MENU
  • Enom.com
  • Resellers

Enom Blog

GDPR
Category

  • Why We’re Applying GDPR Protections to Registrants Worldwide

    August 8, 2018

    GDPR, Industry Insight

     Like

    Views: 311

    Remember, although we have a great legal team working at Enom, none of what we share here can or should be taken as legal advice.

    Among the world’s leading registrars, Tucows, our parent company, is the only one that has redacted all personal data from the public Whois and announced a data use consent management process for registrants worldwide. In making these changes, we’ve disrupted the status quo and encountered resistance from other industry members who would prefer a more conservative solution. But with our nearly two decades’ experience operating as an accredited domain registrar and supporting a large reseller network, we’ve learned that it is imperative to choose proactive solutions and remain focused on how the industry will develop long-term, rather than default to the most simple or convenient option.

    We’ve said many times before that we believe individuals around the world have a right to the privacy and protection of their personal data. We’ve also made the more practical argument that while the GDPR may apply only to EU-local individuals, other governments have also passed data protection laws, and we expect more to follow suit. Today, we want to talk about why we remain confident in our approach and place it within the necessary context of worldwide data privacy regulations.

    Comparing Regional Privacy Laws

    The GDPR has received a lot of attention not because it’s the only law of its kind, but because of its wide scope of applicability and, perhaps first and foremost, the severity of the penalties for non-compliance. There are other, less well-known laws in countries outside of the EU that establish similar data privacy protections. We’ve looked at a few important examples—Canada’s PIPEDA, California’s new Consumer Privacy Act of 2018, and the 2000 Argentina Personal Data Protection Act—to see how they stack up against the GDPR. You can jump to our summary table, which compares their fundamental concepts and relates them back to Enom’s data-processing practices, or continue on below for a high-level overview of each law.

    California

    The California Consumer Privacy Act of 2018 (AB 375) was signed into law by the state’s Governor on June 29, 2018. This new legislation takes effect in 2020, and many of the protections it extends to Californians will sound familiar to anyone who’s read up on the GDPR. At a high level, the CCP Act aims to ensure:

    1. The right of Californians to know what personal information is being collected about them.
    2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
    3. The right of Californians to say no to the sale of personal information.
    4. The right of Californians to access their personal information.
    5. The right of Californians to equal service and price, even if they exercise their privacy rights (s.2.i).

    The CCP Act has an interesting fundamental difference to the GDPR: the GDPR protects the data, while the CCP Act protects the consumer. The GDPR sets out rights and obligations for Data Controllers, Data Processors, and Data Subjects, while the CCP Act focuses on the rights a consumer has in relation to businesses that process their data. Even with this scope of applicability in mind, it’s very clear that we can expect to see a heightened level of transparency and consumer control over data in California.

    These rights under the California Consumer Privacy Act will, of course, be subject to limitations, and the finer details will no doubt shift as government officials and private interest groups work to tighten up data privacy practices in a way that is not detrimental to the Californian businesses that rely on consumer data, including tech giants like Google and Facebook.

    It’s both fitting and encouraging that California, a hub for technological innovation, is leading the U.S. movement to protect individual privacy in our digital age. And while there may not be policy in development at the federal level just yet, other American states are well on their way to passing modernized data privacy legislation—check out this handy, albeit, slightly outdated, map for more details. It seems likely that some of the important provisions in California’s Consumer Privacy Act will serve as a template for other state governments looking to establish stricter data privacy laws.

    Canada

    Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been in place since 2000, but an accompanying document, “Guidelines for obtaining meaningful consent,” was just released in its final form on May 24, 2018, shortly before the GDPR came into effect. PIPEDA shares a number of similarities with the GDPR, which these new guidelines serve to highlight.

    PIPEDA may not explicitly mention “data minimization,” but it does state that “an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances” (Division 1.3). This idea is echoed and expanded in later sections, including “Principle 5 — Limiting Use, Disclosure, and Retention,” which declares that data “shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.” Much like the GDPR, PIPEDA has a clear aim to curb deceitful or indiscriminate data collection.

    In addition to restricting what data is processed, PIPEDA also calls for a high level of transparency around how and why data is processed. Its “Openness” principle affords individuals the right to request information about an organization’s data processing policies and practices, such as “a description of the type of personal information held by the organization, including a general account of its use” (Sched. 1 4.8.2). PIPEDA also requires organizations to obtain an individual’s consent before processing personal data, and specifies that this consent is “only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting” (Div.1, 6.1).

    Does this allow for service providers to bury the “nature, purpose and consequences” in the fine print? The word “reasonable” always invites a high degree of subjectivity. But the Office of the Privacy Commissioner of Canada (the “OPC”) released a related document, “Guidelines for obtaining meaningful consent,” which addresses any confusion. It states that “in order for an organization to demonstrate that it has obtained valid consent, pointing to a line buried in a privacy policy will not suffice.” Pretty clear.

