ICANN could block Donuts from buying Afilias

In what appears to be an almost unprecedented move, ICANN is to review Donuts’ proposed acquisition of rival Afilias at the highest level, raising a question mark over the industry mega-merger.

The org’s board of directors will meet Thursday to consider, among other things, “Afilias Change of Control Approval Request”.

It’s highly unusual for a change of control to be discussed at such a high level.

Every registry contract contains clauses requiring ICANN’s consent before a registry switches owners, and it has approved hundreds over the last decade. But the process is usually handled by legal staff, without board involvement.

The only time, to my memory, that the board has got involved was when it withheld consent from .org manager Public Interest Registry earlier this year.

It’s not entirely clear why Afilias has been singled out for special treatment.

It’s probably not due to its status as a legacy gTLD registry operator because of .info — when GoDaddy bought .biz operator Neustar’s registry business earlier this year, there was no such board review.

In addition, the .info contract’s change of control provisions are very similar to those in the standard new gTLD contract.

Could it be due to Donuts executives former ties to ICANN and the perception of a conflict of interest? Again, it seems unlikely.

While Donuts CEO Akram Atallah is former president of ICANN’s Global Domains Division, former ICANN CEO Fadi Chehadé is no longer involved with Donuts owner Abry Partners, having jumped to erstwhile PIR bidder Ethos Capital this July.

Are there competition concerns? It’s a possibility.

Afilias holds the contracts for 24 gTLDs new and legacy, but supports a couple hundred more, while Donuts is contracted for over 240.

But between them, they have barely 10 million domains under management. Donuts isn’t even the market leader in terms of new gTLD registrations.

And ICANN avoids making competition pronouncements like the plague, preferring instead to refer to national competition regulators.

Could ICANN’s interest have been perked by the fact that Afilias is the back-end provider for .org’s 10 million domains, and the proposed Donuts deal comes hot on the heels of the failed PIR acquisition? Again, it’s a possibility.

But none of the dangers ICANN identified in the .org deal — such as pricing, freedom of speech, and the change from a non-profit to for-profit corporate structure — appear to apply here.

There could be technical concerns. Atallah told DI a couple weeks ago that the plan was to ultimately migrate its managed TLDs to its Amazon cloud-based registry.

But moving its clients’ TLDs to a new back-end infrastructure would require their consent — it would be up to PIR and its overlords at the Internet Society to agree to moving .org to the cloud.

I think it’s likely that a combination of all the above factors, and maybe others, are what’s driving the Afilias acquisition to the ICANN boardroom. It will be interesting to see what the board decrees.

Donuts boss discusses shock Afilias deal

Afilias is to spin off its registrar business and also its contested application for the .web gTLD, following its acquisition by Donuts, according to Donuts CEO Akram Atallah.

Speaking to DI last night, Atallah explained a little about how the deal, which creates a registry with about 450 strings under management, came about.

Rather than a straightforward bilateral negotiation, is seems like Afilias was shopping itself around for a buyer. Several companies were invited to bid, and Donuts won. Atallah said he does not know how many, or which, bidders Donuts was competing against.

Afilias was making over $100 million a year in revenue last time its accounts were published in 2017, but its largest gTLDs are in decline and it took a big hit when Public Interest Registry renegotiated its back-end contract for .org in 2018.

The acquisition, the value of which has not been disclosed, does not include Afilias’ registrar or mobile businesses, which Atallah said will be spun off.

He also revealed that the deal does not include Afilias’ .web gTLD application, which came second in an ICANN auction won by a Verisign-backed bidder a few years back.

Afilias is currently waiting for the results of an Independent Review Process case that seeks to overturn the winning $135 million bid and award the potentially lucrative gTLD to Afilias. The case was heard in August and a decision is surely not many months away.

What the deal does include are all of Afilias’ registry assets, including its owned gTLDs and its back-end service provider contracts.

I asked Atallah what the plans are for migrating or integrating the two registry platforms. While Afilias runs its own data centers, Donuts migrated its registry to Amazon’s AWS cloud service earlier this year.

“We have to make sure whatever we do is as painless as possible to our registrar channel and partners,” he said. “We believe that at least on the new gTLDs that they have it will probably be easier for us to move them to our back-end, which is on the cloud already… We’ll probably do that fairly quickly.”

