Domain Manage

Nominet are consulting on new enhanced privacy services

Discussion in 'Nominet General Information' started by invincible, Apr 26, 2015.

Thread Status:
Not open for further replies.
  1. invincible

    invincible Well-Known Member

    Joined:
    Feb 2005
    Posts:
    4,108
    Likes Received:
    81
    Nominet are consulting on new enhanced privacy services

    Consultation began - 12th March 2015
    Consultion ends - 3rd June 2015

    Round Table Meeting - 30th April 2015, 10am, London

    Full 32 page consultation document - http://www.nominet.org.uk/sites/default/files/contact-data-disclosure-uk-whois.pdf

    Overview - Nominet are consulting about offering new enhanced privacy services. This is in addition to the existing WHOIS address opt-out, currently available for non-trading individuals. They realise that some registrars, usually accredited ones, are making more use of their own privacy services given accredited registrars have the facility to change the registrant details and place domain names into the name of their privacy service. Nominet now estimate that 6500 domain names a month are using some kind of WHOIS privacy (I believe this number is separate from those using WHOIS address opt-out). Nominet are concerned that once domain names are registered to a privacy service they themselves, as the registry, no longer know who the registrant is and cannot contact them because the privacy service becomes the legal registrant. This could be a problem for DRS if the privacy service suffers under the 3 strike rule.

    Nominet offered several possible solutions, numbered i - vii. I am not going to list them all here because on page 19, section XI from paragraph 69 onwards they have recommended their preferred proposal.

    Nominet recommended proposal - (1) amend the existing WHOIS address opt-out so:

    i. The registrant must be an individual; and,
    ii. The domain name must not be used:
    a) to transact with customers (merchant websites);
    b) to collect personal data from subjects (i.e. data controllers as defined in the Data Protection Act);
    c) to primarily advertise or promote goods, services, or facilities.

    and (2) to enable registrar-run privacy services to operate within a contractual framework:

    “83. To qualify, registrars would need to register their privacy service with us and apply for the functionality to be enabled. Registrars would be asked to provide details of the service that they are offering, would require an address for service, and the contact details that they would wish to have published in the register for the privacy service. These contact details would then be auto-populated by our systems at the point of the WHOIS query being returned, if the registration were flagged as being subject to privacy. Registrars would also need to give undertakings in relation to the commitments made to their registrants in using the privacy service – so that registrants are aware of the data that is being published, but that they are still the registrant and responsible for the domain name. Users of the privacy service would still be the registrant and subject to our Terms and Conditions of Domain Name Registration. Registrant contact data would remain subject to the data quality policy and validated in the usual way, even if not disclosed. It is important to note that in the case of .uk domain names that require a UK address for service, registrar privacy services would also be required to provide such an address for their customers (which would not be published in the WHOIS).

    84. If the registry were to proceed with this option, the privacy service functionality would be made available to registrars at no cost. We anticipate that relatively minor systems changes would be necessary for registrars who would wish to use the functionality. We anticipate this to require the use of the standard EPP field, <contact:disclose> as defined in RFC5733. This field would be set against the contact name and address fields. Both disclose fields would need to be set in order to flag privacy, which would result in both name and address being withheld from publication. Similar functionality would also be made available in Web Domain Manager (WDM). Where the preference has been set in these fields, Nominet would also not publish the data in the Registrant Type field (such as Company). This is because data may result in re-identification of the registrant, such as through the publication of a company registration number.

    85. Nominet’s .uk WHOIS would effectively publish only the registrar’s privacy service address, whilst Nominet would also hold the registrant’s actual contact details. This would reduce the incidence of registrars unnecessarily transferring domains to themselves and mitigate the potential for post-expiry issues where a registrant has not received a deletion notification email. As Nominet will continue to have contact data for the registrant we can ensure continuity of service in the event the privacy service stops operating. Using the previous example of shinycleanhouse.co.uk below, the WHOIS could publish data as follows if Andrew Other were to use privacy service, and where data is auto-populated via the registry systems:

    Result of WHOIS query:
    Domain name: shinycleanhouse.co.uk
    Registrant: Name withheld. This registrant is using a privacy
    service.
    Registrant type: Withheld.
    Registrant's address: Registrant’s address is withheld. This registrant is using a
    privacy service.
    Data validation: Registrant contact details validated by Nominet on 10-Dec-2012
    Registrar: Efficient Registrar Limited [Tag = EFF]
    URL: http://www.efficientregistrar.uk
    Relevant dates: Registered on: before Aug-1996
    Expiry date: 06-Dec-2015
    Last updated: 25-Nov-2013
    Registration status: Registered until expiry date.
    Name servers: nom-ns1.nominet.org.uk 213.248.199.16
    nom-ns2.nominet.org.uk 195.66.240.250
    Privacy Service: Privacy Services Limited
    Privacy Service’s address: 81 Rivington Street, London, EC2A 3AY

    86. The returned result would make clear that the registration is being held by a registrant who is using a privacy service, rather than a privacy service acting as the registrant. We would not propose to charge registrars for the provision of functionality to enable sale of privacy services, although registrars would be free to charge if wished.

