Latest news of the domain name industry

Recent Posts

ICANN must do more to fight internet security threats [Guest Post]

ICANN and its contracted parties need to do more to tackle security threats, write Dave Piscitello and Lyman Chapin of Interisle Consulting.

The ICANN Registry and Registrar constituencies insist that ICANN’s role with respect to DNS abuse is limited by its Mission “to ensure the stable and secure operation of the internet’s unique identifier systems”, therefore limiting ICANN’s remit to abuse of the identifier systems themselves, and specifically excluding from the remit any harms that arise from the content to which the identifiers point.

In their view, if the harm arises not from the identifier, but from the thing identified, it is outside of ICANN’s remit.

This convenient formulation relieves ICANN and its constituencies of responsibility for the way in which identifiers are used to inflict harm on internet users. However convenient it may be, it is fundamentally wrong.

ICANN’s obligation to operate “for the benefit of the Internet community as a whole” (see Bylaws, “Commitments”) demands that its remit extend broadly to how a domain name (or other Internet identifier) is misused to point to or lure a user or application to content that is harmful, or to host content that is harmful.

Harmful content itself is not ICANN’s concern; the way in which internet identifiers are used to weaponize harmful content most certainly is.

Rather than confront these obligations, however, ICANN is conducting a distracting debate about the kinds of events that should be described as “DNS abuse”. This is tedious and pointless; the persistent overloading of the term “abuse” has rendered it meaningless, ensuring that any attempt to reach consensus on a definition will fail.

ICANN should stop using the term “DNS abuse” and instead use the term “security threat”.

The ICANN Domain Abuse Activity Reporting project and the Governmental Advisory Committee (GAC) use this term, which is also a term of reference for new TLD program obligations (Spec 11) and related reporting activities. It is also widely used in the operational and cybersecurity communities.

Most importantly, the GAC and the DAAR project currently identify and seek to measure an initial set of security threats that are a subset of a larger set of threats that are recognized as criminal acts in jurisdictions in which a majority of domain names are registered.

ICANN should acknowledge the GAC’s reassertion in its Hyderabad Communique that the set of security threats identified in its Beijing correspondence to the ICANN Board were not an exhaustive list but merely examples. The GAC smartly recognized that the threat landscape is constantly evolving.

ICANN should not attempt to artificially narrow the scope of the term “security threat” by crafting its own definition.

It should instead make use of an existing internationally recognized criminal justice treaty. The Council of Europe’s Convention on Cybercrime is a criminal justice treaty that ICANN could use as a reference for identifying security threats that the Treaty recognizes as criminal acts.

The Convention is recognized by countries in which a sufficiently large percentage domain names are registered that it can serve the community and Internet users more effectively and fairly than any definition that ICANN might concoct.

ICANN should also acknowledge that the set of threats that fall within its remit must include all security events (“realized security threats”) in which a domain name is used during the execution of an attack for purposes of deception, for infringement on copyrights, for attacks that threaten democracies, or for operation of criminal infrastructures that are operated for the purpose of launching attacks or facilitating criminal (often felony) acts.

What is that remit?

ICANN policy and contracts must ensure that contracted parties (registrars and registries) collaborate with public and private sector authorities to disrupt or mitigate:

  • illegal interception or computer-related forgery,
  • attacks against computer systems or devices,
  • illegal access, data interference, or system interference,
  • infringement of intellectual property and related rights,
  • violation of laws to ensure fair and free elections or undermine democracies, and
  • child abuse and human trafficking.

We note that the Convention on Cybercrime identifies or provides Guidance Notes for these most prevalently executed attacks or criminal acts:

  • Spam,
  • Fraud. The forms of fraud that use domain names in criminal messaging include, business email compromise, advance fee fraud, phishing or other identity thefts.
  • Botnet operation,
  • DDoS Attacks: in particular, redirection and amplification attacks that exploit the DNS
  • Identity theft and phishing in relation to fraud,
  • Attacks against critical infrastructures,
  • Malware,
  • Terrorism, and,
  • Election interference.

In all these cases, the misuse of internet identifiers to pursue the attack or criminal activity is squarely within ICANN’s remit.

