Latest news of the domain name industry

Recent Posts

Refund “options” for in-limbo gTLD applicants?

Kevin Murphy, November 6, 2017, Domain Policy

ICANN may just be a matter of weeks away from giving applicants for the .mail, .corp and .home gTLDs an exit strategy from their four years in limbo.

Its board of directors on Thursday passed a resolution calling for staff to “provide options for the Board to consider to address the New gTLD Program applications for .CORP, .HOME, and .MAIL by the first available meeting of the Board following the ICANN60 meeting in Abu Dhabi”.

It’s possible this means the board could consider the matter before the end of the year.

Twenty remaining applications for the three strings have been on hold since they were identified as particularly risky in August 2013.

A study showed that all three — .home and .corp in particular — already experience vast amounts of erroneous DNS traffic on a daily basis.

This is due to so-called “name collisions”, which come about when a newly delegated TLD is actually already in use on corporate or public networks.

Many companies use .corp and .mail already behind their firewalls, a practice sometimes historically encouraged by commercial technical documentation, and .home is known to be used by some ISPs in residential and business routers.

Both of these scenarios and others can lead to DNS queries spilling out onto the public internet, which could cause breakage or data leakage.

The solution for all new gTLDs delegated to date has been to wildcard the entire zone with the message “Your DNS needs immediate attention” for a period before registrations are accepted.

This has led to some new gTLDs with far less collision traffic seeing small but notable pockets of outrage when delegated — Google’s .prod (used by some as an internal shorthand for “production”) in 2014.

Studies to date have concentrated on the volume of error traffic to applied-for gTLDs, but last Thursday the ICANN board kicked off a study that will look at what the real-world impact of name collisions in .mail, .corp and .home could be.

It’s tasked the Security and Stability Advisory Committee with carrying out the study in conjunction with related groups such as the IETF.

But this is likely to take quite a long time, so the board also resolved to think up “options” for the 20 affected applications.

Could the applicants be offered a full refund, as opposed to the partial one they currently qualify for? Could there be some kind of deferment option, such as that offered to unsuccessful 2000-round applicants? Either seems possible.

ICANN beefs up background checks on directors amid concerns about vice-chair

Kevin Murphy, November 6, 2017, Domain Policy

ICANN is to beef up background screening procedures for its own board of directors after concerns were raised about financial integrity.

Directors in four seats that were not previously subject to screening have voluntarily agreed to checks “immediately” and ICANN has urged two of its supporting organizations to bring in such checks as standard.

Chris Disspain and Mike Silber, selected by the Country Code Names Supporting Organization, and Generic Names Supporting Organization selectees Becky Burr and Matthew Shears are these volunteers.

Neither the GNSO nor ccNSO currently screen their director picks to the same standard as other supporting organizations and the Nominating Committee.

ICANN said that they will be checked for “negative indicators such as discrepancies on a resume (including licenses, educational history and employment history), or publicly reported issues of financial mismanagement, fraud, harassment and mishandling of confidential information”.

The board passed a resolution last Thursday calling for the two SOs to bring in “the same or similar” screening procedures for future directors.

The resolution was passed minutes before the formal handover of power from outgoing chair Steve Crocker to new chair Cherine Chalaby. Disspain is the new vice-chair, replacing Chalaby.

ICANN had been put under pressure to widen its director due diligence earlier in the week by consultant and long-time ICANN community member Ron Andruff, who is known to have concerns about Disspain’s financial integrity.

Andruff spoke at an open-mic session with the board last Monday to recommend that the four anomalous directors face screening before the board was re-seated just a few days later.

“We’re talking about risk,” he said. “We’re talking about making sure that we do not put our institution that we’ve worked so hard to put into ICANN 2.0 in a place where we have four people that might have something, or not. And quite frankly, I don’t expect we’re going to find anything. I just want to make sure that we’ve checked that box,” Andruff said.

“We have the resources to do four background screenings between now and Thursday. No one expects any issues to surface. But this simple act will ensure that the institution is properly protected,” Andruff said.

Then-chair Crocker responded that it would not be possible to do the checks so quickly, but agreed in principle with the need for screening and said the board had had “substantial discussions” on the matter.

Andruff is former chair-elect of the Nominating Committee, which chooses eight directors and subjects all of its appointees to background screening.

He recently made a Freedom of Information Act request in Australia related to the circumstances leading to Disspain getting fired as CEO of local ccTLD administrator auDA in March 2016.

