Latest news of the domain name industry

Recent Posts

Whois rule changes that nobody likes get approved anyway

Kevin Murphy, November 3, 2021, Domain Services

ICANN’s Generic Names Supporting Organization Council has approved a handful of changes to Whois policy, despite the fact that pretty much nobody was fully on-board with the proposals and how they were made.

The new recommendations call for a new field in Whois records to flag up whether the registrant is a private individual, whose privacy is protected by law, or a legal entity like a company, which have no privacy rights.

But the field will be optional, with no obligation for registries or registrars to use it in their Whois services, which has angered intellectual property interests, governments and others.

The working group that came up with the recommendations also declined to find that Whois records should come with an anonymized registrant email address as standard. This absence of change was also adopted by the Council, causing more disappointment.

In short, nothing much is happening to Whois records for the foreseeable future as a result of these policy changes.

But the process to arrive at this conclusion has highlighted not just the deep divisions in the ICANN community but also, some argue, deficiencies in the ICANN process itself.

The Expedited Policy Development Process working group that has since 2018 been looking at the interaction between Whois and privacy protection law, primarily the European Union’s General Data Protection Regulation, had been asked two final questions earlier this year, to wrap up its long-running work.

First, should registrars and registries be forced to distinguish between legal and natural persons when deciding what data to publish in Whois?

Second, should there be a registrant-based or registration-based anonymized email published in Whois to help people contact domain owners and/or correlate ownership across records?

The answer on both counts was that it’s up to the registry or registrar to decide.

On legal versus natural, the EPDP decided that ICANN should work with the technical community to create a new field in the Whois standard (RDAP), but that there should be no obligation for the industry to use it.

On anonymized email addresses, the working group recommendations were even hand-wavier — they merely refer the industry to some legal advice on how to implement such a system in a GDPR-compliant way.

While this phase of the EPDP’s work was super-fast by ICANN standards (taking about nine months) and piss-weak with its output, it nevertheless attracted a whole lot of dissent.

While its tasks appeared straightforward to outsiders, it nevertheless appears to have inherited the simmering tensions and entrenched positions of earlier phases and turned out to be one of the most divisive and fractious working groups in the modern ICANN period.

Almost every group involved in the work submitted a minority statement expressing either their displeasure with the outcome, or with the process used to arrive at it, or both. Even some of the largely positive statements reek of sarcasm and resentment.

EPDP chair Keith Drazek went to the extent of saying that the minority statements should be read as part and parcel of the group’s Final Report, saying “some groups felt that the work did not go as far as needed, or did not include sufficient detail, while other groups felt that certain recommendations were not appropriate or necessary”.

This Final Report constitutes a compromise that is the maximum that could be achieved by the group at this time under our currently allocated time and scope, and it should not be read as delivering results that were fully satisfactory to everyone.

The appears to be an understatement.

The Intellectual Property Constituency and Business Constituency were both the angriest, as you might expect. They wanted to be able to get more data on legal persons, and to be able to reverse-engineer domain portfolios using anonymous registrant-baed email addresses, and they won’t be able to do either.

The Governmental Advisory Committee and Security and Stability Advisory Committee both expressed positions in line with the IPC/BC, dismayed that no enforceable contract language will emerge from this process.

Councilor Marie Pattullo of the BC said during the GNSO Council vote last Wednesday that the work “exceeds what is necessary to protect registrant data” and that the EPDP failed to “preserve the WHOIS database to the greatest extent possible”.

The “optional differentiation between legal and natural persons is inadequate”, she said, resulting in “a significant number of records being needlessly redacted or otherwise being made unavailable”. The approved policies contain “no real policy and places no enforceable obligations on contracted parties”, she said.

IPC councilor John McElwaine called the EPDP “unfinished work” because the working group failed to reach a consensus on the legal/natural question. The IPC minority statement had said:

Requiring ICANN to coordinate the technical community in the creation of a data element which contracted parties are free to ignore altogether falls far short of “resolving” the legal vs. natural issue. And failing to require differentiation of personal and non-personal data fails to meet the overarching goal of the EPDP to “preserve the WHOIS database to the greatest extent possible” while complying with privacy law.

But McElwaine conceded that “a minority of IPC members did favor these outputs as being minor, incremental changes that are better than nothing”.

The BC and IPC both voted against the proposals, but that was not enough to kill them. They would have needed support from at least one councilor on the the other side of the GNSO’s Non-Contracted Parties House, the Non-Commercial Stakeholders Group, and that hand was not raised.

