ICANN names new directors, replaces Facebook exec

Kevin Murphy, August 20, 2019, Domain Policy

ICANN’s Nominating Committee has picked two new directors to join the board of directors this November.

They are: Mandla Msimang, a South African technology policy consultant, and Ihab Osman, a serial director who ran Sudan’s ccTLD two decades ago but whose main current gig appears to be managing a Saudi Arabian dairy company.

Dutch domain industry figure Maarten Botterman, who had a stint heading Public Interest Registry, has been reappointed for his second three-year term.

But Tunisian Khaled Koubaa, head of public policy for North Africa at Facebook, who joined the board with Botterman in 2016 and also previously worked for PIR, is not being asked to return.

Msimang and Osman replace Koubaa and Cherine Chalaby, the current Egyptian-born chair, who after nine years on the board is term-limited.

Basically, it’s two Africans out, two Africans in.

In a statement, NomCom chair Damon Ashcraft noted that the committee had received 56 applications from Africa, more than any other region. Only two applications were received from North Americans.

This is perhaps unsurprising. NomCom had been duty-bound to pick at least one African, in order to maintain ICANN’s bylaws-mandated geographic balance, but there were no spots available for North Americans.

Replacing one male director with one female may also go some way to appease critics — including the ICANN board itself — who have claimed that the board needs to be more gender balanced.

The switch means that, after November, the eight NomCom appointees on the board will be evenly split in terms of gender. However, only seven out of the total 20 directors will be women.

The other directors are selected by ICANN’s various supporting organizations and advisory committees.

NomCom received applications from 42 women and 85 men this year.

ICANN has not yet published the official bios for the two new directors, but here’s what the internets has to say about them.

Mandla Msimang. Msimang’s career appears to show her playing both hunter and gamekeeper in the South African telecommunications market, first working for the national regulator, and later for leading mobile phone operator Cell C. In 2007 she founded Pygma Consulting, a boutique IT consultancy, which she still runs.

Ihab Osman. Osman’s day job appears to be general manager of NADEC New Businesses, a unit of Nadec, a foods company partly owned by the Saudi government. He’s also president of the US-Sudan Business Council, which seeks to promote trade between the two countries. He has a long career in telecommunications, and from 1997 until 2002 was in charge of Sudan’s .sd ccTLD.

Both new directors will take their seats at the end of ICANN’s annual general meeting in Montreal this November.

There’s no word yet on who’s taking over as chair.

Registrars could be held liable for US gun violence

Kevin Murphy, August 20, 2019, Domain Policy

A US presidential candidate has come out in support of amending the law to make domain name companies liable when customers use their services to incite violence.

Beto O’Rourke, a former member of Congress, stated last week that he wants to amend the Communications Decency Act to hold providers of “domain name servers” liable “where they are found to knowingly promote content that incites violence”.

He’s believed to be the first among the swarm of 2020 Democratic presidential hopefuls to lay out a plan to combat online hate speech.

The proposed amendments to Section 230 of the CDA are part of a sweeping package of reforms O’Rourke is proposing in order to tackle gun violence and domestic terrorism in the US.

He comes from El Paso, Texas, which was the target of a race-based terrorist attack a couple of weeks ago.

He’s also pushing for stricter gun controls, such as compulsory licensing and training.

But I’m not going to get into that stuff here. This is a blog about domain names. I’m British, so you can probably guess what my opinion on guns is.

In terms of online content, O’Rourke’s plan seems primarily aimed at getting the big social media platforms to more heavily moderate the content produced by their users.

But it specifically calls out domain name companies also:

Beto would require large internet platforms to adopt terms of service to ban hateful activities, defined as those that incite or engage in violence, intimidation, harassment, threats, or defamation targeting an individual or group based on their actual or perceived race, color, religion, national origin, ethnicity, immigration status, gender, gender identity, sexual orientation or disability. These companies also would be required to put in place systems designed to identify and act on content violating the terms of service. Platforms must be transparent when they block content and provide for an appeal process in order to guard against abuse.

Beto supports amending Section 230 of the CDA to remove legal immunity from lawsuits for large social media platforms that fail to change their terms of service and put in place systems as described above. Informational service providers of all sizes, including domain name servers and social media platforms, also would be held liable where they are found to knowingly promote content that incites violence.

Should registrars be worried about this?

If the legal test was that registrars “knowingly promote content that incites violence”, that seems like a pretty high bar.

