collect data through an online sign-up form, you may want to consider how to incorporate this notice. We’re considering how to best implement this recommendation in a way that will be clear to domain owners and represent a minimal workload for our resellers.
Changes to which domain name contact data are shared
Much of the heavy lifting here has been done. As part of our initial GDPR implementation last year, we did a full audit of our TLD offerings to determine which data elements should be shared with the registry by default, as required under our contract with the registry, and which should only be shared if the domain owner gives their explicit consent to do so.
Over the next few months, we expect to receive updated contracts from all the ICANN-accredited registries we work with. Depending on what the various registry contracts include, we may make adjustments to our data processing framework. We could end up sharing more or less data by default for specific TLDs, and may stop the collection of some “optional” data elements.
What should resellers do?
These adjustments will not create any work for you, the reseller, but you should be aware that some of the TLD-specific data sharing settings will be adjusted. You can always refer to Tucows’ Data Use Information page for details about the legal basis for processing the data we collect for any TLD.
Next steps
Hopefully, this review has left you with a good sense of what to expect over the coming months. We’ll have more updates as the EPDP team begins Phase 2 (Standard Access Model, formally referred to as the “Unified Access Model”) and works through the Implementation Review Team (IRT) process, which will turn these Phase 1 recommendations into actual policy.
Earlier this morning, our parent company, Tucows Inc. released some exciting news: we’ve officially acquired Ascio Technologies, another wholesale domain registrar that, like Enom, is dedicated to supporting a growing reseller network.
Enom and our sister brands, OpenSRS and EPAG, are thrilled to welcome Ascio to the Tucows family. The venture further solidifies Tucows’ position as the leading global wholesale domain registrar and is a natural step in expanding what we believe to be the best reseller-focused domains business in the industry.
The Ascio acquisition not only adds 1.8 million domains under management, but a thriving network of 500 resellers that fits squarely within Tucows’ core customer profile: ISPs, web hosting companies, and website builders. The move to acquire Ascio makes sense precisely because its business is so complementary to Enom’s. It will support Tucows’ efforts to scale and leverage synergies, while remaining focused on serving a specific customer base and investing in a platform and services that benefit resellers across all Tucows wholesale brands, Enom included.
Moving forward, it will be business as usual for all brands, Ascio included, as Tucows works to leverage the strengths of all brands to improve the business as a whole. Tucows has always been reseller-focused — it’s in our DNA — and this acquisition, much like that of Enom itself in 2017, is a testament to Tucows’ continued commitment to, and investment in, its wholesale domains business.
Tucows’ Tiered Access Compliance & Operations portal (which we commonly refer to as a “Tiered Access Directory” or “gated Whois”) launched at the end of May 2018. With its launch, our public Whois “went dark.” From that date forward, all personal registrant data has been redacted from the public Whois by default, and made accessible only via the gated Whois.
Most people saw this is a good thing—registrants deserve to have their personal information protected. A few argued that the change would impede efforts to identify and take legal action against cyber criminals and trademark or copyright violations. We’ve always advocated that a balance could be reached.
Now, eight months into our Tiered Access program, we’re looking back at the data access requests to see what the numbers reveal about how the system is working out.
The Big Picture
We have received more than 2100 data access requests since our Tiered Access system started last May, and of these requests:
Just over 25% resulted in applicable registration data being provided to the requestor
Only a small percentage of requests get denied: 4.6%, as of 13 February 2019
13% of all requests are duplicates
65% of all requests came on behalf of a single requestor; only 21% of these requests resulted in the provision of data, as the majority did not provide sufficient legitimate purpose, nor did the requestor respond to our request for more information
Perhaps surprisingly, 70% of data access requests are not fulfilled because the requestor did not respond to Tucows’ requests for additional information (including assurances regarding who the requestor was, how the data would be handled, and why the data were needed). For example, some requests failed to include the requestor’s own identity, their legal basis to access the information, or even which specific domain name they’re asking about. In all cases, we reply promptly to ask for the missing information but, so far, for 70% of the requests we have received, that information was never provided.
