Latest news of the domain name industry

Europe’s top dogs could decide the future of Whois

Kevin Murphy, October 5, 2020, Domain Policy

ICANN is pleading with the European Commission for legal clarity to help solve the two-year-old fight over the future of Whois in the age of GDPR.

CEO Göran Marby has written to three commissioners to ask for a definitive opinion on whether a centralized, mostly automated Whois system would free up registries and registrars from legal liability if their customers’ data is inappropriately disclosed.

It’s a question ICANN has been asking for years, but this time it comes after the ICANN community has come up with a set of policy recommendations that would create something called SSAD, for System for Standardized Access/Disclosure.

SSAD is supported by registries, registrars and non-commercial interests, but has been broadly criticized by governments, intellectual property interests, security experts and others as being not fit for purpose.

While it would create a centralized gateway for funneling Whois queries to contracted parties, and an accreditation system for those making the queries, the decision to accept or refuse the query would still lie with registries and registrars and be largely human-powered.

It’s been described as a glorified, $9 million-a-year ticketing system that will fail to provide better access to Whois to those who say they need it (largely the IP interests).

But registries and registrars say they cannot accept a solution that offloads decision-making to a centralized third party such as ICANN, unless that third party shoulders all the legal liability for mistakes, and whether that’s possible is far from clear this early in the life of GDPR.

As Marby told the commissioners:

Legal clarity could mean the difference between ICANN having a fragmented system that routes most requests for access to non-public registration data from requestors to thousands of individual registries and registrars for a decision, on the one hand, versus ultimately being able to implement a centralized, predictable solution in which decisions about whether or not to disclose non-public registration data in most or all cases could be made consistently, predictably, in a manner that is transparent and accountable to requestors and data subjects alike.

In GDPR lingo, the question is who becomes the “controller” of the data in a centralized system. The controller is the one that could get slapped with huge fines in the event of a privacy breach.

There’s a concept of “successive controllers”, where data is passed through a chain of handlers. ICANN wants clarity on whether, should a registrar send data to an ICANN central gateway, its liability ends there, before the final disclosure decision is made.

It’s asking the European Commission to exercise its authority under the GDPR to force the European Data Protection Board to issue a blanket opinion clarifying these issues, with the expectation that SSAD as currently envisaged could evolve over time to be something more like what the IP folk want.

For ICANN, such a ruling could help quell criticism from its influential advisory bodies, notably the Governmental Advisory Committee, which have come out strongly against the SSAD proposals.

If ICANN chooses to wait for the European Commission and EDPB responses to its new request, it’s highly unlikely we’re going to see the ICANN board fully approve SSAD at its annual general meeting later this month.

ICANN playing ping-pong on closed generics controversy

Kevin Murphy, October 1, 2020, Domain Policy

ICANN’s board of directors has refused to comment on the issue of “closed generic” gTLDs, bouncing the thorny issue back to the community.

In its response to the SubPro working group’s draft final report this week, the board declined to be drawn on whether it thinks closed generics should be allowed in future application rounds, and urged the GNSO to figure it out, writing:

the Board is not in a position to request policy outcomes… we will base our decision on whether we reasonably believe that the policy proposal is or is not in the best interests of the ICANN community or ICANN

A closed generic is a gTLD representing a non-trademark dictionary word, where the registry is the only eligible registrant. Dozens of companies tried to snap up such TLDs in 2012.

ICANN changed the rules to disallow them, based largely on government advice, before punting the issue to the community, in the form of the GNSO, back in 2015.

But despite five years of thinking, the GNSO’s SubPro working group was unable to reach a consensus on whether closed generics should be allowed or not, or whether they should be allowed, but only when there’s a “public interest” purpose.

As I noted last month, it presented three possible ways closed generics could be permitted, none of which have consensus support.

So it asked the board for guidance, and the board’s response is basically “not our problem, figure it out yourselves”.

It would be churlish to criticize the board for refusing to make policy from the top-down, of course.

Much better to wait for the next time it does make policy from the top-down, and criticize it then.

Has ICANN cut off its regulatory hands?

Kevin Murphy, October 1, 2020, Domain Policy

ICANN may have voluntarily cut off its power to enforce bans on things like cyberbullying, pornography and copyright infringement in future new gTLDs.