I’m not convinced even Epik, which has come under fire for providing domain services to the likes of Stormfront and 8chan — both of which O’Rourke cites in his policy — “knowingly promotes” incitements to violence.

That’s not to say that registrars couldn’t find themselves prosecuted or sued anyway, of course.

O’Rourke is not a current front-runner in the Democrat presidential pack. While still in the race, he’s towards the bottom of the top 10, polls suggest.

What O’Rourke’s policy statement does suggest is that the regulation of online speech could become a significant issue in the 2020 election, and that the domain name industry in the US could find itself a political football in an extremely divisive game.

Can NameCheap reverse .org price cap scrap?

Kevin Murphy, July 25, 2019, Domain Policy

NameCheap has taken it upon itself to fight ICANN’s decision to remove price increase caps on .org. But does it stand a snowball’s chance in hell of winning?

The registrar has filed a Request for Reconsideration with ICANN, appealing the organization’s signing of a Registry Agreement with Public Interest Registry that allows PIR to raise prices by however much it wants, more or less whenever it wants.

NameCheap, which had over 390,000 .org domains under management at the last count, says it is fighting for 700-odd of its customers whose comments, filed with ICANN, were allegedly not taken into account when the decision was made, along with registrars and everyone else that may be adversely impacted by unfettered .org price increases.

NameCheap thinks its business could be harmed if price increases are uncapped, with customers perhaps letting their domains expire instead of renewing. Its RfR states:

The decision by ICANN org to unilaterally remove the price caps when renewing legacy TLDs with little (if any) evidence to support the decision goes against ICANN’s Commitments and Core Values, and will result in harm to millions of internet users throughout the world.

Unrestricted price increases for legacy TLDs will stifle internet innovation, harm lesser served regions and groups, and significantly disrupt the internet ecosystem. An incredible variety of public comments was submitted to ICANN from all continents (except Antarctica) imploring ICANN to maintain the legacy TLD price caps — which were completely discounted and ignored by ICANN org.

Before the new contract was signed, PIR was limited to a 10% increase in its .org registry fee every year. It didn’t always exercise that right, and has said twice in recent months that it still has no plans to increase its prices.

The new contract — which has already been signed and is in effect — was subjected to a public comment period that attracted over 3,200 comments, almost all of them expressing support for maintaining the caps.

Despite not-for-profit PIR’s protestations, many commenters came from the position that giving PIR the power to increase its fee without limit would very possibly lead to price gouging.

That ICANN allegedly “ignored” these comments is the key pillar of NameCheap’s RfR case.

The public comment period was a “sham”, the registrar claims.

But is this enough to make ICANN change its mind and (somehow) unsign the .org contract?

There are three ways, under ICANN’s bylaws, to win an RfR.

Requestors can show that the board or staff did something that contradicts “ICANN’s Mission, Commitments, Core Values and/or established ICANN policy(ies)”.

They also win if they can show the decision was taken “without consideration of material information” or with “reliance on false or inaccurate relevant information”.

It’s quite a high bar, and most RfRs are rejected by the Board Accountability Mechanisms Committee, which is the court of first instance for reconsideration requests.

Requestors rarely show up with sufficient new information sufficiently persuasive to kick the legs from under ICANN’s original decision, and the question of something contradicting ICANN’s core principles is usually a matter of interpretation.

For example, in this case, NameCheap is arguing that failing to side with the commenters who disagreed with the removal of price caps amounts to a breach of ICANN’s Core Value to make all decisions in consultation with stakeholders:

The ICANN org will decide whether to accept or reject public comment, and will unilaterally make its own decisions — even if that ignores the public benefit or almost unanimous feedback to the contrary, and is based upon conclusory statements not supported by the evidence. This shows that the public comment process is basically a sham, and that ICANN org will do as it pleases in this and other matters.

But one of ICANN’s stated reasons for approving the contract was to abide by its Core Value to depend “on market mechanisms to promote and sustain a competitive environment in the DNS market”. It doesn’t want to be a price regulator, in other words.

So we have a clash of Core Values here. It will be pretty easy for ICANN’s lawyers — who drafted the contract and will draft the resolutions of the BAMC and the full board — to argue that the Core Values were respected.

I think NameCheap is going to have a hard time here.

Even if it were to win, how on earth does one unsign a contract? As far as I can tell, ICANN has no termination rights that would apply here.