While the NCSG voted “aye”, and seemed generally fine with the outcome, it wasn’t happy with the process, and had some stern words for its opponents. It said in its minority statement:

The process for this EPDP has been unnecessarily long and painful, however, and does not reflect an appreciation for ICANN’s responsibility to comply with data protection law but rather the difficulty in getting many stakeholders to embrace the concept of respect for registrants’ rights…

With respect to the precise issues addressed in this report, we have stressed throughout this EPDP, and in a previous PDP on privacy proxy services, that the distinction between legal and natural is not a useful distinction to make, when deciding about the need to protect data in the RDS. It was, as we have reiterated many times, the wrong question to ask, because many workers employed by a legal person or company have privacy rights with respect to the disclosure of their personal information and contact data. The legal person does not have privacy rights, but people do.

While welcoming the result, the Registrars Stakeholder Group had similar concerns about the process, accusing its opponents of trying to impose additional legal risks on contracted parties. Its minority statement says:

it is disappointing that achieving this result was the product of significant struggle. Throughout the work on this Phase, the WG revisited issues repeatedly without adding anything substantially new to the discussion, and discussed topics which were out of scope. Perhaps most importantly, the WG was on many occasions uninterested in or unconcerned with the legal and financial risks that some proposed obligations would create for contracted parties in varying jurisdictions or of differing business models, or the risks to registrants themselves.

The Registries Stakeholder Group drilled down even more on the “out of scope” issue, saying the recommendation to create a new legal vs natural field in Whois went beyond what the working group had been tasked with.

They disagreed with, and indeed challenged, Drazek’s decision that the discussion was in-scope, but reluctantly went ahead and voted on the proposals in Council in order to finally draw a line under the whole issue.

The question of whether the legal vs natural question has been in fact been resolved seems to be an ongoing point of conflict, with the RySG, RrSG and NCSG saying it’s finally time to put the matter to bed and the IPC and BC insisting that consensus has not yet been reached.

The RySG wrote that it is “well past time to consider the issue closed” and that the EPDP had produced a “valuable and acceptable outcome”, adding:

The RySG is concerned that some have suggested this issue is not resolved. This question has been discussed in three separate phases of the EPDP and the result each time has been that Contracted Parties may differentiate but are not required to do so. This clearly demonstrates that this matter has been addressed appropriately and consistently. A perception that this work is somehow unresolved could be detrimental to the ICANN community and seen as undermining the effectiveness of the multistakeholder model.

Conversely, the BC said the report “represents an unfortunate failure of the multistakeholder process” adding that “we believe the record should state that consensus opinion did not and still does not exist”.

The IPC noted “a troubling trend in multistakeholder policy development”, saying in a clear swipe at the contracted parties that “little success is possible when some stakeholders are only willing to act exclusively in their own interests with little regard for compromise in the interest of the greater good.”

So, depending on who you believe, either the multistakeholder process is captured and controlled by intransigent contracted parties, or it’s unduly influenced by those who want to go ultra vires to interfere with the business of selling domains in order to violate registrant privacy.

And in either case the multistakeholder model is at risk — either “agree to disagree” counts as a consensus position, or it’s an invitation for an infinite series of future policy debates.

Business as usual at the GNSO, in other words.

IP lobby demands halt to Whois reform

Kevin Murphy, March 17, 2021, Domain Policy

Trademark interests in the ICANN community have called on the Org to freeze implementation of the latest Whois access policy proposals, saying it’s “not yet fit for purpose”.

The Intellectual Property Constituency’s president, Heather Forrest, has written (pdf) to ICANN chair Maarten Botterman to ask that the so-called SSAD system (for Standardized System for Access and Disclosure) be put on hold.

SSAD gives interested parties such as brands a standardized pathway to get access to private Whois data, which has been redacted by registries and registrars since the EU’s Generic Data Protection Regulation came into force in 2018.

But the proposed policy, approved by the GNSO Council last September, still leaves a great deal of discretion to contracted parties when it comes to disclosure requests, falling short of the IPC’s demands for a Whois that looks a lot more like the automated pre-GDPR system.

Registries and registrars argue that they have to manually verify disclosure requests, or risk liability — and huge fines — under GDPR.

The IPC has a few reasons why it reckons ICANN should slam the brakes on SSAD before implementation begins.

First, it says the recommendations sent to the GNSO Council lacked the consensus of the working group that created them.

