Latest news of the domain name industry

Recent Posts

Kafka turns in grave as ICANN crowbars “useless” Greek TLD into the root

Kevin Murphy, September 9, 2019, Domain Policy

ICANN has finally approved a version of .eu in Greek script, but it’s already been criticized as “useless”.

Yesterday, ICANN’s board of directors rubber-stamped .ευ, the second internationalized domain name version of the European Union’s .eu, which will be represented in the DNS as .xn--qxa6a.

There’s a lot of history behind .ευ, much of it maddeningly illustrative of ICANN’s Kafkaesque obsession with procedure.

The first amusing thing to point out is that .ευ is technically being approved under ICANN’s IDN ccTLD Fast Track Process, a mere NINE YEARS after EURid first submitted its application.

The “Fast Track” has been used so far to approve 61 IDN ccTLDs. Often, the requested string is merely the name of the country in question, written in one of the local scripts, and the TLD is approved fairly quickly.

But in some cases, especially where the desired string is a two-character code, a string review will find the possibility of confusion with another TLD. This runs the risk of broadening the scope of domain homograph attacks sometimes used in phishing.

That’s what happened to .ευ, along with Bulgaria’s Cyrillic .бг and Greece’s own .ελ, which were rejected on string confusion grounds back in 2010 and 2011.

Under pressure from the Governmental Advisory Committee, ICANN then implemented an Extended Process Similarity Review Panel, essentially an appeals process designed to give unsuccessful Fast Track applicants a second bite at the apple.

That process led to Bulgaria being told that .бг was not too similar to Brazil’s .br, and Greece being told that .ελ did not look too much like .EA, a non-existent ccTLD that may or may not be delegated in future, after all.

But the EU’s .ευ failed at the same time, in 2014. The appeals review panel found that the string was confusable with upper-case .EY and .EV.

Again, these are not ccTLDs, just strings of two characters that have the potential to become ccTLDs in future should a new country or territory emerge and be assigned those codes by the International Standards Organization, a low-probability event.

I reported at the time that .ευ was probably as good as dead. It seemed pretty clear based on the rules at the time that if a string was confusable in uppercase OR lowercase, it would be rejected.

But I was quickly informed by ICANN that I was incorrect, and that ICANN top brass needed to discuss the results.

That seems to have led to ICANN tweaking the rules yet again in order to crowbar .ευ into the root.

In 2015, the board of directors reached out to the GAC, the ccNSO and the Security and Stability Advisory Committee for advice.

They dutifully returned two years later with proposed changes (pdf) that seemed tailor-made for the European Union’s predicament.

A requested IDN ccTLD that caused confusion with other strings in only uppercase, but not lowercase (just like .ευ!!!) could still get delegated, provided it had a comprehensive risk mitigation strategy in place, they recommended.

The recommendation was quickly approved by ICANN, which then sent its implementation guidelines (again, tailor-made for EURid (pdf)) back to the ccNSO/SSAC.

It was not until February this year that the ccNSO/SSAC group got back to ICANN (pdf) to approve of its implementation plan and to say that it has already tested it against EURid’s proposed risk-mitigation plan (pdf).

Basically, the process in 2009 didn’t produce the desired result, so ICANN changed the process. It didn’t produced the desired result again in 2014, so the process was changed again.

But at least Greek-speaking EU citizens are finally going to get a meaningful ccTLD that allows them to express their EUishness in their native script, right?

WRONG!

I recently read with interest and surprise a blog post by domainer-blogger Konstantinos Zournas, in which he referred to .ευ as the “worst domain extension ever”.

Zournas, who is Greek, opened my eyes to the fact that “.ευ” is meaningless in his native tongue. It’s just two Greek letters that visually resemble “EU” in Latin script. It’s confusing by design, but with .eu, a ccTLD that EURid already manages.

While not for a moment doubting Zournas’ familiarity with his own language, I had to confirm this on the EU’s Greek-language web site.