Its board of directors yesterday informed the chairs of SubPro, the community group working on new gTLD policy for the next round, that its ability to enforce so-called Public Interest Commitments may be curtailed in future.

A PIC is a contractual promise to act in the public interest, enforceable by ICANN through a PIC Dispute Resolution Process. All 2012 new gTLDs have them, but some have additional PICs due to the gTLD’s sensitive nature.

They were created because ICANN’s Governmental Advisory Committee didn’t like the look of some applications for gTLD strings it considered potentially problematic.

.sucks is a good example — registry Vox Populi has specific commitments to ban cyberbullying, porn, and parking in its registry agreement.

Should ICANN receive complaints about bullying in .sucks, it would be able to invoke the PICDRP and, at least in theory, terminate Vox Pop’s registry contract.

But these are all restrictions on content, and ICANN is singularly focused on not being a content regulator.

It’s so focused on staying away from content that four years ago, during the IANA transition, it amended its bylaws to specifically handcuff itself. The bylaws now state, front and center:

ICANN shall not regulate (i.e., impose rules and restrictions on) services that use the Internet’s unique identifiers or the content that such services carry or provide… For the avoidance of doubt, ICANN does not hold any governmentally authorized regulatory authority.

There’s a specific carve-out grandfathering contracts inked before October 1, 2016, so PICs agreed to by 2012-round applicants are still enforceable.

But it’s doubtful that any PICs not related to the security and stability of the DNS will be enforceable in future, the board told SubPro.

The issue is being raised now because SubPro is proposing a continuation of the PICs program, baking it into policy in what it calls Registry Voluntary Commitments.

Its draft final report acknowledges that ICANN’s not in the content regulation business, but most of the group were in favor of maintaining the status quo.

But the board evidently is more concerned. It told SubPro’s chairs:

The language of the Bylaws, however, could preclude ICANN from entering into future registry agreements (that materially differ in form from the 2012 round version currently in force) that include PICs that reach outside of ICANN’s technical mission as stated in the Bylaws. The language of the Bylaws specifically limits ICANN’s negotiating and contracting power to PICs that are “in service of its Mission.” The Board is concerned, therefore, that the current Bylaws language would create issues for ICANN to enter and enforce any content-related issue regarding PICs or Registry Voluntary Commitments (RVCs)

There’s a possibility that it could now be more difficult for future applicants to get their applications past GAC concerns or other complaints, particularly if their chosen string addresses a “highly sensitive or regulated industry”.

There was a “chuck it in the PICs” attitude to many controversies in the 2012 round, but with that option perhaps not available in future, it may lead to an increase in withdrawn applications.

Could .sucks get approved in future, without a cast-iron, enforceable commitment to ban bullying?

Should YOU have to pay when lawyers access your private Whois info?

Kevin Murphy, September 23, 2020, Domain Policy

The question of who should shoulder the costs of ICANN’s proposed Whois overhaul is being raised, with governments and others suggesting that the burden should fall on registrants themselves.

In separate statements to ICANN recently, the Governmental Advisory Committee and Security and Stability Advisory Committee both put forward the view that registrants, rather than the trademark lawyers behind most requests for private Whois data, should fund the system.

ICANN currently expects the so-called System for Standardized Access/Disclosure (SSAD), proposed after two years of talks in an ICANN community working group, to cost $9 million to build and another $9 million a year to operate.

The working group, known as the EPDP, has recommended in its final report that registrants “MUST NOT bear the costs for having data disclosed to third parties”.

Instead, it recommended that requestors themselves should pay for the system, probably via an annual accreditation fee.

But now the GAC and SSAC have issued minority statements calling that conclusion into question.

The GAC told ICANN (pdf):

While the GAC recognizes the appeal of not charging registrants when others wish to access their data, the GAC also notes that registrants assume the costs of domain registration services as a whole when they register a domain name.