Intellectual property, law enforcement and security interests — the likely end users of SSAD — did not agree with big, important chucks of the working group’s report. The IPC reckons eight of the 18 recommendations lacked a sufficient degree of consensus.

Second, the IPC claims that SSAD is not in the public interest. If the entities responsible for “policing the DNS” don’t think they will use SSAD due to its limitations, then why spend millions of ICANN’s money to implement it?

Third, Forrest writes that emerging legislation out of the EU — the so-called NIS2, a draft of a revised information security directive —- puts a greater emphasis on Whois accuracy

Forrest concludes:

We respectfully request and advise that the Board and ICANN Org pause any further work relating to the SSAD recommendations in light of NIS2 and given their lack of community consensus and furtherance of the global public interest. In light of these issues, the Board should remand the SSAD recommendations to the GNSO Council for the development of modified SSAD recommendations that meet the needs of users, with the aim of integrating further EU guidance.

It seems the SSAD proposals will be getting more formal scrutiny than previous GNSO outputs.

When the GNSO Council approved the recommendations in September, it did so with a footnote asking ICANN to figure out whether it would be cost-effective to implement an expensive — $9 million to build, $9 million a year to run — system that may wind up being lightly used.

ICANN has now confirmed that SSAD and the other Whois policy recommendations will be one of the first recipients of the Operational Design Phase (pdf) treatment.

The ODP is a new, additional layer of red tape in the ICANN policy-making sausage machine that slots in between GNSO Council approval and ICANN board consideration, in which the Org, in collaboration with the community, tries to figure out how complex GNSO recommendations could be implemented and what it would cost.

ICANN said this week that the SSAD/Whois recommendations will be subject to a formal ODP in “the coming months”.

Any question about the feasibility of SSAD would be referred back to the GNSO, because ICANN Org is technically not supposed to make policy.

New rules could stop registries ripping off big brands

Kevin Murphy, January 25, 2021, Domain Policy

New gTLD registries could be banned from unfairly reaching into the deep pockets of famous brands, under proposed rules soon to be considered by ICANN.

A recommendation approved by the GNSO Council last Thursday targets practices such as using reserved and premium lists to block trademark owners from registering their brands during sunrise periods, or charging them exorbitant fees.

It’s believed to target new TLDs that hope to copy controversial practices deployed by the likes of .sucks, .feedback and .top in the 2012 gTLD round.

The recommendations came in the final report of Review of All Rights Protection Mechanisms (RPMs) in All gTLDs working group, which suggests over 30 tweaks to policies such as Sunrise, Trademark Claims, Trademark Clearinghouse and Uniform Rapid Suspension.

While the recommendations almost all received full consensus of the working group, that’s largely because the group could not agree to any of the major changes that had been demanded by the intellectual property lobby.

The aforementioned RPMs will therefore not change a great deal for the next batch of new gTLD applicants.

Even the recommendation about not ripping off big brands is fairly weak, and may well be watered down to homeopathic levels by the forthcoming Implementation Review Team, which will be tasked with turning policy into practice.

This is the recommendation:

Sunrise Final Recommendation #1

The Working Group recommends that the Registry Agreement for future new gTLDs include a provision stating that a Registry Operator shall not operate its TLD in such a way as to have the effect of intentionally circumventing the mandatory RPMs imposed by ICANN or restricting brand owners’ reasonable use of the Sunrise RPM.

Implementation Guidance:

The Working Group agrees that this recommendation and its implementation are not intended to preclude or restrict a Registry Operator’s legitimate business practices that are otherwise compliant with ICANN policies and procedures.

The idea is that ICANN Compliance could come down on registries deploying unfair rules designed to rip off trademark owners.

Practices that have come in for criticism in the past, and are cited in the report, include:

.top’s attempt to charge Facebook $30,000 for facebook.top

.feedback registering thousands of brand-match domains to itself

.sucks placing brand-match domains in an expensive premium pricing tier

Famous Four Media doing the same thing

The working group could not agree on whether any of these should be banned, and it looks like the IRT will have a lot of wriggle room when it comes to interpret the recommendation.

Now that the GNSO Council has approved the RPM working group’s final report (pdf), it will be passed to the ICANN board of directors for consideration before the nitty-gritty work of translating words into reality begins.

ICANN denies Whois policy “failure” as Marby issues EU warning

Kevin Murphy, October 19, 2020, Domain Policy

ICANN directors have denied that recently delivered Whois policy recommendations represent a “failure” of the multistakeholder model.

