Buying and selling domain names might be much harder this year.
Major changes are coming to Whois and domain name investors might end up holding the short end of the stick.
The impetus for change came not from the community, but from the European Union and its General Data Protection Regulation (GDPR).
ICANN only belatedly started to address the real challenges of this law that will fine companies for disclosing personal information (among many other possible infractions).
The law only applies to European residents’ personal data. But changes to Whois will likely be enacted across the board rather than with precision.
(For background, read this story and listen to this podcast.)
As of right now, it seems that the likely model will be to obscure all Whois data across the globe, not just for individuals in the EU. There will be some sort of gating in which people can request full Whois data.
You can expect law enforcement, intellectual property interests and security firms to get access. They have the deepest pockets or the most influence to push for this access.
What exactly qualifies as an IP interest or security researcher is still up in the air and might require accreditation. Do I qualify as a security researcher when I use Whois history to connect the dots between domains being used for bad activities?
Domain investors don’t have much of a seat at the table. Even though domain investors fund much of ICANN’s budget (which is currently under pressure), domain investors don’t pay the money directly. They pay it to the companies that pay ICANN.
Among the problems domain investors will face from obscured Whois data are:
- Using historical Whois to verify valid ownership of domains before buying them
- Using current Whois info to verify ownership
- Using historical Whois to help recover stolen domains
- Using reverse Whois to understand domain portfolios they are purchasing
- Viewing single Whois records to make purchase inquiries
There are some limited workarounds to these. For example, an obscured Whois record might have a forwarding email address. But any veteran domain investor will tell you that a phone call is often required to connect with someone about selling a domain.
The Whois changes could throw a massive wrinkle in the domain name aftermarket, reducing the ease with which domains are sold and transferred.
All of these details might be resolved in the long run. But the deadline for GDPR compliance is in just two months. And if Whois data looks like this, we’re in trouble.
JZ says
so dumb. i won’t even be able to look up whois of my own domains?!!? thanks a lot europricks.
Zak Muscovitch says
GDPR is a huge issue as Andrew has pointed out. Yesterday ICANN’s CTO said that the ‘GDPR has destroyed Whois and has made our tools illegal’. Well said.
Nevertheless, the Internet Commerce Association is directly participating in the discussion about Accreditation models which is currently underway at ICANN, and we will be providing directly to ICANN and to various working groups, our proposals for accrediting domain name investors and marketplaces who rely upon Whois for their businesses.
Please feel free to reach out to me to share your thoughts and business cases for why Whois access is important to you: zak@InternetCommerce.org.
Andrew Allemann says
Thanks for staying on top of this, Zak and the ICA
JZ says
Why is GDPR allowed to stomp is feet and make everyone bow down to what they want? Why is the entire world being inconvenienced for their laws? its not right.
Mark Thorpe says
Thank you for sticking up for the rights of domain name owners and Investors, Zak.
I voiced my opinion to ICANN over domain name whois blocking.
JZ says
ICANN should use something like this if the are forced to comply with this ridiculous law.
message delivery form for .ca domains
https://services.cira.ca/agree/mdf/index.action
JZ says
i certainly hope there is a way to opt out (though how would you opt out 1000’s of domains at once i’m not sure). and also hope there is still a way to contact domain owners but more than anything is the lack of being able to check on who owns what when buying and selling. you can bet there will be a lot more people scammed because of this. how will i check that the buyer received the domain? how will i see if my domain has renewed properly?
John Berryhill says
There are a couple of possible ways to mitigate the impact on the domain name market.
1. Registrars will be able to switch from charging for privacy to charging for public WHOIS as an opt-in service, so that domain investors can be identified with their domains.
2. Domain purchasers should consider longer domain escrow periods, during which the domain name is held, the nameservers changed, and claims of any potentially aggrieved registrant would be likely to be brought to the attention of the service.
3. A variation of #1 would be for registrars to provide a confirmation service, such that a domain registrant could request that a registrar issue a confirmation to a recipient designated by the registrant to a prospective purchaser prior to a transaction.
4. Registrar-operated listing and exchange services may gain an advantage over non-registrar affiliated services, since a registrar can internally confirm that a domain name is registered to the seller.
Eric Lyon says
Looking at just one angle of this, the age old saying is: “If you haven’t done anything wrong, it doesn’t matter if law enforcement or the government take a peek behind the curtain, you have nothing to worry about”. 🙂 – Now’s the time for some to dot their i’s and cross their t’s, before the new policies take effect. 🙂
some name says
I would recommend all the owners that transferred their domains recently to change their auth code.
Otherwise, with the latest registrars proposal, if the hacker or old owner has the same auth code after selling and domain is unlocked, then they can transfer the domain with no issues.
Crazy times