While the SSAC said (pdf):

Data requestors should not primarily bear the costs of maintaining the system. Requestors should certainly pay the cost of getting accredited and maintaining their access to the system. But the current language of [EPDP Recommendation] 14.2 makes victims and defenders cover the costs of the system’s operation, which is unfair and is potentially dangerous for Internet security…

No previous PDP has protected registrants from having the costs associated with “core” registration services or the implementation of consensus policies being passed on to them. No previous PDP has tried to manipulate the functioning of market forces as is proposed in Recommendation 14.

SSAC suggested instead that registrars should be allowed to pass on the costs of SSAD to their customers, and/or that ICANN should subsidize the system.

Spread over 210 million gTLD domain names, $9 million a year would work out to less than five cents per domain, but one could argue there’s a principle at stake here.

Should registrants have to pay for the likes of Facebook (probably the biggest requestor of private Whois data) to access their private contact information?

The current proposed system would see the estimated $9 million spread out over a far smaller number of requestors, making the fee something like $450 per year.

EPDP member Milton Mueller did the math and concluded that any company willing to pay its lawyers hundreds of thousands of dollars to fight for greater Whois access in ICANN could certainly swallow a measly few hundred bucks a year.

But the minority objections from the GAC, SSAC and Intellectual Property Constituency do not focus wholly on the costs. They’re also bothered that SSAD doesn’t go nearly far enough to actually provide access to Whois data.

Under the current, temporary, post-GDPR system, registries and registrars basically use their own employees’ discretion when deciding whether to approve a Whois data request.

That wouldn’t change significantly under SSAD, but there would be a huge, multi-tiered system of accreditation and request-forwarding that’s been described as a “glorified, overly complex and very expensive ticketing system”.

The GAC wants something much more automated, or for the policy to naturally allow increased automation over time. It also wants increased centralization, taking much of the human decision-making at registrars out of the equation.

The response from the industry has basically been that if GDPR makes them legally liable for their customers’ data, then it’s the registries and registrars that should make the disclosure decisions.

The GAC has a great deal of power over ICANN, so there’s likely to be a bit of a fight about the EPDP’s outcomes and the future of SSAD.

The recommendations are due to be voted on by the GNSO Council at its meeting tomorrow, and as I’ve noted before, it could be tight.

Council chair Keith Drazek seems to be anticipating some lively debate, and he’s already warned fellow members that he’s not minded to approve any request for a delay on the vote, noting that the final report has been available for review for several weeks.

By convention, the Council will defer a vote on the request of any of its constituency groups, but this is sometimes exploited.

Should the Council approve the resolution approving the final report — which contains a request for further financial review of SSAD — then it will be forwarded to the ICANN board of directors for final discussion and approval.

But with the GAC on its case, with its special advisory powers, getting SSAD past the board could prove tricky.

Amazon finally gets its dot-brands despite last-minute government plea

Amazon’s three long-sought dot-brand gTLDs were added to the DNS root last night, despite an eleventh-hour attempt by South American governments to drag the company back to the negotiating table.

.amazon, along with the Japanese and Chinese translations — .アマゾン (.xn--cckwcxetd) and .亚马逊 (.xn--jlq480n2rg) — and its NIC sites have already gone live.

Visiting nic.amazon today will present you with a brief corporate blurb and a link to Amazon’s saccharine social-responsibility blog. As a dot-brand, only Amazon will be allowed to use .amazon domains.

The delegations come despite a last-minute plea to ICANN by the eight-government Amazon Cooperation Treaty Organization, which unsuccessfully tried to insert itself into the role of “joint manager” of the gTLDs.

ACTO believes its historical cultural right to the string outweighs the e-commerce giant’s trademark, and that it should have a more or less equal role in the gTLD’s management.

This position was untenable to Amazon, which countered with a collection of safeguards protecting culturally sensitive strings and various other baubles.

Talks fell through last year and ICANN approved the gTLDs over ACTO’s objections.

ACTO’s secretary-general, Alexandra Moreira, wrote to ICANN (pdf) May 21 to take one last stab at getting Amazon back in talks, telling CEO Göran Marby:

the name “Amazon” pertains to a geographical region constituting an integral part of the heritage of its countries. Therefore, we Amazonians have the right to participate in the governance of the “.amazon” TLD.

Our side is ready to resume negotiations on the TLD’s governance with the Amazon Corporation, from the point where their side interrupted it, with a view to arriving at a satisfactory agreement.