You’ll recall that the GNSO Council last month approved a set of controversial recommendations, put forward by the community’s EPDP working group, to create a semi-centralized system for requesting access to private Whois data called SSAD.

The proposed policy still has to be ratified by the ICANN board of directors, but it’s not on the agenda for this week’s work-from-home ICANN 69 conference.

That has not stopped there being some robust discussion, of course, with the board talking for hours about the recommendations with its various stakeholder groups.

The EPDP’s policy has been criticized not only for failing to address the needs of law enforcement and intellectual property owners, but also as a failure of the multistakeholder model itself.

One of the sharpest public criticisms came in a CircleID article by Fabricio Vayra, IP lawyer are Perkins Coie, who tore into ICANN last month for defending a system that he says will be worse than the status quo.

But ICANN director Becky Burr told registries and registrars at a joint ICANN 69 session last week: “We don’t think that the EPDP represents a failure of the multistakeholder model, we actually think it’s a success.”

“The limits on what could be done in terms of policy development were established by law, by GDPR and other data protection laws in particular,” she added.

In other words, it’s not possible for an ICANN working group to create policy that supersedes the law, and the EPDP did what it could with what it was given.

ICANN CEO Göran Marby doubled down, not only agreeing with Burr but passing blame to EU bureaucrats who so far have failed to give a straight answer on important liability issues related to the GDPR privacy regulation.

“I think the EPDP came as far as it could,” he said during the same session. “Some of the people now criticizing it are rightly disappointed, but their disappointment is channeled in the wrong direction.”

He then referred to his recent outreach to three European Commission heads, in which he pleaded for clarity on whether a more centralized Whois model, with more liability shifted away from registrars to ICANN, would be legal.

A failure to provide such clarity would be to acknowledge that the EPDP’s policy proposals are all just fine and dandy, despite what law enforcement and some governments believe, he suggested.

“If the European Union, the European Commission, member states in Europe, or the data protection authorities don’t want to do anything, they’re happy with the situation,” he told registrars and registries.

“If they don’t take actions now, or answer our questions, they’re happy with the way people or organizations get access to the Whois data… it seems that if they don’t change or do anything, they’re happy, and then were are where we are,” he said.

He reiterated similar thoughts at sessions with other stakeholders last week.

But he faced some pushback from members of the pro-privacy Non-Commercial Stakeholders Group, particularly during an entertaing exchange with EPDP member Milton Mueller, who’s unhappy with how Marby has been characterizing the group’s output to the EU.

He specifically unhappy with Marby telling the commissioners: “Should the ICANN Board approve the SSAD recommendations and direct ICANN org to implement it, the community has recommended that the SSAD should become more centralized in response to increased legal clarity.”

Mueller reckons this has no basis in what the EPDP recommended and the GNSO Council approved. It is what the IP interests and governments want, however.

In response, Marby talked around the issue and seemed to characterize it as a matter of interpretation, adding that he’s only trying to provide the ICANN community with the legal clarity it needs to make decisions.

Peaceful transfer of power? GNSO’s next chair is a shoo-in

Kevin Murphy, October 5, 2020, Domain Policy

Unlike other upcoming democratic processes we could mention, it looks like the transition to a new chair of ICANN’s GNSO Council will be peaceful, non-controversial, and probably won’t result in widespread looting and arson.

Philippe Fouquart is the sole candidate, and he’ll be voted in with an open ballot at the ICANN AGM later this month.

As a senior techie for telecoms company Orange, he’s sat on the Council as a representative of the Internet Service Providers Constituency for the last three years. He hails from France.

Fouquart was nominated by the Non-Contracted Parties House. The Contracted Parties House, representing registries and registrars, did not field a candidate.

Unlike normal procedure, which calls for a secret paper ballot, the Council will vote via a simple, public roll-call at the AGM.

He’ll replace Verisign VP Keith Drazek, who’s chaired the Council for the last two years.

In terms of vice-chairs, the CPH has reappointed Pam Little of Chinese registrar Alibaba for another year and the NCPH has selected cybersecurity policy expert Tatiana Tropina to replace Rafik Dammak.

ICANN playing ping-pong on closed generics controversy

Kevin Murphy, October 1, 2020, Domain Policy

ICANN’s board of directors has refused to comment on the issue of “closed generic” gTLDs, bouncing the thorny issue back to the community.

