Latest news of the domain name industry

Recent Posts

Surprise! ICANN throws out complaints about .org price caps

Kevin Murphy, November 4, 2019, Domain Policy

ICANN has rejected two appeals against its decision to lift price caps and introduce new anti-cybersquatting measures in the .org space.

In other news, gambling is going on in Rick’s Cafe.

NameCheap and the Electronic Frontier Foundation both filed Requests for Reconsideration with ICANN back in July and August concerning the .org contract renewal.

NameCheap argued that ICANN should have listened to the deluge of public comments complaining about the removal of price caps in Public Interest Registry’s .org contract, while EFF complained about the inclusion of the Uniform Rapid Suspension rights protection mechanism.

Reconsideration requests are usually handled by the Board Accountability Mechanisms Committee but this time around three of its four members (Sarah Deutsch, Nigel Roberts, and Becky Burr) decided to recuse themselves due to the possibility of perception of conflicts of interest.

That meant the committee couldn’t reach a quorum and the RfRs went to ICANN’s outside lawyers for review instead, before heading to the full ICANN board.

This hasn’t happened before, to my recollection.

Also unprecedented, the board’s full discussion of both requests was webcast live (and archived here), which negates the need for NameCheap or the EFF to demand recordings, which is their right under the bylaws.

But the upshot is basically the same as if the BAMC had considered the requests in private — both were denied in a unanimous (with the three recusals) vote.

Briefing the board yesterday, ICANN associate general counsel Elizabeth Le said:

There was no evidence to support that ICANN Org ignored public consultation. Indeed both renewals went out for public comments and there were over 3,700 comments received, all of which ICANN reviewed and evaluated and it was discussed in not only the report of public comments, but it was discussed through extensive briefings with the ICANN board…

Ultimately, the fact that the removal of the price caps was part of the Registry Agreements does not render the public comment process a sham or that ICANN failed to act in the public benefit or that ICANN Org ignored material information.

General counsel John Jeffrey and director Avri Doria both noted that the board may not have looked at each individual comment, but rather grouped together based on similarity. Doria said:

Whether one listens to the content once or listens to it 3,000 times, they have understood the same content. And so I really just wanted to emphasize the point that it’s not the number of comments, it’s the content of the comments.

This seems to prove the point I made back in April, when this controversy first emerged, that letter-writing campaigns don’t work on ICANN.

As if to add insult to injury, the board at the same meeting yesterday approved paying an annual bonus to the ICANN Ombudsman, who attracted criticism from NameCheap and the Internet Commerce Association after dismissing many of the public comments as “more akin to spam”.

Somber mood as ICANN 66 opens in Montreal

Kevin Murphy, November 4, 2019, Domain Policy

The opening ceremony of ICANN’s 66th public meeting set a somber tone, as leaders bade farewell to recently departed and departing colleagues.

Outgoing chair Cherine Chalaby and CEO Göran Marby delivered eulogies respectively to senior vice president Tarek Kamel, and long-time industry/community participant, Don Blumenthal, both of whom died over the last several weeks.

Apparently choking up at one point, Chalaby described Kamel as a “good friend” and “great man” who “always made time for me, always encouraged me, and always advised me with great sincerity”.

Marby later announced that ICANN will create a new annual award, named after Kamel, which will honor “individuals significantly contributing to capacity building and creating diversity within our community”.

He also said that the dinner held by the CEO with the technical community at the end of every ICANN meeting will in future be named after Blumenthal, a long-serving member of the security community.

“His expertise, hard work and humor will be sorely missed,” Marby said.

Chalaby himself is leaving ICANN under less sad circumstances on Thursday, when the third and final of his terms comes to an end and he leaves the board of directors for good. He’s been on the board for nine years and chair for two.

Marby presented him with ICANN’s Leadership Award in recognition of his time served.

Chalaby will be replaced by Maarten Botterman.

ICANN 66 runs through Thursday in Montreal, Canada.

America has Amazon’s back in gTLD fight at ICANN 66

Kevin Murphy, November 3, 2019, Domain Policy

The United States looks set to stand in the way of government attempts to further delay Amazon’s application for .amazon.

The US Governmental Advisory Committee representative, Vernita Harris, said today that the US “does not support further GAC advice on the .amazon issue” and that ICANN is well within its rights to move forward with Amazon’s controversial gTLD applications.