He’s right, the Greek for “European Union” is “Ευρωπαϊκής Ένωσης”, so the sensible two-letter IDN ccTLD would be .ΕΈ (those are Greek characters that look a bit like Latin E).

That would have almost certainly failed the ICANN string similarity process, however, as .ee/EE is the current, extant ccTLD for Estonia.

In short (too late), it seems to have taken ICANN the best part of a decade, and Jesus H Christ knows how many person-hours, to hack its own procedures multiple times in order to force through an application for a TLD that doesn’t mean anything, can’t be confused with anything that currently exists on the internet, and probably won’t be widely used anyway.

Gratz to all involved!

Sorry, you still can’t sue ICANN, two-faced .africa bidder told

Kevin Murphy, September 9, 2019, Domain Policy

Failed .africa gTLD applicant DotConnectAfrica appears to have lost its lawsuit against ICANN.

A California judge has said he will throw out the portions of DCA’s suit that had not already been thrown out two years ago, on the grounds that DCA was talking out of both sides of its mouth.

DCA applied for .africa in 2012 but lost out to rival applicant ZA Central Registry because ZACR had the backing of African governments and DCA did not.

It filed an Independent Review Process complaint against ICANN in 2013 and won in 2015, with the IRP panel finding that ICANN broke its own bylaws by paying undue deference to Governmental Advisory Committee advice.

It also emerged that ICANN had ghost-written letter of government support on behalf of the African Union, which looked very dodgy.

DCA then sued ICANN in 2016 on 11 counts ranging from fraud to breach of contract to negligence.

The Los Angeles Superior Court decided in 2017 that five of those charges were covered by the “covenant not to sue”, a broad waiver that all new gTLD applicants had to sign up to.

But the remaining six, relating to ICANN’s alleged fraud, were allowed to go ahead.

ICANN relied in its defense on a principle called “judicial estoppel”, where a judge is allowed to throw out a plaintiff’s arguments if it can be shown that it had previously relied on diametrically opposed arguments to win an earlier case.

The judge has now found that estoppel applies here, because DCA fought and won the IRP in part by repeatedly claiming that it was not allowed to sue in a proper court.

It had made this argument on at least seven occasions during the IRP, Judge Robert Broadbelt found. He wrote in his August 22 ruling (pdf):

DCA’s successfully taking the first position in the IRP proceeding and gaining significant advantages in that proceeding as a result thereof, and then taking the second position that its totally inconsistent in this lawsuit, presents egregious circumstances that would result in a miscarriage of justice if the court does not apply the doctrine of judicial estoppel to bar DCA from taking the second position in this lawsuit. The court therefore exercises its discretion to find in favor of ICANN, and against DCA, on ICANN’s affirmative defense of judicial estoppel and to bar DCA from bringing or maintaining its claims against ICANN alleged in the [First Amended Complaint] in this lawsuit.

In other words, ICANN’s won.

The case is not yet over, however. DCA still has an opportunity to object to the ruling, and there’s a hearing scheduled for December.

The Amazon is burning. Is this good news for .amazon?

Kevin Murphy, August 26, 2019, Domain Policy

With the tide of international opinion turning against Brazil due to the ongoing forest fires in the Amazon, could we see governments change their tune when it comes to Amazon’s application for .amazon?

A much higher number of forest fires than usual are currently burning in the region, largely in Brazil, which critics led by environmentalists and French president Emmanuel Macron have blamed on relaxed “slash and burn” farming policies introduced by new Brazilian president Jair Bolsonaro.

The rain forest is an important carbon sink, said to provide 20% of the world’s oxygen. The more of it is lost, the harder it is to tackle climate change, the argument goes.

It’s been an important topic at the Macro-hosted G7 summit, which ends today. Even the bloody Pope has weighed in.

Arguably, the stakes are nothing less than the survival of human civilization and life on Earth itself.

And this is a story about domain names. Sorry. This is a blog about domain names. My hands are tied.