Registries or registrars should be contractually obliged to take actions that are necessary to mitigate these misuses, including suspension of name resolution, termination of domain name registrations, “unfiltered and unmasked” reporting of security threat activity for both registries and registrars, and publication or disclosure of information that is relevant to mitigating misuses or disrupting cyberattacks.

No one is asking ICANN to be the Internet Police.

The “ask” is to create policy and contractual obligations to ensure that registries and registrars collaborate in a timely and uniform manner. Simply put, the “ask” is to oblige all of the parties to play on the same team and to adhere to the same rules.

This is unachievable in the current self-regulating environment, in which a relatively small number of outlier registries and registrars are the persistent loci of extraordinary percentages of domain names associated with cyberattacks or cybercrimes and the current contracts offer no provisions to suspend or terminate their operations.

This is a guest editorial written by Dave Piscitello and Lyman Chapin, of security consultancy Interisle Consulting Group. Interisle has been an occasional ICANN security contractor, and Piscitello until last year was employed as senior security technologist on ICANN staff. The views expressed in this piece do not necessary reflect DI’s own.

Comment Tagged: , , , , ,

Bumper batch of dot-brands off themselves for Friday 13th

Kevin Murphy, September 12, 2019, Domain Registries

It’s Friday 13th tomorrow, and to celebrate the occasion no fewer than 13 dot-brands have opted to take the easy way out and self-terminate.

ICANN has published a bumper list of contracted brand registries that have informed the organization that they no longer wish to run their gTLDs.

Adding themselves to the dot-brand deadpool are: .ladbrokes, .warman, .cartier, .piaget, .chrysler, .dodge, .mopar, .srt, .uconnect, .movistar, .telefonica, .liason and .lancome.

That brings the total of self-terminated new gTLDs to date to 66.

The imminent demise of .cartier and .piaget is perhaps notable, as it means luxury goods maker Richemont has now abandoned ALL of the nine dot-brands it originally applied for.

Richemont, an enthusiastic early adopter of the new gTLD concept, applied for 14 strings in total back in 2012.

The only ones it has left are generics — .watches along with the the Chinese translation .手表 and the Chinese for “jewelry”, .珠宝, none of which have been launched and in all likelihood are being held defensively.

It’s the same story with L’oreal, the cosmetics company. It also applied for 14 gTLDs, mostly brands, but abandoned all but .lancome prior to contracting.

With .lancome on its way out, L’oreal only owns the generics .skin, .hair, .makeup and .beauty, at least one of which is actually being used.

Also of note is the fact the car company Chrysler is dumping five of its six gTLDs — .chrysler, .dodge, .mopar, .srt and .uconnect — leaving only .jeep (unused) still under contract.

Clearly, Chrysler is not as keen on dot-brands as some of its European competitors, which have been among the most prolific users.

Telefonica’s abandonment of .movistar and .telefonica also means it’s out of the gTLD game completely now, although its Brazilian subsidiary still owns (and uses) .vivo.

Betting company Ladbrokes only ever owned .ladbrokes, though it did unsuccessfully apply for .bet also.

Rounding off the list is .warman, a brand of — and I’m really not making this up — industrial slurry pumps. The pumps are made by a company called Weir, which uses global.weir as its primary web site. So that’s nice.

As far as I can tell, none of the gTLDs that are being killed off had ever been used, though each registry will have paid ICANN six-figure fees since they originally contracted.

6 Comments Tagged: , , , , , , , , , , , , , , , , , ,

.org price cap complaints more like “spam” says Ombudsman

Kevin Murphy, September 11, 2019, Domain Policy

ICANN’s Ombudsman has sided with with ICANN in the fight over the lifting of price caps on .org domains, saying many of the thousands of comments objecting to the move were “more akin to spam”.

Herb Waye was weighing in on two Requests for Reconsideration, filed by NameCheap and the Electronic Frontier Foundation in July and August after ICANN and Public Interest Registry signed their controversial new registry agreement.

NameCheap wants ICANN to reverse its decision to allow PIR to raise .org prices by however much it chooses, while the EFF complained primarily about the fact that the Uniform Rapid Suspension anti-cybersquatting measure now appears in the contract.

In both cases, the requestors fumed that ICANN seemed to “ignore” the more than 3,200 comments that were filed in objection back in April, with NameCheap calling the public comment process a “sham”.

But Waye pointed to the fact that many of these comments were filed by people using a semi-automated web form hosted by the pro-domainer Internet Commerce Association.