Disspain was let go after his relationship with the auDA board became “increasingly strained over issues of process, transparency and accountability”, according to an external review published by auDA in October last year.

auDA’s practices had “not kept pace with auDA’s growth in scale and importance to the Australian community, nor with evolving good practice in governance and accountability”, this review found.

The review did not directly allege any wrongdoing by Disspain.

A separate and currently unpublished review around the same time by PPB Advisory found that auDA had been “under-reporting” so-called “fringe benefit tax” to the Aussie tax authorities, according to auDA board meeting minutes.

FBT is tax companies must pay on employee benefits such as a company car or payment of private expenses.

There’s no clear indication in the public record that this under-reporting was directly related to benefits Disspain received, though the under-reporting very likely happened at least partially during his 15 years as CEO.

A slide deck discussing the PPB review published by auDA identified “a lack of formal policies and procedures governing how travel and expenses were managed”.

It added: “There were high levels of expenditure on international travel and reimbursement arrangements with international bodies that lacked transparency, which should have warranted a more robust process”.

All expenses incurred by ICANN’s directors and reimbursed in relation to their duties are a matter of public record.

Disspain receives not only a $45,000 annual salary but also tens of thousands of dollars in reimbursements each year, much of which is related to directors’ extensive travel obligations, these records show.

In its last reported tax year, to June 30, 2016, he received $68,437 in reimbursements, according to a published document (pdf). ICANN directly paid another $32,951 on his behalf.

A number of allegations have been made to DI (and, I believe, to other bloggers) over the last few months about alleged wrongdoing by Disspain in connection to these nuggets of information, but they’ve come from sources who refuse to identify themselves or provide corroborating evidence.

Despite efforts, I’ve been unable to independently verify these anonymous claims, which come amid turbulent times for auDA and its members, so I’ve chosen not to repeat them.

Andruff, meanwhile, has used FOI law to ask the Australian government, which has oversight of auDA, for the full PPB report, as well as documents related to the FBT issue, Disspain’s termination and his travel expenses.

Andruff and Disspain are known to have a history of friction.

Two years ago, Andruff expressed his anger after having been passed over for the job of chair of the NomCom, a role that be believes should have gone to him as chair-elect.

He lost the opportunity after the ICANN board, exercising its bylaws-permitted discretion, accepted the recommendation of its Board Governance Committee — at the time chaired by Disspain — that it be given to Stephane Van Gelder instead.

The original deadline for the Australian government response to Andruff’s FOI request was October 16, but this has been extended twice, now to November 19, due to the complexity of the request.

The eventual response will no doubt be read with interest.

“We own your name” government tells Amazon in explosive slapdown

Kevin Murphy, October 29, 2017, Domain Policy

Amazon suffered a blistering attack from South American governments over its controversial .amazon gTLD applications this weekend.

A Peruvian official today excoriated Amazon’s latest peace offering, telling the tech giant in no uncertain terms that the word “Amazon” is not its property and demanding an apology for the company’s alleged behavior during recent legal proceedings.

“We will be giving you permission to use a certain word, not the other way around,” she said. “We are the owners of the Amazonian region.”

Speaking for almost 10 minutes during a session at the ICANN 60 meeting in Abu Dhabi this afternoon, Peru’s representative to the Governmental Advisory Committee pulled rank and scolded Amazon like a naughty schoolchild.

She claimed that Amazon had been bad-mouthing Peru by saying former GAC reps had “lied to and manipulated” the rest of the GAC in order to get support for its objection. She then demanded an apology from the company for this.

She was speaking in support of the idea that the string “Amazon” belongs to the people of the Amazonas region, which covers as many as eight South American countries, rather than the American company, despite the fact that none of those countries use the English word to describe the region.

Her remarks drew applause from parts of the audience.

Amazon had showed up at the session — described by two GAC reps later as a “lion’s den” — to offer a “strong, agreed-upon compromise that addresses the needs of the governments”.

The proposed deal would see the GAC drop its objections to .amazon in exchange for certain safeguards.

Amazon is promising to reserve geographically and culturally sensitive words at the second level in .amazon.

The domain rainforest.amazon, its associate general counsel Dana Northcott said by way of example, would be never be used by anyone.

Affected governments would get to negotiate a list of such terms before .amazon went live and there’d be an ongoing consultation process for more such terms to be protected in future.

The company has also promised not to object to — and in fact to actively support with hard resources — any future applications for .amazonas or other local-language variants by the people of the region.

But Peru was not impressed, telling the company that not only is the English version of the name of the region not its property but also that it must show more respect to governments.