Where the RfR will certainly succeed is to force the ICANN board itself to take ownership, on the record, of the .org contract decision.

As ICANN explained to DI earlier this month, while the board was very much kept in the loop on the state of negotiations, it was senior staff that made all the calls on the new contract.

But an RfR means that the BAMC, which comprises five directors, will first have to raise their hands to confirm the .org decision was kosher.

NameCheap will then get a chance to file a rebuttal before the BAMC decision is handed to the full ICANN board for a confirmatory vote.

While the first two board discussions of the .org contract were not minuted, the bylaws contain an interesting feature related to RfRs that I’d never noticed before today:

If the Requestor so requests, the Board shall post both a recording and a transcript of the substantive Board discussion from the meeting at which the Board considered the Board Accountability Mechanisms Committee’s recommendation.

I sincerely hope NameCheap invokes this right, as I think it’s pretty important that we get some additional clarity on ICANN’s thinking here.

Airline hit with $230 million GDPR fine

Kevin Murphy, July 8, 2019, Domain Policy

British Airways is to be fined £183.39 million ($230 million) over a customer data breach last year, by far the biggest penalty to be handed out under the General Data Protection Regulation to date.

This story is not directly related to the domain name industry, but it does demonstrate that European data protection authorities are not messing about when it comes to GDPR enforcement.

About 500,000 BA customers had their personal data — including full payment card details — stolen by attackers between June and September last year, the UK Information Commissioner’s Office said today.

It is believed that they obtained the data not by hacking BA’s database, but rather by inserting a script hosted on a third-party domain that executed whenever a customer transacted with the site, allowing credentials to be captured in real time.

The ICO said its decision to fine £183.39 million — which amounts to more than 1.5% of BA’s annual revenue — is preliminary and can be appealed by BA.

Under GDPR, which came into effect in May 2018, companies can be fined up to 4% of revenue.

The biggest pre-GDPR fine is reportedly the £500,000 penalty that Facebook was given due to the Cambridge Analytica scandal.

GDPR is of course of concern to the domain industry due to the ongoing attempts to make sure Whois databases are compliant with the laws.

.amazon frozen AGAIN as endless government games continue

Kevin Murphy, June 25, 2019, Domain Policy

Amazon’s application for the .amazon gTLD has yet again been frozen, after a South American government invoked ICANN’s appeals process.

The bid, as well as applications for the Chinese and Japanese versions, were returned to “on-hold” status at the weekend, after Colombia filed a formal Request for Reconsideration, an ICANN spokesperson confirmed to DI.

“The processing toward contracting of the .AMAZON applications has been halted pending the resolution of Request 19-1, per ICANN organization’s normal processes,” the spokesperson said.

This means the applications could remain frozen for 135 days, until late October, while ICANN processes the request. It’s something that has happened several times with other contested gTLDs.

Colombia filed RfR 19-1 (pdf) on June 15. It demands that ICANN reverses its board’s decision of May 15, which handed Amazon a seemingly decisive victory in its long-running battle with the eight governments of the Amazon Cooperation Treaty Organization.

ACTO’s members believe they should have policy control over .amazon, to protect the interests of their citizens who live in the region they share.

To win an RfR — something that hardly ever happens — a complainant has to show that the ICANN board failed to consider pertinent information before it passed a resolution.

In Colombia’s case, it argues that the board ignored an April 7 letter (since published in PDF format here) its Governmental Advisory Committee representative sent that raises some interesting questions about how Amazon proposes to operate its TLDs.

Because .amazon is meant to be a highly restricted “dot-brand” gTLD, it would presumably have to incorporate Specification 13 into its ICANN registry agreements.

Spec 13 releases dot-brands from commitments to registrar competition and trademark protection in exchange for a commitment that only the brand itself will be able to own domains in the TLD.

But Colombia points out that Amazon’s proposal (pdf) to protect ACTO governments’ interests would give the eight countries and ACTO itself “beneficial ownership” over a single domain each (believed to be names such as co.amazon, br.amazon, etc).

If this means that Amazon would not qualify for Spec 13, it could follow that ICANN’s board made its decision to continue processing .amazon on faulty assumptions, Colombia argues.

Colombia points to the case of .sas, a dot-brand that is apparently shared by two companies that have the same brand, as a possible model for shared management of .amazon.

RfRs are handled by ICANN’s Board Accountability Mechanisms Committee.