Her letter came in response to an earlier Marby missive (pdf) that extensively set out ICANN’s case that talks fell apart due to ACTO repeatedly postponing and cancelling scheduled meetings.

Despite the fact that Amazon’s basically got what it wanted, seven years after filing its gTLD applications, ACTO’s members didn’t get nothing.

The contracts Amazon signed with ICANN back in December have Public Interest Commitments in them that allow the governments to reserve up to 1,500 culturally sensitive strings from registration, as well as giving each nation its own .amazon domain.

Whois privacy talks in Bizarro World as governments and trademark owners urge coronavirus delay

Kevin Murphy, April 15, 2020, Domain Policy

Coronavirus may have claimed another victim at ICANN — closure on talks designed to reopen private Whois data to the likes of law enforcement and trademark owners.

In a remarkable U-turn, the Governmental Advisory Committee, which has lit a series of fires under ICANN’s feet on this issue for over a year, late last week urged that the so-called Expedited Policy Development Process on Whois should not wrap up its work in June as currently planned.

This would mean that access to Whois data, rendered largely redacted worldwide since May 2018 due to the GDPR regulation in Europe, won’t be restored to those who want it as quickly as they’ve consistently said that they want it.

Surprisingly (or perhaps not), pro-access groups including the Intellectual Property Constituency and Business Constituency sided with the GAC’s request.

In an email to the EPDP working group’s mailing list on Thursday, GAC chair Manal Ismail indicated that governments simply don’t have the capacity to deal with the issue due to the coronavirus pandemic:

In light of the COVID-19 pandemic, and its drastic consequences on governments, organizations, private sector and individuals worldwide, I would like to express our serious concerns, as GAC leaders, that maintaining the current pace of work towards completion of Phase 2 by mid-June could jeopardize the delivery, efficacy and legitimacy of the EPDP’s policy recommendations.

While recognizing that the GAC has continually advised for swiftly completing policy development and implementing agreed policy on this critical public policy matter, we believe that given the current global health emergency, which puts many in the EPDP and the community under unprecedented stress (for example governments have been called to heightened duties for the continuity of essential public services), pressing important deliberations and decisions in such a short time frame on already strained participants would mean unacceptably sacrificing the product for the timeline.

We understand there are budget and human resources considerations involved in the completion of Phase 2 of the EPDP. However, we are all living through a global health pandemic, so we call on the EPDP Team to seriously reassess its course and expectations (be it on the duration of its calls, the turn-around time of reviews, its ultimate timeline and budget) emulating what numerous governments, global organizations, and households are doing to adapt during these challenging times across the world.

In April last year, before the EPDP group had even formally started its current phase of talks, Ismail wrote to ICANN to say the GAC expected the discussions to be more or less wrapped up by last November and that the new policy be implemented by this April.

Proponents of the access model such as Facebook have taken to suing registrars for not handing over Whois data in recent months, impressing the need for the issue to be urgently resolved.

So to now request a delay beyond June is a pretty big U-turn.

While Ismail later retracted her request for delay last Thursday, it was nevertheless discussed by the working group that same day, where the IPC, the BC and the ALAC all expressed support for the GAC’s position.

The registrars and registries, the non-commercial users and the ISPs were not supportive.

Delay might be tricky. For starters, hard-sought neutral working group chair Janis Karklins has said he can’t continue working on the project beyond June 30, and the group has not secured ICANN funding for any further extensions to its work.

It will be up to the GNSO Council to decide whether to grant the extension, and the ICANN board to decide on funding.

The working group decided on Thursday to ask the Council for guidance on how to proceed.

What’s worrying about the request, or at least the IPC and BC’s support of it, is that coronavirus may just be being deployed as an excuse to extend talks because the IP owners don’t like the proposal currently on the table.

“The reality is we’re looking at a result that is… just not going to be sufficient from our perspective,” MPAA lawyer Frank Journoud, an IPC rep on the working group, said on its Thursday call. “We don’t want the perfect to be the enemy of the good, but right now we’re not even going to get to good.”

The current state of play with the working group is that it published its initial report (pdf) for public comment in February.

