Latest news of the domain name industry

Recent Posts

ICANN ditches plan to give governments more power

Kevin Murphy, February 25, 2015, Domain Policy

ICANN has quietly abandoned a plan to make it harder for its board of directors to go against the wishes of national governments.

A proposal to make a board two-thirds super-majority vote a requirement for overruling advice provided by the Governmental Advisory Committee is now “off the table”, ICANN CEO Fadi Chehade told a US Senate committee hearing today.

The threshold, which would replace the existing simple majority requirement, was proposed last August as a result of talks in a board-GAC working group.

At the time, I described the proposal as a “fait accompli” — the board had even said it would use the higher threshold in votes on GAC advice in advance of the required bylaws change.

But now it’s seemingly gone.

The news emerged during a hearing of the Senate Committee on Commerce, Science, and Transportation today in Washington DC, which was looking into the transition of US oversight of ICANN’s IANA functions to a multi-stakeholder process.

Asked by Sen. Deb Fischer whether the threshold change was consistent with ICANN’s promise to limit the power of governments in a post-US-oversight world, Chehade replied:

You are right, this would be incongruent with the stated goals [of the IANA transition]. The board has looked at that matter and has pushed it back. So it’s off the table.

That came as news to me, and to others listening to the hearing.

The original plan to change the bylaws came in a board resolution last July.

If it’s true that the board has since changed its mind, that discussion does not appear to have been documented in any of the published minutes of ICANN board meetings.

If the board has indeed changed its mind, it has done so with the near-unanimous blessing of the rest of the ICANN community (although I doubt the GAC was/will be happy).

The public comment period on the proposal attracted dozens of responses from community members, all quite vigorously opposed to the changes.

The ICANN report on the public comments was due October 2, so it’s currently well over four months late.

UPDATE 1: An ICANN spokesperson just got in touch to say that the board decided to ditch its plan in response to the negative public comments.

UPDATE 2: Another ICANN spokesperson has found a reference to the board’s U-turn in the transcript of a meeting between the ICANN board and GAC at the Los Angeles public meeting last October. A brief exchange between ICANN chair Steve Crocker and Heather Dryden, then chair of the GAC, reads:

DRYDEN: On the issue of the proposed bylaw changes to amend them to a third — two-thirds majority to reject or take a decision not consistent with the GAC’s advice, are there any updates there that the Board would like to — the Board or NGPC? I think it’s a Board matter? Yes?

CROCKER: Yes.

Well, you’ve seen the substantial reaction to the proposal.

The reaction embodies, to some extent, misunderstanding of what the purpose and the context was, but it also is very instructive to all of us that the timing of all this comes in the middle of the broader accountability question.

So it’s — I think it’s in everyone’s interest, GAC’s interest, Board’s interest, and the entire community’s interest, to put this on hold and come back and revisit this in a larger context, and that’s our plan.

So it seems that the ICANN board did tip its hand a few months ago, but not many people, myself included, noticed.

Delays to two-letter domains after governments take a second bite at the apple

Kevin Murphy, February 16, 2015, Domain Registries

New gTLD registries will have to wait a bit longer before they’re allowed to start selling two-character domain names, after ICANN’s Governmental Advisory Committee controversially issued new guidelines on their release.

The registries for hundreds of gTLDs will be affected by the delays, which could last a few months and were put in place by the ICANN board of directors at the request of the GAC at the ICANN 52 meeting in Singapore last week.

The two-character domain issue was one of the most contentious topics discussed at ICANN 52.

Exasperated registries complained to ICANN’s board that their requests to release such domains had been placed on hold by ICANN staff, apparently based on a letter from GAC chair Thomas Schneider which highlighted concerns held by a small number of governments.

The requests were frozen without a formal resolution by the board, and despite the fact that the GAC had stated more than once that it did not have consensus advice to give.

Some governments don’t want any two-letter domains that match their own ccTLDs to be released.

Italy, for example, has made it clear that it wants it.example and 1t.example blocked from registration, to avoid confusion.

Others, such as the US, have stated publicly that they have no issue with any two-character names being sold.

The process for releasing the names went live in December, following an October board resolution. It calls for a 30-day comment period on each request, with official approval coming seven to 10 days later.

But despite hundreds of requests going through the pipe, ICANN has yet to approve any. That seems to be due to Schneider’s letter, which said some governments were worried the comment process was not transparent enough.

This looked like a case of ICANN staff putting an unreasonable delay on part of registries’ businesses, based on a non-consensus GAC position that was delivered months after everyone thought it was settled law.

Registries grilled the board and senior ICANN executives about this apparent breakdown in multi-stakeholder policy-making last Tuesday, but didn’t get much in the way of an explanation.

It seems the GAC chair made the request, and ICANN implemented a freeze on a live business process, without regard to the usual formal channels for GAC advice.

However, the GAC did issue formal advice on two-letter domains on Wednesday during the Singapore meeting. ICANN’s board adopted the advice wholesale the next day.

This means that the comment period on each request — even the ones that have already completed the 30-day period — will be extended to 60 days.

The delay will be longer than a month for those already in the pipe, however, as ICANN still has to implement the board-approved changes to the process.

One of those changes is to alert governments when a new registry request has been made, a potentially complex task given that not every government is a member of the GAC.

The board’s resolution says that all comments from governments “will be fully considered”, which probably means we won’t be seeing the string “it” released in any new gTLD.

The GAC has also said it will publish a list of governments that do not intend to object to any request, and a list of governments that intend to object to every request.

Anger as governments delay two-letter domains

Kevin Murphy, February 9, 2015, Domain Registries

ICANN has heard an angry response from gTLD registries after delaying the release of two-character domains in new gTLDs, apparently at the whim of a small number of governments.