Amazon the company has been fighting governments over its application for .amazon, along with the Chinese and Japanese translations, for over six years.

ICANN’s Governmental Advisory Committee was responsible for killing off .amazon in 2013 after it decided by consensus that Amazon’s application should not proceed.

That decision was only reached after the US, under the Obama administration, decided to abstain from discussions.

The US had been protecting Amazon by blocking GAC consensus, but changed its tune partly in order to throw a bone to world leaders, including then-president of Brazil Dilma Rousseff, who were outraged by CIA analyst Edward Snowden’s revelations of widespread US digital espionage.

After ICANN dutifully followed the GAC advice and rejected Amazon’s gTLD applications, Amazon appealed via the Independent Review Process and, in 2017, won.

The IRP panel ruled that the GAC’s objection had no clear grounding in public policy that could be gleaned from the record. It told ICANN to re-open the applications and evaluate them objectively.

Ever since then, the GAC’s advice to ICANN has been that it must “facilitate a mutually acceptable solution” between Amazon and the eight nations of the Amazon Cooperation Treaty Organization.

ICANN has been doing just that, or at least attempting to, for the last couple of years.

But the two parties failed to come to an agreement. ACTO wants to have essential veto power over Amazon’s use of .amazon, whereas Amazon is only prepared to offer lists of protected names, a minority position in any policy-setting body, and some sweeteners.

In May this year, ICANN’s board of directors voted to move .amazon along towards delegation, noting that there was “no public policy reason” why it should not.

In June, the government of Colombia filed a Request for Reconsideration with ICANN, demanding it reevaluate that decision.

The RfR was considered by ICANN’s Board Accountability Measures Committee at its meeting August 14, but its recommendation has not yet been published. I’m expecting it to be posted this week.

There’s still opportunity for the GAC to cause mischief, or act as a further delay on .amazon, but will it, in light of some country’s outrage over Brazil’s policy over the rain forest?

One could argue that if the nation that has the largest chunk of Amazon within its borders seems to have little regard to its international importance, why should its claim to ownership of the string “amazon” get priority over a big brand that has offered to protect culturally significant words and phrases?

Remember, as the example of the US in 2012/13 shows us, it only takes one government to block a GAC consensus. If Brazil or Peru continue to pursue their anti-Amazon path, could France throw a spanner in the works, smoothing .amazon’s road to delegation?

Anything’s possible, I suppose, but my feeling is that most governments back ACTO’s position largely because they’re worried that they could find themselves in a similar position of having to fight off an application for a “geographic” string in the next gTLD application round.

ICANN names new directors, replaces Facebook exec

Kevin Murphy, August 20, 2019, Domain Policy

ICANN’s Nominating Committee has picked two new directors to join the board of directors this November.

They are: Mandla Msimang, a South African technology policy consultant, and Ihab Osman, a serial director who ran Sudan’s ccTLD two decades ago but whose main current gig appears to be managing a Saudi Arabian dairy company.

Dutch domain industry figure Maarten Botterman, who had a stint heading Public Interest Registry, has been reappointed for his second three-year term.

But Tunisian Khaled Koubaa, head of public policy for North Africa at Facebook, who joined the board with Botterman in 2016 and also previously worked for PIR, is not being asked to return.

Msimang and Osman replace Koubaa and Cherine Chalaby, the current Egyptian-born chair, who after nine years on the board is term-limited.

Basically, it’s two Africans out, two Africans in.

In a statement, NomCom chair Damon Ashcraft noted that the committee had received 56 applications from Africa, more than any other region. Only two applications were received from North Americans.

This is perhaps unsurprising. NomCom had been duty-bound to pick at least one African, in order to maintain ICANN’s bylaws-mandated geographic balance, but there were no spots available for North Americans.

Replacing one male director with one female may also go some way to appease critics — including the ICANN board itself — who have claimed that the board needs to be more gender balanced.

The switch means that, after November, the eight NomCom appointees on the board will be evenly split in terms of gender. However, only seven out of the total 20 directors will be women.

