ICANN splits $9 million new gTLD ODP into nine tracks

ICANN has added a little more detail to its plans for the Operational Design Phase for the next round of the new gTLD program.

VP and ODP manager Karen Lentz last night blogged that the project is being split into nine work tracks, each addressing a different aspect of the work.

She also clarified that the ODP officially kicked off January 3, meaning the deadline for completion, barring unforeseen issues, is November 3. The specific dates hadn’t been clear in previous communications.

The nine work tracks are “Project Governance”, “Policy Development and Implementation Materials”, “Operational Readiness”, “Systems and Tools”, “Vendors”, “Communications and Outreach”, “Resources, Staffing, and Logistics”, “Finance”, and “Overarching”.

Thankfully, ICANN has not created nine new acronyms to keep track of. Yet.

Pro-new-gTLD community members observing how ICANN’s first ODP, which addressed Whois reform, seemed to result in ICANN attempting to kill off community recommendations may be worried by how Lenzt described the new ODP:

The purpose of this ODP, which began on 3 January, is to inform the ICANN Board’s determination on whether the recommendations are in the best interests of ICANN and the community.

I’d be hesitant to read too much into this, but it’s one of the clearest public indications yet that subsequent application rounds are not necessarily a fait accompli — the ICANN board could still decide force the community to go back to the drawing board if it decides the current recommendations are harmful or too expensive.

I don’t think that’s a likely outcome, but the thought that it was a possibility hadn’t seriously crossed my mind until quite recently.

Lentz also refers to “the work required to prepare for the next round and subsequent rounds”, which implies ICANN is still working on the assumption that the new gTLD program will go ahead.

The ICANN board has give Org 10 months and a $9 million budget, paid out of 2012-round application fee leftovers, to complete the ODP. The output will be an Operational Design Assessment, likely to be an enormous document, that the board will consider, probably in the first half of next year, before implementation begins.

Crain named ICANN CTO

ICANN veteran John Crain has been named the Org’s new chief technology officer.

He’s replacing David Conrad, who he’s been subbing in for since Conrad left at the end of September.

Crain has been with ICANN for 20 years and was most recently chief security, stability, and resiliency officer.

ICANN trying to strangle SSAD in the crib?

ICANN is trying to kill off or severely cripple Whois reform because it thinks the project stands to be too expensive, too time-consuming, and not fit for purpose.

That’s what many long-time community members are inferring from recent discussions with ICANN management about the Standardized System for Access and Disclosure (SSAD), a proposed method of normalizing how people request access to private, redacted Whois data.

The community has been left trying to read the tea leaves following a December 20 briefing in which ICANN staff admitted they have failed to even approximately estimate how well-used SSAD, which has been criticized by potential users as pointless, might be.

During the briefing, staff gave a broad range of implementation times and cost estimates, saying SSAD could take up to four years and $27 million to build and over $100 million a year to operate, depending on adoption.

The SSAD idea was thrown together in, by ICANN standards, super-fast time with a super-tenuous degree of eventual consensus by a cross-community Expedited Policy Development Process working group.

One of the EPDP’s three former chairs, Kurt Pritz, a former senior ICANN staffer who’s been heavily involved in community work since his departure from the Org in 2012, provided his read of the December webinar on a GNSO Council discussion this week.

“I’ve sat through a number of cost justification or cost benefit analyses in my life and got a lot of reports, and I’ve never sat through one that more clearly said ‘Don’t do this’,” Pritz said.

GNSO liaison to the Governmental Advisory Committee Jeff Neuman concurred moments later: “It seemed that we could imply from the presentation that that staff was saying ‘Don’t do it’… we should require them to put that in writing.”

“It was pretty clear from the meeting that ICANN Org does not want to build the SSAD. Many people in the community think its estimates are absurdly inflated in order to justify that conclusion,” Milton Mueller of the Internet Governance Project recently wrote of the same webinar.

These assessments seem fair, to the extent that ICANN appears seriously averse to implementing SSAD as the recommendations are currently written.

ICANN repeated the December 20 cost-benefit analysis in a meeting with the GAC this week, during which CEO Göran Marby described the limitations of SSAD, and how it cannot override privacy laws such as the GDPR:

It’s not a bug, it’s a feature of GDPR to limit access to data…

The SSAD is a recommended system to streamline the process of requesting data access. It cannot itself increase access to the data, as this is actually determined by the law. And so, in practice, the SSAD is expected to have little to no impact on the contracted parties’ ultimate disclosure or nondisclosure response to requests… it’s a ticketing system with added functionality.

