Latest news of the domain name industry

Recent Posts

Concern as ICANN shuts down “independent” security review

Kevin Murphy, October 31, 2017, Domain Policy

Just a year after gaining its independence from the US government, ICANN has come under scrutiny over concerns that its board of directors may have overstepped its powers.

The board has come in for criticism from almost everyone expressing an opinion at the ICANN 60 meeting in Abu Dhabi this week, after it temporarily suspended a supposedly independent security review.

The Security, Stability and Resiliency of the DNS Review, known as SSR-2, is one of the mandatory reviews that got transferred into ICANN’s bylaws after the Affirmation of Commitments with the US wound up last year.

The review is supposed to look at ICANN’s “execution of its commitment to enhance the operational stability, reliability, resiliency, security, and global interoperability of the systems and processes, both internal and external, that directly affect and/or are affected by the Internet’s system of unique identifiers that ICANN coordinates”.

The 14 to 16 volunteer members have been working for about eight months, but at the weekend the ICANN board pulled the plug, saying in a letter to the review team that it had decided “to suspend the review team’s work” and said its work “should be paused”.

Chair Steve Crocker clarified in sessions over the weekend and yesterday that it was a direction, not a request, but that the pause was merely “a moment to take stock and then get started again”.

Incoming chair Cherine Chalaby said in various sessions today and yesterday that the community — which I take to mean the leaders of the various interest groups — is now tasked with un-pausing the work.

Incoming vice-chair Chris Disspain told community leaders in an email (pdf) yesterday:

The Board has not usurped the community’s authority with respect to this review. Rather, we are asking the SOs and ACs to consider the concerns we have heard and determine whether or not adjustments are needed. We believe that a temporary pause in the SSR2 work while this consideration is under way is a sensible approach designed to ensure stakeholders can reach a common understanding on the appropriate scope and work plan

Confusion has nevertheless arise among community members, and some serious concerns and criticisms have been raised by commercial and non-commercial interests — including governments — over the last few days in Abu Dhabi.

But the board’s concerns with the work of SSR-2 seem to date back a few months, to the Johannesburg meeting in June, at which Crocker said “dangerous signals” were observed.

It’s not clear what he was referring to there, but the first serious push-back by ICANN came earlier this month, when board liaison Kaveh Ranjbar, apparently only appointed to that role in June, emailed the group to say it was over-stepping its mandate.

Basically, the SSR-2 group’s plan to carry out a detailed audit of ICANN’s internal security profile seems to have put the willies up the ICANN organization and board.

Ranjbar wrote:

The areas the Board is concerned with are areas that indeed raise important organizational information security and organizational oversight questions. However, these are also areas that are not segregated for community review, and are the responsibility of the ICANN Organization (through the CEO) to perform under the oversight of the ICANN Board.

While we support the community in receiving information necessary to perform a full and meaningful review over ICANN’s SSR commitments, there are portions of the more detailed “audit” plan that do not seem appropriate for in-depth investigation by the subgroup. Maintaining a plan to proceed with detailed assessments of these areas is likely to result in recommendations that are not tethered to the scope of the SSR review, and as such, may not be appropriate for Board acceptance when recommendations are issued. This also can expand the time and resources needed to perform this part of the review.

This does not seem hugely unreasonable to me. This kind of audit could be expensive, time-consuming and — knowing ICANN’s history of “glitches” — could have easily exposed all kinds of embarrassing vulnerabilities to the public domain.

Ranjbar’s letter was followed up a day later with a missive (pdf) from the chair of ICANN’s Security and Stability Advisory Committee, which said the SSR-2’s work was doomed to fail.

Patrick Falstrom recommended a “temporarily halt” to the group’s work. He wrote:

One basic problem with the SSR2 work is that the review team seems neither to have sufficient external instruction about what to study nor to have been able to formulate a clear direction for itself. Whatever the case, the Review Team has spent hundreds of hours engaged in procedural matters and almost no progress has been made on substantive matters, which in turn has damaged the goodwill and forbearance of its members, some of whom are SSAC members. We are concerned that, left to its own devices, SSR2 is on a path to almost certain failure bringing a consequential loss of credibility in the accountability processes of ICANN and its community.

Now that ICANN has actually acted upon that recommendation, there’s concern that it sets a disturbing precedent for the board taking “unilateral” action to scupper supposedly independent accountability mechanisms.

The US government itself expressed concern, during a session between the board and the Governmental Advisory Committee in Abu Dhabi today.

“This is unprecedented,” US GAC rep Ashley Heineman said. “I just don’t believe it was ever an expectation that the ICANN board would unilaterally make a decision to pause or suspend this action. And that is a matter of concern for us.”

“It would be one thing if it was the community that specifically asked for a pause or if it was a review team that says ‘Hey, we’re having issues, we need a pause.’ What’s of concern here is that ICANN asked for this pause,” she said.

UK GACer Mark Carvell added that governments have been “receiving expressions of grave concern” about the move and urged “maximum transparency” as the SSR-2 gets back on track.