“But remember they have other registries and ccTLDs that don’t own that they run on their back-end, so there’ll be business issues and negotiations there to see what we can do there,” he added.

While he’s not expecting anyone to notice any big changes immediately, Atallah said that over time features such as the companies’ different EPP commands will be merged, and that valued-added services will start to cross-pollinate.

“All of the features we have on our TLDs will migrate to their TLDs and vice versa,” he said.

That means things like the Domain Protected Marks List, a defensive registration service for trademark owners, will start to show up in Afilias gTLDs before long, he said.

I asked about the possibility of layoffs, something that is no doubt worrying staff at both companies right now and seems quite possible given the move to the cloud, but Atallah said it was too early to say. Nothing will change until the deal closes at the end of the year, he said.

“Once we actually close, we’ll sit down with the management of the Afilias registry team and look at all the different assets that we have and try to pick the best in class in technology and services,” he said.

Having seen some mutterings about competition concerns, I put that question to Atallah. He laughed it away, pointing out that, even combined with Afilias, Donuts will have fewer than 15 million domains under management.

Donuts acquires Afilias to create registry giant

Donuts has agreed to acquire Afilias, the two companies have just announced.

The purchase, for an undisclosed sum, will create a registry giant, responsible in one way or the other for over 450 top-level domains.

The deal will not include Afilias’ registrar or mobile software businesses, the companies said.

The acquisition, between two private companies, is expected to close before the end of the year.

Afilias is probably best known for .info, which it has been running for almost two decades. That gTLD has almost 4.7 million domains under management.

It also runs .mobi, .pro and 21 new gTLDs from the 2012 application round, including .global, .green, .pet, .kim and .lgbt.

It acts as the back-end registry provider for over 200 third-party TLDs, the largest of which is .org, and provides DNS resolution services for other TLDs and enterprises.

Donuts owns the largest portfolio of new gTLDs, with 242 in its stable at the last count.

ICANN ordered to freeze .hotel after “serious questions” about trade secrets “theft”

ICANN has been instructed to place the proposed .hotel gTLD in limbo after four applicants for the string raised “sufficiently serious questions” that ICANN may have whitewashed the “theft” of trade secrets.

The order was handed down last month by the emergency panelist in the Independent Review Process case against ICANN by claimants Fegistry, MMX, Radix and Domain Ventures Partners.

Christopher Gibson told ICANN to “maintain the status quo” with regards the .hotel contention set, meaning currently winning applicant Hotel Top Level Domain, which is now owned by Afilias, won’t get contracted or delegated until the IRP is resolved.

At the core of the decision (pdf) is Gibson’s view that the claimants raised “sufficiently serious questions related to the merits” in allegations that ICANN mishandled and acted less than transparently in its investigation into a series of data breaches several years ago.

You may recall that ICANN seriously screwed up its new gTLD application portal, configuring in such a way that any applicant was able to search for and view the confidential data, including financial information such as revenue projections, of any other competing applicant.

Basically, ICANN was accidentally publishing applicants’ trade secrets on its web site for years.

ICANN discovered the glitch in 2015 and conducted an audit, which initially fingered Dirk Krischenowski — who at time was the half-owner of a company that owned almost half of HTLD as well as a lead consultant on the bid — as the person who appeared to have accessed the vast majority of the confidential data in March and April 2014.

ICANN did not initially go public with his identity, but it did inform the affected applicants and I managed to get a copy of the email, which said he’d downloaded about 200 records he shouldn’t have been able to access.

It later came to light that Krischenowski was not the only HTLD employee to use the misconfiguration to access data — according to ICANN, then-CEO of HTLD Katrin Ohlmer and lawyer Oliver Süme had too.

HTLD execs have always denied any wrongdoing, and as far as I know there’s never been any action against them in the proper courts. Krischenowski has maintained that he had no idea the portal was glitched, and he was using it in good faith.

Also, neither Ohlmer nor Krischenowski are still involved with HTLD, having been bought out by Afilias after the hacking claims emerged.

These claims of trade secret “theft” are being raised again now because the losing .hotel applicants think ICANN screwed up its probe and basically tried to make it go away out of embarrassment.