BAMC took just a couple of days to rule out (pdf) Colombia’s request for “urgent reconsideration”, which would reduce its regular response time from 90 days to 7 days.

The committee said that because the .amazon applications were being placed back on-hold as part of normal procedure during consideration of an RfR, no harm could come to Colombia that would warrant “urgent” reconsideration.

According to ICANN’s spokesperson, under its bylaws the latest the board can respond to Colombia’s request is October 28.

At a GAC session at the ICANN 65 meeting in Marrakech, taking place right now, several ACTO governments have just spent over an hour firmly and publicly protesting ICANN’s actions surrounding .amazon.

They’re still talking as I hit “publish” on this post.

In a nutshell, they believe that ICANN has ignored GAC advice and reneged on its commitment to help Amazon and ACTO reach a “mutually acceptable solution”.

ICANN launches cash-for-kids scheme

Kevin Murphy, June 19, 2019, Domain Policy

ICANN will hand over cash to help community members cover their childcare commitments, the organization announced yesterday.

If you show up to an ICANN public meeting with an ankle-biter under 12 years of age, ICANN will give you up to $750 to cover the cost of babysitting.

You’ll have to show receipts, and ICANN will not cover stuff like travel, lodging, tourism or other costs that parents would have during the normal course of owning a kid.

Only volunteer community members will qualify, not staffers. The full list of rules can be found here.

While the announcement may seem unusual, it does not come out of the blue. There have been a number of public calls, from a handful of single parents, for ICANN to lay on some kind of on-site childcare services over the last several years.

It isn’t doing that, however. Good grief, imagine the optics if ICANN accidentally killed a kid…

Instead, it will only give parents a list of nearby childcare providers, which it will not formally vet or recommend, and let them make their own minds up.

The program is a pilot, and will run at the next three meetings in Montreal, Cancun and Kuala Lumpur.

Time for some more ICANN salary porn

Kevin Murphy, June 3, 2019, Domain Policy

ICANN has filed its tax return for its fiscal 2018, so it’s once again that time of the year in which the community gets to salivate over how much its top staffers get paid.

The latest form 990, covering the 12 months to June 30, 2018, shows that the top 21 ICANN employees were compensated to the tune of $10.3 million, an average of $492,718 each.

That’s up about 4% from $9.9 million in the previous year, an average across the top 21 staffers of $474,396 apiece.

These numbers include base salary, bonuses, and benefits such as pension contributions.

Employee compensation overall increased from $60 million to $73.1 million.

The biggest earner was of course CEO Göran Marby, who is now earning more than his immediate predecessor Fadi Chehadé but a bit less than last-but-one boss Rod Beckstrom.

Marby’s total compensation was $936,585, having received a bonus of almost $200,000 during the year. His base salary was $673,133.

The number of staffers receiving six-figure salaries increased from 159 in fiscal 2017 to 183 — about 44% of its estimated end-of-year headcount.

Towards the end of the reported year, as ICANN faced a budget crunch, many members of the ICANN community had called on the organization to rein in its spending on staff.

ICANN says it targets compensation in the 50th to 75th percentile range for the relevant industry.

The top five outside contractors in the year were:

  • Jones Day, ICANN’s go-to law firm. It received $5.4 million, down from $8.7 million in 2017.
  • Zensar Technologies, the IT consultancy that develops and supports ICANN software. It received $3.7 million.
  • IIS, the Swedish ccTLD registry, which does pre-delegation testing for new gTLDs. It received $1.3 million.
  • Iron Mountain, the data escrow provider. It received $1.1 million.
  • Infovity, which provides Oracle software support. It received $1 million.

The return shows that ICANN made a loss of $23.9 million in the year, on revenue that was down from $302.6 million to $136.7 million.

The primary reason for this massive decrease in revenue was the $135 million Verisign paid for the rights to run .web, at an ICANN last-resort auction, in ICANN’s fiscal 2017.

The tax form for 2018 can be found here (pdf) and 2017’s can be found here (pdf).

Four presidents slam .amazon decision

Kevin Murphy, May 28, 2019, Domain Policy

The leaders of four of the eight governments of the Amazon region of South America have formally condemned ICANN’s decision to move ahead with the .amazon gTLD.

In a joint statement over the weekend, the presidents of Peru, Colombia, Ecuador and Bolivia said they have agreed “to join efforts to protect the interests of our countries related to geographical or cultural names and the right to cultural identity of indigenous peoples”.