The other directors are selected by ICANN’s various supporting organizations and advisory committees.

NomCom received applications from 42 women and 85 men this year.

ICANN has not yet published the official bios for the two new directors, but here’s what the internets has to say about about them.

Mandla Msimang. Msimang’s career appears to show her playing both hunter and gamekeeper in the South African telecommunications market, first working for the national regulator, and later for leading mobile phone operator Cell C. In 2007 she founded Pygma Consulting, a boutique IT consultancy, which she still runs.

Ihab Osman. Osman’s day job appears to be general manager of NADEC New Businesses, a unit of Nadec, a foods company partly owned by the Saudi government. He’s also president of the US-Sudan Business Council, which seeks to promote trade between the two countries. He has a long career in telecommunications, and from 1997 until 2002 was in charge of Sudan’s .sd ccTLD.

Both new directors will take their seats at the end of ICANN’s annual general meeting in Montreal this November.

There’s no word yet on who’s taking over as chair.

Registrars could be held liable for US gun violence

Kevin Murphy, August 20, 2019, Domain Policy

A US presidential candidate has come out in support of amending the law to make domain name companies liable when customers use their services to incite violence.

Beto O’Rourke, a former member of Congress, stated last week that he wants to amend the Communications Decency Act to hold providers of “domain name servers” liable “where they are found to knowingly promote content that incites violence”.

He’s believed to be the first among the swarm of 2020 Democratic presidential hopefuls to lay out a plan to combat online hate speech.

The proposed amendments to Section 230 of the CDA are part of a sweeping package of reforms O’Rourke is proposing in order to tackle gun violence and domestic terrorism in the US.

He comes from El Paso, Texas, which was the target of a race-based terrorist attack a couple of weeks ago.

He’s also pushing for stricter gun controls, such as compulsory licensing and training.

But I’m not going to get into that stuff here. This is a blog about domain names. I’m British, so you can probably guess what my opinion on guns is.

In terms of online content, O’Rourke’s plan seems primarily aimed at getting the big social media platforms to more heavily moderate the content produced by their users.

But it specifically calls out domain name companies also:

Beto would require large internet platforms to adopt terms of service to ban hateful activities, defined as those that incite or engage in violence, intimidation, harassment, threats, or defamation targeting an individual or group based on their actual or perceived race, color, religion, national origin, ethnicity, immigration status, gender, gender identity, sexual orientation or disability. These companies also would be required to put in place systems designed to identify and act on content violating the terms of service. Platforms must be transparent when they block content and provide for an appeal process in order to guard against abuse.

Beto supports amending Section 230 of the CDA to remove legal immunity from lawsuits for large social media platforms that fail to change their terms of service and put in place systems as described above. Informational service providers of all sizes, including domain name servers and social media platforms, also would be held liable where they are found to knowingly promote content that incites violence.

Should registrars be worried about this?

If the legal test was that registrars “knowingly promote content that incites violence”, that seems like a pretty high bar.

I’m not convinced even Epik, which has come under fire for providing domain services to the likes of Stormfront and 8chan — both of which O’Rourke cites in his policy — “knowingly promotes” incitements to violence.

That’s not to say that registrars couldn’t find themselves prosecuted or sued anyway, of course.

O’Rourke is not a current front-runner in the Democrat presidential pack. While still in the race, he’s towards the bottom of the top 10, polls suggest.

What O’Rourke’s policy statement does suggest is that the regulation of online speech could become a significant issue in the 2020 election, and that the domain name industry in the US could find itself a political football in an extremely divisive game.

Can NameCheap reverse .org price cap scrap?

Kevin Murphy, July 25, 2019, Domain Policy

NameCheap has taken it upon itself to fight ICANN’s decision to remove price increase caps on .org. But does it stand a snowball’s chance in hell of winning?