    87. Privacy services that continue to register as the registrant would be free to do so within the existing terms of the Registrar Agreement. They would however do so at their own risk, taking on any liabilities associated with being the registrant and being contracted as a registrant with Nominet."

    Questions related to this section:

    Are there any specific standards that registrars should be asked to meet in order to provide a privacy service? For example (tick any that apply):
    a. acting as an address for service for the registrant
    b. being required to respond to or transmit abuse complaints from third
    parties to the registrant
    c. being required to reveal contact details on receipt of a Dispute
    Resolution Service complaint from a third party
    d. provide their own contact details to be published in the WHOIS
    e. highlight the availability of the opt-out to registrants
    f. Other?
    Are there process or technical issues in separating collection from publication of
    contact data in the way we have suggested that Nominet should be aware of?

    Please explain with details about whether this would affect registrants, registrars, WHOIS users, or other stakeholders.

    Whilst noting that the proposed privacy services framework would not apply to Self-Managed Tag users where domains must be connected to the registrant, should the framework be restricted only to Nominet Channel Partner and Accredited Channel Partner Tag holders?

    If you believe the framework should not be restricted, and that other parties should be permitted to operate privacy services, please explain why and provide comments on how Nominet could identify, monitor, and enforce the framework
    for third parties.

    End note from me:
    There's a lot more in the 32 page document but I've tried to sum it up in an abbreviated fashion above. Clearly Nominet prefer the idea of operating a free of charge privacy service that Channel Partner and Accredited Channel Partner registrars, but not self managed ones, sign up to use. Nominet still get all the registrant data, provided by the registrar, and can therefore contact the registrant if need be. In return Nominet populate the WHOIS output with privacy service details which present the contact details of the respective privacy service instead. This still enables registrars to sell privacy services as value added services, as some have already been doing.

    I couldn't find any reference to the PRSS and whether the real registrant details or the privacy service details would be return as a result of a PRSS query, so that is something I will be asking for more information about.

    I am also interested in exploring whether it should be possible for parties other than registrars to offer privacy services.
     
  2. Domain Forum

    Acorn Domains Elite Member

    Joined:
    1999
    Messages:
    Many
    Likes Received:
    Lots
     
  3. ABCV United Kingdom

    ABCV Active Member

    Joined:
    Jul 2009
    Posts:
    404
    Likes Received:
    5
    Seems very reasonable and I would definitely support and welcome this idea.
     
  4. invincible

    invincible Well-Known Member

    Joined:
    Feb 2005
    Posts:
    4,108
    Likes Received:
    81
    Round Table Meeting - 30th April 2015, 10.30am, London. That's today. Anyone, other than me, registered to attend? :)
     
  5. wizard

    wizard Well-Known Member

    Joined:
    Dec 2007
    Posts:
    1,929
    Likes Received:
    22
    Nope just you have fun :D
     
  6. bb99 United Kingdom

    bb99 Well-Known Member

    Joined:
    Mar 2005
    Posts:
    1,598
    Likes Received:
    38
    Invincible, perhaps you would be so kind as to let us know how the round table went tomorrow? Ta.
     
  7. invincible

    invincible Well-Known Member

    Joined:
    Feb 2005
    Posts:
    4,108
    Likes Received:
    81
    I attended the WHOIS consultation roundtable meeting last Thursday morning in London and found the meeting to be useful. There was quite a lot of scope to discuss things openly with others at the event and I appreciated the chance to do that rather than just addressing one chair person.

    I’ll try to summarise some of the points that I remember, particularly ones that might be of most interest to AD members.

    As previously detailed Nominet, the .uk registry, are proposing to offer a privacy service to existing registrars which would allow them to receive the true registration details for any domain names registered by a registrar offering such a service and has flagged registrant domain name(s) as privacy protected.

    At the moment some accreddited channel partner registrars that offer WHOIS privacy services are doing so by taking over the domain names of their registrants and make their privacy service company (almost always a different company to the actual registrar) the legal registrant of the domain names. As a result Nominet don’t know who the actual registrant of these privacy protected domain names are which prevents them corresponding with those registrants. Potential ramifications include being unable to timely notify them of a DRS, being able to assist the registrant with any related issues and being able to step in if a registrar or privacy service went out of business. Nominet would prefer to be able to do this although Nominet aren’t precluding the continued operation of privacy services as they are currently operated.