While Marby stressed he was not criticizing the EPDP working group, that’s still a pretty damning assessment of its output.

Marby went on to reiterate that even if SSAD came into existence, people wanting private Whois data could still request it directly from registries and registrars, entirely bypassing SSAD and its potentially expensive (estimated at up to $45) per-query fees.

It seems pretty clear that ICANN staff is not enthused about SSAD in its current form and there’s a strong possibility the board of directors will concur.

So what does the policy-making community do?

There seems to be an emerging general acceptance among members of the GNSO Council that the SSAD proposals are going to have to be modified in some way in order for them to be approved by the board.

The question is whether these modifications are made preemptively, or whether the GNSO waits for more concrete feedback from Org and board before breaking out the blue pen.

Today, all the GNSO has seen is a few PowerPoint pages outlining the top-line findings of ICANN’s Operational Design Assessment, which is not due to be published in full until the board sees it next month.

Some Council members believe they should at least wait until the full report is out, and for the board to put something on the record detailing its reservations about SSAD, before any changes are made.

The next update on SSAD is an open community session, likely to cover much of the same ground as the GAC and GNSO meetings, scheduled for 1500 UTC on January 18. Details here.

The GNSO Council is then scheduled to meet January 20 for its regular monthly meeting, during which next steps will be discussed. It will also meet with the ICANN board later in the month to discuss its concerns.

ICANN trying to water down its transparency obligations

ICANN? Trying to be less transparent? Surely not!

The Org has been accused by some of its community members of trying to shirk its transparency obligations with proposed changes to its Documentary Information Disclosure Policy.

The changes would give ICANN “superpowers” to deny DIDP requests, and to deny them without explanation, according to inputs to a recently closed public comment period.

The DIDP is ICANN’s equivalent of a Freedom of Information Act, allowing community members to request documentation that would not be published during the normal course of business.

It’s often used, though certainly not exclusively so, by lawyers as a form of discovery before they escalate their beefs to ICANN accountability mechanisms or litigation.

It already contains broad carve-outs that enable ICANN to refuse disclosure if it considers the requested info too sensitive for the public’s eyes. These are the Defined Conditions for Nondisclosure, and they are used frequently enough that most DIDPs don’t reveal any new information.

The proposed new DIDP broadens these nondisclosure conditions further, to the extent that some commentators believe it would allow ICANN to deny basically any request for information. New text allows ICANN to refuse a request for:

Materials, including but not limited to, trade secrets, commercial and financial information, confidential business information, and internal policies and procedures, the disclosure of which could materially harm ICANN’s financial or business interests or the commercial interests of its stakeholders who have those interests.

The Registries Stakeholder Group noted that this is “broader” than the current DIDP, while the At-Large Advisory Committee said (pdf) it “essentially grants ICANN the right to refuse any and all requests”.

ALAC wrote that “rejecting a request because it includes commercial or financial information or documents an internal policy makes a mockery of this DIDP policy”.

Jeff Reberry of drop-catch registrar TurnCommerce concurred (pdf), accusing ICANN of trying to grant itself “superpowers” and stating:

Extremely generic terms such as “confidential business information” and “commercial information” were added. Frankly, this could mean anything and everything! Thus, ICANN has now inserted a catch-all provision allowing it to disclose nothing.

Other comments noted that the proposed changes dilute ICANN’s responsibility to explain itself when it refuses to release information.

Text requiring ICANN to “provide a written statement to the requestor identifying the reasons for the denial” has been deleted from the proposed new policy.

A collection of six lawyers, all prolific DIDP users, put their names to a comment (pdf) stating that “the change results in less transparency than the current DIDP”.

The lawyers point out that requests that are denied without explanation would likely lead to confusion and consequently increased use of ICANN’s accountability mechanisms, such as Requests for Reconsideration. They wrote:

Simply stated, the Revised Policy allows ICANN to obscure its decision-making and will ultimately cause disputes between ICANN and the Internet community — the complete opposite of the “accountable and transparent” and “open and transparent processes” required by ICANN’s Bylaws.

One change that didn’t get much attention in the public comments, but which certainly leapt out to me, concerns the turnaround time for DIDP responses.

Currently, the DIDP states that ICANN “will provide a response to the DIDP request within 30 calendar days from receipt of the request.”

In practice, ICANN treats this obligation like one might treat a tax return or a college essay — it almost provides its response exactly 30 days after it receives a request, at the last possible moment.

