Nominet are consulting on new enhanced privacy services

Consultation began - 12th March 2015
Consultation ends - 3rd June 2015
Round Table Meeting - 30th April 2015, 10am, London
Full 32 page consultation document - http://www.nominet.org.uk/sites/default/files/contact-data-disclosure-uk-whois.pdf

Overview - Nominet are consulting about offering new enhanced privacy services. This is in addition to the existing WHOIS address opt-out, currently available for non-trading individuals. They realise that some registrars, usually accredited ones, are making more use of their own privacy services given accredited registrars have the facility to change the registrant details and place domain names into the name of their privacy service. Nominet now estimate that 6500 domain names a month are using some kind of WHOIS privacy (I believe this number is separate from those using WHOIS address opt-out).

Nominet are concerned that once domain names are registered to a privacy service they themselves, as the registry, no longer know who the registrant is and cannot contact them because the privacy service becomes the legal registrant. This could be a problem for DRS if the privacy service suffers under the 3 strike rule.

Nominet offered several possible solutions, numbered i - vii. I am not going to list them all here because on page 19, section XI from paragraph 69 onwards they have recommended their preferred proposal.

Nominet recommended proposal -

(1) amend the existing WHOIS address opt-out so:

i. The registrant must be an individual; and,
ii. The domain name must not be used:
    a) to transact with customers (merchant websites);
    b) to collect personal data from subjects (i.e. data controllers as defined in the Data Protection Act);
    c) to primarily advertise or promote goods, services, or facilities.

and

(2) to enable registrar-run privacy services to operate within a contractual framework:

“83.
To qualify, registrars would need to register their privacy service with us and apply for the functionality to be enabled. Registrars would be asked to provide details of the service that they are offering, would require an address for service, and the contact details that they would wish to have published in the register for the privacy service. These contact details would then be auto-populated by our systems at the point of the WHOIS query being returned, if the registration were flagged as being subject to privacy. Registrars would also need to give undertakings in relation to the commitments made to their registrants in using the privacy service – so that registrants are aware of the data that is being published, but that they are still the registrant and responsible for the domain name. Users of the privacy service would still be the registrant and subject to our Terms and Conditions of Domain Name Registration. Registrant contact data would remain subject to the data quality policy and validated in the usual way, even if not disclosed. It is important to note that in the case of .uk domain names that require a UK address for service, registrar privacy services would also be required to provide such an address for their customers (which would not be published in the WHOIS).

84. If the registry were to proceed with this option, the privacy service functionality would be made available to registrars at no cost. We anticipate that relatively minor systems changes would be necessary for registrars who would wish to use the functionality. We anticipate this to require the use of the standard EPP field, <contact:disclose> as defined in RFC5733. This field would be set against the contact name and address fields. Both disclose fields would need to be set in order to flag privacy, which would result in both name and address being withheld from publication. Similar functionality would also be made available in Web Domain Manager (WDM).
Where the preference has been set in these fields, Nominet would also not publish the data in the Registrant Type field (such as Company). This is because data may result in re-identification of the registrant, such as through the publication of a company registration number.

85. Nominet’s .uk WHOIS would effectively publish only the registrar’s privacy service address, whilst Nominet would also hold the registrant’s actual contact details. This would reduce the incidence of registrars unnecessarily transferring domains to themselves and mitigate the potential for post-expiry issues where a registrant has not received a deletion notification email. As Nominet will continue to have contact data for the registrant we can ensure continuity of service in the event the privacy service stops operating. Using the previous example of shinycleanhouse.co.uk below, the WHOIS could publish data as follows if Andrew Other were to use privacy service, and where data is auto-populated via the registry systems:

Result of WHOIS query:

    Domain name:
        shinycleanhouse.co.uk

    Registrant:
        Name withheld. This registrant is using a privacy service.

    Registrant type:
        Withheld.

    Registrant's address:
        Registrant’s address is withheld. This registrant is using a privacy service.

    Data validation:
        Registrant contact details validated by Nominet on 10-Dec-2012

    Registrar:
        Efficient Registrar Limited [Tag = EFF]
        URL: http://www.efficientregistrar.uk

    Relevant dates:
        Registered on: before Aug-1996
        Expiry date: 06-Dec-2015
        Last updated: 25-Nov-2013

    Registration status:
        Registered until expiry date.

    Name servers:
        nom-ns1.nominet.org.uk 18.104.22.168
        nom-ns2.nominet.org.uk 22.214.171.124

    Privacy Service:
        Privacy Services Limited

    Privacy Service’s address:
        81 Rivington Street, London, EC2A 3AY

86. The returned result would make clear that the registration is being held by a registrant who is using a privacy service, rather than a privacy service acting as the registrant.
We would not propose to charge registrars for the provision of functionality to enable sale of privacy services, although registrars would be free to charge if wished.

87. Privacy services that continue to register as the registrant would be free to do so within the existing terms of the Registrar Agreement. They would however do so at their own risk, taking on any liabilities associated with being the registrant and being contracted as a registrant with Nominet."

Questions related to this section:

Are there any specific standards that registrars should be asked to meet in order to provide a privacy service? For example (tick any that apply):

a. acting as an address for service for the registrant
b. being required to respond to or transmit abuse complaints from third parties to the registrant
c. being required to reveal contact details on receipt of a Dispute Resolution Service complaint from a third party
d. provide their own contact details to be published in the WHOIS
e. highlight the availability of the opt-out to registrants
f. Other?

Are there process or technical issues in separating collection from publication of contact data in the way we have suggested that Nominet should be aware of? Please explain with details about whether this would affect registrants, registrars, WHOIS users, or other stakeholders.

Whilst noting that the proposed privacy services framework would not apply to Self-Managed Tag users where domains must be connected to the registrant, should the framework be restricted only to Nominet Channel Partner and Accredited Channel Partner Tag holders? If you believe the framework should not be restricted, and that other parties should be permitted to operate privacy services, please explain why and provide comments on how Nominet could identify, monitor, and enforce the framework for third parties.

End note from me: There's a lot more in the 32 page document but I've tried to sum it up in an abbreviated fashion above.
Clearly Nominet prefer the idea of operating a free of charge privacy service that Channel Partner and Accredited Channel Partner registrars, but not self managed ones, sign up to use. Nominet still get all the registrant data, provided by the registrar, and can therefore contact the registrant if need be. In return Nominet populate the WHOIS output with privacy service details which present the contact details of the respective privacy service instead. This still enables registrars to sell privacy services as value added services, as some have already been doing.

I couldn't find any reference to the PRSS and whether the real registrant details or the privacy service details would be returned as a result of a PRSS query, so that is something I will be asking for more information about. I am also interested in exploring whether it should be possible for parties other than registrars to offer privacy services.
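
Added example (not part of the original post or of Nominet's consultation document): Python code applying the rule in paragraph 84, where privacy is flagged only when both the name and address disclose fields are set, and the registrant type is then withheld as well. The function names, the sample XML and the reading of the two "disclose fields" as contact:name and contact:addr inside an RFC 5733 disclose element with flag="0" are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"contact": "urn:ietf:params:xml:ns:contact-1.0"}  # RFC 5733 namespace

# Constructed sample: trimmed fragment of an EPP contact object, not schema-complete.
SAMPLE = """<contact:create xmlns:contact="urn:ietf:params:xml:ns:contact-1.0">
  <contact:id>EXAMPLE-1</contact:id>
  <contact:postalInfo type="loc">
    <contact:name>Andrew Other</contact:name>
    <contact:addr>
      <contact:city>Oxford</contact:city>
      <contact:cc>GB</contact:cc>
    </contact:addr>
  </contact:postalInfo>
  <contact:disclose flag="0">
    <contact:name type="loc"/>
    <contact:addr type="loc"/>
  </contact:disclose>
</contact:create>"""


def privacy_flagged(contact_xml):
    """True only when BOTH name and address are marked 'do not disclose'."""
    disclose = ET.fromstring(contact_xml).find("contact:disclose", NS)
    if disclose is None:
        return False
    # flag="0"/"false" = client prefers the listed elements are NOT disclosed.
    if disclose.get("flag") not in ("0", "false"):
        return False
    listed = {child.tag.rsplit("}", 1)[-1] for child in disclose}
    return {"name", "addr"} <= listed


def whois_registrant_lines(contact_xml, registrant_type, privacy_service):
    """Publication view only; the registry still stores the real contact data."""
    if privacy_flagged(contact_xml):
        return [
            "Registrant: Name withheld. This registrant is using a privacy service.",
            "Registrant type: Withheld.",  # withheld too, to avoid re-identification
            "Privacy Service: " + privacy_service,
        ]
    name = ET.fromstring(contact_xml).findtext(
        "contact:postalInfo/contact:name", namespaces=NS)
    return ["Registrant: " + name, "Registrant type: " + registrant_type]


if __name__ == "__main__":
    # "Individual" is a constructed registrant type value.
    print("\n".join(whois_registrant_lines(SAMPLE, "Individual", "Privacy Services Limited")))
```

A contact with only one of the two fields listed is treated as not flagged, so a registrar integration should check for that partial case before assuming data is withheld.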