In its response to the SubPro working group’s draft final report this week, the board declined to be drawn on whether it thinks closed generics should be allowed in future application rounds, and urged the GNSO to figure it out, writing:

the Board is not in a position to request policy outcomes… we will base our decision on whether we reasonably believe that the policy proposal is or is not in the best interests of the ICANN community or ICANN

A closed generic is a gTLD representing a non-trademark dictionary word, where the registry is the only eligible registrant. Dozens of companies tried to snap up such TLDs in 2012

ICANN changed the rules to disallow them, based largely on government advice, before punting the issue to the community, in the form of the GNSO, back in 2015.

But despite five years of thinking, the GNSO’s SubPro working group was unable to reach a consensus on whether closed generics should be allowed or not, or whether they should be allowed, but only when there’s a “public interest” purpose.

As I noted last month, it presented three possible ways closed generics could be permitted, none of which have consensus support.

So it asked the board for guidance, and the board’s response is basically “not our problem, figure it out yourselves”.

It would be churlish to criticize the board for refusing to make policy from the top-down, of course.

Much better to wait for the next time it does make policy from the top-down, and criticize it then.

Whois plan approved, but it may be a waste of money

Kevin Murphy, September 24, 2020, Domain Policy

ICANN’s GNSO Council has approved a plan to overhaul Whois and sent it to the ICANN board for the royal assent, alongside a warning that it may be a huge waste of money.

All seven members of the Contracted Parties House voted in favor of the plan, created by the so-called EPDP working group, which would create a centralized System for Standardized Access/Disclosure for Whois records.

In the Non-Contracted Parties House, only the two members of the Intellectual Property Constituency and the two members of the Business Constituency voted against the headline resolution, with the remaining nine voting in favor.

This was sufficient to count as a supermajority, which was the threshold required.

But the board will be receiving the SSAD recommendations alongside a request for a consultation on “whether a further cost-benefit analysis should be conducted”:

Noting some of the questions surrounding the financial sustainability of SSAD and some of the concerns expressed within the different minority statements, the GNSO Council requests a consultation with the ICANN Board as part of the delivery of the GNSO Council Recommendations Report to the ICANN Board to discuss these issues, including whether a further cost-benefit analysis should be conducted before the ICANN Board considers all SSAD-related recommendations for adoption.

The cost of SSAD is currently estimated by ICANN loosely at $9 million to build and $8.9 million a year to run. Under the approved recommendations, it would be paid for by accreditation fees paid by end-user data requestors.

And the benefits?

Well, to listen to the IPC, BC, governments and security experts — collectively the expected customers of SSAD — the system will be a bit rubbish and maybe not even worth using.

They complain that SSAD still leaves ultimate responsibility for deciding whether to grant access to Whois records to trained humans at individual registries and registrars. They’d prefer a centralized structure, with much more automation, more closely resembling the pre-GDPR universe.

Contracted parties counter that if GDPR is going to hold them legally responsible for disclosures, they can’t risk offloading decision-making to a third party.

But this could prove a deterrent to adoption, and if fewer companies want to use SSAD that could mean less revenue to fund it which in turn could lead to even higher prices or the need for subsidies out of ICANN’s budget.

The IPC called the recommendations “an outcome that will not meet the needs of, and therefore will not be used by, stakeholders”.

It’s a tricky balancing act for ICANN, and it could further extend the runway to implementation.

The most likely first chance the ICANN board will get to vote on the recommendations would be the AGM, October 22, but if the GNSO consultation concludes another cost/benefit analysis is due, that would likely push the vote out into 2021.

There’s the additional wrinkle that three of ICANN’s four advisory committees, including the governments, have expressed their displeasure with the EPDP outcome, which is likely to add complexity and delay to the roadmap.

And the GNSO’s work on Whois is not even over yet.

Also during today’s meeting, the Council started early talks on whether to reopen the EPDP to address the issues of data accuracy, whether registrars should be obliged to distinguish between legal and natural persons, and whether it’s feasible to have a uniform system of anonymized email addresses in Whois records.

Should YOU have to pay when lawyers access your private Whois info?

Kevin Murphy, September 23, 2020, Domain Policy

The question of who should shoulder the costs of ICANN’s proposed Whois overhaul is being raised, with governments and others suggesting that the burden should fall on registrants themselves.

In separate statements to ICANN recently, the Governmental Advisory Committee and Security and Stability Advisory Committee both put forward the view that registrants, rather than the trademark lawyers behind most requests for private Whois data, should fund the system.