Back in August 2016, the ICANN board decided that demands to cancel the HTLD application were “not warranted”. Ohlmer barely gets a mention in the resolution’s rationale.

The losing applicants challenged this decision in a Request for Reconsideration in 2016, known as Request 16-11 (pdf). In that request, they argued that the ICANN board had basically ignored Ohlmer’s role.

Request 16-11 was finally rejected by the ICANN board in January last year, with the board saying it had in fact considered Ohlmer when making its decision.

But the IRP claimants now point to a baffling part of ICANN’s rationale for doing so: that it found “no evidence that any of the confidential information that Ms. Ohlmer (or Mr. Krischenowski) improperly accessed was provided to HTLD”.

In other words, ICANN said that the CEO of the company did not provide the information that she had obtained to the company of which she was CEO. Clear?

Another reason for brushing off the hacking claims has been that HTLD could have seen no benefit during the application process by having access to its rivals’ confidential data.

HTLD won the contention set, avoiding the need for an auction, in a Community Priority Evaluation. ICANN says the CPE was wholly based on information provided in its 2012 application, so any data obtained in 2014 would have been worthless.

But the losing applicants say that doesn’t matter, as HTLD/Afilias still have access to their trade secrets, which could make the company a more effective competitor should .hotel be delegated.

This all seems to have been important to Gibson’s determination. He wrote in his emergency ruling (pdf) last month:

The Emergency Panelist determines that Claimants have raised “sufficiently serious questions related to the merits” in in relation to the Board’s denial of Request 16-11, with respect to the allegations concerning the Portal Configuration issues in Request 16-11. This conclusion is made on the basis of all of the above information, and in view of Claimants’ IRP Request claim that ICANN subverted the investigation into HTLD’s alleged theft of trade secrets. In particular, Claimants claim that ICANN refused to produce key information underlying its reported conclusions in the investigation; that it violated the duty of transparency by withholding that information; that the Board’s action to ignore relevant facts and law was a violation of Bylaws; and further, to extent the BAMC and/or Board failed to have such information before deciding to disregard HTLD’s alleged breach, that violated their duty of due diligence upon reasonable investigation, and duty of independent judgment.

The Emergency Panelist echoes concerns that were raised initially by the Despegar IRP Panel regarding the Portal Configuration issues, where that Panel found that “serious allegations” had been made188 and referenced Article III(1) of ICANN’s Bylaws in effect at that time, but declined to make a finding on those issues, indicating “that it should remain open to be considered at a future IRP should one be commenced in respect of this issue.” Since that time, ICANN conducted an internal investigation of the Portal Configuration issues, as noted above; however, the alleged lack of disclosure, as well as certain inconsistencies in the decisions of the BAMC and the Board regarding the persons to whom the confidential information was disclosed and their relationship to, or position with HTLD, as well as ICANN’s decision to ultimately rely on a “no harm no foul” rationale when deciding to permit the HTLD application to proceed, all raise sufficiently serious questions related to the merits of whether the Board breached ICANN’s Article, Bylaws or other polices and commitments.

It’s important to note that this is not a final ruling that ICANN did anything wrong, it’s basically the ICANN equivalent of a ruling on a preliminary injunction and Gibson is saying the claimants’ allegations are worthy of further inquiry.

And the ruling did not go entirely the way of the claimants. Gibson in fact ruled against them on most of their demands.

For example, he said their was insufficient evidence to revisit claims that a review of the CPE process carried out by FTI Consulting was a whitewash, and he refused to order ICANN to preserve documentation relating to the case (though ICANN has said it will do so anyway).

He also ruled against the claimants on a few procedural issues, such as their demands for an Ombudsman review and for IRP administrator the International Center for Dispute Resolution to recuse itself.

Some of their claims were also time-barred under ICANN’s equivalent of the statute of limitations.

But ICANN will be prevented from contracting with HTLD/Afilias for now, which is a key strategic win.

ICANN reckons the claimants are just using the IRP to try to force deep-pocketed Afilias into a private auction they can be paid to lose, and I don’t doubt there’s more than a grain of truth in that claim.