The registrar has filed a Request for Reconsideration with ICANN, appealing the organization’s signing of a Registry Agreement with Public Interest Registry that allows PIR to raise prices by however much it wants, more or less whenever that it wants.

NameCheap, which had over 390,000 .org domains under management at the last count, says it is fighting for 700-odd of its customers whose comments, filed with ICANN, were allegedly not taken into account when the decision was made, along with registrars and everyone else that may be adversely impacted by unfettered .org price increases.

NameCheap thinks its business could be harmed if price increases are uncapped, with customers perhaps letting their domains expire instead of renewing. It’s RfR states:

The decision by ICANN org to unilaterally remove the price caps when renewing legacy TLDs with little (if any) evidence to support the decision goes against ICANN’s Commitments and Core Values, and will result in harm to millions of internet users throughout the world.

Unrestricted price increases for legacy TLDs will stifle internet innovation, harm lesser served regions and groups, and significantly disrupt the internet ecosystem. An incredible variety of public comments was submitted to ICANN from all continents (except Antarctica) imploring ICANN to maintain the legacy TLD price caps — which were completely discounted and ignored by ICANN org.

Before the new contract was signed, PIR was limited to a 10% increase in its .org registry fee every year. It didn’t always exercise that right, and has said twice in recent months that it still has no plans to increase its prices.

The new contract — which has already been signed and is in effect — was subjected to a public comment period that attracted over 3,200 comments, almost all of them expressing support for maintaining the caps.

Despite not-for-profit PIR’s protestations, many commenters came from the position that giving PIR the power to increase its fee without limit would very possibly lead to price gouging.

That ICANN allegedly “ignored” these comments is the key pillar of NameCheap’s RfR case.

The public comment period was a “sham”, the registrar claims.

But is this enough to make ICANN change its mind and (somehow) unsign the .org contract?

There are three ways, under ICANN’s bylaws, to win an RfR.

Requestors can show that the board or staff did something that contradicts “ICANN’s Mission, Commitments, Core Values and/or established ICANN policy(ies)”

They also win if they can show the decision was was taken “without consideration of material information” or with “reliance on false or inaccurate relevant information”.

It’s quite a high bar, and most RfRs are rejected by the Board Accountability Mechanisms Committee, which is the court of first instance for reconsideration requests.

Requestors rarely show up with sufficient new information sufficiently persuasive to kick the legs from under ICANN’s original decision, and the question of something contradicting ICANN’s core principles is usually a matter of interpretation.

For example, in this case, NameCheap is arguing that failing to side with the commenters who disagreed with the removal of price caps amounts to a breach of ICANN’s Core Value to make all decisions in consultation with stakeholders:

The ICANN org will decide whether to accept or reject public comment, and will unilaterally make its own decisions — even if that ignores the public benefit or almost unanimous feedback to the contrary, and is based upon conclusory statements not supported by the evidence. This shows that the public comment process is basically a sham, and that ICANN org will do as it pleases in this and other matters.

But one of ICANN’s stated reasons for approving the contract was to abide by its Core Value to depend “on market mechanisms to promote and sustain a competitive environment in the DNS market”. It doesn’t want to be a price regulator, in other words.

So we have a clash of Core Values here. It will be pretty easy for ICANN’s lawyers — who drafted the contract and will draft the resolutions of the BAMC and the full board — to argue that the Core Values were respected.

I think NameCheap is going to have a hard time here.

Even if it were to win, how on earth does one unsign a contract? As far as I can tell, ICANN has no termination rights that would apply here.

Where the RfR will certainly succeed is to force the ICANN board itself to take ownership, on the record, of the .org contract decision.

As ICANN explained to DI earlier this month, while the board was very much kept in the loop on the state of negotiations, it was senior staff that made all the calls on the new contract.

But an RfR means that the BAMC, which comprises five directors, will first have to raise their hands to confirm the .org decision was kosher.

NameCheap will then get a chance to file a rebuttal before the BAMC decision is handed to the full ICANN board for a confirmatory vote.