ICANN currently expects the so-called System for Standardized Access/Disclosure (SSAD), proposed after two years of talks in an ICANN community working group, to cost $9 million to build and another $9 million a year to operate.

The working group, known as the EPDP, has recommended in its final report that registrants “MUST NOT bear the costs for having data disclosed to third parties”.

Instead, it recommended that requestors themselves should pay for the system, probably via an annual accreditation fee.

But now the GAC and SSAC have issued minority statements calling that conclusion into question.

The GAC told ICANN (pdf):

While the GAC recognizes the appeal of not charging registrants when others wish to access their data, the GAC also notes that registrants assume the costs of domain registration services as a whole when they register a domain name.

While the SSAC said (pdf):

Data requestors should not primarily bear the costs of maintaining the system. Requestors should certainly pay the cost of getting accredited and maintaining their access to the system. But the current language of [EPDP Recommendation] 14.2 makes victims and defenders cover the costs of the system’s operation, which is unfair and is potentially dangerous for Internet security…

No previous PDP has protected registrants from having the costs associated with “core” registration services or the implementation of consensus policies being passed on to them. No previous PDP has tried to manipulate the functioning of market forces as is proposed in Recommendation 14.

SSAC suggested instead that registrars should be allowed to pass on the costs of SSAD to their customers, and/or that ICANN should subsidize the system.

Over 210 million gTLD domain names, $9 million a year would work out to less than five cents per domain, but one could argue there’s a principle at stake here.

Should registrants have to pay for the likes of Facebook (probably the biggest requestor of private Whois data) to access their private contact information?

The current proposed system would see the estimated $9 million spread out over a far smaller number of requestors, making the fee something like $450 per year.

EPDP member Milton Mueller did the math and concluded that any company willing to pay its lawyers hundreds of thousands of dollars to fight for greater Whois access in ICANN could certainly swallow a measly few hundred bucks a year.

But the minority objections from the GAC, SSAC and Intellectual Property Constituency do not focus wholly on the costs. They’re also bothered that SSAD doesn’t go nearly far enough to actually provide access to Whois data.

Under the current, temporary, post-GDPR system, registries and registrars basically use their own employees’ discretion when deciding whether to approve a Whois data request.

That wouldn’t change significantly under SSAD, but there would be a huge, multi-tiered system of accreditation and request-forwarding that’s been described as “glorified, overly complex and very expensive ticketing system”.

The GAC wants something much more automated, or for the policy to naturally allow increased automation over time. It also wants increased centralization, taking away much of the human decision-making at registrars out of the equation.

The response from the industry has basically been that if GDPR makes them legally liable for their customers’ data, then it’s the registries and registrars that should make the disclosure decisions.

The GAC has a great deal of power over ICANN, so there’s likely to be a bit of a fight about the EPDP’s outcomes and the future of SSAD.

The recommendations are due to be voted on by the GNSO Council at its meeting tomorrow, and as I’ve noted before, it could be tight.

Council chair Keith Drazek seems to be anticipating some lively debate, and he’s already warned fellow members that’s he’s not minded to approve any request for a delay on the vote, noting that the final report has been available for review for several weeks.

By convention, the Council will defer a vote on the request of any of its constituency groups, but this is sometimes exploited.

Should the Council approve the resolution approving the final report — which contains a request for further financial review of SSAD — then it will be forwarded to the ICANN board of directors for final discussion and approval.

But with the GAC on its case, with its special advisory powers, getting SSAD past the board could prove tricky.

The end of the beginning? ICANN releases policies for next round of new gTLDs

Kevin Murphy, August 25, 2020, Domain Policy

Over eight years after ICANN last accepted applications for new gTLDs and more than four years after hundreds of policy wonks first sat around the table to discuss how the program could be improved, the working group has published its draft final, novel-length set of policy recommendations.

Assuming the recommendations are approved, in broad terms the next round will be roughly similar to the 2012 round.

But almost every phase of the application process, from the initial communications program to objections and appeals, is going to get tweaked to a greater or lesser extent.

The recommendations came from the GNSO’s New gTLD Subsequent Procedures working group, known as SubPro. It had over 200 volunteer members and observers and worked for thousands of hours since January 2016 to come up with its Final Draft Report.

Some of the proposed changes mean the cost of an application will likely go down, while others will keep the cost artificially high.

Some changes will streamline the application process, others may complicate it.

