Recent Posts
- ICANN must do more to fight internet security threats [Guest Post]
- Bumper batch of dot-brands off themselves for Friday 13th
- .org price cap complaints more like “spam” says Ombudsman
- Botterman is new ICANN chair
- Another victory for Amazon as ICANN rejects Colombian appeal
- Kafka turns in grave as ICANN crowbars “useless” Greek TLD into the root
- Sorry, you still can’t sue ICANN, two-faced .africa bidder told
- Why you should never let a pizza joint apply for your billion-dollar dot-brand
- More than 1,000 new gTLDs a year? Sure!
- Paranoid ICANN opens another root server in China
- A third of the top TLDs are shrinking
- These two ccTLDs drove two thirds of all domain growth in Q2
- .blog registry handover did NOT go smoothly
- Donuts slashes prices on a million domains
- .tech gTLD startups “raise $2 billion”
- Whois killer deadline has passed. Did most registrars miss it?
- CIRA replaces CORE as emergency backup registry
- The Amazon is burning. Is this good news for .amazon?
- China’s MySpace trainwreck sells its gTLD
- Second-level .au names delayed
- ICANN names new directors, replaces Facebook exec
- After getting acquired, bank scraps its dot-brand
- Porn-block retail prices revealed. Wow.
- Registrars could be held liable for US gun violence
- Three-letter .com owned by hospital “hijacked”
- “We’re Irish!” claim Brits as .eu shrinks yet again
- Mystery .vu registry revealed
- Berkens says new gTLDs mostly suck but geos suck hardest
- .gay gets rooted
- Neustar takes control of two new gTLDs
- Epik will sponsor 8chan’s domain, but will not host its site
- EFF becomes second to appeal new .org contract
- CentralNic to pay $3.4 million for iwantmyname
- Google has big, innovative plans for .new
- Amazon and Google have been BEATEN by a non-profit in the fight for .kids
- After more racist shootings, take one guess which registrar 8chan just switched to
- Radix releases huge amount of premium domain data
- ICANN dumps the “Whois” in new Whois tool
- Now auDA loses its CEO too
- Porn blocks could be worth millions to MMX
- Cryptocurrency firms to be banned from .bank
- Cybersquatting cases down a bit in the UK
- Looks like .fans has a new Chinese owner
- Can NameCheap reverse .org price cap scrap?
- Neustar to keep .us for another decade
- MMX to pay $5.1 million to get out of terrible .london deal
- ZADNA boss canned for “misconduct”
- ICANN’s new conferencing software has a webcam security bug
- ICANN explains how .org pricing decision was made
- CEO lost millions on Manhattan apartment deal just days before AlpNames went dark
ICANN must do more to fight internet security threats [Guest Post]
ICANN and its contracted parties need to do more to tackle security threats, write Dave Piscitello and Lyman Chapin of Interisle Consulting.
The ICANN Registry and Registrar constituencies insist that ICANN’s role with respect to DNS abuse is limited by its Mission “to ensure the stable and secure operation of the internet’s unique identifier systems”, therefore limiting ICANN’s remit to abuse of the identifier systems themselves, and specifically excluding from the remit any harms that arise from the content to which the identifiers point.
In their view, if the harm arises not from the identifier, but from the thing identified, it is outside of ICANN’s remit.
This convenient formulation relieves ICANN and its constituencies of responsibility for the way in which identifiers are used to inflict harm on internet users. However convenient it may be, it is fundamentally wrong.
ICANN’s obligation to operate “for the benefit of the Internet community as a whole” (see Bylaws, “Commitments”) demands that its remit extend broadly to how a domain name (or other Internet identifier) is misused to point to or lure a user or application to content that is harmful, or to host content that is harmful.
Harmful content itself is not ICANN’s concern; the way in which internet identifiers are used to weaponize harmful content most certainly is.
Rather than confront these obligations, however, ICANN is conducting a distracting debate about the kinds of events that should be described as “DNS abuse”. This is tedious and pointless; the persistent overloading of the term “abuse” has rendered it meaningless, ensuring that any attempt to reach consensus on a definition will fail.
