Digital archery ruled out for next new gTLD round

The oft-mocked “digital archery” system will not be making a return when ICANN finally starts taking more new gTLD applications.

That’s the current thinking of the ICANN community working group looking at subsequent application procedures.

Readers with long memories may recall digital archery as a hack for Californian gambling laws that ICANN org pressed for in 2012 as a way to form its 1,930 applications into an orderly queue for processing.

The idea was that applicants would fire off a bit of data to an ICANN site at a predetermined time and the applicants whose packets arrived closet to the target time, measured by the millisecond, would receive priority in the queue.

It was a bit like drop-catching, and the concept advanced to the stage where companies skilled in such things were offering digital archery services.

But after ICANN changed CEOs later that year, it turned out gambling wasn’t as illegal in California as former management thought it was. The org got itself a license to run a one-off lottery and sold tickets for $100 per application.

That’s now the preferred method for ordering the queue for the next rounds of applications, whenever those may be, according to last week’s Initial Report on the New gTLD Subsequent Procedures Policy Development Process.

Unlike 2012, the WG is proposing that portfolio applicants should be able to swap around their priority numbers according to their commercial interests.

So, if Donuts gets priority #1 for .crappy and #4,000 for .awesome, it would be able to switch priorities to get the better string evaluated earlier.

The WG is also not convinced that internationalized domain names, which received automatic priority in 2012, should get the same preferential treatment this time around.

That’s one of several questions it poses for the community in its public comment period.

While a better place in the evaluation queue had time-to-market advantages in 2012 — Donuts’ .guru sold a tonne of domains largely due to its first-mover status — that’s probably not going to be as big a deal next time around due to domainer skepticism about new gTLDs.

Comment Tagged: ICANN, new gTLDs, prioritization, subsequent procedures, the draw

Could crypto solve the Whois crisis?

Could there be a cryptographic solution to some of the problems caused by GDPR’s impact on public Whois databases? Security experts think so.

The Anti-Phishing Working Group has proposed that hashing personal information and publishing it could help security researchers carry on using Whois to finger abusive domain names.

In a letter to ICANN, APWG recently said that such a system would allow registries and registrars to keep their customers’ data private, but would still enable researchers to identify names registered in bulk by spammers and the like.

“Redacting all registration records which were formerly publicly available has unintended and undesirable consequences to the very citizens and residents that electronic privacy legislation intends to protect,” the letter (pdf) says.

Under the proposed system, each registry or registrar would generate a private key for itself. For each Whois field containing private data, the data would be added to the key and hashed using a standard algorithm such as SHA-512.

For items such as physical addresses, all the address-related fields would be concatenated, with the key, before hashing the combined value.

The resulting hash — a long string of gibberish characters — would then be published in the public Whois instead of the [REDACTED] notice mandated by current ICANN policy.

Security researchers would then be able to identify domains belonging to the same purported registrant by searching for domains containing the same hash values.

It’s not a perfect solution. Because each registry or registrar would have their own key, the same registrant would have different hash values in different TLDs, so it would not be possible to search across TLDs.

But that may not be a huge problem, given that bad guys tend to bulk-register names in TLDs that have special offers on.

The hashing system may also be beneficial to interest groups such as trademark owners and law enforcement, which also look for registration patterns when tracking down abuse registrants.

The proposal would create implementation headaches for registries and registrars — which would actually have to build the crypto into their systems — and compliance challenges for ICANN.

The paper notes that ICANN would have to monitor its contracted parties — not all of which may necessarily be unfriendly to spammers — to make sure they’re hashing the data correctly.

9 Comments Tagged: abuse, apwg, crypto, gdpr, malware, phishing, privacy, spam, whois

Euro-Whois advice still as clear as mud

European privacy chiefs have again weighed in to the ongoing debate about GDPR and Whois, offering another thin batch of vague advice to ICANN.