As far as comments go for ICANN, 3200+ appears to be quite a sizeable number. But, seeing as how the public comments can be filled out and submitted electronically, it is not unexpected that many of the comments are, in actuality, more akin to spam.

With this eyebrow-raising comparison fresh in my mind, I had to giggle when, a few pages later, Waye writes (emphasis in original):

I am charged with being the eyes and ears of the Community. I must look at the matter through the lens of what the Requestor is asking and calling out. The Ombuds is charged with being the watchful eyes of the ICANN Community. The Ombuds is also charged with being the alert “ears” of the Community — with listening — with making individuals, whether Requestors or complainants or those just dropping by for an informal chat, feel heard.

Waye goes on to state that the ICANN board of directors was kept well-briefed on the status of the contract negotiations and that it had been provided with ICANN staff’s summary of the public comments.

He says that allowing ICANN’s CEO to execute the contract without a formal board vote did not go against ICANN rules (which Waye says he has “an admittedly layman’s understanding” of) because contractual matters are always delegated to senior staff.

In short, he sees no reason for ICANN to accept either Request for Reconsideration.

The Ombudsman is not the decision-maker here — the two RfRs will be thrown out considered by ICANN’s Board Accountability Mechanisms Committee at its next meeting, before going to the full board.

But I think we’ve got a pretty good indication here of which way the wind is blowing.

You can access the RfR materials and Waye’s responses here.

6 Comments Tagged: , , , , , , , , , , ,

Botterman is new ICANN chair

Kevin Murphy, September 10, 2019, Domain Policy

ICANN has announced that Maarten Botterman has been selected as its new chair.

He, along with newly selected vice chair León Felipe Sánchez Ambia, will take their seats after a formal board vote to come at the end of ICANN’s annual general meeting in Montreal next month.

Botterman replaces Cherine Chalaby, who has been in the role for two years. Chalaby is term-limited, having joined the board nine years ago, and will leave ICANN after Montreal.

Chris Disspain and Ron da Silva also stood for the chair, Chalaby said in a blog post last night. Becky Burr stood unsuccessfully for vice chair.

Disspain, currently vice chair, has stepped aside immediately to be replaced for the next month by Botterman. Disspain’s nine years come to an end next year.

Botterman is Dutch, based in Rotterdam, where he works as an “independent strategic advisor” at his own company, GNKS Consult.

He’s also on the board of the non-profit NLnet Foundation, which funds internet research, and is a former chair of Public Interest Registry, which runs .org.

He’s got a background in the Dutch government and the European Commission.

He was put on the board by the Nominating Committee three years ago and renewed for another three years last month. Theoretically, he could stay as ICANN’s chair for the next six years.

1 Comment Tagged: ,

Another victory for Amazon as ICANN rejects Colombian appeal

Kevin Murphy, September 9, 2019, Domain Registries

Amazon’s application for .amazon has moved another step closer to reality, after ICANN yesterday voted to reject an appeal from the Colombian government.

The ICANN board of directors voted unanimously, with two conflict-related abstentions, to adopt the recommendation of its Board Accountability Mechanisms Committee, which apparently states that ICANN did nothing wrong when it decided back in May to move .amazon towards delegation.

Neither the board resolution nor the BAMC recommendation has been published yet, but the audio recording of the board’s brief vote on Colombia’s Request for Reconsideration yesterday can be found here.

As you will recall, Colombia and the seven other governmental members of the Amazon Cooperation Treaty Organization have been trying to stymie Amazon’s application for .amazon on what you might call cultural appropriation grounds.

ACTO governments think they have the better right to the string, and they’ve been trying to get veto power over .amazon’s registry policies, something Amazon has been strongly resisting.

Amazon has instead offered a set of contractual Public Interest Commitments, such as giving ACTO the ability to block culturally sensitive strings, in the hope of calming the governments’ concerns.

These PICs, along with Amazon’s request for Spec 13 dot-brand status, will likely be published for 30 days of public comment this week, Global Domains Division head Cyrus Namazi told the board.

Expect fireworks.

After comments are closed, ICANN will then make any tweaks to the PICs that are necessary, before moving forward to contract-signing with Amazon, Namazi .said.

Comment Tagged: , , , , , , , ,