The revised DIDP gives ICANN the new ability to extend this deadline for another 30 days, and I don’t think it’s unreasonable to assume, given past behavior, that ICANN will try to exploit this power whenever it’s advantageous to do so:

In the event that ICANN org cannot complete its response within that 30-calendar-day time frame, ICANN org will inform the requestor by email as to when a response will be provided, which shall not be longer than an additional 30 calendar days, and explain the reasons necessary for the extension of time to respond.

The predictably Orwellian irony of all of the above proposed changes is that they come in response to a community review called the Cross-Community Working Group on Enhancing ICANN Accountability Work Stream 2 (WS2), which produced recommendations designed to enhance accountability and transparency.

Whether they are adopted as-is or further revised to address community concerns is up to the ICANN board of directors, which is of course advised by the staff lawyers who drafted the proposed revisions.

ICANN staff’s summary of the seven comments submitted during the public comment period is due next week.

A decade after the last new gTLD round, Marby starts the clock on the next one

The next new gTLD application is moving a step closer this month, with ICANN chief Göran Marby promising the launch of its Operational Design Phase.

But it’s still unclear whether the ODP has officially started, and many community members are angry and frustrated that the process is taking too long, some 10 years after the last application window opened.

Marby published a blog post December 20 stating “the org has advised the Board that it is beginning the ODP”, but he linked to a December 17 letter (pdf) that told the board “the org is now transitioning to launch the ODP formally as of January”.

We’re well into January now, so does that mean the ODP has officially started? It’s not clear from what ICANN has published.

It seems either ICANN doesn’t yet want to pin down an exact date for the ODP being initiated, which starts the clock on its deadline for completion, or it’s just really bad at communications.

In September, the board gave Marby $9 million and 10 months for the ODP to come up with its final output, an Operational Design Assessment.

The project is being funded from the remaining application fees from the 2012 application round, rather than ICANN’s regular operations budget.

The text of the resolution gives the deadline as “within ten months from the date of initiation, provided that there are no unforeseen matters that could affect the timeline”.

Assuming the “date of initiation” is some point this month, the ODA would be therefore due to be delivered before the end of November this year, barring “unforeseen matters”.

The document would then be considered by the ICANN board, a process likely to be measured in a handful of months, rather than weeks or days, pushing a final decision on the next round out into the first quarter of 2023.

For avoidance of doubt, that’s the decision about whether or not to even have another new gTLD round.

As a reminder, the 2012 round Applicant Guidebook envisaged a second application round beginning about a year after the first.

Naturally, many would-be applicants are incredibly frustrated that this stuff is taking so long, none more so than the Brand Registry Group, which represents companies that want to apply for dot-brand gTLDs and the consultants that want to help them do so.

Overlapping with ICANN’s December 17 letter to the board, BRG president Karen Day wrote to ICANN (pdf) to complain about the lack of progress and the constant extensions of the runway, saying:

The constant delay and lack of commitment to commencing the next round of new gTLDs is unreasonable and disrespectful to the community that has worked diligently… these delays and lack of commitments to deliver the community’s work is an increasing pattern which risks disincentivizing the volunteer community and threatens the multistakeholder model

Day asked the board to provide more clarity about the ODP’s internal milestones and possible delaying factors, and called for future work to begin in parallel with the ODP in order to shorten the overall roadmap.

It’s worth noting that the ODP may wind up raising more questions than it answers, delaying the next round still further.

It’s only the second ODP ICANN has conducted. The first, related to Whois privacy reform, ended in December (after delays) with a report that essentially shat all over the community’s policy work, predicting that it would take several years and cost tens of millions of dollars to implement for potentially very little benefit.

The board is expected to receive that first ODP’s report in February and there’s no telling what conclusions it will reach.

While Marby has publicly indicated that he’s working on the assumption that there will be another new gTLD round, the ODP gives ICANN a deal of power to frustrate and delay that eventuality, if Org is so inclined.

Whois reform to take four years, cost up to $107 million A YEAR, and may still be pointless

ICANN’s proposed post-GDPR Whois system could cost over $100 million a year to run and take up to four years to build, but the Org still has no idea whether anyone will use it.

That appears to be the emerging conclusion of ICANN’s very first Operational Design Phase, which sought to translate community recommendations for a Standardized System for Access and Disclosure (SSAD) into a practical implementation plan.

