Latest news of the domain name industry

Recent Posts

Does Chehade agree with Donuts on .doctor?

Kevin Murphy, March 24, 2015, Domain Policy

Should governments have the right to force business-limiting restrictions on new gTLD operators, even though they don’t have the same rules in their own ccTLDs?

ICANN CEO Fadi Chehade evidently believes the answer to that question is “No”, but it’s what ICANN is controversially imposing on Donuts and two other .doctor applicants anyway.

Donuts recently filed a Request for Reconsideration appeal with ICANN over its decision to make the .doctor gTLD restricted to medical professionals only.

It was an unprecedented “Public Interest Commitment” demanded by ICANN staff in order to keep the Governmental Advisory Committee happy.

The GAC has been asking for almost two years for so-called “Category 1” gTLD strings — which could be seen to represent highly regulated sectors such as law or medicine — to see a commensurate amount of regulation from ICANN.

Governments wanted, for example, registrants to show professional credentials before being able to register a name.

In the vast majority of instances, ICANN creatively reinterpreted this advice to require registrants to merely assert that they possess such credentials.

These rules were put in registries’ contracts via PICs.

But for some reason in February the organization told Donuts that .doctor domains must be “ascribed exclusively to legitimate medical practitioners.”

According to Donuts, this came out of the blue, is completely unnecessary, an example of ICANN staff making up policy on the spot.

Donuts wants to be able to to sell .doctor names to doctors of any discipline, not just medical doctors. It also wants people to be able to use the names creatively, such as “computer.doctor” or “skateboard.doctor”.

What makes ICANN’s decision especially confusing is that CEO Fadi Chehade had the previous day passionately leaped to the defense of new gTLD registries in their fight against unnecessary GAC-imposed red tape.

The following video, in which Chehade uses .dentist as an example of a string that should not be subject to even more oversight, was taken February 11 at a Q&A with the Domain Name Assocation.

The New gTLD Program Committee meeting that authorized ICANN staff to add the new PIC took place February 12, the very next day. Chehade did not attend.

It’s quite remarkable how in line with registries Chehade seems to be.

It cuts to the heart of what many believe is wrong with the GAC — that governments demand of ICANN policies that they haven’t even bothered to implement in their own countries, just because it’s much easier to lean on ICANN than to pass regulations at home.

Here’s the entire text of his answer. He’s describing conversations he’d had with GAC members earlier in the week.

They’re saying stop all the Category 1 TLDs. Stop them. Freeze them!

And we said: Why do we need to freeze them? What’s the issue?

They said: It’s going to harm consumers.

How will it harm consumers? We started having a debate.

It turns out that they’re worried that if somebody got fadi.casino or fadi.dentist, to pick one of Statton’s [Statton Hammock, VP at Rightside, who was present], that this person is not a dentist and will pluck your ear instead of your teeth. How do you make sure they’re a dentist?

So I asked the European Commission: How do you make sure dentist.eu is a dentist?

They said: We don’t. They just get it.

I said: Okay, so why do these guys [new gTLD registries] have to do anything different?

And they said: The new gTLD program should be better or a model…

I said: Come on guys, do not apply rules that you’re not using today to these new folks simply because it’s easy, because you can come and raise flags here at ICANN. Let’s be fair. How do you do it at EU?

“Well, if somebody reports that fadi.dentist.eu is not a dentist, we remove them.”

Statton said: We do the same thing. It’s in our PICs. If fadi.dentist is not, and somebody reports them…

They said: But we can’t call compliance.

You can call compliance. Anyone can call compliance. Call us and we’ll follow up. With Statton, with the registrar.

What we have here is Chehade making a passionate case for the domain name industry’s right to sell medical-themed domain names without undue regulation — using many of the same arguments that Donuts is using in its Reconsideration appeal — then failing to show up for a board meeting the next day when that specific issue was addressed.

It’s impossible to know whether the NGPC would have reached a different decision had Chehade been at the February 12 meeting, because no formal vote was taken.

Rather, the committee merely passed along its “sense” that ICANN staff should carrying on what it was doing with regards implementing GAC advice on Category 1 strings.

While Chehade is but one voice on the NGPC, as CEO he is in charge of the ICANN staff, so one would imagine the decision to add the unprecedented new PIC to the .doctor contract falls into his area of responsibility.

That makes it all the more baffling that Donuts, and the other .doctor new gTLD applicants, are faced with this unique demand to restrict their registrant base to one subset of potential customers.