The European Data Protection Board, in its latest missive (pdf), fails to provide much of the granular “clarity” ICANN has been looking for, in my view.

It does offer a few pieces of specific guidance, but it seems to me that the general gist of the letter from EDPB chair Andrea Jelinek to ICANN CEO Goran Marby is basically: “You’re on your own buddy.”

If the question ICANN asked was “How can we comply with GDPR?” the answer, again, appears to be generally: “By complying with GDPR.”

To make matters worse, Jelinek signs off with a note implying that the EDPB now thinks that it has given ICANN all the advice it needs to run off and create a GDPR-compliant accreditation system for legitimate access to private Whois data.

The EDPB is the body that replaced the Article 29 Working Party after GDPR came into effect in May. It’s made up of the data protection authorities of all the EU member states.

On the accreditation discussion — which aims to give the likes of trademark owners and security researchers access to Whois data — the clearest piece of advice in the letter is arguably:

the personal data processed in the context of WHOIS can be made available to third parties who have a legitimate interest in having access to the data, provided that appropriate safeguards are in place to ensure that the disclosure is proportionate and limited to that which is necessary and the other requirements of GDPR are met, including the provision of clear information to data subjects.

That’s a fairly straightforward statement that ICANN is fine to go ahead with the creation of an accreditation model for third parties, just as long as it’s quite tightly regulated.

But like so much of its advice, it contains an unhelpful nested reference to GDPR compliance.

The letter goes on to say that logging Whois queries should be part of these controls, but that care should be taken not to tip off registrants being investigated by law enforcement.

But it makes no effort to answer Marby’s questions (pdf) about who these legit third-parties might be and how ICANN might go about identifying them, which is probably the most important outstanding issue right now.

Jelinek also addresses ICANN’s lawsuit against Tucows’ German subsidiary EPAG, and I have to disagree with interpretations of its position published elsewhere.

The Register’s Kieren McCarthy, my Chuckle Brother from another Chuckle Mother, reckons the EDPB has torpedoed the lawsuit by “stating clearly that it cannot force people to provide additional ‘admin’ and ‘technical’ contacts for a given domain name”.

Under my reading, what it actually states is that registrants should be able to either use their own contact data, or anonymized contact information identifying a third party, in these records.

The EDPB clearly anticipates that admin and technical contacts can continue to exist, as long as they contain non-personal contact information such as “admin@example.com”, rather than “kevin@example.com”.

That’s considerably more in line with ICANN’s position than that of Tucows, which wants to stop collecting that data altogether.

One area where EDPB does in fact shoot down ICANN’s new Whois policy is when it comes to data retention.

The current ICANN contracts make registrars retain data for two years, but the EDPB notes that ICANN does not explain why or where that number comes from (I hear it was “pulled out of somebody’s ass”).

The EDPB says that ICANN needs to “re-evaluate the proposed data retention period of two years and to explicitly justify and document why it is necessary”.

Finally, the EDPB weighs in on the issue of Whois records for “legal persons” (as opposed to “natural persons”). It turns out their Whois records are not immune to GDPR either.

If a company lists John Smith and john.smith@example.com in its Whois records, that’s personal data on Mr Smith and therefore falls under GDPR, the letter says.

That should provide a strong incentive for registries and registrars to stop publishing potentially personal fields, if they’re still doing so.

5 Comments Tagged: edpb, epag, european data protection board, gdpr, ICANN, privacy, tucows, whois, wp29

New gTLD fees could be kept artificially high

More windfalls for ICANN? It’s possible that application fees for new gTLDs could be artificially propped up in order to discourage gaming.

In the newly published draft policy recommendations for the next new gTLD round, ICANN volunteers expressed support for keeping fees high “to deter speculation, warehousing of
TLDs, and mitigating against the use of TLDs for abusive or malicious purposes”.

It’s one of the ideas posed in the the Initial Report on the New gTLD Subsequent Procedures Policy Development Process, published this week.

