Latest news of the domain name industry

Recent Posts

How a single Whois complaint got this registrar shitcanned

Kevin Murphy, August 15, 2018, Domain Registrars

A British registrar has had its ICANN contract terminated after a lengthy, unprecedented fight instigated by a single complaint about the accuracy of a single domain’s Whois.

Astutium, based in London and with about 5,000 gTLD domains under management, finally lost its right to sell gTLD domains last week, after an angry battle with ICANN Compliance, the Ombudsman, and the board of directors.

While the company is small, it does not appear to be of the shady, fly-by-night type sometimes terminated by ICANN. Director Rob Golding has been an active face at ICANN for many years and Astutium has, with ICANN approval, taken over portfolios from other de-accredited registrars in the past.

Nevertheless, its Registrar Accreditation Agreement has been torn up, as a result of a complaint about the Whois for the domain name tomzink.com last December.

Golding told DI today that he considers the process that led to his de-accreditation broken and that he’s considering legal action.

The owner of tomzink.com and associated web site appears to be a Los Angeles-based music producer called Tom Zink. The web site seems legit and there’s no suggestion anywhere that Zink has done anything wrong, other than possibly filling out an incomplete Whois record.

The person who complained about the Whois accuracy, whose identity has been redacted from the public record and whose motives are still unclear, had claimed that the domain’s Whois record lacked a phone and fax number and that the registrant and admin contacts contained “made-up” names.

Historical Whois records archived by DomainTools show that in October last year the registrant name was “NA NA”.

The registrant organization was “Astutium Limited” and the registrant email was an @astutium.com address. The registrant mailing address was in Long Beach, California (the same as Zink). There were no phone/fax numbers in the record.

Golding told DI that some of these details were present when the domain was transferred in from another registrar. Others seem to have been added because the registrar was looking after the name on behalf of its client.

The admin and technical records both contained Astutium’s full contact information.

Following the December complaint, the record was cleaned up to remove all references to Astutium and replace them with Zink’s contact data. Judging by DomainTools’ records, this seems to have happened the same day as ICANN forwarded the complaint to Astutium, December 20.

So far, so normal. This kind of Whois cleanup happens many times across the industry every day.

But this is where relations between Astutium and ICANN began to break down, badly.

Even though the Whois record had been cleaned up already, Golding responded to Compliance, via the ICANN complaints ticketing system:

Please dont forward bigus/meaningless whois complaints which are clearly themselves totally inaccurate… No action is necessary or will be taken on bogus/incomplete/rubbish reports. [sic]

Golding agreed with me today that his tone was fairly belligerent from the outset, but noted that it was far from the first time he’d received a compliance complaint he considered bogus.

In the tomzink.com case, he took issue with the fact that the complainant had said that the admin/tech records contained no fax number. Not only was this not true (it was Astutium’s own fax number), but fax numbers are optional under ICANN’s Whois policy.

He today acknowledges that some parts of the complaint were not bogus, but notes that the Whois record had been quickly updated with the correct information.

But simply changing the Whois record is not sufficient for ICANN. It wants you to show evidence of how you resolved the problem in the form of copies of or evidence of communications with the registered name holder.

The Whois Accuracy Program Specification, which is part of the RAA, requires registrars to verify and validate changes to the registered name holder either automated by phone or email, or manually.

Golding told DI that in this case he had called the client to advise him to update his contact information, which he did, so the paper trail only comprises records of the client logging in and changing his contact information.

What he told ICANN in January was:

If ICANN compliance are unable to do the simple job they have been tasked with (to correctly vet and format the queries before sending them on, as they have repeatedly agreed they will do *on record* at meetings) then Registrars have zero obligations to even look at them. Any ‘lack of compliance’ is firmly at your end and not ours in this respect.

However in this specific case we chose to look, contacted the registrant, and had them update/correct/check the records, as can easily be checked by doing a whois

ICANN then explained that “NA NA” and the lack of a phone number were legitimate reasons that the complaint was not wholly bogus, and again asked Golding to provide evidence of Astutium’s correspondence with Zink.

After ignoring a further round or two of communication via the ticketing system, Golding responded: “No, we don’t provide details of private communications to 3rd parties”.

He reiterated this point a couple more times throughout February, eventually saying that nothing in WAPS requires Astutium to “demonstrate compliance” by providing such communications to ICANN, and threatening to escalate the grievance to the Ombudsman.

(That may be strictly true, but the RAA elsewhere does require registrars to keep records and allow ICANN to inspect them on demand.)

It was around the same time that Compliance started trying to get in touch with Golding via phone. While it was able to get through to the Astutium office landline, Compliance evidently had the wrong mobile phone number for Golding himself.

Golding told DI the number ICANN was trying to use (according to ICANN it’s the one listed in RADAR, the official little black book for registrars) had two digits transposed compared to his actual number, but he did not know why that was. Several other members of ICANN staff have his correct number and call him regularly, he said.

By February 27, Compliance had had enough, and issued Astutium with its first public breach notice (pdf)

Allowing a compliance proceeding to get to this stage is always bad news for a registrar — when ICANN hits the public breach notice phase, staff go out and actively search for other areas of potential non-compliance.

Golding reckons Compliance staff are financially incentivized, or “get paid by the bullet point”, at this stage, but I have no evidence that is the case.