ICANN should stop using the term “DNS abuse” and instead use the term “security threat”.
The ICANN Domain Abuse Activity Reporting project and the Governmental Advisory Committee (GAC) use this term, which is also a term of reference for new TLD program obligations (Spec 11) and related reporting activities. It is also widely used in the operational and cybersecurity communities.
Most importantly, the GAC and the DAAR project currently identify and seek to measure an initial set of security threats that are a subset of a larger set of threats that are recognized as criminal acts in jurisdictions in which a majority of domain names are registered.
ICANN should acknowledge the GAC’s reassertion in its Hyderabad Communique that the set of security threats identified in its Beijing correspondence to the ICANN Board were not an exhaustive list but merely examples. The GAC smartly recognized that the threat landscape is constantly evolving.
ICANN should not attempt to artificially narrow the scope of the term “security threat” by crafting its own definition.
It should instead make use of an existing internationally recognized criminal justice treaty. The Council of Europe’s Convention on Cybercrime is a criminal justice treaty that ICANN could use as a reference for identifying security threats that the Treaty recognizes as criminal acts.
The Convention is recognized by countries in which a sufficiently large percentage domain names are registered that it can serve the community and Internet users more effectively and fairly than any definition that ICANN might concoct.
ICANN should also acknowledge that the set of threats that fall within its remit must include all security events (“realized security threats”) in which a domain name is used during the execution of an attack for purposes of deception, for infringement on copyrights, for attacks that threaten democracies, or for operation of criminal infrastructures that are operated for the purpose of launching attacks or facilitating criminal (often felony) acts.
What is that remit?
ICANN policy and contracts must ensure that contracted parties (registrars and registries) collaborate with public and private sector authorities to disrupt or mitigate:
- illegal interception or computer-related forgery,
- attacks against computer systems or devices,
- illegal access, data interference, or system interference,
- infringement of intellectual property and related rights,
- violation of laws to ensure fair and free elections or undermine democracies, and
- child abuse and human trafficking.
We note that the Convention on Cybercrime identifies or provides Guidance Notes for these most prevalently executed attacks or criminal acts:
- Spam,
- Fraud. The forms of fraud that use domain names in criminal messaging include, business email compromise, advance fee fraud, phishing or other identity thefts.
- Botnet operation,
- DDoS Attacks: in particular, redirection and amplification attacks that exploit the DNS
- Identity theft and phishing in relation to fraud,
- Attacks against critical infrastructures,
- Malware,
- Terrorism, and,
- Election interference.
In all these cases, the misuse of internet identifiers to pursue the attack or criminal activity is squarely within ICANN’s remit.
Registries or registrars should be contractually obliged to take actions that are necessary to mitigate these misuses, including suspension of name resolution, termination of domain name registrations, “unfiltered and unmasked” reporting of security threat activity for both registries and registrars, and publication or disclosure of information that is relevant to mitigating misuses or disrupting cyberattacks.
No one is asking ICANN to be the Internet Police.
The “ask” is to create policy and contractual obligations to ensure that registries and registrars collaborate in a timely and uniform manner. Simply put, the “ask” is to oblige all of the parties to play on the same team and to adhere to the same rules.
This is unachievable in the current self-regulating environment, in which a relatively small number of outlier registries and registrars are the persistent loci of extraordinary percentages of domain names associated with cyberattacks or cybercrimes and the current contracts offer no provisions to suspend or terminate their operations.
This is a guest editorial written by Dave Piscitello and Lyman Chapin, of security consultancy Interisle Consulting Group. Interisle has been an occasional ICANN security contractor, and Piscitello until last year was employed as senior security technologist on ICANN staff. The views expressed in this piece do not necessary reflect DI’s own.
Bumper batch of dot-brands off themselves for Friday 13th
It’s Friday 13th tomorrow, and to celebrate the occasion no fewer than 13 dot-brands have opted to take the easy way out and self-terminate.