“No government is going to accept any impositions from you,” she said, before appealing to fellow GAC members that the issue represents a kind of existential threat.

“The core issue here… is our survival as governments in this pseudo-multi-stakeholder space that has been invented,” she said.

“They want us to believe this is a place where we have dignity but that is increasingly obvious that this is not the case,” she said. “We don’t have it. And that is because of companies like yours… Companies that persist in not respecting the governments and the people they represent.”

The Peruvian GAC rep, listed on the GAC web site as María Milagros Castañon Seoane but addressed only as “Peru” during the session, spoke in Spanish; I’ve been quoting the live interpretation provided by ICANN.

Her remarks, in my opinion, were at least partially an attempt to strengthen her side’s negotiating hand after an Independent Review Process panel this July spanked ICANN for giving too much deference to GAC advice.

The IRP panel decided that ICANN had killed the .amazon applications — in breach of its bylaws — due to a GAC objection that appeared on the face of the public record to be based on little more than governmental whim.

The panel essentially highlighted a clash between ICANN’s bylaws commitments to fairness and transparency and the fact that its New gTLD Applicant Guidebook rules gave the GAC a veto over any application for any reason with no obligation to explain itself.

It told ICANN to reopen the applications for consideration and “make an objective and independent judgment regarding whether there are, in fact, well-founded, merits-based public policy reasons for denying Amazon’s applications”.

That was back in July. Earlier today, the ICANN board of directors in response to the IRP passed a resolution calling for the GAC to explain itself before ICANN 61 in March next year, resolving in part:

Resolved (2017.10.29.02), the Board asks the GAC if it has: (i) any information to provide to the Board as it relates to the “merits-based public policy reasons,” regarding the GAC’s advice that the Amazon applications should not proceed; or (ii) any other new or additional information to provide to the Board regarding the GAC’s advice that the Amazon applications should not proceed.

Other governments speaking today expressed doubt about whether the IRP ruling should have any jurisdiction over such GAC advice.

“It is not for any panelist to decided what is public policy, it is for the governments to decide,” Iran’s Kavouss Arasteh said.

During a later session today the GAC, talking among itself, made little progress in deciding how to formally respond to the ICANN board’s resolution.

A session between the GAC and the ICANN board on Tuesday is expected to be the next time the issue raises its increasingly ugly head.

Amsterdam refuses to publish Whois records as GDPR row escalates

Kevin Murphy, October 23, 2017, Domain Policy

Two Dutch geo-gTLDs are refusing to provide public access to Whois records in what could be a sign of things to come for the whole industry under new European privacy law.

Both .amsterdam and .frl appear to be automatically applying privacy to registrant data and say they will only provide full Whois access to vetted individuals such as law enforcement officials.

ICANN has evidently slapped a breach notice on both registries, which are now complaining that the Whois provisions in their Registry Agreements are “null and void” under Dutch and European Union law.

FRLregistry and dotAmsterdam, based in the Netherlands, are the registries concerned. They’re basically under the same management and affiliated with the local registrar Mijndomein.

dotAmsterdam operates under the authority of the city government. .frl is an abbreviation of Friesland, a Dutch province.

Both companies’ official registry sites, which are virtually identical, do not offer links to Whois search. Instead, they offer a statement about their Whois privacy policy.

That policy states that Dutch and EU law “forbids that names, addresses, telephone numbers or e-mail addresses of Dutch private persons can be accessed and used freely over the internet by any person or organization”.

It goes on to state that any “private person” that registers a domain will have their private contact information replaced with a “privacy protected” message in Whois.

Legal entities such as companies do not count as “private persons”.

Under the standard ICANN Registry Agreement, all new gTLDs are obliged to provide public Whois access under section 2.5. According to correspondence from the lawyer for both .frl and .amsterdam, published by ICANN, the two registries have been told they are in breach.

It seems the breach notices have not yet escalated to the point at which ICANN publishes them on its web site. At least, they have not been published yet for some reason.

But the registries have lawyered up already, regardless.

A letter from Jetse Sprey of Versteeg Wigman Sprey to ICANN says that the registries are free to ignore section 2.5 of their RAs because it’s not compliant with the Dutch Data Protection Act and, perhaps more significantly, the EU General Data Protection Regulation.

The GDPR is perhaps the most pressing issue for ICANN at the moment.

It’s an EU law due to come into effect in May next year. It has the potential to completely rewrite the rules of Whois access for the entire industry, sidestepping the almost two decades of largely fruitless ICANN community discussions on the topic.