The group is recommending something called SSAD, for Standardized System for Access and Disclosure, in which a central gateway provider, possibly ICANN itself, would be responsible for granting Whois access credentials and fielding requests to the relevant registries and registrars.

The almost 70 comments submitted before the March 23 deadline have been published in an unreadable, eye-fucking Google spreadsheet upon which transparency-loving ICANN may as well have hung a “Beware of the Leopard” sign. The staff summary of the comments is currently nine days late.

Amazon governments vow revenge for “illegal and unjust” ICANN decision on .amazon

Kevin Murphy, January 17, 2020, Domain Policy

The eight nations of the Amazon Cooperation Treaty Organization are unhappy that ICANN is giving .amazon to Amazon the retailer and have vowed to spread the word that ICANN has acted “illegally”.

ACTO secretary general Alexandra Moreira has written (pdf) to ICANN CEO Göran Marby to say: “We consider this decision an illegal and unjust expropriation of our culture, tradition, history and image before the world.”

She said that ACTO is now “committed to disseminating news of this situation to all relevant groups”, adding:

the international community should be aware of the very real consequences or ramifications (be it economic, environmental, cultural or related to questions of sovereignty) of granting exclusive access to the domain “.Amazon” to a single company.

The delegation of .amazon to Amazon the company, “jeopardizes the continued well-being of the societies that live there”, she wrote, with no elaboration.

Amazon was last month told it could have the gTLD after a years-long battle with ACTO and the ICANN Governmental Advisory Committee, which had advised ICANN by consensus to reject the .amazon application.

That consensus broke last year when the US government basically said enough was enough and refused to continue backing the eight South American governments’ plight.

Under the terms of Amazon’s contract, it has to protect hundreds of culturally sensitive second-level domains of ACTO’s choosing, and to give each of its members a single domain that they can use to promote their portion of the Amazonian region.

ACTO had wanted more, basically demanding joint ownership of .amazon, which Amazon refused.

It remains to be seen whether ACTO’s reaction will be limited to harsh language, or whether its members will actively try to disrupt ICANN activities. The next GAC-ICANN face-to-face, set for Cancun in March, could be interesting viewing.

Amazon beats South America! Dot-brand contracts now signed

Kevin Murphy, December 23, 2019, Domain Policy

Amazon has prevailed in its seven-year battle to obtain the right to run .amazon as a branded top-level domain.

The company signed contracts for .amazon and the Chinese and Japanese translations on Thursday, despite years-long protests from the eight South American governments that comprise the Amazon Cooperation Treaty Organization.

This means the three gTLDs are likely to be entered into the DNS root system within a matter of weeks, after ICANN has conducted pre-delegation testing to make sure the registry’s technical systems are up to standard. The back-end is being provided by Neustar, so this is pretty much a formality.

.amazon is pretty much a done deal, in other words, and there’s pretty much nothing ACTO can do within the ICANN system to get the contract unsigned.

ACTO was of course angry about .amazon because it thinks the people of the Amazonia region have greater rights to the string than the American e-commerce giant.

It had managed to muster broad support against the gTLD applications from its Governmental Advisory Committee colleagues until the United States, represented on the GAC by the National Telecommunications Administration, did a U-turn this November and withdrew its backing for the consensus.

This coincided with Amazon hiring David Redl, the most-recent former head of the NTIA, as a consultant.

The applications were originally rejected by ICANN due to a GAC objection in 2013.

But Amazon invoked ICANN’s Independent Review Process to challenge the decision and won in 2017, with the IRP panel ruling that ICANN had paid too much deference to unjustified GAC demands.

More recently, ACTO had been demanding shared control of .amazon, while Amazon had offered instead to protect cultural interests through a series of Public Interest Commitments in its registry agreements that would be enforceable by governments via the PIC Dispute Resolution Procedure.

This wasn’t enough for ACTO, and the GAC demanded that ICANN facilitate bilateral talks with Amazon to come to a mutually acceptable solution.

But these talks never really got underway, largely due to ACTO internal disputes during the political crisis in Venezuela this year, and eventually ICANN drew a line in the sand and approved the applications.

After rejecting an appeal from Colombia in September, ICANN quietly published Amazon’s proposed PICs (pdf) for public comment.