She spoke after a lengthy intervention from Brazilian rep Ambassador Achilles Zaluar Neto, who said South American nations view the contested string as their “birthright” and said ICANN is allowing Amazon “to run roughshod over the concerns and the cultural heritage of eight nations and tens of millions of people”.

It was the opening exchange in would could prove to be a fractious war of words at ICANN 66 in Montreal, which formally opens tomorrow.

The .amazon applications have been controversial because the eight countries in the Amazon Cooperation Treaty Organization believe their unwritten cultural rights to the word outweigh Amazon’s trademark rights.

Forced to the negotiating table by ICANN last year, the two sides each posed their own sets of ideas about how the gTLD could be managed in such a way as to protect culturally sensitive terms at the second-level, and taking ACTO’s views into account.

But an ICANN-imposed deadline for talks to conclude in April was missed, largely as a result of the ongoing Venezuela crisis, which caused friction between the ACTO governments.

But today, Brazil said that ACTO is ready and willing to get back to the negotiating table asked that ICANN reopen these talks with an impartial mediator at the helm.

As things stand, Amazon is poised to get .amazon approved with a bunch of Public Interest Commitments in its registry contract that were written by Amazon without ACTO’s input.

Neto said that he believed a “win-win” deal could be found, which “would provide a positive impetus for internet governance instead of discrediting it”. He threatened to raise the issue at the Internet Governance Forum next month.

ICANN’s failure to reopen talks “would set a bad precedent and reflect badly on the current state of internet governance, including its ability to establish a balance between private interests and public policy concerns”, he said

But the US rallied to Amazon’s defense. Harris said:

The United States does not support further GAC advice on the .amazon issue. Any further questions from the GAC to the Board on this matter we believe is unwarranted… We are unaware of any international consensus that recognizes inherent governmental rights and geographic names. Discussions regarding protections of geographic names is the responsibility of other forums and therefore should be discussed and those relevant and appropriate forums. Contrary to statements made by others, it is the position of the United States that the Board’s various decisions authorizing ICANN to move forward with processing the.application are consistent with all relevant GAC advice. The United States therefore does not support further intervention that effectively works to prevent or delay the delegation of .amazon and we believe we are not supportive and we do not believe that it’s required.

This is a bit of a reversal from the US position in 2013.

Back then, the GAC wanted to issue consensus advice that ICANN should reject .amazon, but the US, protecting one of its largest companies, stood in the way of full consensus until, in the wake of the Snowden revelations, the US decided instead to abstain, apparently to appease an increasingly angry Brazil.

It was that decision that opened the door to the six more years of legal wrangling and delay that .amazon has been subject to.

With the US statement today, it seems that the GAC will be unlikely to be able to issue strong, full-consensus advice that will delay .amazon further, when it drafts its Montreal communique later in the week.

The only other GAC member speaking today to support the US position was Israel, whose rep said “since it is an ongoing issue for seven years, we don’t believe that there is a need for further delay”.

Several government reps — from China, Switzerland, Portugal, Belgium and the European Commission — spoke in favor of Brazil’s view that ICANN should allow ACTO and Amazon back to the negotiating table.

The GAC is almost certain to say something about .amazon in its communique, due to drop Wednesday, but the ICANN board of directors does not currently have an Amazon-related item on its Montreal agenda.

UPDATE: The originally published version of this story incorrectly identified the US GAC representative as Ashley Heineman, who is listed on the GAC’s web site as the US representative. In fact, the speaker was Vernita Harris, acting associate administrator at the US National Telecommunications and Information Administration. Had I been watching the meeting, rather that just listening to it, this would have been readily apparent to me. My apologies to Ms Heineman and Ms Harris for the error.

Emoji domains get a 😟 after broad study

Kevin Murphy, October 28, 2019, Domain Tech

Domain names containing emojis are a security risk and not recommended, according to a pretty comprehensive review by an ICANN study group.

The Country-Code Names Supporting Organization has delivered the results of its 12-person, 18-month Emoji Study Group, which was tasked with looking into the problems emoji domains can cause, review current policy, and talk to ccTLD registries that currently permit emoji domains.

The ESG didn’t have a lot of power, and its recommendations are basically an exercise in can-kicking, but it’s easily the most comprehensive overview of the issues surrounding emoji domains that I’ve ever come across.