    These Guidelines (well-summarized here) also put forth an idea quite reminiscent of the GDPR’s distinction between the legal bases of consent and contract. In Canada, individuals must be offered a clear “yes or no” option to consent to data processing. However, an exception to this rule is the collection or disclosure of personal information that’s required, or to quote directly, “integral to the product or service.” The collection or disclosure of such essential data are referred to as “conditions of service,” and can’t be opted out of without opting not to use the service at all. This is very similar to how contract-based data, those data elements which are required in order to provide the service for which they are collected, do not require explicit consent under the GDPR.

    The OPC also acknowledges that while some individuals may be content with a quick overview of what personal data is being collected, others will want a greater level of detail about their provider’s privacy and data use practices before making a consent choice. Organizations are encouraged to meet the needs of all users by presenting information in a “layered-format”, or some other method that provides the user with control “over how much detail is provided to them.” Our consent management process embodies this idea. We’ve clearly outlined the how, what, and why of our data collection practices, in a manner that avoids bombarding the reader with inaccessible legalese. Those looking to dive deeper can review our Data Use Information page, which we’ve also designed to be accessible to the average reader.

    Argentina

    Argentina’s Personal Data Protection Act is also an older data protection law, in effect since 2000. Argentina was the first Latin American nation designated by the EU as having an “adequate level of data protection” as compared to EU requirements.

    Argentina’s Data Protection Act is easily comparable to the GDPR, particularly in regard to the latter’s data minimization principle and distinctive treatment of consent- and contract-based data. The Argentine law requires that data collected must be “certain, appropriate, pertinent, and not excessive with reference to the scope within and purpose for which such data were secured” (Chapter 2, s.4.1). In addition to restricting what data can be collected, the Act also states that data must only be kept while it is necessary and relevant to the purposes for which it was initially collected—if it ceases to fulfill these requirements, it must be “destroyed” (s.4.4.7).

    These obligations go hand-in-hand with consent requirements: data processing is not permitted without the consent of the individual whose data is being processed, except in certain defined circumstances. The most notable exception to this requirement is the processing of data that arises “from a contractual relationship,” and which is necessary to develop or fulfill that contract. Here again, the consent request cannot be buried in the fine print. It must appear in a “prominent and express manner” (s.5.1).

    Argentina is currently working to create updated data protection regulations, which will be “heavily based upon the GDPR.” Thus far, we’ve only been able to locate a Spanish-language version of the updated draft bill, so we are relying on secondary sources for insight into how it compares to its EU equivalent. In a 2017 IAPP article, GDPR matchup: Argentina’s draft Data Protection Act, Pablo A. Palazzi and Andres Chomczyk provide a solid overview of the changes being made in an effort to bring the Argentine Law in line with the EU Regulation. Their review of the draft bill notes the introduction of “new legal bases” for data processing, including, “legitimate interest,” and the addition of “sections on child consent, data breaches, accountability, privacy by design, the duty to have a data protection officer and mandatory impact studies,” all of which closely resemble the GDPR’s data protection methods.

    It seems we can expect the updated Argentine law to mirror many of the GDPR’s fundamental components and, according to Palazzi and Chomczyk, even its scope of applicability; the draft outlines “new ways to determine whether an entity or certain data processing is subject to Argentine Law, quite similar to the criteria found in the GDPR.”

    We’re eager to view the new law in its final form and learn when it will take effect. The law in place at this time already includes many safeguards to ensure a high level of transparency and individual control around data collection, so in some ways, we don’t expect anything truly surprising from its successor, especially if the new version does indeed follow closely the GDPR. Our GDPR implementation efforts will likely prove sufficient to meet any updated Argentine requirements as well.

    Evolving Global Data Privacy Standards

    The policy revision efforts underway in Argentina speak to the GDPR’s global impact. Not only do the Regulation’s data processing requirements apply to organizations outside the EU that process the data of EU locals, the GDPR also serves as a standard, perhaps particularly for countries who wish to maintain or establish adequacy status with the EU.

    Just before this blog post went to “print,” India took a major step toward data privacy reform with the release of a report, “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians,” that’s to serve as a draft data protection bill. In a recent Data Protection Committee press conference, Ravi Shankar Prasad, Union Minister for Law and Justice & Information Technology, Government of India, noted that India’s Supreme Court “would like Indian’s data protection law to become some kind of model for the…world…” (4m20s).

    For those interested, France’s Commission Nationale de l’Informatique et des Libertés maintains a global map existing privacy law (check it out!), which may look quite different even five years from now.

