Latest news of the domain name industry

Recent Posts

ICANN ditches plan to give governments more power

Kevin Murphy, February 25, 2015, Domain Policy

ICANN has quietly abandoned a plan to make it harder for its board of directors to go against the wishes of national governments.

A proposal to make a board two-thirds super-majority vote a requirement for overruling advice provided by the Governmental Advisory Committee is now “off the table”, ICANN CEO Fadi Chehade told a US Senate committee hearing today.

The threshold, which would replace the existing simple majority requirement, was proposed last August as a result of talks in a board-GAC working group.

At the time, I described the proposal as a “fait accompli” — the board had even said it would use the higher threshold in votes on GAC advice in advance of the required bylaws change.

But now it’s seemingly gone.

The news emerged during a hearing of the Senate Committee on Commerce, Science, and Transportation today in Washington DC, which was looking into the transition of US oversight of ICANN’s IANA functions to a multi-stakeholder process.

Asked by Sen. Deb Fischer whether the threshold change was consistent with ICANN’s promise to limit the power of governments in a post-US-oversight world, Chehade replied:

You are right, this would be incongruent with the stated goals [of the IANA transition]. The board has looked at that matter and has pushed it back. So it’s off the table.

That came as news to me, and to others listening to the hearing.

The original plan to change the bylaws came in a board resolution last July.

If it’s true that the board has since changed its mind, that discussion does not appear to have been documented in any of the published minutes of ICANN board meetings.

If the board has indeed changed its mind, it has done so with the near-unanimous blessing of the rest of the ICANN community (although I doubt the GAC was/will be happy).

The public comment period on the proposal attracted dozens of responses from community members, all quite vigorously opposed to the changes.

The ICANN report on the public comments was due October 2, so it’s currently well over four months late.

UPDATE 1: An ICANN spokesperson just got in touch to say that the board decided to ditch its plan in response to the negative public comments.

UPDATE 2: Another ICANN spokesperson has found a reference to the board’s U-turn in the transcript of a meeting between the ICANN board and GAC at the Los Angeles public meeting last October. A brief exchange between ICANN chair Steve Crocker and Heather Dryden, then chair of the GAC, reads:

DRYDEN: On the issue of the proposed bylaw changes to amend them to a third — two-thirds majority to reject or take a decision not consistent with the GAC’s advice, are there any updates there that the Board would like to — the Board or NGPC? I think it’s a Board matter? Yes?

CROCKER: Yes.

Well, you’ve seen the substantial reaction to the proposal.

The reaction embodies, to some extent, misunderstanding of what the purpose and the context was, but it also is very instructive to all of us that the timing of all this comes in the middle of the broader accountability question.

So it’s — I think it’s in everyone’s interest, GAC’s interest, Board’s interest, and the entire community’s interest, to put this on hold and come back and revisit this in a larger context, and that’s our plan.

So it seems that the ICANN board did tip its hand a few months ago, but not many people, myself included, noticed.

Chehade to face Congressional grilling this week

Kevin Murphy, February 23, 2015, Domain Policy

ICANN CEO Fadi Chehade is heading to Washington DC this week to defend plans to decouple the organization from formal US oversight in front of a potentially hostile committee of Congresspeople.

The Senate Committee on Commerce, Science, and Transportation will meet this Wednesday at 1000 local time to grill Chehade and others on the plan to remove the US government from the current triumvirate responsible for managing changes to the DNS root zone under the IANA arrangements.

He will be joined by Larry Strickling, who as head of the National Telecommunications and Information Administration is the US government’s point person on the transition, and Ambassador David Gross, a top DC lawyer formerly with the Department of State.

All three men are pro-transition, while the Republican-tilted committee is likely to be much more skeptical.

The blurb for the Wednesday hearing reads:

As the U.S. government considers relinquishing control over certain aspects of Internet governance to the private sector, concerns remain that the loss of U.S. involvement over the Internet Assigned Numbers Authority (IANA) could empower foreign powers — acting through intergovernmental institutions or other surrogates — to gain increased control over critical Internet functions.

Republicans and right-leaning media commentators have warned that handing over IANA oversight to a multistakeholder body risks giving too much power to governments the US doesn’t like, such as Russia and China.

Several bills introduced in the House and Senate over the last year would have given Congress much more power to delay or deny the transition.