ICANN has published a bumper list of contracted brand registries that have informed the organization that they no longer wish to run their gTLDs.
Adding themselves to the dot-brand deadpool are: .ladbrokes, .warman, .cartier, .piaget, .chrysler, .dodge, .mopar, .srt, .uconnect, .movistar, .telefonica, .liason and .lancome.
That brings the total of self-terminated new gTLDs to date to 66.
The imminent demise of .cartier and .piaget is perhaps notable, as it means luxury goods maker Richemont has now abandoned ALL of the nine dot-brands it originally applied for.
Richemont, an enthusiastic early adopter of the new gTLD concept, applied for 14 strings in total back in 2012.
The only ones it has left are generics — .watches along with the the Chinese translation .手表 and the Chinese for “jewelry”, .珠宝, none of which have been launched and in all likelihood are being held defensively.
It’s the same story with L’oreal, the cosmetics company. It also applied for 14 gTLDs, mostly brands, but abandoned all but .lancome prior to contracting.
With .lancome on its way out, L’oreal only owns the generics .skin, .hair, .makeup and .beauty, at least one of which is actually being used.
Also of note is the fact the car company Chrysler is dumping five of its six gTLDs — .chrysler, .dodge, .mopar, .srt and .uconnect — leaving only .jeep (unused) still under contract.
Clearly, Chrysler is not as keen on dot-brands as some of its European competitors, which have been among the most prolific users.
Telefonica’s abandonment of .movistar and .telefonica also means it’s out of the gTLD game completely now, although its Brazilian subsidiary still owns (and uses) .vivo.
Betting company Ladbrokes only ever owned .ladbrokes, though it did unsuccessfully apply for .bet also.
Rounding off the list is .warman, a brand of — and I’m really not making this up — industrial slurry pumps. The pumps are made by a company called Weir, which uses global.weir as its primary web site. So that’s nice.
As far as I can tell, none of the gTLDs that are being killed off had ever been used, though each registry will have paid ICANN six-figure fees since they originally contracted.
.org price cap complaints more like “spam” says Ombudsman
ICANN’s Ombudsman has sided with with ICANN in the fight over the lifting of price caps on .org domains, saying many of the thousands of comments objecting to the move were “more akin to spam”.
Herb Waye was weighing in on two Requests for Reconsideration, filed by NameCheap and the Electronic Frontier Foundation in July and August after ICANN and Public Interest Registry signed their controversial new registry agreement.
NameCheap wants ICANN to reverse its decision to allow PIR to raise .org prices by however much it chooses, while the EFF complained primarily about the fact that the Uniform Rapid Suspension anti-cybersquatting measure now appears in the contract.
In both cases, the requestors fumed that ICANN seemed to “ignore” the more than 3,200 comments that were filed in objection back in April, with NameCheap calling the public comment process a “sham”.
But Waye pointed to the fact that many of these comments were filed by people using a semi-automated web form hosted by the pro-domainer Internet Commerce Association.
As far as comments go for ICANN, 3200+ appears to be quite a sizeable number. But, seeing as how the public comments can be filled out and submitted electronically, it is not unexpected that many of the comments are, in actuality, more akin to spam.
With this eyebrow-raising comparison fresh in my mind, I had to giggle when, a few pages later, Waye writes (emphasis in original):
I am charged with being the eyes and ears of the Community. I must look at the matter through the lens of what the Requestor is asking and calling out. The Ombuds is charged with being the watchful eyes of the ICANN Community. The Ombuds is also charged with being the alert “ears” of the Community — with listening — with making individuals, whether Requestors or complainants or those just dropping by for an informal chat, feel heard.
Waye goes on to state that the ICANN board of directors was kept well-briefed on the status of the contract negotiations and that it had been provided with ICANN staff’s summary of the public comments.
He says that allowing ICANN’s CEO to execute the contract without a formal board vote did not go against ICANN rules (which Waye says he has “an admittedly layman’s understanding” of) because contractual matters are always delegated to senior staff.
