Latest news of the domain name industry

Recent Posts

Concern as ICANN shuts down “independent” security review

Kevin Murphy, October 31, 2017, Domain Policy

Just a year after gaining its independence from the US government, ICANN has come under scrutiny over concerns that its board of directors may have overstepped its powers.

The board has come in for criticism from almost everyone expressing an opinion at the ICANN 60 meeting in Abu Dhabi this week, after it temporarily suspended a supposedly independent security review.

The Security, Stability and Resiliency of the DNS Review, known as SSR-2, is one of the mandatory reviews that got transferred into ICANN’s bylaws after the Affirmation of Commitments with the US wound up last year.

The review is supposed to look at ICANN’s “execution of its commitment to enhance the operational stability, reliability, resiliency, security, and global interoperability of the systems and processes, both internal and external, that directly affect and/or are affected by the Internet’s system of unique identifiers that ICANN coordinates”.

The 14 to 16 volunteer members have been working for about eight months, but at the weekend the ICANN board pulled the plug, saying in a letter to the review team that it had decided “to suspend the review team’s work” and said its work “should be paused”.

Chair Steve Crocker clarified in sessions over the weekend and yesterday that it was a direction, not a request, but that the pause was merely “a moment to take stock and then get started again”.

Incoming chair Cherine Chalaby said in various sessions today and yesterday that the community — which I take to mean the leaders of the various interest groups — is now tasked with un-pausing the work.

Incoming vice-chair Chris Disspain told community leaders in an email (pdf) yesterday:

The Board has not usurped the community’s authority with respect to this review. Rather, we are asking the SOs and ACs to consider the concerns we have heard and determine whether or not adjustments are needed. We believe that a temporary pause in the SSR2 work while this consideration is under way is a sensible approach designed to ensure stakeholders can reach a common understanding on the appropriate scope and work plan

Confusion has nevertheless arise among community members, and some serious concerns and criticisms have been raised by commercial and non-commercial interests — including governments — over the last few days in Abu Dhabi.

But the board’s concerns with the work of SSR-2 seem to date back a few months, to the Johannesburg meeting in June, at which Crocker said “dangerous signals” were observed.

It’s not clear what he was referring to there, but the first serious push-back by ICANN came earlier this month, when board liaison Kaveh Ranjbar, apparently only appointed to that role in June, emailed the group to say it was over-stepping its mandate.

Basically, the SSR-2 group’s plan to carry out a detailed audit of ICANN’s internal security profile seems to have put the willies up the ICANN organization and board.

Ranjbar wrote:

The areas the Board is concerned with are areas that indeed raise important organizational information security and organizational oversight questions. However, these are also areas that are not segregated for community review, and are the responsibility of the ICANN Organization (through the CEO) to perform under the oversight of the ICANN Board.

While we support the community in receiving information necessary to perform a full and meaningful review over ICANN’s SSR commitments, there are portions of the more detailed “audit” plan that do not seem appropriate for in-depth investigation by the subgroup. Maintaining a plan to proceed with detailed assessments of these areas is likely to result in recommendations that are not tethered to the scope of the SSR review, and as such, may not be appropriate for Board acceptance when recommendations are issued. This also can expand the time and resources needed to perform this part of the review.

This does not seem hugely unreasonable to me. This kind of audit could be expensive, time-consuming and — knowing ICANN’s history of “glitches” — could have easily exposed all kinds of embarrassing vulnerabilities to the public domain.

Ranjbar’s letter was followed up a day later with a missive (pdf) from the chair of ICANN’s Security and Stability Advisory Committee, which said the SSR-2’s work was doomed to fail.

Patrick Falstrom recommended a “temporarily halt” to the group’s work. He wrote:

One basic problem with the SSR2 work is that the review team seems neither to have sufficient external instruction about what to study nor to have been able to formulate a clear direction for itself. Whatever the case, the Review Team has spent hundreds of hours engaged in procedural matters and almost no progress has been made on substantive matters, which in turn has damaged the goodwill and forbearance of its members, some of whom are SSAC members. We are concerned that, left to its own devices, SSR2 is on a path to almost certain failure bringing a consequential loss of credibility in the accountability processes of ICANN and its community.

