Latest news of the domain name industry

Recent Posts

Is ICANN over-reacting to Whois privacy law?

Kevin Murphy, March 20, 2018, Domain Policy

Is ICANN pushing the domain industry to over-comply with the European Union’s incoming General Data Protection Regulation privacy law?

Governments and plenty of intellectual property and business lobbyists think so.

After days of criticism from unhappy IP lawyers, ICANN’s public meeting in Puerto Rico last week was capped with a withering critique of the organization’s proposed plan for the industry to become GDPR compliant as pertains Whois.

The Governmental Advisory Committee, in unusually granular terms, picked apart the plan in its usual formal, end-of-meeting advice bomb, which focused on making sure law enforcement and IP owners continue to get unfettered Whois access after GDPR kicks in in May.

Key among the GAC’s recommendations (pdf) is that the post-GDPR public Whois system should continue to publish the email address of each domain registrant.

Under ICANN’s plan — now known as the “Cookbook” — that field would be obscured and replaced with a contact form or anonymized email address.

The GAC advised ICANN to “reconsider the proposal to hide the registrant email address as this may not be proportionate in view of the significant negative impact on law enforcement, cybersecurity and rights protection;”.

But its rationale for the advice is a little wacky, suggesting that email addresses under some unspecified circumstances may not contain “personal data”:

publication of the registrant’s email address should be considered in light of the important role of this data element in the pursuit of a number of legitimate purposes and the possibility for registrants to provide an email address that does not contain personal data.

That’s kinda like saying your mailing address and phone number aren’t personal data, in my view. Makes no sense.

The GAC advice will have won the committee friends in the Intellectual Property Constituency and Business Constituency, which throughout ICANN 61 had been pressuring ICANN to check whether removing email addresses from public Whois was strictly necessary.

ICANN is currently acting as a non-exclusive middleman between community members and the 20-odd Data Protection Authorities — which will be largely responsible for enforcing GDPR — in the EU.

It’s running compliance proposals it compiles from community input past the DPAs in the hope of a firm nod, or just some crumbs of guidance.

But the BC and IPC have been critical that ICANN is only submitting a single, rather Draconian proposal — one which would eschew email addresses from the public Whois — to the DPAs.

In a March 13 session, BC member Steve DelBianco pressed ICANN CEO Goran Marby and other executives and directors repeatedly on this point.

“If they [the DPAs] respond ‘Yes, that’s sufficient,’ we won’t know whether it was necessary,” DelBianco said, worried that the Cookbook guts Whois more than is required.

ICANN general counsel John Jeffrey conceded that the Cookbook given to the DPAs only contains one proposal, but said that it also outlines the “competing views” in the ICANN community on publishing email addresses and asks for guidance.

But email addresses are not the only beef the GAC/IPC/BC have with the ICANN proposal.

On Thursday, the GAC also advised that legal entities that are not “natural persons” should continue to have their full information published in the public Whois, on the grounds that GDPR only applies to people, not organizations.

That’s contrary to ICANN’s proposal, which for pragmatic reasons makes no distinction between people and companies.

There’s also the question of whether the new regime of Whois privacy should apply to all registrants, or just those based in the European Economic Area.

ICANN plans to give contracted parties the option to make it apply in blanket fashion worldwide, but some say that’s overkill.

Downtime for Whois?

While there’s bickering about which fields should be made private under the new regime, there doesn’t seem to be any serious resistance to the notion that, after May, Whois will become a two-tier system with a severely depleted public service and a firewalled, full-fat version for law enforcement and whichever other “legitimate users” can get their feet in the door.

The problem here is that while ICANN envisions an accreditation program for these legitimate users — think trademark lawyers, security researchers, etc — it has made little progress towards actually creating one.

In other words, Whois could go dark for everyone just two months from now, at least until the accreditation program is put in place.

The GAC doesn’t like that prospect.

It said in its advice that ICANN should: “Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties”.

But ICANN executives said in a session on Thursday that the org plans to ask the DPAs for a deferral of enforcement of GDPR over Whois until the domain industry has had time to come into compliance while continuing to grant access to full Whois to police and special interests.

December appears to be the favored date for this proposed implementation deadline, but ICANN is looking for feedback on its timetable by this coming Friday, March 23.

But the IPC/BC faction are not stting on their hands.

Halfway through ICANN 61 they expressed support for a draft accreditation model penned by consultant Fred Felman, formerly of brand protection registrar MarkMonitor.

The model, nicknamed “Cannoli” (pdf) for some reason, unsurprisingly would give full Whois access to anyone with enough money to afford a trademark registration, and those acting on behalf of trademark owners.

Eligible accreditees would also include security researchers and internet safety organizations with the appropriate credentials.