But if it exposes another ICANN cover-up in the process, I for one can live with that.

The case continues…

The $135 million battle for .web could be won in weeks

Afilias is to get its day in “court” to decide the fate of the .web gTLD just 10 days from now.

The registry is due to face off with ICANN before an Independent Review Process panel in a series of virtual hearings beginning August 3.

The IRP complaint was filed late 2018 as the endgame of Afilias’ attempt to have the results of the July 2016 .web auction overturned.

You’ll recall that Verisign secretly bankrolled the winning bidder, a new gTLD investment vehicle called Nu Dot Co, to the tune of $135 million, causing rival bidders to cry foul.

If that win was vacated, Afilias could take control of .web with its second-place bid.

Afilias claims that ICANN broke its own rules by refusing to thoroughly analyze whether NDC had a secret sugar daddy, something DI first reported on two weeks before the auction.

It has put forward the entirely plausible argument that Verisign splashed out what amounts to about a month’s .com revenue on .web in order to bury it and fortify its .com mindshare monopoly against what could be its most formidable competitor.

In the IRP case to date, ICANN has been acting as transparently as you’d expect when its legal team is involved.

It first redacted all the juiciest details from the Verisign-NDC “Domain Acquisition Agreement” and the presumably damaging testimony of one of its own directors, and more recently has been fighting Afilias’ demands for document discovery.

In March, the IRP panel ruled against ICANN’s protests on almost every count, ordering the org to hand over a mountain of documentation detailing its communications with Verisign and NDC and its internal deliberations around the time of the auction.

But the ace up ICANN’s sleeve may be an allegation made by Verisign that Afilias itself is the one that broke the auction’s rules.

Verisign has produced evidence that an Afilias exec contacted his NDC counterpart five days before the auction, breaking a “blackout period” rule so serious that violators could lose their applications.

While Afilias denies the allegation, the IRP panel ruled in March that Afilias must hand over copies of all communications between itself and rival bidders over the auction period.

We’re not likely to see any of this stuff until the panel issues its final declaration, of course.

In the past, IRP panels have taken as long as six or seven months after the final hearing to deliver their verdicts, but the most-recently decided case, Amazon v ICANN, was decided in just eight or nine weeks.

.black gTLD has seen boost since George Floyd killing

Afilias’ little-known new gTLD .black has seen a noticeable increase in registrations in the last few weeks, as Black Lives Matter protests span the globe.

Between January 1 and May 25 this year, the day on which George Floyd was killed by Minneapolis police over a trivial offence, the gTLD’s zone file grew by 227 domains.

But in the 22 days since the killing, as BLM protests have spread across the US and elsewhere, it’s grown by 292 domains, currently standing at a modest 4,490.

Basically, it’s grown in three weeks by more than the previous five months combined.

The domain georgefloyd.black was registered May 27, after video of the incident shared on social media had attracted mainstream media attention, and is currently parked at GoDaddy.

Other .black domains registered since his death include accountable.black, lives.black, understanding.black, listen.black and itshardbeing.black.

Afilias promotes .vote domains amid US vote-by-mail controversy

Afilias-owned Monolith Registry, which runs .vote and .voto, has launched a site designed to help US citizens figure out how — or if — they’re able to vote by mail during the coronavirus outbreak.

The site, at mailyourballot.vote, comes as controversy rages in the US about whether voters should be forced to show up in person to ballot boxes in the midst of a deadly-virulent pandemic.

Reports suggest that Republicans are generally against mail-in votes, hiding behind bogus fears of voter fraud, because a lower turnout generally favors their candidates.

While I suppose one could argue that by attempting to make the information accessible it’s implicitly picking a side, Afilias doesn’t have a lot to say about the partisan debate. It said in a press release:

In the age of COVID-19, many voters are interested in voting by mail to avoid potential exposure to the virus. Unfortunately, learning HOW to vote by mail is difficult, as every state has different rules and puts this critical information in a different place. For example, 7 states (IN, LA, MI, SC, TX, YN and KY) restrict voting by mail to elderly voters only and 29 states (plus Washington, D.C.) only allow it in federal elections. Recently, governors of two states (NY and KY) ordered absentee ballot applications to be sent to all of their states’ voters.