Now that ICANN has actually acted upon that recommendation, there’s concern that it sets a disturbing precedent for the board taking “unilateral” action to scupper supposedly independent accountability mechanisms.

The US government itself expressed concern, during a session between the board and the Governmental Advisory Committee in Abu Dhabi today.

“This is unprecedented,” US GAC rep Ashley Heineman said. “I just don’t believe it was ever an expectation that the ICANN board would unilaterally make a decision to pause or suspend this action. And that is a matter of concern for us.”

“It would be one thing if it was the community that specifically asked for a pause or if it was a review team that says ‘Hey, we’re having issues, we need a pause.’ What’s of concern here is that ICANN asked for this pause,” she said.

UK GACer Mark Carvell added that governments have been “receiving expressions of grave concern” about the move and urged “maximum transparency” as the SSR-2 gets back on track.

Jonathan Zuck of the Innovators Network Foundation, one of the volunteers who worked on ICANN’s transition from US government oversight, also expressed concern during the public forum session yesterday.

“I think having a fundamental accountability mechanism unilaterally put on hold is something that we should be concerned about in terms of process,” he said. “I’m not convinced that it was the only way to proceed and that from a precedential standpoint it’s not best way to proceed.”

Similar concerns were voiced by many other parts of the community as they met with the ICANN board throughout today and yesterday.

The problem now is that the bylaws do not account for a board-mandated “pause” in a review team’s work, so there’s no process to “unpause” it.

ICANN seems to have got itself tangled up in a procedural quagmire — again — but sessions later in the week have been scheduled in order for the community to begin to untangle the situation.

It doubt we’ll see a resolution this week. This is likely to run for a while.

ALAC throws spanner in ICANN accountability discussions

Kevin Murphy, October 18, 2015, Domain Policy

The At-Large Advisory Committee has yanked backing for a key ICANN accountability proposal.

The ALAC, on of ICANN’s policy advisory groups, this afternoon voted unanimously “to withdraw support for the Membership model” at ICANN 54 in Dublin.

The Membership model is a proposal out of the Cross Community Working Group on Accountability (CCWG) that would change ICANN’s legal structure to one of formal membership, where a Sole Member gets legal rights to enforce accountability over the ICANN board of directors.

The model has some fierce support in the CCWG, but over the last few days in Dublin the group has started to explore the possibility of a “Designator” model instead.

That would be a weaker accountability model than one based on membership, but stronger than the “Multistakeholder Enforcement Mechanism” proposed by the ICANN board.

ALAC chair Alan Greenberg said in a statement to the CCWG mailing list:

In its formal response to the CCWG-Accountability proposal issued in August 2015, the ALAC said that it could support the model being proposed, but preferred something far less complex and lighter-weight, and that we saw no need for the level of enforceability that the proposal provided. Moreover, the ALAC had specific concerns with the budget veto and the apparent lack of participation of perhaps a majority of AC/SOs.

In light of the reconsideration of a designator model by the CCWG, along with the recommendations of the Saturday morning break-out sessions, the ALAC felt that a revised statement was in order. Accordingly we decided, by a unanimous vote of the 14 ALAC members present (with 1 not present), to withdraw support for the Membership model.

I want to make it clear that this is not a “red line” decision. Should a Membership model become one that is generally advocated by the CCWG, and supported by a supermajority of Board directors (who ultimately MUST support any changes that they will be called upon to approve, else they would be in violation of their fiduciary duty), then the ALAC reserves its right to support such a model.

The move revises the battle lines in the ongoing accountability debate. It’s no longer a simple case of CCWG versus ICANN board.

Dublin is a crunch time for the accountability proposals.

The clock is ticking — if the ICANN community cannot agree on a consensus proposal soon it risks delaying the transition of the IANA functions from US government oversight and possibly killing off the transition altogether.

Yet, while the CCWG is making steady progress cleaning up remaining areas of disagreement, the differences between itself and the board are still as sharp as ever.