Once approved, accredited Whois users would have unlimited access to Whois records for defined purposes such as trademark enforcement or domain transfers. All of their queries would be logged and randomly audited, and they could lose accreditation if found to be acting outside of their legitimate purpose.

But Cannoli felt some resistance from ICANN brass, some of whom pointed out that it had been drafted by just one part of the community

“If the community — the whole community — comes up with an accreditation model we would be proud to put that before the DPAs,” Marby said during Thursday’s public forum in Puerto Rico.

It’s a somewhat ironic position, given that ICANN was just a few weeks ago prepared to hand over responsibility for creating the first stage of the accreditation program — covering law enforcement — wholesale to the GAC.

The GAC’s response to that request?

It’s not interested. Its ICANN 61 communique said the GAC “does not envision an operational role in designing and implementing the proposed accreditation programs”.

Community calls on ICANN to cut staff spending

Kevin Murphy, March 11, 2018, Domain Policy

ICANN should look internally to cut costs before swinging the scythe at the volunteer community.

That’s a key theme to emerge from many comments filed by the community last week on ICANN’s fiscal 2019 budget, which sees spending on staff increase even as revenue stagnates and cuts are made in other key areas.

ICANN said in January that it would have to cut $5 million from its budget for the year beginning July 1, 2018, largely due to a massive downwards revision in how many new gTLD domains it expects the industry to process.

At the same time, the organization said it will increase its payroll by $7.3 million, up to $76.8 million, with headcount swelling to 425 by the end of the fiscal year and staff receiving on average a 2% pay rise.

In comments filed on the budget, many community members questioned whether this growth can be justified.

Among the most diplomatic objections came from the GNSO Council, which said:

In principle, the GNSO Council believes that growth of staff numbers should only occur under explicit justification and replacements due to staff attrition should always occur with tight scrutiny; especially in times of stagnate funding levels.

The Council added that it is not convinced that the proposed budget funds the policy work it needs to do over the coming year.

The Registrars Stakeholder Group noted the increased headcount with concern and said:

Given the overall industry environment where organizations are being asked to do more with less, we are not convinced these additional positions are needed… The RrSG is not yet calling for cuts to ICANN Staff, we believe the organization should strive to maintain headcount at FY17 Actual year-end levels.

The RrSG shared the GNSO Council’s concern that policy work, ICANN’s raison d’etre, may suffer under the proposed budget.

The At-Large Advisory Committee said it “does not support the direction taken in this budget”, adding:

Specifically we see an increase in staff headcount and personnel costs while services to the community have been brutally cut. ICANN’s credibility rests upon the multistakeholder model, and cuts that jeopardize that model should not be made unless there are no alternatives and without due recognition of the impact.

Staff increases may well be justified, but we must do so we a real regard to costs and benefits, and these must be effectively communicated to the community

ALAC is concerned that the budget appears to cut funding to many projects that see ICANN reach out to, and fund participation by, non-industry potential community members.

Calling for “fiscal prudence”, the Intellectual Property Constituency said it “encourages ICANN to take a hard look at personnel costs and the use of outside professional services consultants.”

The IPC is also worried that ICANN may have underestimated the costs of its contractual compliance programs.

The Non-Commercial Stakeholders Group had some strong words:

The organisation’s headcount, and personnel costs, cannot continue to grow. We feel strongly that the proposal to grow headcount by 25 [Full-Time Employees] to 425 FTE in a year where revenue has stagnated cannot be justified.

With 73% of the overall budget now being spent on staff and professional services, there is an urgent need to see this spend decrease over time… there is a need to stop the growth in the size of the staff, and to review staff salaries, bonuses, and fringe benefits.

NCSG added that ICANN could perhaps reduce costs by relocating some positions from its high-cost Los Angeles headquarters to the “global south”, where the cost of living is more modest.

The ccNSO Strategic and Operational Planning Standing Committee was the only commentator, that I could find, to straight-up call for a freeze in staff pay rises. While also suggesting moving staff to less costly parts of the globe, it said:

The SOPC – as well as many other community stakeholders – seem to agree that ICANN staff are paid well enough, and sometimes even above market average. Considering the current DNS industry trends and forecasts, tougher action to further limit or even abolish the annual rise in compensation would send a strong positive signal to the community.

It’s been suggested that, when asked to find areas to cut, ICANN department heads prioritized retaining their own staff, which is why we’re seeing mainly cuts to community funding.

I’ve only summarized the comments filed by formal ICANN structures here. Other individuals and organizations filing comments in their own capacity expressed similar views.

I was unable to find a comment explicitly supporting increased staffing costs. Some groups, such as the Registries Stakeholder Group, did not address the issue directly.

While each commentator has their own reasons for wanting to protect the corner of the budget they tap into most often, it’s a rare moment when every segment of the community (commercial and non-commercial, domain industry and IP interests) seem to be on pretty much the same page on an issue.