The new site itself is little more than a directory: a clickable map of the US that bounces you to the official state government policy/instructions on voting by mail.

.vote isn’t an especially populous gTLD, having roughly 3,500 regs at the last count.

The US presidential election is this November.

Hacking claims resurface as .hotel losers force ICANN to lawyer up again

The fight over .hotel has been escalated, with four unsuccessful applicants for the gTLD whacking ICANN with a second Independent Review Process appeal.
The complaint resurrects old claims that a former lead on the successful application, now belonging to Afilias, stole trade secrets from competing applicants via a glitched ICANN web site.
It also revives allegations that ICANN improperly colluded with the consultant hired to carry out reviews of “community” applications and then whitewashed an “independent” investigation into the same.
The four companies filing the complaint are new gTLD portfolio applicants MMX (Minds + Machines), Radix, Fegistry, and Domain Venture Partners (what we used to call Famous Four).
The IRP was filed November 18 and published by ICANN December 16, but I did not spot it until more recently. Sorry.
There’s a lot of back-story to the complaint, and it’s been a few years since I got into any depth on this topic, so I’m going to get into a loooong, repetitive, soporific, borderline unreadable recap here.
This post could quite easily be subtitled “How ICANN takes a decade to decide a gTLD’s fate”.
There were seven applicants for .hotel back in 2012, but only one of them purported to represent the “hotel community”. That applicant, HOTEL Top Level Domain, was mostly owned by Afilias.
HTLD had managed to get letters of support from a large number of hotel chains and trade groups, to create a semblance of a community that could help it win a Community Priority Evaluation, enabling it to skip to the finish line and avoid a potentially costly auction against its rival applicants.
CPEs were carried out by the Economist Intelligence Unit, an independent ICANN contractor.
Surprisingly to some (including yours truly), back in 2014 it actually managed to win its CPE, scoring 15 out of the 16 available points, surpassing the 14-point winning threshold and consigning its competing bidders’ applications to the scrap heap.
There would be no auction, and no redistribution of wealth between applicants that customarily follows a new gTLD auction.
Naturally, the remaining applicants were not happy about this, and started to fight back.
The first port of call was a Request for Reconsideration, which all six losers filed jointly in June 2014. It accused the EIU of failing to follow proper procedure when it evaluated the HTLD community application.
That RfR was rejected by ICANN, so a request for information under ICANN’s Documentary Information Disclosure Policy followed. The losing applicants reckoned the EIU evaluator had screwed up, perhaps due to poor training, and they wanted to see all the communications between ICANN and the EIU panel.
The DIDP was also rejected by ICANN on commercial confidentiality grounds, so the group of six filed another RfR, asking for the DIDP to be reconsidered.
Guess what? That got rejected too.
So the applicants then filed an IRP case, known as Despegar v ICANN, in March 2015. Despegar is one of the .hotel applicants, and the only one that directly plays in the hotel reservation space already.
The IRP claimed that ICANN shirked its duties by failing to properly oversee and verify the work of the EIU, failing to ensure the CPE criteria were being consistently applied between contention sets, and failing in its transparency obligations by failing to hand over information related to the CPE process.
While this IRP was in its very early stages, it emerged that one of HTLD’s principals and owners, Dirk Krischenowski, had accessed confidential information about the other applicants via an ICANN web site.
ICANN had misconfigured its applicant portal in such a way that any user could very access any attachment on any application belonging to any applicant. This meant sensitive corporate information, such as worst-case-scenario financial planning, was easily viewable via a simple search for over a year.
Krischenowski appears to have been the only person to have noticed this glitch and used it in earnest. ICANN told applicants in May 2015 that he had carried out 60 searches and accessed 200 records using the glitch.
Krischenowski has always denied any wrongdoing and told DI in 2016 that he had always “relied on the proper functioning of ICANN’s technical infrastructure while working with ICANN’s CSC portal.”
The applicants filed another DIDP, but no additional information about the data glitch was forthcoming.
When the first IRP concluded, in February 2016, ICANN prevailed, but the three-person IRP panel expressed concern that neither the EIU nor ICANN had any process in place to ensure that community evaluations carried out by different evaluators were consistently applying the CPE rules.
The IRP panel also expressed concern about the “very serious issues” raised by the ICANN portal glitch and Krischenowski’s data access.