SSAD is supposed to make it easier for people like trademark owners and law enforcement to request personal information from Whois records that is currently redacted due to privacy laws such as GDPR.

The ODP, which was originally meant to conclude in September but will now formally wrap up in February, has decided so far that SSAD will take “three to four years” to design and build, costing between $20 million and $27 million.

It’s calculated the annual running costs at between $14 million and $107 million, an eye-wateringly imprecise estimate arrived at because ICANN has pretty much no idea how many people will want to use SSAD, how much they’d be prepared to pay, and how many Whois requests they will likely make.

ICANN had previously guesstimated startup costs of $9 million and ongoing annual costs around the same level.

The new cost estimates are based on the number of users being anywhere between 25,000 and three million, with the number of annual queries coming in at between 100,000 and 12 million.

And ICANN admits that the actual demand “may be lower” than even the low-end estimate.

“We haven’t been able to figure out how big the demand is,” ICANN CEO Göran Marby told the GNSO Council during a conference call last month.

“Actual demand is unknowable until well after the launch of the SSAD,” an ICANN presentation (pdf) states. The Org contacted 11 research firms to try to get a better handle on likely demand, but most turned down the work for this reason.

On pricing, the ODP decided that it would cost a few hundred bucks for requestors to get accredited into the system, and then anywhere between $0.45 and $40 for every Whois request they make.

Again, the range is so laughably broad because the likely level of demand is unknown. A smaller number of requests would lead to a higher price and vice versa.

Even if there’s an initial flurry of SSAD activity, that could decline over time, the ODP concluded. In part that’s because registries and registrars would be under no obligation to turn over records, even if requestors are paying $40 a pop for their queries.

It’s also because SSAD would not be mandatory — requestors could still approach contracted parties directly for the info they want, for low or no cost, if they think the price of SSAD is too high or accreditation requirements too onerous.

“There’ll always be a free version of this for everybody,” Marby said on the conference call.

In short, it’s a hell of a lot of money for not much functionality. There’s a better than even chance it could be a huge waste of time and money.

An added complication is that the laws that SSAD is supposed to address, mainly GDPR, are likely to change while it’s being implemented. The European Union’s NIS2 Directive stands to move the goalposts on Whois privacy substantially, and not uniformly, in the not-too-distant future, for example.

This is profoundly embarrassing for ICANN as an organization. Created in the 1990s to operate at “internet speed”, it’s now so bloated, so twisted up it its own knickers, that it’s getting lapped by the lumbering EU legislative process.

The ODP is set to submit its final report to ICANN’s board of directors in February. The board could theoretically decide that it’s not in the interest of ICANN or the public to go ahead with it.

Marby, for his part, seems to be thinking that there could be some benefit from a centralized hub for submitting Whois requests, but that it should be simpler than the current “too complex” proposal, and funded by ICANN.

My take is that ICANN is reluctant to move ahead with SSAD as it’s currently proposed, but because top-down policy-making is frowned upon its hands are tied to make the changes it would like to see.

Hamburg to have second crack at hosting ICANN meeting

The City of Hamburg is to try again to bring in the ICANN crowd, after getting cancelled due to the pandemic last year.

German ccTLD registry DENIC, along with the city and local trade group eco, is taking a run at being selected as the host for ICANN 78, currently penciled in for October 2023, the company said this week.

It had been picked to host ICANN 69 in October 2020, but pandemic travel restrictions scuppered that opportunity.

The last six public ICANN meetings have been online-only, as will next March’s ICANN 73, which had been due to take place in Puerto Rico.

Hamburg’s chances would have to be said to be strong. Three other cancelled host cities — Kuala Lumpur, The Hague and Cancun — have already been confirmed for meetings in 2022 and 2023.

Of course, the ultimate decision-maker is a nucleic acid molecule wearing a spiky protein coat.

ICANN budget: staff bloat making a comeback

ICANN plans to ramp up its headcount starting next year to support the development of the new gTLD program.

Newly published budgeting documents show that average headcount is expected to rise to 406 for the year ending June 30, 2022, from 395 at the end of this June, with an even steeper increase to 448 a year later.

That’s after several years in which staffing levels have been fairly stable, even sometimes declining a little.

The main culprit is the Operational Design Phase for the next new gTLD round(s), which is expected to kick off soon.

ICANN expects to hire or assign nine people to manage the ODP before the end of June 2022, ramping that up to an average of 22 over the following year. The amount of non-ODP operational staff is expected to rise by 28 over the same period.