Fight as ICANN “backtracks” on piracy policing

Kevin Murphy, July 1, 2016, Domain Policy

ICANN has clarified that it will not terminate new gTLD registries that have piracy web sites in their zones, potentially inflaming an ongoing fight between domain companies and intellectual property interests.

This week’s ICANN 56 policy meeting in Helsinki saw registries and the Intellectual Property Constituency clash over whether an ICANN rule means that registries breach their contract if they don’t suspend piracy domains.

Both sides have different interpretation of the rule, found in the so-called “Public Interest Commitments” or PICs that can be found in Specification 11 of every new gTLD Registry Agreement.

But ICANN chair Steve Crocker, in a letter to the IPC last night, seemed to side strongly with the registries’ interpretation.

Spec 11 states, among other things, that:

Registry Operator will include a provision in its Registry-Registrar Agreement that requires Registrars to include in their Registration Agreements a provision prohibiting Registered Name Holders from distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law, and providing (consistent with applicable law and any related procedures) consequences for such activities including suspension of the domain name.

A literal reading of this, and the reading favored by registries, is that all registries have to do to be in compliance is to include the piracy prohibitions in their Registry-Registrar Agreement, essentially passing off responsibility for piracy to registrars (which in turn pass of responsibility to registrants).

Registries believe that the phrase “consistent with applicable law and related procedures” means they only have to suspend a domain name when they receive a court order.

Members of the IPC, on the other hand, say this reading is ridiculous.

“We don’t know what this clause means,” Marc Trachtenberg of the IPC said during a session in Helsinki on Tuesday. “It’s got to mean something. It can’t just mean you have to put a provision into a contract, that’s pointless.”

“To put a provision into a contract that you’re not going to enforce, has no meaning,” he added. “And to have a clause that a registry operator or registrar has to comply with a court order, that’s meaningless also. Clearly a registry operator has to comply with a court order.”

Some IPC members think ICANN has “backtracked” by introducing the PICs concept then failing to enforce it.

IPC members in general believe that registries are supposed to not only require their registrars to ban piracy sites, but also to suspend piracy domains when they’re told about them.

Registries including Donuts have started doing this recently on a voluntary basis with partners such as the Motion Picture Association of America, but believe that ICANN should not be in the business of content policing.

“[Spec 11] doesn’t say what some members of the IPC think it says,” Donuts VP Jon Nevett said during the Helsinki session. “To say we’re in blatant violation of that PIC and that ICANN is not enforcing that PIC is problematic.”

The fight kicked off face-to-face in Helsinki, but it has been happening behind the scenes for several months.

The IPC got mad back in February when Crocker, responding to Governmental Advisory Committee concerns about intellectual property abuse, said the issue “appears to be outside of our mandate” (pdf).

That’s a reference to ICANN’s strengthening resolve that it is not and should not be the internet’s “content police”.

In April (pdf) and June (pdf) letters, IPC president Greg Shatan and the Coalition for Online Accountability’s Steve Metalitz called on Crocker to clarify this statement.

Last night, he did, and the clarification is unlikely to make the IPC happy.

Crocker wrote (pdf):

ICANN will bring enforcement actions against Registries that fail to include the required prohibitions and reservations in its end-user agreements and against Registrars that fail to main the required abuse point of contact…

This does not mean, however, that ICANN is required or qualified to make factual and legal determinations as to whether a Registered Name Holder or website operator is violating applicable laws and governmental regulations, and to assess what would constitute an appropriate remedy in any particular situation.

This seems pretty clear — new gTLD registries are not going to be held accountable for domains used for content piracy.

The debate may not be over however.

During Helsinki there was a smaller, semi-private (recorded but not webcast live) meeting of the some registries, IPC and GAC members, hosted by ICANN board member Bruce Tonkin, which evidently concluded that more discussion is needed to reach a common understanding of just what the hell these PICs mean.

ICANN boss warns against “content policing” calls

Kevin Murphy, October 20, 2015, Domain Policy

ICANN should resist attempts to turn the organization into a content regulator responsible for fighting piracy, counterfeiting and terrorism.

That’s according to CEO Fadi Chehade, speaking in Dublin yesterday at the opening ceremony of ICANN’s 54th public meeting.

His remarks have already solicited grumbles from members of the intellectual property community, which are eager for ICANN to take a more assertive role against registries and registrars.

Speaking to a packed auditorium, Chehade devoted a surprisingly large chunk of his opening address to the matter of content policing, which he said was firmly outside of ICANN’s remit.

He presented this diagram, breaking up the internet into three layers. ICANN plays in the central “logical” section but has no place in the top “societal” segment, he said.

ICANNs remit

“Where does ICANN’s role start and where does ICANN’s role stop?” Chehade posed. “It’s very clear Our remit starts and stops in this logical yellow layer. We do not have any responsibility in the upper layer.”