The vast majority of requests—just over 90%—come from commercial litigation interests and relate to a suspected intellectual property (copyright or trademark) infringement. The remaining 10% are spread across other types of requestors, including law enforcement, security researchers, registries, the registrants themselves, and third-parties interested in purchasing specific domains.
92% of requests were made by commercial litigation interests, mostly trademark interests (85%) but also some copyright (4%: fewer than 100 total copyright-related requests)
Within the “trademark” category, 76% of all requests are on behalf of a single entity. The next highest entity requestor accounts for only 7% of trademark requests.
Law enforcement requests account for less than 2% of all requests—this does not include warrants, as the intent of a gated Whois is to provide data which what had previously been publicly available; requests for additional information still require a warrant or subpoena
Fewer than 1% were requests from security researchers, one of the major groups who have expressed concerned about the loss of public Whois
Interestingly, we have had only a single request that appears to be related to illegitimate pharmaceuticals being sold online and zero requests related to terrorism. These are categories that we were led to believe we would receive a high volume of requests for.
Requests from ICANN Compliance
There are also a significant number of requests for personal data that we’ve excluded from the stats and total number referenced above: those made by ICANN Compliance. These were not included because, although ICANN Compliance has requested personal data from us in relation to complaints filed by third-parties, they have not yet demonstrated a legitimate purpose for processing that data. Since the introduction of our Tiered Access system in May, no Tucows-owned registrar has shared any personal registration data with ICANN Compliance; we have discovered that we can successfully help ICANN’s compliance investigation of registrant or third-party requests without disclosing any personal data to ICANN. We are always looking for innovative solutions that allow us all to rethink the traditional way of doing things.
What do these numbers tell us?
We see significant spikes of requests surrounding ICANN meetings:
These spikes and the prevalence of certain requestors strongly suggests an attempt to skew the data to create an argument against the loss of public Whois data. Regardless of that attempt, however, what we clearly see is a system working the way that it should: when sufficient legitimate interest is shown and assurances regarding the handling of data are made, the process of providing personal data is smooth.
The sky didn’t fall. The dire predictions that commercial litigation, law enforcement, and security research interests made prior to our GDPR implementation did not come to pass. Our Tiered Access team is able to respond to requests in a timely manner and to provide access to registration data when the requestor can demonstrate their legal basis for access. The system works well.
The future of Tiered Access
There remains much to be done regarding Tiered Access. The “Technical Study Group on Access to Non-Public Registration Data”, a recently-created group of ten members hand-picked by the ICANN Board, is engaged in technical work on Tiered Access, although not the thornier legal or policy challenges. There is a lot of work happening in the ICANN Community as well. The Expedited Policy Development Process (EPDP) Team work has not yet been finalized; a Registrar Constituency document outlining guidelines for requesting registrant data will be published soon; and there are ongoing informal discussions among registrars and other interests intended to streamline access and make it less difficult and confusing.
The EPDP’s Phase 1 Final Report, which will focus on data collection and, later, its Phase 2—which will be focused on a Standard Access Model—may affect what we collect and disclose in the future. We won’t know what the Tiered Access system will look like long-term until there is clarity around these items, which are still very much up in the air. That said, we’re in a position to adapt our system to meet the ICANN Community’s final requirements. In the meantime, we’ve created a solution that achieves an effective balance between protecting registrants’ right to privacy and providing legitimate third-parties timely access to the data they’re legally entitled to.
As we’ve said before, while it marks a big change in the domain space, the introduction of our Tiered Access Compliance and Operations system is a move in the right direction, in step with evolving privacy laws across the globe. Tucows remains committed to protecting registrant privacy and applauds the efforts underway by various governments to establish privacy-by-default standards.
If you sell .EU domains to UK residents, you may already be aware of an announcement made by the European Commission last March on the future of .EU domains registered to UK organizations and individuals. In short, once the UK officially withdraws from the European Union, individuals with an address in the UK and Gibraltar, and UK companies without a presence elsewhere in the EU, will no longer meet the eligibility requirements.