    Nominet are proposing to offer a WHOIS masking facility to accredited channel partner and channel partner registrars which would afford those registrars that chose to sign up to use it with the facility to ask Nominet to mask registrant details when a WHOIS and PRSS query was made against a domain name registration that had been flagged by a registrar as privacy protected.

    The registrar would agree to send Nominet the true registration details but flagged with privacy protected and Nominet would identify that flag and mask it from WHOIS and the PRSS. Any kind of privacy services will make domain name acquisition more difficult for anyone wishing to make contact with a registrant unless some way of contacting the registrant is made available which masks the registrant details. An example of a gTLD privacy service which has facilities to allow domain name registrants to be contacted is the Tucows OpenSRS "contactprivacy.com" (T&Cs).

    I raised the question about why the Nominet privacy service wasn’t going to be made available to Self Managed ("SM") registrars and whether it could be because I presumed some SM's might quite like to hide their home address using a free Nominet privacy service and then make use of their paid postal redirection service (such as the one many currently use in Truro) as the correspondence address listed for their own WHOIS privacy service instead. That way general correspondence would go to the WHOIS privacy service address and Nominet correspondence such as notifications of DRS would go to the registrants main (home) address.

    I also said I presumed that it wasn’t being offered to SM registrars because Nominet (and everyone else presumably) already knows who each SM registrar is. However, as I pointed out, each SM registrar can have up to four (possibly five depending how one looks at it) associated registrants that might want still wish to avail themselves of a privacy service.

    I wondered about asking for the formal facility for SM registrars to add an email address into the WHOIS but perhaps this consultation is the time to ask for it if it is desired by any? Would Self Managed registrars want WHOIS privacy as proposed and/or the function to add an email address into the WHOIS?

    I suggested that registrar signing up for a Nominet privacy service should have to meet some standards and that Nominet should mystery shop the registrars that use such a product to ensure they continue to meet it. Registrars should have to state their customer obligations in respect of postal correspondence, therefore if they file it in the wastepaper basket, or keep hold of it and scan it to email, or post it on then they should say and publish any additional costs that might be associated with forwarding it on.

    Finally I stated that I don’t believe that registrars alone should be permitted to offer a Nominet privacy service because other entities might be able to offer a quality service without wishing to be registrars. Most registrars I am aware of create a separate legal entity to act as their privacy service rather than simply transfer privacy protected domain names into the name of their registrar because doing so would be commercial suicide. Given they do this, and in my opinion are therefore spinning off the privacy service into a third party that may or may not be operated by the same people operating the registrar, why shouldn’t Nominet allow third parties that meet a standard to become privacy providers alone?

    I'd appreciate comments. Have tried to embolden what I think will be of interest to members here.
     
  8. bonusmedia United Kingdom

    bonusmedia Well-Known Member Exclusive Member

    Joined:
    Oct 2012
    Posts:
    1,112
    Likes Received:
    75
    Interesting stuff.

    Personally I'm not worried about hiding ownership but I can see where it would be useful.

    Were charges discussed? I agree with you that allowing other (accredited) entities to provide this makes sense as it should result in greater competition and lower costs.

    As you say it may make acquisition more difficult, but I'm assuming that the vast majority of registrants won't use it - and those who do are probably not open to selling.
     
  9. invincible

    invincible Well-Known Member

    Joined:
    Feb 2005
    Posts:
    4,108
    Likes Received:
    81
    At the moment a number of Self Managed ("SM") registrars make use of PO Box, Mailboxes Etc or mailing addresses in Truro (ScanMyPost) to hide their home addresses and be compliant with the registration T&Cs. I feel that the Nominet proposed privacy service might be of interest to SM registrars (currently the group Nominet are not proposing to offer the free facility to) because they would be able to list their PO Box, Mailboxes Etc or other as the address for their privacy service. External correspondence would go to it. Nominet correspondence would go to the real registrant. What do SM registrars think of this?

    Nominet are proposing to provide the service for free but only to channel partner and accredited channel partner registrars . The registrar still has to operate the privacy service itself and will charge for it. SM registrars would have negligible cost beyond any PO Box/mailing service they currently make use of.

    I also feel that third parties other than registrars should be able to offer privacy through Nominets proposal, as well as Address For Service.

    Perhaps if Nominet mandated that a URL to a contact web form was published in the WHOIS for every privacy protected domain name which allowed those enquiring about a domain name to fill in their details and have it forwarded by email to the registrant, there'd be less risk?

    Perhaps also allowing SM registrars to officially place an email address in the WHOIS for domain names held within their accounts would also be desirable? If so now is the time to ask.
     
  10. blacknight Ireland

    blacknight Active Member

    Joined:
    Apr 2007
    Posts:
    127
    Likes Received:
    1
Thread Status:
Not open for further replies.

Share This Page