ICANN ditches plan to give governments more power

Kevin Murphy, February 25, 2015, Domain Policy

ICANN has quietly abandoned a plan to make it harder for its board of directors to go against the wishes of national governments.

A proposal to make a board two-thirds super-majority vote a requirement for overruling advice provided by the Governmental Advisory Committee is now “off the table”, ICANN CEO Fadi Chehade told a US Senate committee hearing today.

The threshold, which would replace the existing simple majority requirement, was proposed last August as a result of talks in a board-GAC working group.

At the time, I described the proposal as a “fait accompli” — the board had even said it would use the higher threshold in votes on GAC advice in advance of the required bylaws change.

But now it’s seemingly gone.

The news emerged during a hearing of the Senate Committee on Commerce, Science, and Transportation today in Washington DC, which was looking into the transition of US oversight of ICANN’s IANA functions to a multi-stakeholder process.

Asked by Sen. Deb Fischer whether the threshold change was consistent with ICANN’s promise to limit the power of governments in a post-US-oversight world, Chehade replied:

You are right, this would be incongruent with the stated goals [of the IANA transition]. The board has looked at that matter and has pushed it back. So it’s off the table.

That came as news to me, and to others listening to the hearing.

The original plan to change the bylaws came in a board resolution last July.

If it’s true that the board has since changed its mind, that discussion does not appear to have been documented in any of the published minutes of ICANN board meetings.

If the board has indeed changed its mind, it has done so with the near-unanimous blessing of the rest of the ICANN community (although I doubt the GAC was/will be happy).

The public comment period on the proposal attracted dozens of responses from community members, all quite vigorously opposed to the changes.

The ICANN report on the public comments was due October 2, so it’s currently well over four months late.

UPDATE 1: An ICANN spokesperson just got in touch to say that the board decided to ditch its plan in response to the negative public comments.

UPDATE 2: Another ICANN spokesperson has found a reference to the board’s U-turn in the transcript of a meeting between the ICANN board and GAC at the Los Angeles public meeting last October. A brief exchange between ICANN chair Steve Crocker and Heather Dryden, then chair of the GAC, reads:

DRYDEN: On the issue of the proposed bylaw changes to amend them to a third — two-thirds majority to reject or take a decision not consistent with the GAC’s advice, are there any updates there that the Board would like to — the Board or NGPC? I think it’s a Board matter? Yes?

CROCKER: Yes.

Well, you’ve seen the substantial reaction to the proposal.

The reaction embodies, to some extent, misunderstanding of what the purpose and the context was, but it also is very instructive to all of us that the timing of all this comes in the middle of the broader accountability question.

So it’s — I think it’s in everyone’s interest, GAC’s interest, Board’s interest, and the entire community’s interest, to put this on hold and come back and revisit this in a larger context, and that’s our plan.

So it seems that the ICANN board did tip its hand a few months ago, but not many people, myself included, noticed.

Delays to two-letter domains after governments take a second bite at the apple

Kevin Murphy, February 16, 2015, Domain Registries

New gTLD registries will have to wait a bit longer before they’re allowed to start selling two-character domain names, after ICANN’s Governmental Advisory Committee controversially issued new guidelines on their release.

The registries for hundreds of gTLDs will be affected by the delays, which could last a few months and were put in place by the ICANN board of directors at the request of the GAC at the ICANN 52 meeting in Singapore last week.

The two-character domain issue was one of the most contentious topics discussed at ICANN 52.

Exasperated registries complained to ICANN’s board that their requests to release such domains had been placed on hold by ICANN staff, apparently based on a letter from GAC chair Thomas Schneider which highlighted concerns held by a small number of governments.

The requests were frozen without a formal resolution by the board, and despite the fact that the GAC had stated more than once that it did not have consensus advice to give.

Some governments don’t want any two-letter domains that match their own ccTLDs to be released.

Italy, for example, has made it clear that it wants it.example and 1t.example blocked from registration, to avoid confusion.

Others, such as the US, have stated publicly that they have no issue with any two-character names being sold.

The process for releasing the names went live in December, following an October board resolution. It calls for a 30-day comment period on each request, with official approval coming seven to 10 days later.

But despite hundreds of requests going through the pipe, ICANN has yet to approve any. That seems to be due to Schneider’s letter, which said some governments were worried the comment process was not transparent enough.