In short, he sees no reason for ICANN to accept either Request for Reconsideration.
The Ombudsman is not the decision-maker here — the two RfRs will be thrown out considered by ICANN’s Board Accountability Mechanisms Committee at its next meeting, before going to the full board.
But I think we’ve got a pretty good indication here of which way the wind is blowing.
You can access the RfR materials and Waye’s responses here.
Botterman is new ICANN chair
ICANN has announced that Maarten Botterman has been selected as its new chair.
He, along with newly selected vice chair León Felipe Sánchez Ambia, will take their seats after a formal board vote to come at the end of ICANN’s annual general meeting in Montreal next month.
Botterman replaces Cherine Chalaby, who has been in the role for two years. Chalaby is term-limited, having joined the board nine years ago, and will leave ICANN after Montreal.
Chris Disspain and Ron da Silva also stood for the chair, Chalaby said in a blog post last night. Becky Burr stood unsuccessfully for vice chair.
Disspain, currently vice chair, has stepped aside immediately to be replaced for the next month by Botterman. Disspain’s nine years come to an end next year.
Botterman is Dutch, based in Rotterdam, where he works as an “independent strategic advisor” at his own company, GNKS Consult.
He’s also on the board of the non-profit NLnet Foundation, which funds internet research, and is a former chair of Public Interest Registry, which runs .org.
He’s got a background in the Dutch government and the European Commission.
He was put on the board by the Nominating Committee three years ago and renewed for another three years last month. Theoretically, he could stay as ICANN’s chair for the next six years.
Another victory for Amazon as ICANN rejects Colombian appeal
Amazon’s application for .amazon has moved another step closer to reality, after ICANN yesterday voted to reject an appeal from the Colombian government.
The ICANN board of directors voted unanimously, with two conflict-related abstentions, to adopt the recommendation of its Board Accountability Mechanisms Committee, which apparently states that ICANN did nothing wrong when it decided back in May to move .amazon towards delegation.
Neither the board resolution nor the BAMC recommendation has been published yet, but the audio recording of the board’s brief vote on Colombia’s Request for Reconsideration yesterday can be found here.
As you will recall, Colombia and the seven other governmental members of the Amazon Cooperation Treaty Organization have been trying to stymie Amazon’s application for .amazon on what you might call cultural appropriation grounds.
ACTO governments think they have the better right to the string, and they’ve been trying to get veto power over .amazon’s registry policies, something Amazon has been strongly resisting.
Amazon has instead offered a set of contractual Public Interest Commitments, such as giving ACTO the ability to block culturally sensitive strings, in the hope of calming the governments’ concerns.
These PICs, along with Amazon’s request for Spec 13 dot-brand status, will likely be published for 30 days of public comment this week, Global Domains Division head Cyrus Namazi told the board.
After comments are closed, ICANN will then make any tweaks to the PICs that are necessary, before moving forward to contract-signing with Amazon, Namazi .said.
Recent Comments
Your comment has nothing to do with what I said. Post your self promotion elsewhere (I see you are doing this on other b... read more
These violations are criminal and should be brought forth in court.... read more
He's right. Icann should just have emailed all 10 million .org domain owners and asked them if they wanted to get rid of... read more
They got stitched by registries and advisors, a bit like Y2Kwhere some can be convinced that they need to protect themse... read more
A white dutch man putting forward a white dutch man.. who is surprised?... read more
Thanks, Kevin. Appreciate it. If it's at all helpful, the scan is indeed of a trademark registration certificate from... read more
If I had known there was a Chinese translation of jewelry, I would have added it to my Luxury new gTLD report ... read more
Talk about ICANN's unprofessionalism and petty vindictiveness. Grow up, boys. We are all in this together.... read more
Um...what the puck were they thinking to begin with? I have no sympathy for idiots who foolishly ventured into the sewa... read more
Companies are waking up to the fact that .brands are a confusing mess and a huge waste of money!... read more