    A Comparison of Data Privacy Laws and Enom’s GDPR Changes

    To contextualize our recent changes in relation to the GDPR, California’s Consumer Privacy Act, Canada’s PIPEDA, and Argentina’s Personal Data Protection Act, we’ve put together this comparison chart. As you’ll see, many of the core concepts remain the same across borders. This confirms our position that our recent updates demonstrate a proportionate and forward-thinking approach to the rapidly-shifting landscape of global data privacy regulation.

    Reflecting on Our GDPR Changes

    We could have applied our GDPR processes to EU-locals only, allowing resellers who don’t offer services to clients in the EU to proceed with business as usual, unconcerned with the GDPR. But that solution would not only have put our resellers and us at risk of improperly processing the personal data of EU-local individuals, it was also not a viable long-term option. Data privacy standards around the world are evolving and not in a direction that supports the unnecessary collection of personal data or the continued display of unredacted personal data in the public Whois directory without the data subject’s clear and specific consent. If the laws we reviewed today are any indication of where things are headed, Enom and our reseller partners can feel confident that our GDPR implementation work has positioned us all to meet and adapt to changing data privacy requirements.

    Our decision to redact data from the public Whois, even before ICANN confirmed this as an appropriate response to the GDPR, was part of larger move towards a gated Whois solution. In designing our “Tiered Access Directory”, we’ve done our best to balance individual privacy and the rights of registrants with those of law enforcement and other community members. Our consent management process establishes a high level of transparency about what data we collect and why and provides registrants an easy means of revoking consent and submitting data use disclosure requests. These changes may cause some friction in the short term but we are confident they will help us meet the long-term needs of our resellers and ensure we’re protecting their businesses as well as our own.

    On a less practical note, our parent company, Tucows, maintains a long-time commitment to “lobby, agitate, and educate to promote and protect an open Internet around the world.” Part of ensuring that the Internet remains free and open is ensuring that basic individual rights, including control over one’s personal information, continue to be protected as personal data becomes more ubiquitous and easy to share than ever before. The laws we’ve looked at here take varied approaches to addressing this challenge but also share some important similarities and reflect values that are becoming more and more universal: greater transparency on the part of organizations and greater control for individuals.

    Read More

  • Enom’s Tiered Access Directory (gated Whois)

    June 19, 2018

    Announcement, Featured, GDPR, Industry Insight

     Like

    Views: 775

    Over the past few months, we’ve talked quite a bit about the concept of our Tiered Access registration directory, also referred to by its informal title, “gated Whois”. This has sparked many questions from our reseller partners and other interested parties who are curious about how the system works, who may have access, and what the accreditation process looks like. Today, we’ll address these topics and discuss why we believe a gated Whois system is the best solution for our platform, our resellers, and our registrants.

    Why are we implementing a gated Whois?

    As we’ve written before, in updating our platform to achieve GDPR compliance, we used data privacy laws as our starting point. We worked from the ground up to design processes that we believe comply with those laws and their underlying principles, and adhere to our contractual requirements with ICANN and other TLD registries to the fullest extent possible. The changes we made, including the decision to remove contact data from the public Whois, are necessary to protect ourselves and our reseller partners from the possible legal repercussions of improperly processing or exposing personal data. Furthermore, we believe this change to the public Whois makes sense — data protection should be extended to all domain owners, and we don’t see any legal basis or justifiable need to publicly display unredacted contact data.

    That said, we acknowledge that, in many cases, third parties may have a real, justifiable need to access a registrant’s personal data, and these legitimate interests are also provided for within the GDPR’s definition of “lawful processing”. By restricting the general public’s access to personal data and introducing our Tiered Access registration data directory, we are complying with the GDPR and extending its protections to all registrants on our platform while ensuring that those with a legitimate legal basis have access to the data they need in order to protect the public and exercise their own rights.

    Who will have access and how will they be accredited?

    Through a rigorous authentication process, Tucows will ensure that only those with a legitimate interest are given access to the gated Whois system and that this access is restricted to only those data elements that the user needs. Parties with a “legitimate interest” may include law enforcement agents, members of the security community, and commercial litigators.

    At present, we are actively responding to requests for accreditation from members of those communities. In the near future, interested parties will be able to click an application link on tieredaccess.com to submit an email with the required application information. This will include the requestor’s first and last name, organization, and email address, which specific domains they want to access, and the requested duration of access. They will also be asked to provide any other pertinent details such as the legal basis for the request.

    What data will be displayed in the Tiered Access Directory?

    There are three factors, that in combination, determine what contact data will be visible to an accredited Tiered Access user by default: the user’s permission access level, the registrant’s data use consent settings, and whether the domain is privacy-protected.

    Permission Access Levels for Accredited Users

    In designing our gated Whois system, we started from the principle of data minimization and determined that a Tiered Access directory was the best way to protect the privacy of our customers while providing parties with legitimate interest access to relevant registrant data. At a high level there are three permission access tiers, and within each we can further restrict permissions by many different factors.