It’s 30 pages long, and you can read it here (pdf).

Emojis are currently banned in gTLDs, where ICANN has to approve new Unicode tables before they can be used by registries at the second level, under its internationalized domain name policy, IDNA 2008.

But ccTLDs, which are not contracted with ICANN, have a lot more flexibility. There are 15 ccTLDs — almost all representing small islands or low-penetration African nations — that currently permit emoji domains, the ESG found.

That’s about 6% of Latin-script ccTLDs out there today. These TLDs are .az, .cf, .fm, .je, .ga, .ge, .gg, .gq, .ml, .st, .to, .tk, .uz, .vu, and .ws.

Five of them, including .tk, are run by notorious freebie registry Freenom, but perhaps the best-known is .ws, where major brands such as Budweiser and Coca-Cola have run marketing campaigns in the past.

The main problem with emojis is the potential for confusing similarity, and the ESG report does a pretty good job of enumerating the ways confusability can arise. Take its comparison of multiple applications’ version of the exact same “grinning face” emoji, for example:

Emoji comparison

If you saw a domain containing one of those in marketing on one platform, would you be able to confidently navigate to the site on another? I doubt I would.

There’s also variations in how registrars handle emojis on their storefronts, the report found. On some you can search with an emoji, on others you’ll need to type out the xn-- prefixed Punycode translation longhand.

In terms of recommendations, the ESG basically just asked ICANN to keep an eye on the situation, to come to a better definition of what an emoji actually is, and to reach out for information to the ccTLDs accepting emojis, which apparently haven’t been keen on opening up so far.

Despite the lack of closure, it’s a pretty good read if you’re interested in this kind of thing.

Verisign likely to get its billion-dollar .com pricing windfall

Kevin Murphy, October 28, 2019, Domain Registries

Verisign and ICANN appear to be on the verge of signing a new .com registry contract that could prove extremely lucrative for the legacy gTLD company.

Speaking to analysts following the announcement of Verisign’s third-quarter results late last week, CEO Jim Bidzos said talks with ICANN, which have their first anniversary this week, are “nearly complete”.

The new contract will take on the terms of the Cooperative Agreement between Verisign and the US Department of Commerce, which was amended a year ago to scrap an Obama-era price freeze.

Under the future contract, Verisign is expected to be able to raise its .com fee from its current $7.85 by 7% in four of the six years of the deal. As I wrote at the time, this could be worth close to a billion dollars.

This, for a company that already enjoys profit margins so generous that I regularly receive phone calls from perplexed analysts asking me to help explain how they get away with it.

Bidzos said on Thursday night:

let me remind you that under the 2016 amendment to our .com registry agreement with ICANN, which extended the term of the agreement, we and ICANN also agree to negotiate in good faith to do two things; first, we agree to reflect changes to the Cooperative Agreement in the com agreement, including pricing terms. Second, we agree to amend the com agreement to include terms to preserve and enhance the security and stability of the com registry or the internet.

We believe these discussions with ICANN are nearly complete. While it will be inappropriate at this time to provide more details, I can say that we were satisfied with the results so far. As noted, this is an ICANN process and we expect that before long ICANN will be publishing for public comment the documents we have been discussing.

The Cooperative Agreement also allows Verisign to launch a registrar business, just as long as that registrar does not sell .com domains.

Potentially, Verisign could get the right to launch a customer-facing registrar focused on selling .net, .org and newer gTLDs and ccTLDs.

Given we already pretty much know what the new pricing regime is going to be, the big mystery right now is why it’s taken ICANN and Verisign so long to renegotiate the contract.

One analyst asked Bidzos on Thursday whether ICANN has talked its way into getting a bigger slice of the registry fee, currently set at $0.25 per annual domain transaction.

That’s in-line with what almost all the other gTLD registries pay, and I can’t see ICANN demanding more without attracting a tonne of criticism. Verisign is already by some margin its biggest funding source.

Could ICANN have demanded that Verisign adopt the Uniform Rapid Suspension anti-cybersquatting policy, which would be guaranteed to enrage domain investors?

Whatever else is to be added to the contract, it appears to be related to that amorphous term “security and stability”, which could mean basically anything.

When ICANN and Verisign agreed to talk about new terms “to preserve and enhance the security and stability of the Internet or the TLD”, what on Earth where they talking about?