These four countries comprise the Andean Community, an economic cooperation group covering the nations through which the Andes pass, which has just concluded a summit on a broad range of issues.

The presidents said they have “deep concerns” about ICANN’s decision to proceed towards delegating .amazon to Amazon the company, over the objections of the eight-nation Amazon Cooperation Treaty Organization.

ICANN is “setting a serious precedent by prioritizing private commercial interests over public policy considerations of the States, such as the rights of indigenous peoples and the preservation of the Amazon in favor of humanity and against global warming”, they said (via Google Translate).

ACTO had been prepared to agree to Amazon running .amazon, but it wanted effective veto power on the TLD’s policy-setting committee and a number of other concessions that Amazon thought would interfere with its commercial interests.

As it stands, Amazon has offered to block thousands of culturally sensitive domains and to give the ACTO nations a minority voice in its policy-making activities.

ICANN will soon open these proposed commitments to public comment, and will likely decide to put .amazon into the root not too long thereafter.

ICANN plans return to Cancun in 2021

Kevin Murphy, May 7, 2019, Domain Policy

ICANN has named the locations of two of its 2021 public meetings.

Notably, it will return to Cancun, Mexico, in March for ICANN 70, just one year after hosting ICANN 67 there.

In both years, the dates appear to coincide with some US universities’ “Spring Break” academic holiday, which sees many college students descend on Cancun to take advantage to excess of Mexico’s more liberal drinking laws.

In June 2021, ICANN will head to the Hague in the Netherlands, perhaps also known for its more liberal attitude to inebriants, for its mid-year policy meeting.

It’s already named Seattle, home to several domain companies, as its choice for the final meeting of 2021.

Under ICANN’s system of dividing up the world into regions for the purpose of meetings rotation, Mexico counts as Latin America rather than North America.

Governments demand Whois reopened within a year

Kevin Murphy, April 29, 2019, Domain Policy

ICANN’s government advisers want cops, trademark owners and others to get access to private Whois data in under a year from now.

The Governmental Advisory Committee wants to see “considerable and demonstrable progress, if not completion” of the so-called “unified access model” for Whois by ICANN66 in Montreal, a meeting due to kick off November 4 this year.

The demand came in a letter (pdf) last week from GAC chair Manal Ismail to her ICANN board counterpart Cherine Chalaby.

She wrote that the GAC wants “phase 2” of the ongoing Expedited Policy Development Process on Whois not only concluded but also implemented “within 12 months or less” of now.

It’s a more specific version of the generic “hurry up” advice delivered formally in last month’s Kobe GAC communique.

It strikes me as a ludicrously ambitious deadline.

Phase 2 of the EPDP’s work involves deciding what “legitimate interests” should be able to request access to unredacted private Whois data, and how such requests should be handled.

The GAC believes “legitimate interests include civil, administrative and criminal law enforcement, cybersecurity, consumer protection and IP rights protection”.

IP interests including Facebook want to be able to vacuum up as much data as they want more or less on demand, but they face resistance from privacy advocates in the non-commercial sector (which want to make access as restrictive as possible) and to a lesser extent registries and registrars (which want something as cheap and easy as possible to implement and operate that does not open them up to legal liability).

Ismail’s letter suggests that work could be sped up by starting the implementation of stuff the EPDP group agrees to as it agrees to it, rather than waiting for its full workload to be complete.

Given the likelihood that there will be a great many dependencies between the various recommendations the group will come up with, this suggestion also comes across as ambitious.

The EPDP group is currently in a bit of a lull, following the delivery of its phase 1 report to ICANN, which is expected to approve its recommendations next month.

Since the phase 1 work finished in late February, there’s been a change of leadership of the group, and a bunch of its volunteer members have been swapped out.

Volunteers have also complained about burnout, and there’s been some pressure for the pace of work — which included four to five hours of teleconferences per week for six months — to be scaled back for the second phase.

The group’s leadership has discussed 12 to 18 months as a “realistic and desirable” timeframe for it to reach its Initial Report stage on the phase 2 work.

For comparison, it published its Initial Report for phase 1 after only six stressful months on the job, and not only have its recommendations not been implemented, they’ve not even been approved by ICANN’s board of directors yet. That’s expected to happen this Friday, at the board’s retreat in Istanbul.

With this previous experience in mind, the chances of the GAC getting a unified Whois access service implemented within a year seem very remote.