    Through conversations with stakeholders, we determined three major categories of requestors: law enforcement, commercial litigation interests, and security researchers. We then examined the various personal data points we collect and identified those which are most pertinent to the above-mentioned parties. We have done our best to balance individual privacy and the rights of registrants with the rights of law enforcement and the people they protect, the rights of commercial litigators and their clients, and the need for a safe and secure Internet.

    Tier One – Law Enforcement Authorities

    Users within this tier must be a member of a law enforcement authority with jurisdiction over Tucows or one of its companies, and are provided access to the widest range of registrant data available through our Tiered Access system. Our aim is to supply these parties with data elements that may be relevant to a legal investigation while still respecting the registrant’s privacy and consent choices.

    Please Note: For the small subset of ccTLDs whose registries contractually require the admin and tech contact info, a portion of those datasets may be included in tier-one results.

    Tier Two – Commercial Litigators

    Access for users within this tier will be limited to those elements deemed necessary to exercise their clients’ rights to pursue legal action against the owner of a domain registered on our platform.

    Tier Three – Security Community Members

    Users belonging to this tier provide a valuable public service by examining trends in online criminal activity, helping to make the Internet safer for everyone. They may only view a limited set of information because, while they inarguably play an important role in online security, they have no official jurisdiction or legal authority.

    Data Use Consent Settings and Whois Privacy Status

    For domains without Whois Privacy protection, the Tiered Access system (gated Whois) can display the following data:

    • Data that we require by contract: registrant name, country, email, and organization (if applicable)
    • Data that the registry requires by contract
    • Data which we have consent from the registrant to process

    This means that, in instances where the registry does not contractually require any data elements and we do not have consent to process any additional elements, only the minimum data that we require contractually will be shown.

    Tip: Through a quick search on our Data Use Information Page, you can determine which data are processed as per the registry’s contract and which are processed by consent.

    For domains with Whois Privacy protection, the Tiered Access system will only display the Whois Privacy contact data, just as it appears for privacy-protected domains in the public Whois. It’s also important to note that the process to reveal the underlying ownership information has not changed with the introduction of a gated Whois; we would still require the tiered-access-accredited party to provide a court order, subpoena, or similar legal justification before our Compliance team would provide the underlying contact data. In short, all the benefits of Whois Privacy carry over into our gated Whois system.

    Further Customizing User Access

    As we outlined above, the actual data elements visible by default to any accredited user of the Tiered Access system depend not only on the data use consent settings and privacy status of the domain, but also on the accredited user’s permission access level. On top of these controlling factors, we can also place additional custom restrictions on a user’s account.

    Our Tiered Access system uses the Registration Data Access Protocol (RDAP), developed by the Internet Engineering Task Force as an eventual replacement for the current WHOIS protocol. One of the essential benefits of using RDAP is that it allows us to define user access options at a very granular level. We can, for example, restrict the number of domains a user can query per day, the data fields returned by each query, which specific domains can be queried, and which data elements are returned in the response. We can also set the specific duration for which a user’s account remains active.

    This means that some users may have access to the full set of registrant data we hold, restricted only based on the registrant’s data use consent settings and the Whois Privacy status of the domain. For other users, it may be that only the registrant’s email address, only the registrant’s name and country, or, perhaps, only contract-based data, will be shared.

    What’s important to take away is this: our high-level tiers are a starting point; we have the flexibility to customize as needed and make adjustments as we find the best way to balance the rights of multiple parties.

    How will the Tiered Access system be accessed?

    The sign-in portal is available at tieredaccess.com. This page also includes an explanation of the Tiered Access registration directory and some information about who may be accredited. Over the next few phases, we’ll add an option to apply for access, a link to the applicable Terms and Conditions, and a public Whois lookup option, allowing the page to function as a Whois directory for both the public and gated versions of the service.

    Will resellers have access to the Tiered Access system?

    We have no plans to provide our reseller partners access to the gated Whois, but, if you’re one of our resellers, this shouldn’t be cause for concern — the data that appear in Tiered Access for any domains in your account are accessible to you through the Domains tab of the Control Panel or the GetContacts API command. Also, keep in mind that with the new domain transfer process, the gaining registrar no longer has to send the initial Form of Authorization to the registrant email address, which has historically been retrieved from the contact details in the public Whois.

    Finding a Balance

    Much of the debate over the concept of a gated Whois system has focused around finding a balance between protecting individual privacy and ensuring that those using domains to perpetrate malicious activities can be held accountable. A recent Techdirt article described the debate’s central question as, “which is more important for society: protecting millions of people from spammers, scammers and copyright trolls by limiting the publicly-available Whois data, or making it easier for security researchers to track down online criminals by using that same Whois information?” As a registrar, our central concerns are compliance with law and protecting the data we process. However, we also believe that, as far privacy laws permit, those who play an essential role in keeping the Internet safe should have access to the data they require in order to do so. Our Tiered Access system is a solution that accomplishes both objectives.