Many of the “changes” to policy are in fact mere codifications of practices ICANN brought in unilaterally under the controversial banner of “implementation” in the 2012 round.

Essentially, the GNSO will be giving the nod retroactively to things like Public Interest Commitments, lottery-based queuing, and name collisions mitigation, which had no basis in the original new gTLDs policy.

But other contentious aspects of the last round are still up in the air — SubPro failed to find consensus on highly controversial items such as closed generics.

The report will not tell you when the next round will open or how much it will cost applicants, but the scope of the work ahead should make it possible to make some broad assumptions.

What it will tell you is that the application process will be structurally much the same as it was eight years ago, with a short application window, queued processing, objections, and contention resolution.

SubPro thankfully rejected the idea replacing round-based applications with a first-come, first-served model (which I thought would have been a gaming disaster).

The main beneficiaries of the policy changes appear to be registry service providers and dot-brand applicants, both of which are going to get substantially lowered barriers to entry and likely lower costs.

There are far too many recommendations for me to summarize them eloquently in one blog post, so I’m going to break up my analysis over several articles to be published over the next week or so.

In the meantime, ICANN has opened up the final draft report for public comment. You have until September 30.

The report notes that previously rejected comments will not be considered, so if your line is “New gTLDs suck! .com is King!” you’re likely to find your input falling on deaf ears.

After the comment period ends, and SubPro considers the comments, the report will be submitted to the GNSO Council for approval. Subsequently, it will need to be approved by the ICANN board of directors.

It’s not impossible that this could all happen this year, but there’s a hell of a lot of implementation work to be done before ICANN starts accepting applications once more. We could be looking at 2023 before the next window opens and 2024 before the next batch of new gTLDs start to launch.

UPDATE: This post was updated August 27, 2020 to clarify procedural and timing issues.

The pricey, complex, clusterfuck plan to reopen Whois

Kevin Murphy, August 3, 2020, Domain Policy

After a little more than two years, an ICANN working group has finalized the policy that could allow people to start accessing unredacted Whois records again.

Despite the turnaround time being relatively fast by ICANN standards, the Expedited Policy Development Process group has delivered what could be the most lengthy and complex set of policy recommendations I’ve seen since the policy work on new gTLDs over a decade ago.

Don’t get too excited if you’re itching to get your hands on Whois data once more. It’s a 171-page document containing over a hundred recommendations that’s bound to take ages to implement in full, if it even gets approved in the coming weeks.

I’d be surprised if it’s up and running fully before 2022 at the earliest. If and when the system does eventually come online, don’t expect to get it for free.

It’s already being slammed in multiple quarters, with one constituency saying it could result in a “multi-year-implementation resulting in a system which would effectively be a glorified, overly complex and very expensive ticketing system”.

Trademark owners are livid, saying the proposed policy completely fails to address their needs, and merely entrenches the current system of registrar discretion into formal ICANN policy.

The recommendations describe a proposed system called SSAD, for System for Standardized Access/Disclosure, which would be overseen by ICANN and enforced through its contracts with registries and registrars.

It’s a multi-tiered system involving a few primary functions, wrapped in about a thousand miles of red tape.

First and foremost, you’ve got the Central Gateway Manager. This would either be ICANN, or a company to which ICANN outsources. Either way, ICANN would be responsible for overseeing the function.

The gateway manager’s job is to act as a middleman, accepting Whois data requests from accredited users and forwarding them to registries and registrars for processing.

In order to access the gateway, you’d need to be accredited by an Accreditation Authority. Again, this might be ICANN itself or (more likely) a contractor.

The policy recommendations only envisage one such authority, but it could rely on a multitude of Identity Providers, entities that would be responsible for storing the credentials of users.

It’s possible all of these roles and functions could be bundled up in-house at ICANN, but it appears the far more likely scenario is that there will be a bunch of RFPs coming down the pike for hungry contractors later this year.

But who gets to get accredited?

Anyone with a “legitimate interest or other lawful basis”, it seems. The document is far from prescriptive or proscriptive when it comes to describing possible users.

But the recommendations do give special privileges to governments and government-affiliated entities such as law enforcement, consumer protection bodies and data privacy watchdogs.

For law enforcement agencies, the proposed policy would mandate fully automated processing at the gateway and at the registry/registrar. It sounds like cops would get pretty much instant access to all the Whois data they need.

Requests just the for city field of the record would also be fully automated, for any accredited requestor.