Much to the disappointment of the domain community, the European Commission has decided against “grandfathering” the 300,000 .EU domains already registered with a GI or GB country code, an action which would have allowed existing owners to renew their domains indefinitely, despite the country code no longer being eligible. We would have appreciated a more creative solution than existing registrants simply losing their right to ownership. Regardless, it’s time to start preparing affected registrants for this change.
No one knows how Brexit will proceed, but in late January 2019, EURid, the .EU registry, released details on how it would approach this transition. There are three possible scenarios:
Hard Brexit: The UK leaves the EU with no deal on March 30, 2019.
Soft Brexit: The UK leaves the EU on or after December 31, 2020, following a planned transitional period.
Soft Brexit with .EU Provisions: The UK leaves the EU with a planned transitional period, and the deal includes provisions for .EU domains.
Below you’ll find what each of these three scenarios would mean for .EU registrants based in the .UK.
Scenario 1 — In the event of a “hard Brexit”
If the UK leaves the EU on March 30, 2019, without having reached a withdrawal agreement, here’s what will happen. You can also jump to the summary table below.
Starting at March 30, 2019, 00:00 CET (March 29, 2019, 19:00 EDT), EURid will immediately stop allowing new registrations of .EU domains using a GB (Great Britain) or GI (Gibraltar) country code. For existing domains, EURid will no longer allow registrant transfers to GB or GI residents.
In March 2019, EURid will contact existing registrants who have listed a postal address with a GB or GI country code, giving them “the possibility to demonstrate their compliance with the .eu regulatory framework by updating their contact data.” For organizations, this would involve indicating a legally established entity in one of the eligible EU27 or EEA Member States. For individuals, this would involve updating their residence to a physical address located in one of the EU27 or EEA Member States.
The registrant may also choose to transfer the domain name to an EU resident.
Between March 30, 2019, at 00:00 CET (March 29, 2019, 19:00 EDT / 21:00 GMT time), when registrants are officially notified, and May 30, 2019, at 00:00 CEST (May 29, 2019, at 18:00 EDT), the registry will lock the impacted domains to prevent the following actions:
Registrant transfer (Ownership Change) to a non-EU registrant (Only Ownership Changes to an EU registrant will be permitted)
Explicit renew
Auto-renew (ineligible domains will automatically enter Withdrawn status)
During this two-month window, UK registrants who wish to keep their domain active must update their contact info to satisfy the eligibility requirements or transfer the domain to an EU resident.
On May 30, 2019, at 00:00 CEST (May 29, 2019, at 18:00 EDT), any registrant who has failed to demonstrate their eligibility will have their domain placed in Withdrawn status — the domain won’t resolve (and any linked services will become inactive), but the registration record will remain on file with the registry. At this point, the registrant is still able to reactivate their domain by updating their registration data to satisfy the eligibility requirements, thereby removing the Withdrawn status.
On March 30, 2020, at 00:00 CET (March 29, 2020, 19:00 EDT), all ineligible domains in Withdrawn status will be deleted and made available for registration.
We know this is quite a lot to keep in mind, so here is a summary of the “hard Brexit” key dates and events:
Scenario 1 summary table.
Domains belonging to EU citizens living in the UK
There are, no doubt, many EU27 citizens who reside in the UK and own a .EU domain name. These registrants, though still EU citizens post-Brexit, would become ineligible on March 30, 2019, as the current EURid policy determines eligibility based on the physical address of the registrant.
However, the EU Commission has announced policy changes which would allow EU citizens based in the UK to regain eligibility. The registrants would, therefore, lose their eligibility upon the UK’s withdrawal from the EU on March 30 2019, but would likely become eligible again once the new .EU regulatory framework comes into force later this year. Unfortunately, it’s not yet clear how long of a gap there will be between the UK’s withdrawal from the EU and the implementation of updated .EU policy.