    Read More

  • GDPR Checklist for Enom Resellers

    May 17, 2018

    Advice, Announcement, Featured, GDPR, Uncategorized

     Like

    Views: 2497

    Any time there’s a dramatic shift in our industry, we focus on minimizing the impact on our resellers and providing you as much information and assistance as possible. Admittedly, our GDPR communications work has proven fairly challenging, in part because we’ve simply never seen a shift quite as dramatic as that prompted by the GDPR. While we wanted to equip our resellers with specifics about our implementation plan and a concrete list of action-items right from the get-go, developing long-term solutions that both achieved GDPR compliance and established processes in which registries, registrars, and resellers can play their specific, essential roles required considerable collaborative efforts from players across our industry.

    There’s still much work to be done, but today we’re happy to be able to offer a concrete list of GDPR action-items for Enom Resellers and helpful resources in the form of flowcharts, example landing pages, and FAQs. We’re even happier to say that the to-do list is a short one which will likely require minimal work on your end.

    Having said that, we must remind you that legal counsel is an essential part of any comprehensive GDPR compliance strategy. This checklist is not legal advice, and ensuring its completion by no means guarantees your compliance with the GDPR. Speak with a lawyer who is familiar with your business and equipped to judge whether your internal practices achieve compliance.

    Reseller Action-Items

    Most of these items will necessitate adjustments on your end. You may determine that some do not require action on your part, but all are significant and important for our clients to understand.

    1. Make Sure You’re Familiar with Our Newly Introduced Consent Management Process

    Moving forward, Enom will reach out to end-users to request their consent to process certain pieces of personal information. This “Consent Management” flow involves the sending of a request email which contains a link to the registrant’s unique Data use consent settings page. This Data Use Consent Settings page serves as the registrant’s means to view their settings, manage their settings, and withdraw consent, should they choose to do so. It also contains a link to the Data use information page, which provides more information about how personal data is processed.

    To the registrant, it’s a straightforward experience that makes clear Enom’s relationship with their Registration Service Provider (Reseller). We recommend you take a look at these samples, so you’re aware of what this process will involve for your customers:

    Consent management sample flow – new registration
    Consent management sample flow – consent choice change

    Resellers will be able to view the GDPR consent status for each domain they have under management from the Domain Control Panel, within their Enom reseller account. If you’d like more information on why we require the end-user’s consent to process certain personal data, please check out our Consent blog post.

    2. Understand How to Provide Your Customers Access to Their Data Consent Settings Page

    According to the GDPR, “It shall be as easy to withdraw as to give consent.” With this in mind, we’ve provided our resellers two straightforward options to email a registrant the URL for the registrant’s Data Use Consent Settings page upon request:

    • Option 1: Via the API using the SendConsentEmail command
      Resellers can use this command to integrate into their own end-user portal an option for users to request that the Data Use Consent Settings page URL be sent to the registrant email.
    • Option 2: Via the soon-to-be-available “Send Consent Email” option in your Enom reseller account.
      Resellers can use this new button in the “Domain Control Panel” section of your Enom reseller account to send out the Data Use Consent Settings page URL to the registrant email listed for any domain in their account.

    Please note: both of these options will be available as of Monday, May 28, 2018.

    3. Ensure You’re Prepared for Our Updated Domain Transfer Process

    Once the public Whois “goes dark” in the days leading up to May 25, 2018, Enom will begin using a new process for domain transfers. The end result will be a process that creates a more streamlined experience for domain owners, while continuing to be secure against domain theft. Moving forward, when an inbound registrar transfer is ordered, we will submit the transfer directly to the registry instead of waiting for the Form of Authorization to be completed.

    You can check out our blog for the full details, but here’s a snapshot of the updated process:

    4. Enom Is Moving to a Gated Whois System

    For the full scoop, refer back to our Whois Changes blog post; for today, just keep in mind that after that go-live date, most public whois servers will cease the publication of personal data, and providers will start offering a “gated” or “tiered access” Whois system. Enom resellers don’t need to make any changes — your own clients’ data will continue to appear in your Enom reseller account, and we’ll take care of making sure the public Whois output is fully compliant with privacy regulations, so you’re good to go.

    These changes are also summarized in this quick PDF.

    5. Our Updated Reseller Agreement Now Requires That Resellers Process Data in a GDPR-Compliant Manner

    Hopefully, you’re well on your way to compliance with the GDPR. Enom has updated our Reseller Agreement to include information about the consent management process and the addition of a Data Processing Addendum (DPA), with EU standard contractual clauses to allow data transfer from the EU to non-EU jurisdictions. We encourage you to familiarize yourself with all the recent GDPR-related changes we’ve made to our Reseller Agreement by taking a look the updated version.