ICANN has yet to approve any of the over 350 requests for the release of two-letter domains filed by registries under a process approved by its board last October and launched in December.

The reason, according to registries, is that members of ICANN’s Governmental Advisory Committee — probably a minority — have objected and ICANN staff has “unilaterally” put a halt to the process.

Some governments — Spain, Italy and Cote d’Ivoire among them — are concerned that two-letter domains, such as es.example or it.example, may cause confusion with existing ccTLDs.

But the GAC itself was unable to find a consensus against the release of two-letter domains when it discussed the issue back in October. It merely asked for comment periods to allow individual governments to object to specific domains.

So ICANN’s board asked staff to create an “efficient procedure” to have requests swiftly approved, taking some of the stress off of the regular Registry Services Evaluation Process.

Two-letter domains have a premium dollar value for open registries, while multinational dot-brands expect to find them useful to market to the territories in which they operate.

Under the streamlined approval process, each request is subject to a 30-day comment period, and would be approved or not within seven to 10 days.

Right now, the oldest requests, which were filed in early December, are almost a month overdue for a response. The Registries Stakeholder Group told ICANN, in a letter (pdf):

We write to raise serious concern about what appears to be a recent closed-door, unilateral decision by ICANN staff, which took place over a period of weeks, to defer action on pending requests for two-character labels. This action was apparently initiated as a result of recent correspondence you received from the Chair of the Governmental Advisory Committee — but which critically does not represent formal consensus advice or even purport to represent the opinion of the GAC as a whole

It’s a case of governments strong-arming ICANN staff into changing policy, the registries claim.

GAC chair Thomas Schneider’s letter (pdf) says that an unspecified number of governments have “concerns” that the approval process was launched quite quickly and without any formal consultation with the GAC.

He goes on to make a laundry list of recommendations for making the process more amenable to governments, before requesting a “stay” on approvals until the GAC has further discussed the issue.

To date, registries representing a little over 300 strings have completed their 30-day comment periods, yet there have been only four comments from governments.

Italy and Cote d’Ivoire want ICANN to deny all requests for it.example and ci.example, because they may be confused with ccTLDs.

Spain, meanwhile, filed specific objections against the release of es.bingo, es.casino and es.abogado (lawyer), saying that these are regulated industries in Spain and should only be given to registrants who “have the required credentials”.

The RySG wants ICANN staff to immediately start approving requests that have passed through the comment process. The GAC says it will discuss the matter further at the ICANN 52 meeting currently going on in Singapore.

When RySG members raised the topic at a meeting the with ICANN board yesterday, directors avoided directly addressing the specific concerns.

Human glitch lets hackers into ICANN

Kevin Murphy, December 17, 2014, Domain Policy

It’s 2014. Does anyone in the domain name business still fall for phishing attacks?

Apparently, yes, ICANN staff do.

ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.

According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.

CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.

But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.

While the stolen passwords were encrypted, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:

The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.

As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.

It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.

Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.

User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.

In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some passwords that may allow them to cause further mischief if they can be decrypted.

It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.

While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar order to hand over their passwords.

That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.

For only the second time, ICANN tells the GAC to get stuffed

Kevin Murphy, November 3, 2014, Domain Policy

ICANN’s board of directors has decided to formally disagree with its Governmental Advisory Committee for what I believe is only the second time in the organization’s history.

In a letter to new GAC chair Thomas Schneider today, ICANN chair Steve Crocker took issue with the fact that the GAC recently advised the board to cut the GNSO from a policy-making decision.

The letter kick-starts a formal “Consultation Procedure” in which the board and GAC try to reconcile their differences.

It’s only the second time, I believe, that this kind of procedure — which has been alluded to in the ICANN bylaws since the early days of the organization — has been invoked by the board.

The first time was in 2010, when the board initiated a consultation with the GAC when they disagreed about approval of the .xxx gTLD.

It was all a bit slapdash back then, but the procedure has since been formalized somewhat into a seven-step process that Crocker outlined in an attachment to his letter (pdf) today.

The actual substance of the disagreement is a bit “inside baseball”, relating to the long-running (embarrassing, time-wasting) saga over protection for Red Cross/Red Crescent names in new gTLDs.

Back in June at the ICANN 50 public meeting in London, the GAC issued advice stating:

the protections due to the Red Cross and Red Crescent terms and names should not be subjected to, or conditioned upon, a policy development process

A Policy Development Process is the mechanism through which the multi-stakeholder GNSO creates new ICANN policies. Generally, a PDP takes a really long time.

The GNSO had already finished a PDP that granted protection to the names of the Red Cross and Red Crescent in multiple scripts across all new gTLDs, but the GAC suddenly decided earlier this year that it wanted the names of 189 national Red Cross organizations protected too.

And it wasn’t prepared to wait for another PDP to get it.

So, in its haste to get its changing RC/RC demands met by ICANN, the GAC basically told ICANN’s board to ignore the GNSO.

That was obviously totally uncool — a slap in the face for the rest of the ICANN community and a bit of an admission that the GAC doesn’t like to play nicely in a multi-stakeholder context.

But it would also be, Crocker told Schneider today, a violation of ICANN’s bylaws:

The Board has concerns about the advice in the London Communiqué because it appears to be inconsistent with the framework established in the Bylaws granting the GNSO authority to recommend consensus policies to the Board, and the Board to appropriately act upon policies developed through the bottom-up consensus policy developed by the GNSO.

Now that Crocker has formally initiated the Consultation Procedure, the process now calls for a series of written and face-to-face interactions that could last as long as six months.

While the GAC may not be getting the speedy resolution it so wanted, the ICANN board’s New gTLD Program Committee has nevertheless already voted to give the Red Cross and Red Crescent the additional protections the GAC wanted, albeit only on a temporary basis.