Only four comments were received during the month-long consultation.

As a personal aside, I’d been assured by ICANN several months ago that there would be a public announcement when the PICs were published, which I even promised you I would blog about.

There was no such announcement, so I feel like a bit of a gullible prick right now. It’s my own stupid fault for taking this on trust and not manually checking the .amazon application periodically for updates — I fucked up, so I apologize.

PICs commenters, including a former GAC vice-chair, also noticed this lack of transparency.

ACTO itself commented:

The proposed PIC does not attend to the Amazon Countries public policy interests and concerns. Besides not being the result of a mutually acceptable solution duly endorsed by our countries, it fails to adequately safeguard the Amazon cultural and natural heritage against the risks of monopolization of a TLD inextricably associated with a geographic region and its populations.

Its comments were backed up, in pretty much identical language, by the Brazilian government and the Federal University of Rio de Janeiro.

Under the Amazon PICs, ACTO and its eight members each get a .amazon domain that they can use for their own web sites.

But these domains must either match the local ccTLD or “the names of indigenous peoples’ groups, and national symbols of the countries in the Amazonia region, and the specific terms OTCA, culture, heritage, forest, river, and rainforest, in English, Dutch, Portuguese, and Spanish”.

The ACTO nations also get to permanently block 1,500 domains that have the aforementioned cultural significance to the region.

The ACTO and Brazilian commenters don’t think this goes far enough.

But it’s what they’ve been given, so they’re stuck with it.

Governments kill off another gTLD bid

Kevin Murphy, November 26, 2019, Domain Registries

Another proposed new gTLD has been killed off by governmental intervention.

A Thailand-based company called Better Living Management Company applied for .thai back in 2012, but quickly ran into opposition from the Thai government, which thought the string too culturally sensitive.

The ICANN Governmental Advisory Committee did not object to Thailand’s objection, and issued consensus advice asking ICANN to reject the application, which it did in November 2013.

BLM filed an Independent Review Process complaint in April 2014, alleging irregularities within the GAC, but the appeal was quickly shelved.

Now, five years later, the company has finally withdrawn its application, meaning it gets most of its application fee back as a refund.

Part of the reason the application failed is likely the fact that the Thai ccTLD registry, Thai Network Information Center Foundation, already runs the internationalized domain name ccTLD .ไทย, which means “.thai” in Thai.

Other applications to be killed off by GAC advice include .islam, .halal, .gcc and one of the .africa bids.

Former NTIA chief Redl now working for Amazon

Kevin Murphy, November 6, 2019, Domain Policy

David Redl, the former head of the US National Telecommunications and Information Administration, has joined Amazon as an internet governance advisor, I’ve learned.

I don’t know whether he’s taken a full-time job or is a contractor, but he’s been spotted palling around with Amazon folk at ICANN 66 in Montreal and knowledgeable sources tell me he’s definitely on the payroll.

Redl was assistant secretary at the NTIA until May, when he was reportedly asked to resign over a wireless spectrum issue unrelated to domain names, after just 18 months on the job.

His private sector career prior to NTIA was in the wireless space. I don’t believe he’s ever been employed in the domain industry before.

NTIA is of course the US agency responsible for participating in all matters ICANN, including the ongoing fight over Amazon’s application for the .amazon brand gTLD.

The proposed dot-brand has been in limbo for many years due to the objections of the eight nations of the Amazon Cooperation Treaty Organization, which claims cultural rights to the string.

ACTO nations on ICANN’s Governmental Advisory Committee want ICANN to force Amazon back to the negotiating table, to give them more power over the TLD after it launches.

But the NTIA rep on the GAC indicated at the weekend that the US would block any GAC calls for .amazon to be delayed any longer.

As I type these words, the GAC is debating precisely what it should say to ICANN regarding .amazon in its Montreal communique, using competing draft texts submitted by the US and European Commission, and it’s not looking great for ACTO.

As I blogged earlier in the week, another NTIA official, former GAC rep Ashley Heineman, has accepted a job at GoDaddy.

UPDATE: As a commenter points out, Redl last year criticized the revolving door between ICANN and the domain name industry, shortly after Akram Atallah joined Donuts.