While the first two board discussions of the .org contract were not minuted, the bylaws contain an interesting feature related to RfRs that I’d never noticed before today:

If the Requestor so requests, the Board shall post both a recording and a transcript of the substantive Board discussion from the meeting at which the Board considered the Board Accountability Mechanisms Committee’s recommendation.

I sincerely hope NameCheap invokes this right, as I think it’s pretty important that we get some additional clarity on ICANN’s thinking here.

Airline hit with $230 million GDPR fine

Kevin Murphy, July 8, 2019, Domain Policy

British Airways is to be fined £183.39 million ($230 million) over a customer data breach last year, by far the biggest penalty to be handed out under the General Data Protection Regulation to date.

This story is not directly related to the domain name industry, but it does demonstrate that European data protection authorities are not messing about when it comes to GDPR enforcement.

About 500,000 BA customers had their personal data — including full payment card details — stolen by attackers between June and September last year, the UK Information Commissioner’s Office said today..

It is believed that they obtained the data not by hacking BA’s database, but rather by inserting a script hosted by third-party domain that executed whenever a customer transacted with the site, allowing credentials to be captured in real time.

The ICO said its decision to fine $183.39 million — which amounts to more than 1.5% of BA’s annual revenue — is preliminary and can be appealed by BA.

Under GDPR, which came into effect in May 2018, companies can be fined up to 4% of revenue.

The biggest pre-GDPR fine is reportedly the £500,000 penalty that Facebook was given due to the Cambridge Analytica scandal.

GDPR is of course of concern to the domain industry due to the ongoing attempts to make sure Whois databases are compliant with the laws.

.amazon frozen AGAIN as endless government games continue

Kevin Murphy, June 25, 2019, Domain Policy

Amazon’s application for the .amazon gTLD has yet again been frozen, after a South American government invoked ICANN’s appeals process.

The bid, as well as applications for the Chinese and Japanese versions, were returned to “on-hold” status at the weekend, after Colombia filed a formal Request for Reconsideration, an ICANN spokesperson confirmed to DI.

“The processing toward contracting of the .AMAZON applications has been halted pending the resolution of Request 19-1, per ICANN organization’s normal processes,” the spokesperson said.

This means the applications could remain frozen for 135 days, until late October, while ICANN processes the request. It’s something that has happened several times with other contested gTLDs.

Colombia filed RfR 19-1 (pdf) on June 15. It demands that ICANN reverses its board’s decision of May 15, which handed Amazon a seemingly decisive victory in its long-running battle with the eight governments of the Amazon Cooperation Treaty Organization.

ACTO’s members believe they should have policy control over .amazon, to protect the interests of their citizens who live in the region they share.

To win an RfR — something that hardly ever happens — a complainant has to show that the ICANN board failed to consider pertinent information before it passed a resolution.

In Colombia’s case, it argues that the board ignored an April 7 letter (since published in PDF format here) its Governmental Advisory Committee representative sent that raises some interesting questions about how Amazon proposes to operate its TLDs.

Because .amazon is meant to be a highly restricted “dot-brand” gTLD, it would presumably have to incorporate Specification 13 into its ICANN registry agreements.

Spec 13 releases dot-brands from commitments to registrar competition and trademark protection in exchange for a commitment that only the brand itself will be able to own domains in the TLD.

But Colombia points out that Amazon’s proposal (pdf) to protect ACTO governments’ interests would give the eight countries and ACTO itself “beneficial ownership” over a single domain each (believed to be names such as co.amazon, .br.amazon, etc).

If this means that Amazon would not qualify for Spec 13, it could follow that ICANN’s board made its decision to continue processing .amazon on faulty assumptions, Colombia argues.

Colombia points to the case of .sas, a dot-brand that is apparently shared by two companies that have the same brand, as a possible model for shared management of .amazon.

RfRs are handled by ICANN’s Board Accountability Mechanisms Committee.