It looks like we won’t have to wait too much longer to find out.

ICANN enters talks to kill off Whois for good

Kevin Murphy, October 23, 2019, Domain Tech

Whois’ days are numbered.

ICANN is to soon enter talks with accredited registrars and contracted gTLD registries with the aim of naming a date to finally “sunset” the aging protocol.

It wants to negotiate amendments to the Registrar Accreditation Agreement and Registry Agreement with a view to replacing obligations to publish Whois with obligations to publish Registration Data Access Protocol data.

In letters to the chairs of its registrar and registry constituencies this week, ICANN CEO Göran Marby wrote:

The primary focus of the amendment is to incorporate contractual requirements for the Registration Data Access Protocol (RDAP) into the Registration Data Directory Services. This should include definition of the plan and provisions to sunset the obligations related to the WHOIS protocol as we transition Registration Data Services to RDAP.

For avoidance of doubt, people will still be able to look up the contact information for domain name owners after the change, but the data they see (very likely redacted for privacy reasons nowadays) will be delivered over a different protocol.

The contract amendment processes involve both registry and registrar constituencies to nominate a few people to engage in talks with ICANN negotiators, which is expected to conclude within 90 days.

When they come up with mutually acceptable language, the amendments will be open for both public comment and a vote of registries and registrars, before going to the ICANN board of directors for final approval.

The voting process is complex, designed to avoid capture by the largest registrars, and based on a balance of the number of voting registrars and the number of domains they collectively manage.

The contractual changes will come as no surprise to contracted parties, which have been on-notice for years that Whois is on its way out in favor of RDAP.

Most registrars already operate an RDAP server in parallel to their old Whois service, following an ICANN deadline in August.

We could be looking at the death of Whois within a year.

DI Leaders Roundtable #1 — How many new gTLDs will be applied for next time around?

Kevin Murphy, October 21, 2019, Leaders Roundtable

How many new gTLDs will be applied for in the next application round?

This is the first question I put to the DI Leaders Roundtable, which you may recall I announced a couple weeks back.

As a reminder, the panel is comprised of leading thinkers in the domain name industry or ICANN community, covering as broad a cross-section of expertise as I could muster.

The question I posed each panelist this time was:

There were 1,930 applications for new gTLDs in 2012. Given everything we’ve learned over the last seven years, how many applications do you think there will be in the next round?

There seemed to be a rough consensus that it’s a little early to put any concrete predictions out there, and that perhaps I should have eased the panel in with something a little less challenging, but some very interesting — and divergent — opinions were nevertheless expressed.

Some of the participants asked me to note that they were speaking in a personal capacity rather than with them wearing a specific one of their various professional/volunteer hats. To save time, readers should just assume that every opinion being expressed below is personal to the expert concerned.

In no particular order…

Jeff Neuman, Senior VP, Com Laude

MugshotWithout wanting to sound like I’m trying to avoid answering the question or hedge my bets, we have to consider this question in the context of the current landscape. The number of applications in the next round will be dependent on the outcomes of the current Subsequent Procedures PDP Working Group, alongside macroeconomic business factors. So therefore I’ll put a range on the possible answer — at the low end (if the application fee remains as is and world economies are facing significant troubles) around 1,000; at the top end (with application fee reduced to a level that operates as far less of a barrier, a fair economic wind behind us and some targeted promotion of the opportunities) there could be up to 10,000.

One thing that is clear is that many of the applications will come from brands that would like to actively use their domains. Those who were forward-thinking and have taken bold steps in the first round are the ones who are benefiting most from the new gTLD program. That’s not to say that there have not also been issues with brands. In 2012 many brands were pressured to apply for TLDs by third parties who advised them to apply for purely defensive reasons. Others gave up after the many fits and starts of the program as well as the overly lengthy period it took ICANN to evaluate the TLDs, approve Specification 13, respond to name collision, and the change of rules to temporarily disallow “closed generic” TLDs. Not surprisingly, we have seen a number of these brands drop out of the program.

However, many of the ones that have stuck it out are doing well. Some have even made transitions from their “.com” or their ccTLDs to their brand TLDs. Others have used their TLDs for marketing campaigns, corporate social responsibility programs, internal corporate intranets, job sites, geolocation tools, social media programs, events and customer service. And this is just the beginning.