Scenario 2 — In the event of a “soft Brexit”
If the UK were to leave the EU on or after 31st December 2020, following a planned transitional period, EURid’s plan would be similar to the “hard Brexit” plan, but with an extended timeline. Here’s what would happen (summary table below):
In December 2020, EURid will contact existing registrants who have listed a postal address have with a GB or GI country code, giving them “the possibility to demonstrate their compliance with the .eu regulatory framework by updating their contact data.” Once again, for organizations, this would involve indicating a legally established entity in one of the eligible EU27 or EEA Member States. For individuals, this would involve updating their residence to a physical address located in one of the EU27 or EEA Member States.
The registrant could also choose to transfer the domain name to an EU resident.
Between January 1, 2021, at 00:00 CET (December 31, 2020, at 18:00 EST), when registrants receive their final notice, and March 2, 2021, at 00:00 CET (March 1, 2021, at 18:00 EST)the registry will lock the impacted domains to prevent the following actions:
Registrant transfer (Ownership Change) to a non-EU registrant (Only Ownership Changes to an EU registrant will be permitted)
Explicit renew
Auto-renew (ineligible domains will automatically enter Withdrawn status)
During this two-month window, registrants who wish to keep their domain active must update their contact info to satisfy the eligibility requirements or transfer the domain to an EU resident.
On March 2, 2021, at 00:00 CET (March 1, 2021, at 18:00 EST), any registrant who has failed to demonstrate their eligibility will have their domain placed in Withdrawn status — the domain won’t resolve (and any linked services will become inactive), but the registration record will remain on file with the registry. At this point, the registrant is still able to reactivate their domain by updating their registration data to satisfy the eligibility requirements, thereby removing the Withdrawn status.
On 1 January 2022, at 0:00 CET (December 31, 2021, at 18:00 EST), all ineligible domains in Withdrawn status will be deleted and made available for registration.
Here is a summary of the “soft Brexit” key dates and events:
Scenario 2 summary table.
Domains belonging to .EU citizens living in the UK
As mentioned above, an updated .EU regulatory framework that will allow for .EU domains to be registered by EU citizens living in the UK will come into effect in 2019. Therefore, EU citizens living in GB or GI would NOT become ineligible as a result of a “soft Brexit.” Depending on how EURid implements the new policy directive from the EU Commission, EU citizens living outside of the EU could potentially be required to actively validate their eligibility in order to maintain their registration.
Scenario 3 — If provisions are made for .EU domains
In the event of a “soft Brexit” where the deal includes provisions for .EU domains, EURid would forgo the transition plans outlined in the scenarios above and instead adopt whatever transition plan the provisions call for.
Preparing for this change
The OpenSRS team is exploring how best to approach this situation and find solutions to minimize the impact on registrants. If you sell .EU domains we strongly encourage you to sign up for our.EU-Brexit Updates, an email series we will use to share developments, recommendations for resellers, and information about our own action plan, including how resellers can identify domains in Withdrawn status via the Control Panel and API.
Have you already given this situation some thought? If you’d like to share your approach, ask questions about this change, or provide feedback, please get in touch.
In the meantime, we have a few recommendations for our affected reseller partners.
1. Consider restricting multi-year renewals and registrations for .EU domains. This will help avoid situations where a UK customer pays a sizable renewal fee, only to lose their .EU domain a few months later.
2. Consider displaying a warning to registrants during the registration process It’s important that before registering a .EU domain, your UK-based customers are made aware of the impending change to the domain’s eligibility requirements. We recommend displaying a warning to customers attempting to register a .EU domain using a GB or GI address.
3. Keep in mind that the registry could contact your customers as early as March 23, 2019. We recommend preparing to contact your affected customers before March 23, 2019, so that, in the event of a hard Brexit, the notice from the registry doesn’t come as a surprise. Over the next couple of weeks, we’ll provide more information that will help to inform your communications.
3. Advise those registrants who can to update their information to meet the eligibility requirements as soon as possible. This will ensure their domain(s) does not fall into Withdrawn status and become inactive.
Once again, if you sell .EU domains, we highly encourage you to subscribe to our .EU-Brexit Updates series to stay up-to-date as things develop.