But the loss of the IRP did not stop the six losing applicants from ploughing on. Their lawyer wrote to ICANN in March 2016 to denounce Krischenowski’s actions as “criminal acts” amounting to “HTLD stealing trade secrets of competing applicants”, and as such HTLD’s application for .hotel should be thrown out.
Again, to the best of my knowledge, Krischenowski has never been charged with, let alone convicted of, any criminal act.
Afilias wrote to ICANN not many weeks later, April 2016, to say that it had bought out Krischenowski’s 48.8% stake in HTLD and that he was no longer involved in the company or its .hotel application.
And ICANN’s board of directors decided in August 2016 that Krischenowski may well have accessed documents he was not supposed to, but that it would have happened after the .hotel CPE had been concluded, so there was no real advantage to HTLD.
A second, parallel battle against ICANN by an unrelated new gTLD applicant had been unfolding over the same period.
A company called Dot Registry had failed in its CPE efforts for the strings .llc, .llp and .inc, and in 2014 had filed its own IRP against ICANN, claiming that the EIU had “bungled” the community evaluations, applying “inconsistent” scoring criteria and “harassing” its supporters.
In July 2016, almost two years later, the IRP panel in that case ruled that Dot Registry had prevailed, and launched a withering attack on the transparency and fairness of the ICANN process.
The panel found that, far from being independent, the EIU had actually incorporated notes from ICANN staff into its CPE evaluations during drafting.
It was as a result of this IRP decision, and the ICANN board’s decision that Krischenowski’s actions could not have benefited HTLD, that the losing .hotel applicants filed yet another RfR.
This one lasted two and a half years before being resolved, because in the meantime ICANN launched a review of the CPE process.
It hired a company called FTI Consulting to dig through EIU and ICANN documentation, including thousands of emails that passed between the two, to see if there was any evidence of impropriety. It covered .hotel, .music, .gay and other gTLD contention sets, all of which were put on hold while FTI did its work.
FTI eventually concluded, at the end of 2017, that there was “no evidence that ICANN organization had any undue influence on the CPE reports or engaged in any impropriety in the CPE process”, which affected applicants promptly dismissed as a “whitewash”.
They began lobbying for more information, unsuccessfully, and hit ICANN with yet another RfR in April 2018. Guess what? That one was rejected too.
The .hotel applicants then entered into a Cooperative Engagement Process — basically pre-IRP talks — from October 2018 to November 2019, before this latest IRP was filed.
It’s tempting to characterize it as a bit of a fishing expedition, albeit not a baseless one — any allegations of ICANN’s wrongdoing pertaining the .hotel CPE are dwarfed by the applicants’ outraged claims that ICANN appears to be covering up both its interactions with the EIU and its probe of the Krischenowski incident, partly out of embarrassment.
The claimants want ICANN to be forced to hand over documentation refused them on previous occasions, relating to: “ICANN subversion of the .HOTEL CPE and first IRP (Despegar), ICANN subversion of FTI’s CPE Process Review, ICANN subversion of investigation into HTLD theft of trade secrets, and ICANN allowing a domain registry conglomerate to takeover the ‘community-based’ applicant HTLD.”
“The falsely ‘independent’ CPE processes were in fact subverted by ICANN in violation of Bylaws, HTLD stole trade secrets from at least one competing applicant, and Afilias is not a representative of the purported community,” the IRP states.
“HTLD’s application should be denied, or at least its purported Community Priority relinquished, as a consequence not only for HTLD’s spying on its competitors’ secret information, but also because HTLD is no longer the same company that applied for the .HOTEL TLD. It is now just a registry conglomerate with no ties to the purported, contrived ‘Community’ that it claims entitled to serve,” it goes on.
ICANN is yet to file its response to the complaint.
Whether the IRP will be successful is anyone’s guess, but what’s beyond doubt is that if it runs its course it’s going to add at least a year, probably closer to two, to the delay that .hotel has been languishing under since the applications were filed in 2012.
Potentially lengthening the duration of the case is the claimants’ demand that ICANN “appoint and train” a “Standing Panel” of at least seven IRP panelists from which each three-person IRP panel would be selected.
The standing panel is something that’s been talked about in ICANN’s bylaws for at least six or seven years, but ICANN has never quite got around to creating it.
ICANN pinged the community for comments on how it should go about creating this panel last year, but doesn’t seemed to have provided a progress report for the last nine months.
The .hotel applicants do not appear to be in any hurry to get this issue resolved. The goal is clearly to force the contention set to auction, which presumably could happen at Afilias’ unilateral whim. Time-to-market is only a relevant consideration for the winner.
With .hotel, and Afilias’ lawsuit attempting to block the .web sale to Verisign, the last round of new gTLD program, it seems, is going to take at least a decade from beginning to end.