Chehade outlines five ways ICANN could die

Kevin Murphy, October 7, 2015, Domain Policy

Aarrgh! We’re all going to die!!!!1

ICANN CEO Fadi Chehade has outlined five ways in which the internet could fall to pieces if the IANA transition fails, and they all seem really horrible.

Chehade presented the list at a telephone meeting of leaders of ICANN supporting organizations and advisory committees yesterday.

I don’t know what was said yet, but I can guess the tone from one of Chehade’s accompanying slides:

5 Risks we face if the IANA Stewardship Transition is Delayed/Fails:

I. ICANN’s community may fracture or fray slowly, becoming divided, acrimonious, bitter — potentially risking ICANN’s stability, effectiveness — and impacting the participation of global stakeholders

II. The technical operating communities using IANA may go separate ways, with the IETF and the Numbering communities choosing to take their business elsewhere — ending the integrity of the Internet’s logical infrastructure

III. Governments (encouraged by G77) may lead an effort starting at this year during the WSIS review to shift Internet Governance responsibilities to a more stable and predictable inter-governmental platform

IV. Key economies that shifted positions since NTIA’s announcement in March 2014 may reverse their support for ‘one Internet’ logical infrastructure coordinated by ICANN

V. The resilience and effectiveness of the multistakholder model will be questioned by those seeking solutions to the emerging Internet Governance issues in the economic and societal layer (e.g. cyber security, trade, privacy, copyright protections, etc.)

Judging by the slides, ICANN reckons that the community needs to have its transition proposal delivered by December, if ICANN is to meet the current September 30, 2016 transition deadline.

There are a whole host of sessions devoted to the transition at the forthcoming public meeting in Dublin.

The transition process is currently in a very tricky spot because the ICANN board of directors does not agree with the community proposals to restructure ICANN.

Chehade confirms he’ll be gone before IANA transition is done

Kevin Murphy, June 22, 2015, Domain Policy

ICANN CEO Fadi Chehade has laid out his current best thinking for the timeline of the IANA’s transition from US government oversight, and he’ll be gone well before it’s done.

At the opening ceremony of the ICANN 53 meeting in Buenos Aires today, Chehade described how June 2016 is a likely date for the divorce; three months after his resignation takes effect.

Chehade said:

I asked our community leaders, “Based on your plans and what you’re seeing and what you know today, when could that finish?” The answers that are coming back to us seem to indicate that by ICANN 56, which will be back in Latin America in the middle of 2016, a year from today, the contract with the US Government could come to an end.

He showed a slide that broke the remaining work of the transition into three phases.

Work being carried out within ICANN is not entirely to blame for the length of time the process will take.

The US National Telecommunications and Information Administration needs 60 to 90 days to review the final community-developed transition proposal.

And under forthcoming US legislation, 30 legislative days will be required for the US Congress to review the NTIA’s approval of the plan.

Thirty legislative days, Chehade explained, could mean as many as 60 actual days, depending on the yet-unpublished 2016 Congressional calendar.

He urged the community focus hard on Phase One in his graphic — actually producing a consensus transition plan.

The target for delivery of this is the next ICANN meeting, 54, which will take place in Dublin, Ireland from October 18 to October 22 this year.

After slamming the ccNSO, India joins it

Kevin Murphy, August 20, 2014, Domain Registries

India has become the newest member of ICANN’s country-code Supporting Organization, the ccNSO, just one month after the local registry slammed the group for not representing its interests.

The National Internet Exchange (NIXI), which runs .in, became the 152nd ccNSO member yesterday, according to a note on its website.

I haven’t reported on the first 151 ccTLDs to join, but this one’s interesting because NIXI’s mononymed CEO, Dr Govind, led a charge of criticism against the ccNSO for excluding non-members from the IANA transition review.

In July, Govind complained that a “significant section of the ccTLD Registry operator community do not share the objectives of the ccNSO membership are now excluded from the process.”

By joining the ccNSO, registries agree to follow the policies it creates for ccTLDs (though I understand they may opt out), which has led 103 ccTLDs to stay out of it completely.

Some ccTLDs are primarily concerned that the ccNSO does nothing to dilute or overturn RFC 1591, the 20-year-old standards document that states ccTLDs can only be redelegated with the consent of the incumbent.