What we need to ensure for the future is that application fees represent the true costs of the program and that the process is predictable, reliable and flexible enough to allow brands and others to innovate. Over-regulation due to the fear of unlikely edge cases or paranoia due to how potential applicants for purely generic open TLDs cannot be allowed to happen. All TLDs should not be painted with the same regulatory brush and the community needs to understand that we should be encouraging different business models for TLDs that do not necessarily include the unfettered ability for the public to register domain names in all TLDs. Ultimately, we need to do what is best for end users on the Internet.

Incentives should be provided for TLDs like .bank and .pharmacy to validate their registrants and ensure the safety of their end users by curbing abusive behavior. This could come in the form of reduced fees to ICANN or even ensuring that other similarly sensitive strings have similar verification requirements before allowing them to be delegated.

Finally, in order for the program to succeed, we need to stimulate growth of registries and registrars in the developing world. Support for these organizations should not only be in the form of monetary contributions, but also training programs, consulting services, legal support, and even operational support (eg., the free or low-cost use of third party DNS servers globally, security monitoring and other critical services).

Rick Schwartz, domain investor

MugshotWho cares?? Nobody in the real world. Totally meaningless except to the 1,930 applicants and a totally corrupt and out of control ICANN that needs oversight! SHAMEFUL!

Christa Taylor, CMO, MMX

Mugshot“Will you walk into my parlour and tell me how many applications there will be for the next round, said a Spider to a Fly”

Oh, poor fly, good luck getting out of this one. There have been some exceptionally large volumes thrown around — 10k, 20k, but this fly would prefer to utilize data gathered from statistical surveys. Unfortunately, my workload didn’t allow me to conduct a survey this week so instead, I’ll utilize a less scientific approach and seek the same leniency ICANN received in their volume prediction used in the 2012 round.

A multitude of variables may impact the volume of applications including: notice period, application fees, auctions and delegation rates with each factor being additive to the prior factor.

  • Base volume: 2,000 applications is utilized as the initial value. While the type of applications may change, the overall volume is a logical starting point especially when considering the last round was in 2012.
  • Notice period: A longer notice period on when the application period will begin will allow for more applicants to apply. Assuming a notice period of four months with a 10% increase in application volume for each additional four-month period. i.e. if there is a six month notice until application window opens, volume will increase by 100 (2,000 x 10% x (6-4/4)). Our total volume of applications is now 2,100.
  • Application fee: The new gTLD program is expected to operate on a ‘revenue neutral’ basis. As such, the application fee should decrease from the 2012 fee of $185k. Since the volume of applications is inversely related to the fee, increasing the volume by say, 15% for every $10k less than $150k. For example, if the actual application fee is $125k, the volume of applications will increase by approximately ~800 (15% x 2,100 x ($150k – $125k/$10k) for a total of 2,900 applications.
  • Auctions: One of the most significant items that could drive the volume of applications if auctions and other related resolution mechanisms. The windfalls from ‘losing’ in auctions are well-known and while other options have been discussed – Vickrey auctions, draws, etc. some applications will be submitted for financial gains. Additionally, the potential to gain from ‘losing’ in contention sets combined with reduced application fees and delegation rates (detailed below) will again impact the volume of applications. As such, the number of applications will increase similar to application fees but would suggest that for every $5k less than $150k application fee, the volume of applications will increase by 10%. If the application fee is $125k, the volume will increase by 1,250 (10% x 2,888 x ($150k-$125k/$5k) for a combined volume of 4,150 applications.
  • Delegation rate: The final factor in this unscientific, simplistic volume projection is the delegation rate. In 2010, a rate of 1,000 per year was provided to minimize security and stability risks. If the delegation rate remains relatively the same, the processing of applications could take years and thereby, encourage potential applicants to apply knowing it will take years before their application is delegated. Additionally, a reduced application fee minimizes an applicant’s risk if they decide to withdraw at a later date. Applying another broad brushstroke of 5% per year for the length of time it will take for all applications to be delegated, excluding objections. If it is expected to take three years to process the subsequent round of applications, add in another ~750 applications (5% x 3 years X 4,150) for a total volume of 4,900, rounding to 5,000 applications.

“And take a lesson from this tale of the Spider and the Fly” — gather real data to project application volumes and escape these impossible questions.