Is the .co rebid biased toward Afilias? Yeah, kinda

The Colombian government has come under fire for opening up the .co registry contract for rebid in a way that seems predetermined to pick Afilias as the winner, displacing its fierce rival Neustar.
As I blogged in November, Colombia thinks it might be able to secure a better registry deal, so it plans to shortly open .co up to competitive proposals.
A company called .CO Internet, acquired by Neustar for $109 million in 2014, has been running the ccTLD for the last decade. There are currently around 2.3 million .co domains under management, according to Colombia.
With the renewal deadline looming, the government’s technology ministry, MinTIC, published an eyebrow-raising request for proposals last month.
What’s surprising about the RFP is that some of the four main technical performance criteria listed are so stringent that probably only two companies in the industry qualify — Verisign and Afilias, and so far Verisign has not been involved in the RFP process.
The companies that have been engaging with the government to date are Afilias, Neustar/.CO, Nominet, CentralNic and Donuts.
First, MinTIC wants a registry that’s had at least two million domains under management across its portfolio continuously for two years. All five registries qualify there.
Second, it wants a registry that’s been involved in the migration of a TLD of at least one million names, either as the gaining or losing back-end.
That immediately narrows the pack to just two of the five aforementioned registries — Neustar and Afilias.
Verisign would also qualify, if it’s in the bidding, but I suspect it’s not. Taking over .co would look like a “buy it to kill it” strategy, which would be horrible optics for the Colombian government.
There have only ever been three migrations over one million names, to my knowledge: the Verisign->Afilias .org transition of 2003, the Neustar->Afilias .au move of 2018, and last year’s Afilias->Neustar .in handover.
CentralNic, Nominet and Donuts have all moved numerous TLDs between back-ends, but with much smaller per-TLD domain volumes.
Third — and here’s the kicker — the successful .co bidder will have to show that it processes on average 25 million registry transactions — defined as “billable EPP (write) transactions, as well as all EPP search (read) transactions” — per day. (All of the RFP quotes in this post have been machine-translated from Spanish by Google and run by a few generous Spanish speakers for verification.)
The RFP is not entirely clear on what exact data points it’s looking at here, but my take is that qualifying transactions include, at an absolute minimum, attempts to create a domain, renew a domain, transfer a domain and check whether a domain is registered.
The vast majority of such transactions are in the check and create functions, and I believe a great deal of that activity relates to drop-catching, where registries are flooded with add requests for just-deleted domains.
Whichever way you split it, 25 million a day is a ludicrously high number. Literally only .com, which sees 2.3 billion checks and 1.5 billion adds per month, sees that kind of action.
According to Neustar, which actually runs .co, it only sees 6.4 million transactions per day on average. The requirement to handle 25 million a day is “exaggerated, unjustified and discriminatory” against Neustar, Neustar told MinTIC.
But the RFP allows for the bidding registries to spread their 25-million-a-day quota across all of the TLDs they manage, and this MAY sneak Afilias over the line.
I say MAY in big letters because I don’t believe the numbers that Afilias (and probably other registries too) reports to ICANN every month are reliable.
If you add up the reported, qualifying EPP transactions for September in Afilias’ top four legacy gTLDs — .org, .info, .mobi and .pro — you get to over 25 million per day.
But those same records show that, for example, .mobi, .pro and .info had exactly the same number of EPP availability checks that month — 215,988,497 each.
This is clearly bad data.
I reported on this issue last May, when ICANN’s Security and Stability Advisory Committee informed ICANN that major registries were providing “not reliable” or possibly “fabricated” data about port 43 Whois queries.
Afilias, which was one of the apparent offenders, told me at the time that it was addressing the issue with ICANN, but it does not yet appear to have fully fixed its reporting to enable TLD-by-TLD breakdowns of its registry activity.
It is of course quite possible, even very likely, that Afilias has on average more than 25 million qualifying EPP transactions per day, but how’s it going to prove that to the Colombian government when the numbers it reports under contract to ICANN are clearly unreliable?
It’s a little harder to determine whether Neustar would qualify under the 25-million transaction rule, because some of its largest zones are ccTLDs — .co, .in and .us — that do not publicly report this kind of data. Its comments to the RFP suggest it would not.
Numbers aside, I’ll note that there’s very probably an inherent bias towards legacy gTLD operators like Afilias and against relative newcomers such as CentralNic if you’re counting EPP transactions. As I noted above, a lot of these transactions are coming from drop-catch activity, which is more prevalent on larger, older TLDs where there are more dropping domains that are more likely to have existing backlinks and traffic.
The fourth technical requirement in the Colombian RFP that looks a bit fishy is the requirement that the new registry must have channel relationships with at least 10 of the largest 25 registrars, as listed by a web site called domainstate.com.
I can’t say I’ve looked at domainstate.com very often, if at all, but a quick look at its numbers for September strongly suggests to me that it does not count post-2012 new gTLD registrations in its registrar league table. One registrar with almost four million domains under management doesn’t even show up on the list. This arguably could give an advantage to a registry that plays strongly in legacy gTLDs.
That said, it’s probably an academic point — I don’t think any of the bidders for the .co contract would have difficulty showing that they have 10 of the top 25 registrars on board, whichever way you calculate that league table.
Cumulatively, these four technical hurdles have led some to suggest that Afilias has somehow steered MinTIC towards creating an RFP only it could win.
Apart from what I’ve discussed here, I’ve no evidence that is the case, and Afilias has not yet responded to my request for comment today.
Luckily for the bidding registries, the Columbian RFP has not yet been finalized. Comments submitted by the bidders and others are apparently going to be taken on board, so the barriers to entry for respondents could be lowered before bids are finally accepted.
MinTIC posted an update last night that extends the period that the RFP could run, and the transition period should Neustar lose the contract. A handover, should one happen at all, could now happen as late as February next year.