An amendment to an appropriations bill approved in December prevents the NTIA from spending any taxpayer money on relinquishing its DNS root oversight role until after September 30 this year, the same day that the current IANA contract expires.

This effectively prevents a transition during the current IANA contract’s run. Strickling recently said that the NTIA is complying with this legislation, but noted that it does not prevent the agency participating in the development of the transition proposal.

ICANN community working groups are currently working on plans for ICANN oversight post-NTIA and for addressing ICANN accountability.

These documents are hoped to be ready to sent to the NTIA by July, so the NTIA will have enough time to consider them before September 30.

Strickling recently addressed this date in a speech at the State of the Net conference in Washington, saying:

I want to reiterate again that there is no hard and fast deadline for this transition. September 2015 has been a target date because that is when the base period of our contract with ICANN expires. But this should not be seen as a deadline. If the community needs more time, we have the ability to extend the IANA functions contract for up to four years. It is up to the community to determine a timeline that works best for stakeholders as they develop a proposal that meets NTIA’s conditions, but also works.

Opponents of the transition say that because the NTIA is prevented from terminating the IANA contract before October 1, the NTIA will have no choice but to extend it until September 30, 2017.

Given that 2016 is a presidential election year in the US, Barack Obama would be a private citizen again by the time the next opportunity to transition comes around, they say.

Which presidential hopeful — from either party — would not buckle if asked whether he supports a plan to let Iran run the internet? That’s the political logic at work here.

Chehade himself told the AFP news agency earlier this month that the transition would have to happen before the 2016 elections, to avoid political distractions.

I’m not so sure I agree with the premise that, due to the restraints imposed by the appropriation bill, the transition now has to happen under the next president’s administration.

In my layman’s reading of the current IANA contract, the NTIA is able to terminate it for the “convenience of the government” pretty much whenever it wants.

There’s also an option to extend the contract by up to six months. The NTIA exercised this option in March 2012 when it did not approve of ICANN’s first renewal proposals.

Chehade declines to backtrack on domain “hogging” comments

Kevin Murphy, February 10, 2015, Domain Policy

ICANN CEO Fadi Chehade responded yesterday to anger from domain investors over recent comments in which he talked about “hogging” domain names and implied a link to cybersquatting.

But he did not, at least as far as I understood his explanation, backtrack on his original remarks.

Chehade was cheekily asked his current thoughts on domain “hoggers” by blogger David Goldstein during a press conference at the ICANN 52 meeting in Singapore yesterday.

This is the entirety of his reply:

I think the statement I made to a different media outlet about that was conflated to signify I was including in this all those who are in the domain name business. And that’s not true. There are those that do this as a business and do it very well and actually enhance the market and there are those that do it and make the business and the market less attractive and less desirable. So I think any insinuation that that statement engulfs everyone that is in this business is not true. As you know very well I’ve a very big supporter of the industry groups and was one of the people who was frankly very happy when the Domain Name Association was created and I attended their first formation meeting. This is where we stand and we continue to feel good about how this market is evolving and how these players are making this a good market that serves the public interest.

Having listened to it a few times, I wonder whether Chehade deliberately didn’t backtrack on his original remarks, or whether he doesn’t quite understand why they caused offense in the first place.

A couple of weeks back, Chehade was talking to the Huffington Post about new gTLDs during an interview at the World Economic Forum in Davos.

The interviewer asked about “concerns about a land-grab going on” among domain speculators.

It was a bit of a silly question, if you ask me. A speculative land-grab is pretty low down the list of concerns held by critics of the new gTLD program. Regardless, Chehade replied:

The reality is, the more there are names, the less people will actually be hogging names in order to charge a lot for them. Because if somebody took your name on dot X, you can go get another name on dot Y now.

I’d personally agree with that characterization of the program. It’s meant to make finding a good name at a cheap price easier. “Hogging” was probably a poor choice of words, but Chehade was talking off the cuff so I could give him a pass.

But later in the same reply, he used the term “cybersquatting” in such a way as to make it easy to infer he was conflating domain investing with cybersquatting. That’s a loaded term that is usually reserved for trademark infringement, at least when used inside the industry.

Obviously this was guaranteed to get investors’ hackles up.

First up with the hackles was Mike Berkens, who called Chehade out on The Domains, saying he “throws large domain investors under the bus and then backs up the bus and rolls over them again”.

Berkens pointed out, quite reasonably I thought, that ICANN is funded to a great extent by domain investors. He estimates that he alone pays ICANN about $15,000 a year in the fees that are collected at the point of registration and renewal.