    6. We’ve Updated Our Agreement with Registrants

    Our Domain Registration Agreement serves as the service contract between Enom and the domain owner (registrant). We don’t expect the GDPR-related updates to this agreement to be reseller-impacting, these changes primarily relate to the registrant’s consent management flow and the data retention and erasure policy. Keep in mind that all resellers need to display this updated agreement to customers as part of the domain registration process.

    Reseller Resources

    All important Enom resources relating to the GDPR can be found in our central GDPR knowledge base article, but for convenience, we’ve also listed them below. We hope the following resources help our reseller partners assist your clients with GDPR-related changes:

    Overview

    Our GDPR Webinar
    Central GDPR knowledge base article and FAQ

    Specific Platform & Process Changes

    Consent Management

    Consent management sample flow – consent choice change
    Consent management sample flow – new registration
    Consent management FAQ

    End-user consent request emails – The means by which we send the Data Use Consent Settings page URL (see below) to the registrant.
    Data use consent settings pages – The location from which a registrant can set, view, and update their consent preferences or revoke consent.

    Domain Transfers

    Transfer process changes infographic – a before and after GDPR comparison

    Whois Changes

    Whois Changes Overview PDF
    Whois Changes FAQ

    API Changes

    A new SendConsentEmail command has been introduced.

    Contract Changes

    Updated Reseller Agreement
    Updated Domain Registration Agreement
    Data Processing Addendum

    And there you have it. We appreciate that for those resellers affected by the GDPR, achieving compliance has involved a great deal of internal work, in addition to that required to accommodate the changes Enom is making to our platform. And while we’ve made every effort to keep this Reseller Checklist short and easy-to-implement, we know, as members of that same complex registry-registrar-reseller channel in which you operate, that small changes made by one player can have a big impact on others. We view our GDPR implementation work as essential to ensuring that the Enom platform evolves to meet the long-term needs of our resellers and the demands of a highly interconnected internet ecosystem. Greater control over one’s personal data is a good thing, and we’re happy to be able to extend to all users on our platform the rights and protections outlined in the GDPR.

    Read More

  • Important Changes to our Legal Agreements

    May 10, 2018

    Announcement, GDPR

     Like

    Views: 757

    We appreciate the work that our reseller partners have done, alongside our own, to come into compliance with the GDPR. In support of that work, please review our updated Reseller Agreement and Domain Registration Agreement. These updated contracts will go into effect 25 May, 2018.

    These changes primarily relate to the registrant’s consent management flow and include the addition of a Data Processing Addendum (DPA), with EU standard contractual clauses to allow data transfer from the EU to non-EU jurisdictions.

    We also understand that ICANN will be adopting a standard Data Processing Addendum, which would apply to its role with us (and you), our role (and yours) with gTLD registries, and our role (and yours) with data escrow providers. We were hoping to make this available to you along with our updated agreement, but in the interests of time and the need to achieve compliance on the set schedule, we are using our own data processing addendum instead for the present.

    If, as we anticipate, ICANN develops and issues to registries and registrars a new binding policy under the terms of our Registrar Accreditation Agreement, with a mandatory or recommended DPA, we will likely amend certain terms of our Master Services Agreement and the associated exhibits to conform to industry standards and assure contractual compliance with ICANN.

    We also anticipate that gTLD and ccTLD registries will continue to amend their contracts in the days and weeks ahead, so please ensure that you are always pointing your users to the most current version of the relevant registry terms and conditions, as referenced in our Domain Registration Agreement.

    Should any additional changes be required in this rapidly evolving area, we will inform you via our blog and newsletter.

    Read More

  • Changes to the Domain Transfer Process

    April 30, 2018

    Announcement, GDPR, Industry Insight, Uncategorized

     Like

    Views: 2477

    TL;DR
    The registrar transfer process for gTLDs needs to change once the public Whois “goes dark”. The end result will be a process that creates a more streamlined experience for domain owners, while continuing to be secure against domain theft. Moving forward, when an inbound registrar transfer is ordered, we will submit the transfer directly to the registry instead of waiting for the Form of Authorization to be completed.

    Upcoming Changes to the Domain Transfer Process

    Among the most noticeable and significant changes to result from the domain industry’s implementation of the GDPR are those to the Whois system. As we’ve written in past blog posts, as of May 25, 2018, Enom and many other domain registrars and registries will cease the display of personal data in the public Whois.

    The industry discussion around the effects of the Whois “going dark” has largely focused on the possible lack of access that law enforcement or the security community members may have to Whois data, the potential problems this presents, and how parties with legitimate legal interest in the data may still be able to obtain it. However, the impact of the change goes beyond the simple ability for a person to look up a domain’s contact data. There are automated processes and systems which rely on access to the public Whois contact details in order to function, and we need to make accommodations for these processes as well.