Now PIR rubbishes .org “downtime” claims

Two of Public Interest Registry’s top geeks have come out swinging against recent claims that .org will suffer days of downtime if PIR is acquired by Ethos Capital.
Chief technology officer Joe Abley and Susanne Woolf, senior director of technology community engagement, have penned a blog post calling the recent assertions by subcontractor Packet Clearing House “baffling” and “wrong”.
PCH claimed earlier this month that should PIR fall into for-profit hands, donations made to PCH would dry up, giving Ethos no choice but to either significantly increase .org prices or risk over three days of downtime per year.
PCH is a not-for-profit provider of DNS resolution services that contracts with Afilias to support .org and a couple hundred other Afilias-managed TLDs.
But PIR’s technologists today wrote:

PCH is a contractor to Afilias and has no business relationship with PIR; consequently PCH has no access to non-public financial information. We’re more concerned with the assertions that the current costs of maintaining DNS services are only sustainable if PIR remains a non-profit, and that a for-profit PIR will need to make deep cuts to funding for operations. These inferences are at odds with our knowledge and experience regarding the costs of providing solid DNS service. To be clear – they are wrong.

They go on to say “we find that PCH’s claims about their operational costs and funding models are baffling” and to suggest that if PCH is unhappy with .org’s forthcoming for-profit status, Afilias has plenty of competitors to choose from, writing:

If PCH is unable or unwilling to continue to provide service to Afilias at current pricing, Afilias has many options to ensure that .ORG continues to function at the high levels the technical community expects.

Afilias has already rubbished PCH’s claims in a letter to ICANN.
The $1.135 billion acquisition of PIR from the Internet Society is expected to close in the first quarter, but it’s currently undergoing some scrutiny by ICANN, which has to first approve the change of control.