It covers any company that processes private data on EU citizens; breaching it can incur fines of up to €20 million or 4% of revenue, whichever is higher.

One of its key controversies is the idea that citizens should have the right to “consent” to their personal data being processed and that this consent cannot be “bundled” with access to the product or service on offer.

According to Sprey, because the Registry Agreement does not give registrants a way to register a domain without giving their consent to their Whois details being published, it violates the GDPR. Therefore, his clients are allowed to ignore that part of the RA.

These two gTLDs are the first I’m aware of to openly challenge ICANN so directly, but GDPR is a fiercely hot topic in the industry right now.

During a recent webinar, ICANN CEO Goran Marby expressed frustration that GDPR seems to have come about — under the watch of previous CEOs — without any input from the ICANN community, consideration in the EU legislative process of how it would affect Whois, or even any discussion within ICANN’s own Governmental Advisory Committee.

“We are seeing an increasing potential risk that the incoming GDPR regulation will mean a limited WHOIS system,” he said October 4. “We appreciate that for registers and registers, this regulation would impact how you will do your business going forward.”

ICANN has engaged EU legal experts and has reached out to data commissioners in the 28 EU member states for guidance, but Marby pointed out that full clarity on how GDPR affects the domain industry could be years away.

It seems possible there would have to be test cases, which could take five years or more, in affected EU states, he suggested.

ICANN is also engaging with the community in its attempt to figure out what to do about GDPR. One project has seen it attempt to gather Whois use cases from interested parties. Long-running community working groups are also looking at the issue.

But the domain industry has accused ICANN the organization of not doing enough fast enough.

Paul Diaz and Graeme Bunton, chairs of the Registries Stakeholder Group and Registrars Stakeholder Group respectively, have recently escalated the complaints over ICANN’s perceived inaction.

They told Marby in a letter that they need to have a solution in place in the next 60 days in order to give them time to implement it before the May 2018 GDPR deadline.

Complaining that ICANN is moving too slowly, the October 13 letter states:

The simple fact is that the requirements under GDPR and the requirements in our contracts with ICANN to collect, retain, display, and transfer personal data stand in conflict with each other.

GDPR presents a clear and present contractual compliance problem that must be resolved, regardless of whether new policy should be developed or existing policy adjusted. We simply cannot afford to wait any longer to start tackling this problem head-on.

For registries and registrars, the lack of clarity and the risk of breach notices are not the only problem. Many registrars make a bunch of cash out of privacy services; that may no longer be as viable a business if privacy for individuals is baked into the rules.

Other interests, such as the Intellectual Property Constituency (in favor of its own members’ continued access to Whois) and non-commercial users (in favor of a fundamental right to privacy) are also complaining that their voices are not being heard clearly enough.

The GDPR issue is likely to be one of the liveliest sources of discussion at ICANN 60, the public meeting that kicks off in Abu Dhabi this weekend.

UPDATE: This post was updated October 25 to add a sentence clarifying that companies are not “private persons”.

Chalaby named next ICANN chair

Kevin Murphy, September 26, 2017, Domain Policy

Cherine Chalaby is to be the next chair of ICANN.

In a case of burying the lede extreme even by ICANN standards, current chair Steve Crocker announced the news in the 11th paragraph of a blog post entitled “Chairman’s Blog: The Montevideo Workshop Wrap-Up” this evening.

Crocker wrote: “the Board had an opportunity to participate in the discussion of the Board’s future leadership, and have indicated unanimous support for the future election of Cherine Chalaby as the next Chair of the ICANN Board.”

No formal election has happened yet, but the board decided to come to a consensus on which way they will vote anyway.

Chris Disspain has been selected future vice-chair using the same informal process, Crocker wrote.

The actual raising of hands will take place during the board’s Annual General Meeting in Abu Dhabi at ICANN 60 in early November.

Chalaby was born in Egypt, also holds British citizenship, and lives in ICANN’s home town of Los Angeles.

He’s the first ICANN chair to come from the financial services world, having served a career at Accenture before joining Rasmala Investments.

He’s been a member of the ICANN board since the Nominating Committee selected him in December 2010 and was elected vice-chair a few years back.

His stint as chair will not be long. I believe he’s term-limited and will have to step aside at the end of 2019.

Crocker, an early internet pioneer, has been chair since 2011. No doubt ICANN is planning a big send-off for him at ICANN 60.

  • Page 1 of 2
  • 1
  • 2
  • >