“The community has spoken, and it is important to underline that in every possible way, ICANN’s remit is not in the blue layer, it is not in the economic/societal layer,” he said. This is a technical organization.”

That basically means that ICANN has no responsibility to determine which web sites are good and which are bad. That’s best left to others such as the courts and governments.

Chehade recounted an anecdote about a meeting with a national president who demanded that ICANN shut down a list of terrorism-supporting web sites.

“We have no responsibility to render judgement about which sites are terrorists,” he said, “which sites are the good pharmacies, which sites are the bad pharmacies, which sites are comitting crimes, which sites are infringing copyrights…”

“When people ask us to render judgement on matters in the upper layer, we can’t.”

With that all said, Chehade added that ICANN should not shirk its duties as part of the ecosystem, whether through voluntary measures at registries and registrars or via contractual enforcement.

“Once determinations are made, how do we respond the these?” he said. “I hope, voluntarily.”

He gave the example of credit card companies that voluntarily stop doing business with web sites that have been reported to be involved in crime or spam.

The notion of registrars adhering to a set of voluntary principles was first floated by ICANN’s chief compliance officer, Allen Grogan, in a blog post earlier this month.

It was the one bone he threw to IP interests in a determination that otherwise came down firmly on the side of registrars.

Grogan had laid out a minimum set of actions registrars must carry out when they receive abuse reports, none of which contained a requirement to suspend or delete domain names.

The Intellectual Property Constituency appeared to greet Chehade’s speech with cautious optimism, but members are still pushing for ICANN to take a stricter approach to contract compliance.

In a session between the IPC and the ICANN board in Dublin this morning, ICANN was asked to make these hypothetical voluntary measures enforceable.

Marc Trachtenberg disagreed with Chehade’s credit card company example.

“The have an incentive to take action, which is the avoidance of future potential costs,” he said. “That similar incentive does not exist with respect to registries and registrars.”

“In order for any sort of voluntary standards to be successful or useful, there have to be incentives for the parties to actually comply with those voluntary standards,” he said.

“One possibility among many is a situation where those registries and registrars that don’t comply with the voluntary standards are potentially subject to an ICANN compliance action,” he said.

It’s pretty clear that this issue is an ongoing one.

Chehade warned in his address yesterday that calls for ICANN to increase its policing powers will only increase when and if its IANA contract is finally divorced from US government oversight.

Grogan will host a roundtable tomorrow at 10am Dublin time to discuss possible voluntary mechanisms that could be created to govern abuse.

.sucks threatens ICANN with defamation claim after “extortion” letters

Vox Populi Registry has threatened to sue ICANN for defamation and other alleged breaches of US law, over allegations of “extortion” made by two of its constituencies.

The registry’s outside law firm wrote to ICANN yesterday, saying that it has “has no interest in pursuing claims at this time” but adding:

if ICANN or any of its constituent bodies (or any directly responsible member thereof) engages in any further wrongful activity that prevents the company from fulfilling its contractual obligations and operating the .SUCKS registry as both ICANN and Vox Populi envisioned, the company will have no choice but to pursue any and all remedies available to it.

The letter follows claims by the Intellectual Property Constituency that .sucks and its $1,999 annual sunrise fees constitute a “predatory” “shakedown”, claims which ICANN has forwarded to US and Canadian trade regulators for their legal opinions.

The IPC letter was followed up by similar claims by the Business Constituency on Friday.

Vox Pop now wants these constituencies, and ICANN itself, to shut up.

“Rather than assuming cooler heads will prevail, it is time to tell ICANN to stop interfering in our ability to operate the registry,” CEO John Berard said in an email to reporters. “We are not taking legal action at this point but making it clear that we reserve the right if ICANN continues in its wrong-headed approach.”

The company denies that .sucks will encourage cybersquatting, noting that like all other gTLDs it is subject to the anti-cybersquatting UDRP and URS remedies.

it would seem that ICANN is not actually concerned about cybersquatting or any other illegal activity. Rather, ICANN appears concerned that registrations on the .SUCKS registry will be used to aggregate uncomplimentary commentary about companies and products — the very purpose for the registry that Vox Populi identified in the application it submitted to ICANN, and that ICANN approved

ICANN has disseminated defamatory statements about Vox Populi and its business practices aimed at depriving Vox Populi of the benefits of its contract with ICANN. These actions further violate the duty of good faith and fair dealing that is implied in every contract… in suggesting illegality without any basis whatsoever, your actions (and those of the ICANN IPC and ICANN BC) have given rise to defamation claims against ICANN. Vox Populi hereby demands that ICANN, including any and all of its subdivisions, cease any and all such activity immediately.

There’s bucketloads of irony here, of course.

The company says it is standing up for its future registrants’ rights to free speech, but wants its own critics gagged today.

Read the letter as a PDF here.