There would be at least three priorities of Whois request under the proposed system.

The first, “Urgent”, would be limited to situations that “pose an imminent threat to life, serious bodily injury, critical infrastructure (online and offline) or child exploitation”. Non-cops could use this method too. Contracted parties would have one business day or three calendar days to respond.

The second would be limited to ICANN-related procedures like UDRP and URS, and registrars would have a maximum of two business days to respond.

The third would encapsulate all other requests, with some priority given to fraud or malware-related requests. Response times here could be a long as 10 days.

I’m trying to keep it simple here, but a lot of the recommendations describe the aforementioned red tape surrounding each stage of the process.

Registrars and registries would be bound to service level agreements, there’d be appeals processes for rejected requests, there’d be logging, audits, reporting, methods to de-accredit users and methods for them to appeal their de-accreditation… basically a shedload of checks and balances.

And who’s going to pay for it all?

ICANN’s latest guesstimate is that SSAD will cost $9 million to build and another $8.9 million annually to operate.

It seems the main burden will be placed on the shoulders of the end-user requestors, which will certainly have to pay for accreditation (which would have to be renewed periodically) and may have to pay per-query too.

Trademark lawyers within the ICANN community are furious about this — not because they have to pay, but because SSAD functionality does “not come close to justifying the costs”.

They’d envisaged a system that would be increasingly automated as time went by, eventually enabling something pretty much like the old way of doing Whois lookups, but say the current proposals preclude that.

It’s also not impossible that the system could lead to higher fees for registrants.

The EPDP group is adamant that domain registrants should not have to pay directly when somebody queries their Whois data, and says the SSAD should be cheaper to run for registrars than the current largely manual system, but acknowledges there’s nothing ICANN can do to stop registrars raising their prices as a result of the proposed policy.

The recommendations say that ICANN should not take a profit from SSAD, but do not discount its contractors from making a fair return from their work.

Prices are, like much else described in this Final Report, still very much TBD. The EPDP working group was given a lot to accomplish in very little time, and there’s a lot of buck-passing going on.

And there’s no guarantee that the policy will even be approved in the short term, given the level of dissent from working group participants.

Before the recommendations become formal Consensus Policy — and therefore binding on all registries and registrars — they first have to be approved by the GNSO Council and then the ICANN board of directors.

The first opportunity for the GNSO Council to vote is at its meeting September 24, but it could be a very tight vote.

For an EPDP to pass, it needs a supermajority vote of the Council, which means a two-thirds majority of both “houses” — the Contracted Parties House (ie, registries and registrars) and the Non-Contracted Parties house — or a 75% approval in one house and a simple majority in the other.

The way things stand, it looks to me like the CPH will very likely vote 100% in favor of the proposal, which means that only seven out of the 13 NCPH members will have to vote in favor of the report in order for it to pass.

The NCPH is made up of six people from the Non-Commercial Stakeholders Group, which generally hold pro-privacy views and have already criticized the report as not going far enough to protect registrants’ data.

Six more NCPH members comprise two members each from the Intellectual Property Constituency, Business Constituency and Internet Service Providers Constituency.

The IPC and BC put their names to a joint minority statement in the Final Report saying that its recommendations:

amount to little more than affirmation of the [pre-EPDP] status quo: the elements of WHOIS data necessary to identify the owners and users of domain names are largely inaccessible to individuals and entities that serve legitimate public and private interests.

I’m chalking those four Council members down as reliable “no” votes, but they’ll need the support of the two ISP guys and the wildcard Nominating Committee appointee in order to bury this policy proposal.

If it does pass the Council, the next and final stage of approval for SSAD would be the ICANN board, probably at ICANN 69 in October.

But then ICANN would actually have to build the damn thing.

This would take many months of implementation and review, then there’d have to be multiple RFP processes to select the companies to write the software and build the infrastructure to run it, who’d then actually have to build and test it.

In the same guesstimate that put a $9 million price tag on the system, ICANN reckoned that it would take a full year for a third party to build and test SSAD. That’s not even taking registrar integration into account.

So, if you’re looking for streamlined Whois access again, you’d best think 2022 at the very earliest, if ever.

If you wish to read the EPDP working group’s Final Report, you can do so here (pdf).

UPDATE: This article originally misstated the date of the next GNSO Council meeting at which this proposal could be considered. It’s not August 20. It’s September 24, which means initial ICANN board consideration is out in October. Add another month to whatever timeline you were hoping for.