Ref: Howitt, Mary. The Spider and the Fly. (1829)

Michele Neylon, CEO, Blacknight

MugshotIt’s not one that’s easy to answer — I think we all got it terribly wrong the last time round.

I suspect, though I could be completely wrong, that there will be at least 1,000 applications if there is a new round. Of course, that number is not based on anything other than just a gut instinct. I don’t think there will be as many distributed retail TLDs in a next round. Apart from a couple of outliers the bulk of new TLDs haven’t been as big of a success as their backers expected.

I can imagine that some cities would pitch for a TLD in the next round but it’d be more of a play in terms of tourism rather than commercial gain.

Some would have us believe that a “lot” of brands want to apply for a TLD in a next round, but I do wonder how much of that demand is “real” and comes from brands and how much of it is being pushed by those who stand to gain from applications. Of course, there could be a lot of brands out there that feel a desire to get their own TLD, but it’s also very clear that many of the brands that got one the last time round haven’t done a lot with them (with a few notable exceptions)

It’s a very good question to ask, but until there’s more clarity about the rules and the costs we’re all going to be guessing.

Jon Nevett, CEO, Public Interest Registry

MugshotCheck back with me in 2022 when we may know the application fee; how contention resolution would work (i.e. will there be speculative applications); and the role of the GAC in reviewing applications.

Dave Piscitello, Partner, Interisle Consulting Group

MugshotWhile I can’t speculate how many, I truly hope that we have fewer “generics” that only serve to create a larger set of TLDs that will be offered in bulk at fees as low as 1 yen to organized spam gangs or botnet operators. ICANN hasn’t provided a scientifically valid economic study that demonstrates a need for more of these; in fact, ICANN’s own DAAR data shows that nearly half of the abused or criminally-used domain names have migrated to the piddling 10-12% share of the total gTLD delegated (and resolving) domain names that the new TLDs represent.

Having said this, I do believe that there are some success stories that point would-be applicants to modestly profitable ventures. City TLDs for the most part have remained free of abuse or criminal misuse. A portfolio of these might be interesting. I think that brands still don’t really know how to use their TLD or migrate to these in a way that alters the threat landscape.

Ben Crawford, CEO, CentralNic

MugshotOur focus today at CentralNic is supporting the growth of existing ccTLD and gTLD registries. However there is no company more prepared for the next round than us, and based on our discussions with potential applicants, we expect more applications in this nTLD round that the last.

Generic TLD applicants obviously gravitate towards CentralNic Registry Solutions as the natural home of TLDs seeking meaningful growth. We are not only the market leaders with more registrars actively selling our nTLD domains than any other backend, but we have as many domains under management as the number 2, 3 and 4 players combined.

Brand owners are also very keen to sign up with BrandShelter as a low cost and flexible one-stop shop that can handle application, backend, registrar and domain management services under a single contract with a money back guarantee. They particularly like that we have the best value support for dot-brands that do want to actively use their TLDs (like .DVAG, .ALLFINANZ and .MINI) while we don’t employ pushy sales people to hassle our clients happy with a defensive strategy to “activate” their TLDs.

Milton Mueller, Professor, Georgia Tech

MugshotIs a negative number an acceptable answer? Will some of the past 1,930 be allowed to bring their TLDs back to the store for a refund? What exactly is ICANN’s return policy, is it as good as TJ Maxx’s? More seriously, I would expect quite a few less applications this time around. I’d be surprised if it exceeded 500. We don’t see any smashing successes from the first round.

Spam is not our problem, major domain firms say ahead of ICANN 66

Kevin Murphy, October 21, 2019, Domain Policy

Eleven of the largest domain name registries and registrars have denied that spam is something they should have to deal with, unless it’s used to proliferate other types of abuse such as phishing or malware.

In a newly published “Framework to Address Abuse” (pdf), the companies attempt to define the term “DNS abuse” narrowly to capture only five (arguably only four and a half) specific types of online threat.

That abuse comprises malware, phishing, botnets, pharming and spam.

The companies agree that these are activities which registrars and registries “must” act upon.

But the document notes that not all spam is its responsibility, stating:

While Spam alone is not DNS Abuse, we include it in the five key forms of DNS Abuse when it is used as a delivery mechanism for the other four forms of DNS Abuse. In other words, generic unsolicited e-mail alone does not constitute DNS Abuse, but it would constitute DNS Abuse if that e-mail is part of a phishing scheme.