    The most significant impacted process, which we are working hard to ensure is not interrupted by these changes, is the registrar transfer process. Here, we’ll provide details about how we will modify the transfer process to accommodate new, heightened privacy measures for the handling of registrant contact data, and we’ll suggest some changes that our resellers may want to undertake. Ultimately, the updated transfer process will not only provide a work-around for the lack of a publicly displayed contact email, but will result in a simpler, more streamlined experience for the domain owner while continuing to protect against unauthorized transfers and ensure the privacy of personal data.

    The Domain Transfer Process Today

    Let’s start with a review of the registrar transfer process as it stands today. For reference, we’ve provided a flow chart which compares the current and updated transfer processes.

    Step 1

    The domain owner works with their current (losing) registrar to unlock the domain and obtain the transfer authorization code, also called an EPP Code. This step will remain the same even after the transfer process is updated since the current registrar can and should verify that the person unlocking the domain and requesting the authorization code truly has the authority to do so.

    Step 2

    Once the domain has been prepared for transfer, the domain owner works with the new registration service provider to initiate the transfer. Here at Enom, we’ve always required the authorization code to initiate inbound transfer orders. Contact information may also be provided as part of the transfer order; if this information is not included, the Enom system will automatically use the account contact info for the domain transfer.

    Step 3

    In the current transfer process, the gaining registrar sends the initial Form of Authorization (FOA) to the domain transfer contact email, which they acquire from the public Whois. The domain transfer contact email may be either the registrant or the administrative contact; at Enom, our current practice is to send the FOA to both contacts. This FOA must be responded to within five days, and the transfer will only proceed if it is approved at this stage (Step 3a). Once the transfer contact approves the transfer, the gaining registrar submits the transfer order to the registry, who then notifies the current registrar (Step 3b).

    Step 4

    The current (losing) registrar sends a secondary FOA, which is optional for the domain transfer contact to complete. If the domain transfer contact does not respond to it within five days, the transfer will proceed automatically at the end of this five-day period. Alternatively, the domain transfer contact can choose to use this step to cancel the transfer or confirm it again.

    Step 5

    The registry operator completes the transfer process by moving the domain to the gaining registrar’s credential, typically renewing the domain for one year. At this time, the domain is usually locked for 60 days, although standard procedure may differ among registries.

    How Will Transfers Work Post-GDPR?

    At present, the gaining registrar initiates a domain transfer by sending an FOA to the domain contact email, but once the public Whois “goes dark,” registrars may not be able to identify the contact email for a domain that isn’t under their accreditation. The question becomes, how can we securely and efficiently process a domain registrar transfer without a publicly accessible domain contact email? Many registrars have been thinking about this as part of their GDPR compliance work and have taken a collaborative approach to finding an industry-standard solution.

    The TechOps Subcommittee of the Registrar and Registry Stakeholder Groups has proposed modifications to the current transfer process which are intended to resolve this issue; their March 8 letter can be read on the ICANN website. Enom will proceed with the changes to the inbound transfer process as described in that letter, to ensure that the inter-registrar transfer process continues to operate smoothly after contact data is no longer available via the public Whois.

     

    Keeping Domain Transfers Secure

    In the Enom platform, there will be no required changes to how resellers initiate inbound transfers (Step 2), since both the contact data and the transfer authorization code are already required. The only real change is that, in cases where we are the gaining registrar, once the transfer order has been submitted in our system we will move directly to submitting the transfer request to the registry (Step 3b). We are making the required change to deprecate the initial Form of Authorization, with no action needed by our resellers.

    Registrar transfers for many ccTLDs already follow a process very close to this, where the authorization code for an unlocked domain is all that’s required before submitting the transfer to the registry. Making this change across the board allows us to ensure that inbound transfers continue to function for all domains coming into our platform.

    Another security measure that we would encourage registrants to take is to keep the domain locked, using the “ClientTransferProhibited” status, at all times unless specifically intending to transfer to another registrar. As a registration service provider, you can help your customers maintain their domain security in several ways, including requiring strong account passwords, enabling 2-factor authentication, and locking domains by default until otherwise requested by the domain owner.

     

    Additional Changes We’re Making at Enom

    Moving forward, whenever a transfer into Enom is completed, the domain’s contact data will be updated to match that which was used for the transfer order. This is currently optional, but will become mandatory; we will no longer be able to rely on the registry-provided contact data to be correct and not include placeholder information, because other registrars may no longer share registrant contact data with registries. In cases where the owner contact is new to our platform, the registrant verification process will begin as soon as the transfer is complete.

    To better illustrate the streamlined transfer process, we have created this diagram:

    Enom Transfer process before & after

    Is This Really OK?