It recommends that ICANN continues to price its application fees on a revenue-neutral basis, but with one big exception.

The report notes that there’s support for an “application fee floor” — a minimum fee threshold that would not be crossed no matter how cheap application processing actually becomes:

there might be a case where a revenue neutral approach results in a fee that is “too low,” which could result in an excessive amount of applications (e.g., making warehousing, squatting, or otherwise potentially frivolous applications much easier to submit), reduce the sense of responsibility and value in managing a distinct and unique piece of the Internet, and diminish the seriousness of the commitment to owning a TLD.

The subgroup looking at fees was “generally supportive” of the notion of a floor, the report says.

If the fee floor were used, excess funds would have to be pumped into efforts such as “universal acceptance”, the ongoing outreach project that hopes to persuade developers to ensure their software supports all TLDs.

It could also be used to support applications from the poorer regions of the world.

I wonder how much of a deterrent to warehousing an artificially high application fee would be; deep-pocketed Google and Amazon appear to have warehoused dozens of TLDs they applied for in the 2012 round.

The application fee in 2012 was $185,000 per string, priced on a “cost recovery” basis. The idea was that ICANN shouldn’t use the fees to subsidize its regular operations and vice versa.

But with roughly one third of that amount earmarked for unexpected contingencies — basically a legal defense fund — ICANN currently has close to $100 million in unspent fees sitting idle in a dedicated bank account.

The Initial Report also discusses whether application fees should be varied based on application type, as well as posing dozens of other questions for the community on the rules for the next round of new gTLDs.

Comment here.

1 Comment Tagged: fees, ICANN, new gTLDs

First-come, first-served for new gTLDs? Have your say

Should new gTLDs be allocated on a first-come, first-served basis? That’s a possibility that has not yet been ruled out by the ICANN community.

The ICANN working group currently writing policy for the next round of gTLD applications has published its first draft for public comment, and FCFS is one option still on the table.

The Initial Report on the New gTLD Subsequent Procedures Policy Development Process outlines six possible paths for the new gTLD program, and the group wants to hear your feedback.

The six options presented range from a 2012-style one-off application round, followed again by a potentially interminable series of reviews, to full-on FCFS from day one.

With neither of those extremes particularly appealing, the working group seems to be erring towards one of the four other choices.

ICANN could, for example, announce two or three more rounds, with firm dates for each perhaps separated by a year or two, followed by a long breather period.

Or it could kick of an endless series of application periods, perhaps happening at the same time every year.

Or it could conduct one or more rounds before implementing full FCFS.

The report lists many of the pros and cons of these various options.

For example, FCFS could lead to scrappy applications, gTLD warehousing, capture by ICANN insiders, and disadvantages to community applicants, but it could also reduce the cost of acquiring a gTLD by eliminating expensive auction-based contention resolution.

Conversely, the round-based structure could cause scaling problems for ICANN, could face unanticipated delays, and may not be responsive to applicants’ business needs, the report says.

The working group could not reach consensus on which model should be used, but it noted that there was no appetite for either immediate FCFS or another 2012-style effort. Its report states:

The Working Group recommends that the next introduction of new gTLDs shall be in the form of a “round.” With respect to subsequent introductions of the new gTLDs, although the Working Group does not have any consensus on a specific proposal, it does generally believe that it should be known prior to the launch of the next round either (a) the date in which the next introduction of new gTLDs will take place or (b) the specific set of criteria and/or events that must occur prior to the opening up of the subsequent process. For the purposes of providing an example, prior to the launch of the next round of new gTLDs, ICANN could state something like, “The subsequent introduction of new gTLDs after this round will occur on January 1, 2023 or nine months following the date in which 50% of the applications from the last round have completed Initial Evaluation.”

The question of how to balance rounds and, potentially, FCFS, is one of many, many questions posed in the 310-page initial report. You can comment here.

Expect more coverage of this monster from DI shortly.

Comment Tagged: fcfs, ICANN, new gTLDs