In other words, registrars and registries should not feel responsible for the billions of spams sent every day using their domains, unless the spam runs further malware, phishing, pharming or botnet abuse.

The signatories of the framework are Public Interest Registry, GoDaddy, Donuts, Tucows, Amazon Registry Services, Blacknight, Afilias, Name.com, Amazon Registrar, Neustar, and Nominet UK.

It may seem like they’ve presented a surprisingly narrow definition, but it’s in line with what current ICANN contracts dictate.

Neither the standard Registry Agreement nor Registrar Accreditation Agreement mention spam at all. Six years ago, ICANN specifically said that spam is “outside of ICANN’s scope and authority”.

Under the RA, registries have to oblige their registrars to ban registrants from “distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law”.

They also have to maintain statistical reports on the amount of “pharming, phishing, malware, and botnets” in their zones, and provide those reports to ICANN upon demand. A recent audit found that 5% of registries, mainly dot-brands, were not doing this.

However, ICANN’s Domain Abuse Activity Reporting system, an effort to provide some transparency into how gTLDs are being abused, does in fact track spam. It does not track pharming, which is a fairly obscure and little-used form of DNS attack.

The DAAR report for September shows that spam constituted 73% of all tracked abuse.

The ICANN board of directors today identified DAAR as one of a few dozen priorities for the coming year.

Similarly, the cross-community working group known as the CCT Review Team, which was tasked with looking into how the new gTLD program has impacted competition and consumer trust, had harsh words for spam-friendly registries, and provided a definition of “DNS Security Abuse” that specifically included “high volume spam”.

The review recommended that ICANN introduce more measures to force contracted parties to deal with this type of abuse. This could include incentives for registries to clean up their zones and abuse volume thresholds that would automatically trigger compliance actions.

The new framework document comes in the context of an ongoing debate within the ICANN community about what “DNS abuse” is.

Two partners at Interisle, a security consultancy that often works for ICANN, recently guest-posted on DI to say that this term has become meaningless and should be abandoned in favor of “security threat”.

They argued that the definition should include not only spam, but also stuff like IP infringement, election interference, and terrorism.

But the main threat to contracted parties probably comes from the Governmental Advisory Committee, backed by law enforcement, which is pushing for stronger rules covering abusive content.

During a webinar last week, the US Federal Trade Commission, the FBI, and Europol argued that registries and registrars should be obliged to do more to combat abuse, specifically including spam.

“Whether or not you call it phishing or spam or whether it has a malware payload or not, ultimately it’s all email, and email remains the most common tool of cybercriminals to ensnare their victims, and that’s why we in law enforcement care about the domains used to send emails,” said Gabriel Andrews of the FBI’s Cyber Initiative Resource Fusion Unit, on the call.

Registries and registrars countered, using the same language found in the new framework, that generic spam is a content issue, and outside of their remit.

The two sides are set to clash again at ICANN’s annual general meeting in Montreal next month, in a November 6 face-to-face session.

While 11 entities signed the new framework, it’s arguably only nine companies. Name.com is owned by Donuts and both Amazon firms obviously have the same parent.

But it does include the two largest registrars, and registries responsible for running several hundred commercial gTLDs, dot-brands and ccTLDs.

While none of the signatories of the framework have a particular reputation for being spam-friendly, other companies in the industry — particularly some of the newest and cheapest new gTLDs — tend to attract spammers like flies to a turd.

Some of the signatories are perhaps surprising, given their past or ongoing behavior to tackle content-based abuse in their own zones.

Nominet, notably, takes down tens of thousands of domains ever year based on little more than police assurances that the domains are being used to sell counterfeit merchandise or infringe copyright.

The .uk registry also preemptively suspends domains based on algorithms that guess whether they’re likely to be seen as encouraging sexual violence or could be used in phishing attacks.

Donuts also has a trusted notifier relationship with the movie and music industries that has seen it take down dozens of names being used for mass copyright infringement.

PIR has previous endorsed, then unendorsed, the principal of a “UDRP for copyright”, a method of giving Big Content a way of going through due process to have domains taken or suspended.