    Adjusting the inter-registrar transfer process in response to GDPR-related industry changes is a priority for Enom. We believe that domain owners should continue to be able to choose their registrar and move between registrars at their discretion, as long as sufficient security measures to protect against domain theft remain in place. Absent an ICANN-approved transfer policy modification, our best option is to conform with this model proposed by leading registrars, including Enom.

    The modified transfer process meets our requirements around security and anti-theft: only the authorized domain contact has the ability to unlock the domain and obtain the transfer authorization code, and only they may approve the transfer away from the current registrar.  

    We can already point to examples of the transfer process working as it is described here, in use today. Most ccTLDs, .CA and .DE, to name a few, currently follow a process like the one we’ve outlined above, where the authorization code is required to initiate the transfer, but there is no Form of Authorization requirement for the gaining registrar.

    And from the client’s perspective, this is just one less step for them to complete as part of the transfer process, making it easier for them to move to their preferred service provider. This change is something registrants have asked about for years, and it removes one of the barriers to transferring registrars without compromising the domain’s security.

     

    How Does This Relate to the Consent Management Process?

    There is, of course, a connection between this updated transfer process and the newly introduced consent management process — any domain coming into our system must have a consent settings profile that lets us know how to handle all personal data related to that domain. Transferring from one registrar to another, or from one Enom reseller to another reseller, will thus trigger a consent request to the domain owner, just like a new registration would.

    Enom resellers who use the “pushdomain” API command or the “push” option in the Control Panel to move domains between distinct reseller accounts should keep this in mind so that clients are not surprised by consent requests resulting from a domain push.

     

    When is This Happening, and How Should I Prepare?

    We will adopt this new domain transfer process when our other GDPR-related changes go live, on or shortly before May 25, 2018. We appreciate that this will require our resellers to educate their support staff and we hope this post serves as a valuable resource.

    While we cannot speak for other registrars or registry operators, who will no doubt soon be announcing their own plans for handling domain transfers in a post-GDPR world, we’d like to again emphasize the fact that the model we are following was born from the collaborative efforts of leading registrars, ourselves included, and has already proven to be secure and efficient when used for ccTLDs. It is our hope that other registrars will plan to follow this model, and that eventually ICANN and the community-led policy development process will bring us to an industry-wide standard; at such time as ICANN provides a working and mandatory transfer policy, we will certainly comply with it to the fullest extent that we are able. That said, our primary concern is that domain owners on our platform maintain full control over their private information, products and services, and the ability to select the registrar or service provider that they prefer, while we remain compliant with data privacy laws and ensure the appropriate levels of security are in place. These transfer process changes are significant, necessary, and ultimately create a streamlined process that benefits registrants, resellers, and registrars.

    Learn more about the GDPR:

    GDPR Updates – Understand Enom’s approach to the policy

    • Tiered Access Directory (gated Whois) (Published on Jun. 19, 2018)
    • GDPR Checklist for Enom Resellers (Published on May. 17, 2018)
    • GDPR-Related Contract Changes (Published on Mar. 5, 2018)
    • The GDPR’s Right to Be Forgotten (Published on Jan. 18, 2018)
    • Consent and the GDPR (Published on Dec. 21, 2017)
    • How will the GDPR impact Whois? (Published on Nov. 9, 2017)
    • The GDPR Overview (Published on Oct. 30, 2017)

    GDPR Resources – View third-party resources on a specific GDPR topic

    • Right-to-be-forgotten-related resources (Published on Feb. 1, 2018)
    • Consent-related resources (Published on Jan. 4, 2018)
    • Whois-related resources (Published on Dec. 7, 2017)
    • GDPR Basics & Best Practices Resources (Published on Nov. 9, 2017)

    Read More

1 2 3 Next »

FEATURED POSTS

  • Enom’s Tiered Access Directory (gated Whois)

    June 19, 2018

  • What you should know about ICANN’s May 25th Legal Action

    May 29, 2018

  • A Guide to Choosing the Right SSL Certificate

    May 24, 2018

  • GDPR Checklist for Enom Resellers

    May 17, 2018

CATEGORIES

  • Advice
  • Announcement
  • Developers
  • DNS
  • Featured
  • Fun
  • GDPR
  • Industry Insight
  • New TLDs
  • News
  • Premium Domains
  • Promotion
  • Resellers
  • Roadmap
  • SSL
  • Uncategorized
  • WTB

ARCHIVES

  • August 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • January 2016
  • December 2015
  • November 2013
Support
Report Abuse
Help Center
Contact Us

 Resources
WHOIS Lookup
Maintenance Alerts
Developers
Products & Services
Domain Name Search
Premium Domains
Web Hosting
SSL Certificates
Website Builder
Basic Email
Bulk Tools

© 2018 Enom Blog |