This looked like a case of ICANN staff putting an unreasonable delay on part of registries’ businesses, based on a non-consensus GAC position that was delivered months after everyone thought it was settled law.

Registries grilled the board and senior ICANN executives about this apparent breakdown in multi-stakeholder policy-making last Tuesday, but didn’t get much in the way of an explanation.

It seems the GAC chair made the request, and ICANN implemented a freeze on a live business process, without regard to the usual formal channels for GAC advice.

However, the GAC did issue formal advice on two-letter domains on Wednesday during the Singapore meeting. ICANN’s board adopted the advice wholesale the next day.

This means that the comment period on each request — even the ones that have already completed the 30-day period — will be extended to 60 days.

The delay will be longer than a month for those already in the pipe, however, as ICANN still has to implement the board-approved changes to the process.

One of those changes is to alert governments when a new registry request has been made, a potentially complex task given that not every government is a member of the GAC.

The board’s resolution says that all comments from governments “will be fully considered”, which probably means we won’t be seeing the string “it” released in any new gTLD.

The GAC has also said it will publish a list of governments that do not intend to object to any request, and a list of governments that intend to object to every request.

Anger as governments delay two-letter domains

Kevin Murphy, February 9, 2015, Domain Registries

ICANN has heard an angry response from gTLD registries after delaying the release of two-character domains in new gTLDs, apparently at the whim of a small number of governments.

ICANN has yet to approve any of the over 350 requests for the release of two-letter domains filed by registries under a process approved by its board last October and launched in December.

The reason, according to registries, is that members of ICANN’s Governmental Advisory Committee — probably a minority — have objected and ICANN staff has “unilaterally” put a halt to the process.

Some governments — Spain, Italy and Cote d’Ivoire among them — are concerned that two-letter domains, such as es.example or it.example, may cause confusion with existing ccTLDs.

But the GAC itself was unable to find a consensus against the release of two-letter domains when it discussed the issue back in October. It merely asked for comment periods to allow individual governments to object to specific domains.

So ICANN’s board asked staff to create an “efficient procedure” to have requests swiftly approved, taking some of the stress off of the regular Registry Services Evaluation Process.

Two-letter domains have a premium dollar value for open registries, while multinational dot-brands expect to find them useful to market to the territories in which they operate.

Under the streamlined approval process, each request is subject to a 30-day comment period, and would be approved or not within seven to 10 days.

Right now, the oldest requests, which were filed in early December, are almost a month overdue for a response. The Registries Stakeholder Group told ICANN, in a letter (pdf):

We write to raise serious concern about what appears to be a recent closed-door, unilateral decision by ICANN staff, which took place over a period of weeks, to defer action on pending requests for two-character labels. This action was apparently initiated as a result of recent correspondence you received from the Chair of the Governmental Advisory Committee — but which critically does not represent formal consensus advice or even purport to represent the opinion of the GAC as a whole

It’s a case of governments strong-arming ICANN staff into changing policy, the registries claim.

GAC chair Thomas Schneider’s letter (pdf) says that an unspecified number of governments have “concerns” that the approval process was launched quite quickly and without any formal consultation with the GAC.

He goes on to make a laundry list of recommendations for making the process more amenable to governments, before requesting a “stay” on approvals until the GAC has further discussed the issue.

To date, registries representing a little over 300 strings have completed their 30-day comment periods, yet there have been only four comments from governments.

Italy and Cote d’Ivoire want ICANN to deny all requests for it.example and ci.example, because they may be confused with ccTLDs.

Spain, meanwhile, filed specific objections against the release of es.bingo, es.casino and es.abogado (lawyer), saying that these are regulated industries in Spain and should only be given to registrants who “have the required credentials”.

The RySG wants ICANN staff to immediately start approving requests that have passed through the comment process. The GAC says it will discuss the matter further at the ICANN 52 meeting currently going on in Singapore.

When RySG members raised the topic at a meeting the with ICANN board yesterday, directors avoided directly addressing the specific concerns.

Human glitch lets hackers into ICANN

Kevin Murphy, December 17, 2014, Domain Policy

It’s 2014. Does anyone in the domain name business still fall for phishing attacks?

Apparently, yes, ICANN staff do.

ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.

According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.

CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.

But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.

While the stolen passwords were encrypted, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:

The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.

As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.

It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.

Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.

User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.

In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some passwords that may allow them to cause further mischief if they can be decrypted.

It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.

While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar order to hand over their passwords.

That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.