Outside the spam issue, while the new registry-registrar framework says that registries and registrars should not get involved in matters related to web site content, it also says they nevertheless “should” (as opposed, one assumes based on the jargon usually found in internet standards, to “must”) suspend domains when they’re being used to distribute:

(1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence.

These are exceptions because they constitute “the physical and often irreversible threat to human life”, the framework says.

Ultimately, this all boils down to a religious debate about where the line is drawn between “DNS” and “content”, it seems to me.

The contracted parties draw the line at threats to human life, whereas others want action on other forms of abuse largely because registries and registrars are in the best position to help.

Crunch time, again, for Whois access policy

Kevin Murphy, October 14, 2019, Domain Policy

Talks seeking to craft a new policy for allowing access to private Whois data have hit another nodal point, with the community now pressuring the ICANN board of directors for action.

The Whois working group has more or less decided that a centralized model for data access, with ICANN perhaps acting as a clearinghouse, is the best way forward, but it needs to know whether ICANN is prepared to take on this role and all the potential liabilities that come with it.

Acronym time! The group is known as the Whois EPDP WG (for Expedited Policy Development Process Working Group) and it’s come up with a rough Whois access framework it’s decided to call the Standardized System for Access and Disclosure (SSAD).

Its goal is to figure out a way to minimize the harms that Europe’s General Data Protection Regulation allegedly caused to law enforcement, IP owners, security researchers and others by hiding basically all gTLD registration data by default.

The SSAD, which is intended to be as automated as possible, is the working group’s proposed way of handling this.

The “hamburger model” the EPDP has come up with sees registries/registrars and data requestors as the top and bottom of the sandwich (or vice versa) with some yet-to-be-decided organizational patty filling acting as an interface between the two.

The patty would handle access control for the data requests and be responsible for credentialing requestors. It could either be ICANN acting alone, or ICANN coordinating several different interface bodies (the likes of WIPO have been suggested).

Should the burger be made only of mashed-up cow eyelids, or should it incorporate the eyelids of other species too? That’s now the question that ICANN’s board is essentially being posed.

Since this “phase two” work kicked off, it’s taken about five months, 24 two-hour teleconferences, and a three-day face-to-face meeting to get to this still pretty raw, uncooked state.

The problem the working group is facing now is that everyone wants ICANN to play a hands-on role in running a centralized SSAD system, but it has little idea just how much ICANN is prepared to get involved.

The cost of running such a system aside, legislation such as GDPR allows for pretty hefty fines in cases of privacy breaches, so there’s potentially a big liability ask of notoriously risk-averse ICANN.

So the WG has written to ICANN’s board of directors in an attempt to get a firm answer one way or the other.

If the board decided ICANN should steer clear, the WG may have to go back more or less to square one and focus on adapting the current Whois model, which is distributed among registrars and registries, for the post-GDPR world.

How much risk and responsibility ICANN is willing to absorb could also dictate which specific SSAD models the WG pursues in future.

There’s also a view that, with no clarity from ICANN, the chance of the WG reaching consensus is unlikely.

This will be a hot topic at ICANN 66 in Montreal next month.

Expect the Governmental Advisory Committee, which had asked for “considerable and demonstrable progress, if not completion” of the access model by Montreal, to be disappointed.

Google quietly launches .new domains sunrise

Kevin Murphy, October 14, 2019, Domain Registries

Google Registry will allow trademark owners to register domains matching their marks in the .new gTLD from tomorrow.

While the company hasn’t made a big public announcement about the launch, the startup dates it has filed with ICANN show that its latest sunrise period will run from October 15 to January 14.

As previously reported, .new is a bit of a odd one. Google plans to place usage restrictions that require registrants to use the domains in the pursuit of “action generation or online contention creation”.

In other words, it wants registrants to use .new in much the same way as Google is today, with domains such as docs.new, which automatically opens up a fresh Google Docs word processing document when typed into a browser address bar.

From January 14, all the way to July 14, Google wants to run a Limited Registration Period, which will require wannabe registrants to apply to Google directly for the right to register a name.

During that period, registrants will have to that they’re going to use their names in compliance with .new’s modus operandi. It’s Google’s hope that it can seed the space with enough third-party content for .new’s value proposition to become more widely known.

If you’re wanting to pick up a .new domain in general availability, it looks like you’ve got at least nine more months to wait.