By some estimates, which may even be conservative, about a third of new gTLD registrations to date have been made to speculators.

Berkens made the even better point that many of the people who have pumped hundreds of millions of dollars into the new gTLD program — Uniregistry’s Frank Schilling, XYZ.com’s Daniel Negari and multiple Donuts executives, for example — made their fortunes investing in second-level domains.

He concluded:

All and all some pretty ignorant statements in our opinion made by the CEO of ICANN and an insult to those domain investors that are some of the biggest buyer’s of new gTLD’s domain names who have paid ICANN a small fortune over the years allowing them to travel the world, pay millions a year in salary and other benefits.

Phil Corwin Jeremiah Johnston of the Internet Commerce Association followed up a few days ago with an open letter to Chehade which explained the outrage in slightly more formal and lawyerly way, with all the apostrophes in the right places. He wrote:

The ICA objects to your statement as it expresses a disdainful view towards the legitimate activity of domain investing, a hostile view of domain investors who are significant ICANN stakeholders who are deeply affected by its policies, a lack of awareness of the market realities of domains as an asset class, and an unwarranted promotion of new gTLD domains over those at legacy gTLDs.

Domain investors are not “hogs” and they most certainly are not deliberate trademark infringers, or “cybersquatters”. It is not clear what you intended by your reference to “cybersquatting”, though it is concerning that you used this pejorative term just after making disparaging remarks about domain investors.

With all these criticisms in mind, let’s go back and parse what Chehade said in Singapore yesterday.

First, he said his remarks had been wrongly “conflated to signify I was including in this all those who are in the domain name business”.

I’m not sure that’s what happened. I’m pretty certain Berkens and his commenters, and then Corwin Johnston, got the hump purely because Chehade dismissed domain investing as “hogging” and then implied a link between investing and trademark infringement.

Who is Chehade talking about when he draws a distinction between those who “enhance the market” and those who “make the business and the market less attractive”?

Is the line drawn between the trademark infringers and the legitimate investors, or its it drawn somewhere else?

Why did Chehade go on to express his support for the DNA, a sell-side trade group funded largely by registries and registrars? Was he drawing the line between regular second-level domainers (hogging) and those that in many cases are essentially just top-level domainers (enhancing)?

Chehade was given the opportunity to backtrack and he didn’t take it.

I’m not a domainer, but if I were I don’t think I’d be particularly satisfied about that.

Overworked ICANN community “at breaking point”, Chehade warns

Kevin Murphy, February 9, 2015, Domain Policy

The volunteers that do the bulk of the policy-development work at ICANN are are suffering from “burnout” and are at “breaking point”, CEO Fadi Chehade said during the opening ceremony of the ICANN 52 public meeting in Singapore today.

“This community — we’re hearing this from many of your leaders — is reaching a bit of burnout. And we in the staff are responsible to support you better so that we can manage the workload that you’re all feeling,” Chehade said.

A session later today will demonstrate some of the tools and processes ICANN plans to put in place to alleviate the load, he said.

Much of the work in ICANN’s supporting organizations is done on a volunteer basis.

ICANN’s tendency to spawn new working groups, roles and committees on an almost fractal basis, and the relative lack of people willing to shoulder the burden of endless teleconferences and sprawling mailing lists, has long been an issue for the community.

Not only does ICANN have to do the work of making DNS policies, it also undergoes a permanent process of self-analysis and review, which eats up time. That has been especially pronounced as ICANN prepares for its probable transition away from US government oversight.

Chehade gave an example of a key community member who showed up uncomplainingly to an important meeting despite suffering a personal tragedy just a day earlier.

“This community is a very unique community. The volunteers that make up ICANN are essentially the spirit of ICANN,” Chehade said. “This is who we are. But this is the beauty of ICANN. This is what makes us very special, and I know that our volunteers are at break-point, but let me tell you, there is no better community.”

Human glitch lets hackers into ICANN

Kevin Murphy, December 17, 2014, Domain Policy

It’s 2014. Does anyone in the domain name business still fall for phishing attacks?

Apparently, yes, ICANN staff do.

ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.

According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.

CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.

But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.

While the stolen passwords were encrypted, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:

The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.

As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.

It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.

Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.

User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.

In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some passwords that may allow them to cause further mischief if they can be decrypted.

It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.

While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar order to hand over their passwords.

That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.