Jonathan Zuck of the Innovators Network Foundation, one of the volunteers who worked on ICANN’s transition from US government oversight, also expressed concern during the public forum session yesterday.

“I think having a fundamental accountability mechanism unilaterally put on hold is something that we should be concerned about in terms of process,” he said. “I’m not convinced that it was the only way to proceed and that from a precedential standpoint it’s not best way to proceed.”

Similar concerns were voiced by many other parts of the community as they met with the ICANN board throughout today and yesterday.

The problem now is that the bylaws do not account for a board-mandated “pause” in a review team’s work, so there’s no process to “unpause” it.

ICANN seems to have got itself tangled up in a procedural quagmire — again — but sessions later in the week have been scheduled in order for the community to begin to untangle the situation.

It doubt we’ll see a resolution this week. This is likely to run for a while.

ICANN ditches plan to give governments more power

Kevin Murphy, February 25, 2015, Domain Policy

ICANN has quietly abandoned a plan to make it harder for its board of directors to go against the wishes of national governments.

A proposal to make a board two-thirds super-majority vote a requirement for overruling advice provided by the Governmental Advisory Committee is now “off the table”, ICANN CEO Fadi Chehade told a US Senate committee hearing today.

The threshold, which would replace the existing simple majority requirement, was proposed last August as a result of talks in a board-GAC working group.

At the time, I described the proposal as a “fait accompli” — the board had even said it would use the higher threshold in votes on GAC advice in advance of the required bylaws change.

But now it’s seemingly gone.

The news emerged during a hearing of the Senate Committee on Commerce, Science, and Transportation today in Washington DC, which was looking into the transition of US oversight of ICANN’s IANA functions to a multi-stakeholder process.

Asked by Sen. Deb Fischer whether the threshold change was consistent with ICANN’s promise to limit the power of governments in a post-US-oversight world, Chehade replied:

You are right, this would be incongruent with the stated goals [of the IANA transition]. The board has looked at that matter and has pushed it back. So it’s off the table.

That came as news to me, and to others listening to the hearing.

The original plan to change the bylaws came in a board resolution last July.

If it’s true that the board has since changed its mind, that discussion does not appear to have been documented in any of the published minutes of ICANN board meetings.

If the board has indeed changed its mind, it has done so with the near-unanimous blessing of the rest of the ICANN community (although I doubt the GAC was/will be happy).

The public comment period on the proposal attracted dozens of responses from community members, all quite vigorously opposed to the changes.

The ICANN report on the public comments was due October 2, so it’s currently well over four months late.

UPDATE 1: An ICANN spokesperson just got in touch to say that the board decided to ditch its plan in response to the negative public comments.

UPDATE 2: Another ICANN spokesperson has found a reference to the board’s U-turn in the transcript of a meeting between the ICANN board and GAC at the Los Angeles public meeting last October. A brief exchange between ICANN chair Steve Crocker and Heather Dryden, then chair of the GAC, reads:

DRYDEN: On the issue of the proposed bylaw changes to amend them to a third — two-thirds majority to reject or take a decision not consistent with the GAC’s advice, are there any updates there that the Board would like to — the Board or NGPC? I think it’s a Board matter? Yes?

CROCKER: Yes.

Well, you’ve seen the substantial reaction to the proposal.

The reaction embodies, to some extent, misunderstanding of what the purpose and the context was, but it also is very instructive to all of us that the timing of all this comes in the middle of the broader accountability question.

So it’s — I think it’s in everyone’s interest, GAC’s interest, Board’s interest, and the entire community’s interest, to put this on hold and come back and revisit this in a larger context, and that’s our plan.

So it seems that the ICANN board did tip its hand a few months ago, but not many people, myself included, noticed.

Governments to get more power at ICANN

Kevin Murphy, August 18, 2014, Domain Policy

Governments are to get more power to influence ICANN’s board of directors.

Under a proposal launched late Friday, ICANN plans to make it harder for the board to reject the often-controversial advice of the Governmental Advisory Committee.

Today, the board is able to reject GAC advice with a simple majority vote, which triggers a consultation and reconciliation process.

Following the proposed changes to the ICANN bylaws, the threshold would be increased to a two-thirds majority.

The change is to be made following the recommendations of the Board-GAC Recommendations Implementation Working Group, made up of members of the board and the GAC.

The new rule would bring the GAC into line with the multistakeholder Generic Names Supporting Organization. The ICANN board also needs a two-thirds vote to reject a formal GNSO recommendation.

The differences between the GAC and the GNSO include the lack of detailed industry awareness GAC members regularly demonstrate during their public meetings, and the fact that GAC advice regularly comprises deliberately vague negotiated language that ICANN’s board has a hard time interpreting.

That disconnect may improve in future due to the recent creation of a GAC-GNSO liaison position, designed to keep the GAC up to date with policy goings-on between the thrice-yearly ICANN meetings.

The proposed bylaws change is open for public comment, but appears to be a fait accompli; the board has already said it will use the higher voting threshold if called to make a decision on GAC advice prior to its formal adoption.