BAMC took just a couple of days to rule out (pdf) Colombia’s request for “urgent reconsideration”, which would reduce its regular response time from 90 days to 7 days.

The committee said that because the .amazon applications were being placed back on-hold as part of normal procedure during consideration of an RfR, no harm could come to Colombia that would warrant “urgent” reconsideration.

According to ICANN’s spokesperson, under its bylaws the latest the board can respond to Colombia’s request is October 28.

At a GAC session at the ICANN 65 meeting in Marrakech, taking place right now, several ACTO governments have just spent over an hour firmly and publicly protesting ICANN’s actions surrounding .amazon.

They’re still talking as I hit “publish” on this post.

In a nutshell, they believe that ICANN has ignored GAC advice and reneged on its commitment to help Amazon and ACTO reach a “mutually acceptable solution”.

ICANN launches cash-for-kids scheme

Kevin Murphy, June 19, 2019, Domain Policy

ICANN will hand over cash to help community members cover their childcare commitments, the organization announced yesterday.

If you show up to an ICANN public meeting with an ankle-biter under 12 years of age, ICANN will give you up to $750 to cover the cost of babysitting.

You’ll have to show receipts, and ICANN will not cover stuff like travel, lodging, tourism or other costs that parents would have during the normal course of owning a kid.

Only volunteer community members will qualify, not staffers. The full list of rules can be found here.

While the announcement may seem unusual, it does not come out of the blue. There have been a number of public calls, from a handful of single parents, for ICANN to lay on some kind of on-site childcare services over the last several years.

It isn’t doing that, however. Good grief, imagine the optics if ICANN accidentally killed a kid…

Instead, it will only give parents a list of nearby childcare providers, which it will not formally vet or recommend, and let them make their own minds up.

The program is a pilot, and will run at the next three meetings in Montreal, Cancun and Kuala Lumpur.

Time for some more ICANN salary porn

Kevin Murphy, June 3, 2019, Domain Policy

ICANN has filed its tax return for its fiscal 2018, so it’s once again that time of the year in which the community gets to salivate over how much its top staffers get paid.

The latest form 990, covering the 12 months to June 30, 2018, shows that the top 21 ICANN employees were compensated to the tune of $10.3 million, an average of $492,718 each.

That’s up about 4% from $9.9 million in the previous year, an average across the top 21 staffers of $474,396 apiece.

These numbers include base salary, bonuses, and benefits such as pension contributions.

Employee compensation overall increased from $60 million to $73.1 million.

The biggest earner was of course CEO Göran Marby, who is now earning more than his immediate predecessor Fadi Chehadé but a bit less than last-but-one boss Rod Beckstrom.

Marby’s total compensation was $936,585, having received a bonus of almost $200,000 during the year. His base salary was $673,133.

The number of staffers receiving six-figure salaries increased from 159 in fiscal 2017 to 183 — about 44% of its estimated end-of-year headcount.

Towards the end of the reported year, as ICANN faced a budget crunch, many members of the ICANN community had called on the organization to rein in its spending on staff.

ICANN says it targets compensation in the 50th to 75th percentile range for the relevant industry.

The top five outside contractors in the year were:

  • Jones Day, ICANN’s go-to law firm. It received $5.4 million, down from $8.7 million in 2017.
  • Zensar Technologies, the IT consultancy that develops and supports ICANN software. It received $3.7 million.
  • IIS, the Swedish ccTLD registry, which does pre-delegation testing for new gTLDs. It received $1.3 million.
  • Iron Mountain, the data escrow provider. It received $1.1 million.
  • Infovity, which provides Oracle software support. It received $1 million.

The return shows that ICANN made a loss of $23.9 million in the year, on revenue that was down from $302.6 million to $136.7 million.

The primary reason for this massive decrease in revenue was the $135 million Verisign paid for the rights to run .web, at an ICANN last-resort auction, in ICANN’s fiscal 2017.

The tax form for 2018 can be found here (pdf) and 2017’s can be found here (pdf).