ICANN currently advertises 31 open positions on its web site, having added eight listings just this week.

This chart shows the expected growth:

At the time of the last new gTLD application round, in 2012, ICANN had 152 staffers, nine of whom were assigned to new gTLD project — and that was after the programs rules had already been developed, implemented and the application window opened and closed.

ICANN budget: no more new gTLDs before 2028

ICANN is not accounting for any revenue from a future round of new gTLDs in its just-published budget, which plots out the Org’s finances all the way through 2028.

The budget, which I gave a high-level summary of here, even predicts that dozens of 2012-round new gTLDs will disappear over the next six years.

The Org is predicting that there will be 1,091 gTLDs on the internet by the end of its fiscal 2027 (that is, June 30, 2028) down by 58 or 5% from July 2022.

Given that it’s only expecting to lose four gTLDs in FY23, this projection implies a speeding up of the rate at which gTLDs start cancelling their contracts or going out of business in the later part of the five-year budget.

The forecast comes with a big asterisk, however. A footnote reads:

These scenarios do not assume any further TLD delegations arising from the resumption of the New gTLD Program. While there is ongoing work and an intent to launch a subsequent round, the timing of its release remains unclear and potential impact(s) on funding indeterminate. Given this, ICANN org has deemed it prudent not to assume any prospective impacts from a subsequent round across the described scenarios.

In other words, ICANN is not yet ready to commit to a runway for the next application round, subsequent delegations and eventual revenue.

As I reported Monday, the next round is unlikely to be approved until the fourth quarter of next year at the earliest, and my view is that 2024 is the soonest the next application window could open.

I don’t think we can read too much into the fact that ICANN isn’t budgeting for any next-round impact on funding until after 2027.

If you’re pessimistic, you could infer that ICANN believes it’s at least a possibility that the next round could take that long, or not be approved at all, but the safer bet is probably that it merely lacks visibility and is acting in its usual risk-averse manner.

ICANN budget: mild optimism amid maturing industry

ICANN thinks the domain industry, including the new gTLD industry, is maturing and will continue to grow, in its just-published draft budget for fiscal 2023.

The Org is predicting growing transactions across the board, as well as an increase in the number of accredited registrars and a slowing decline in the number of contracted gTLDs.

ICANN is expecting funding of $152 million for FY23, which includes the $4 million bung it negotiated with Verisign as part of the deal to allow the company to raise .com prices.

That’s up from the $149.1 million is expects to receive in the current fiscal year.

As usual, the bulk of the funding comes from gTLD transaction fees — the taxes registrants pay through their registrars and registries whenever they register, renew or transfer a domain name.

Legacy gTLD transaction fees are expected to amount to $93.1 million, up 3% on a forecast of $90.1 million in the current year, while new gTLD transaction fees are expected to rise modestly from $9.5 million to $9.9 million, a 4% increase.

Transactions in legacy gTLDs are expected to be 201.2 million, versus 193.6 million in the current year.

New, post-2012 gTLDs are expected to process 25.8 million transactions, up from 24.8 million, of which 21.1 million will be billable, up from 20.3 million. New gTLDs only pay transaction fees after 50,000 domains under management.

ICANN is expecting to lose four registries in FY23 — this almost always means dot-brands that cancel their contracts — with the total declining from a June 2022 total of 1,149 to 1,145 a year later. This will have a modest impact on fixed registry fees.

But the Org is once again expecting to see an increase in the number of registrars paying fixed accreditation fees, up by 28 to 2,447 at the end of FY23.

Accompanying the budget, ICANN has published some industry trend analysis (pdf) outlining some of the assumptions behind the budget forecasts.

Basically, the document describes what regular readers already know — many domain companies benefited from pandemic-related lockdowns driving small businesses online, but overall industry volumes were driven down by low-cost new gTLDs experiencing huge junk drops.

For ICANN’s purposes, factors such as customer quality and pricing are irrelevant. A spammer registering 1,000 domains in bulk pays ICANN the same amount in fees as 1,000 small businesses building their first web sites.

The document reads:

Taken as a whole, DUMs failed to expand in the past twelve months ending in mid-2021. While this decline is at least partly attributable to lower promotional activity among some of the largest new gTLDs which could be reinitiated in the future, it nonetheless points to an industry that has shifted from a period of rapid expansion to one that is now witnessing steady maturation.

The draft ICANN budget covers the 12 months beginning July 1, 2023, and is now open for public comment before possible revisions and final approval.