Whatever the reason, Compliance in February added on claims:

  • that Astutium was failing to output Whois records in the tightly specified format called for by the RAA (Golding blames typos and missed memos for this and says the errors have been corrected),
  • that Astutium’s registration agreement failed to include renewal and post-renewal fees (Golding said every single page of the Astution web site, including the registration agreement page, carries a link to its price list. While he admitted the text of the agreement does not include these prices, he claimed the same could be said of some of the biggest registrars),
  • that the registration agreement does not specify how expiration notices are delivered (according to Golding, the web site explains that it’s delivered via email)
  • that the address published on the Astutium web site does not match the one provided via the Registrar Information Specification, another way ICANN internally tracks contact info for its registrars (Golding said that his company’s address is published on every single page of its site)

A final bullet point asked the company to implement corrective measures to ensure it “will respond to ICANN compliance matters timely, completely and in line with ICANN’s Expected Standards of Behavior”.

The reference to the Expected Standards of Behavior — ICANN’s code of politeness for the community — is a curious one, not typically seen in breach notices. Unless I’m reading too much into it, it suggests that somebody at ICANN wasn’t happy with Golding’s confrontational, sometimes arguably condescending, attitude.

Golding claims that some of ICANN’s allegations in this breach notice are “provably false”.

He told us he still hasn’t ruled out legal action for defamation against ICANN or its staff as a result of the publication of the notice.

“I’ll be in California, serving the paperwork myself,” he said.

Astutium did not respond to the breach notice, according to ICANN documents, and it was escalated to full-blown termination March 21.

On March 30, the registrar filed a Request for Reconsideration (pdf) with ICANN. That’s one of the “unprecedented” things I referred to at the top of this article — I don’t believe a registrar termination has been challenged through the RfR process before.

The second unprecedented thing was that the RfR was referred to Ombudsman Herb Waye, under ICANN’s relatively new, post-transition, October 2016 bylaws.

Waye’s evaluation of the RfR (pdf), concluded that Astutium was treated fairly. He noted multiple times that the company had apparently made no effort to come into compliance between the breach notice and the termination notice.

Golding was not impressed with the Ombudsman’s report.

“The Ombudsman is totally useless,” he said.

“The entire system of the Ombudsman is designed to make sure nobody has to look into anything,” he said. “He’s not allowed to talk to experts, he’s not actually allowed to talk to the person who made the complaint [Astutium], his only job is to ask ICANN if they did the right thing… That’s their accountability process.”

The Board Accountability Mechanisms Committee, which handles reconsideration requests, in June found against Astutium, based partly on the Ombudsman’s evaluation.

BAMC then gave Golding a chance to respond to its decision, before it was sent to the ICANN board, something I believe may be another first.

He did, with a distinctly more conciliatory tone, writing in an email (pdf):

Ultimately my aim has always been to have the ‘final decision’ questioned as completely disproportionate to the issue raised… and the process that led to the decisions looked into so that improvements can be made, and should there still be unresolved issues, opportunity to work in a collaborative method to solve them, without the need to involve courts, lawyers, further complaints/challenge processes and so on.

And then the ICANN board voted to terminate the company, in line with BAMC’s recommendation.

That vote happened almost a month ago, but Astutium did not lose its IANA number until a week ago.

According to Golding, the company is still managing almost all of its gTLD domains as usual.

One registry, CentralNic, turned it off almost immediately, so Astutium customers are not currently able to manage domains in TLDs such as .host, he said. The other registries still recognize it, he said. (CentralNic says only new registrations and transfers are affected, existing registrants can manage their domains.)

After a registrar termination, ICANN usually transfers the affected domains to another accredited registrar, but this has not happened yet in Astutium’s case.

Golding said that he has a deal with fellow UK registrar Netistrar to have the domains moved to its care, on the understanding that they can be transferred back should Astutium become re-accredited.

He added that he’s looking into acquiring three other registrar accreditations, which he may merge.

So, what is to be learned from all this?

It seems to me that we may be looking at a case of a nose being cut off to spite a face, somebody talking themselves into a termination. This is a compliance issue that probably could have been resolved fairly quickly and quietly many months ago.

Another takeaway might be that, if the simple act of making a phone call to a registrar presents difficulties, ICANN’s Compliance procedures may need a bit of work.

A third takeaway might be that ICANN Compliance is very capable of disrupting registrars’ businesses if they fail to meet the letter of the law, so doing what you’re told is probably the safest way to go.

Or, as Golding put it today: “The lesson to be learned is: if you don’t want them fucking with your business, bend over, grab your ankles, and get ready.”

Some men at ICANN meetings really are assholes

Kevin Murphy, March 24, 2018, Domain Policy

Several men have been accused of sexual harassment at ICANN meetings.

A group of women have written to ICANN with five stories of how they were groped, intimidated, objectified or otherwise harassed in violation of not only common decency but also ICANN’s year-old anti-harassment policy.

They’ve not named the alleged harassers, but hinted that they may do so in future.

If we assume the stories are all the unembellished truth — and we kinda have to nowadays — then the behavior described is unambiguously out of order.

Fortunately, none of the allegations rise to the level of the obviously seriously criminal. In these cases we appear to be talking more Hoffman than Weinstein.

But we’re not talking about bizarro Cheesesandwichgate-level interactions either. The stories allege groping, simulated sexual activity, and physical restraint, among other things.

In one allegation, a woman claims a drunk man touched her rear during a social interaction.

In another, a man is alleged to have attempted to let himself into a woman’s hotel room, prompting her to block the door from the inside with a chair, after his earlier advances were rebuffed.

Another woman claims a man she had never met chose, as his opening conversational gambit, to compliment her appearance and inquire after her marital status — during a daytime coffee break for crying out loud — and then grabbed her waist and wrists to prevent her from leaving.

“If you want to start a conversation, ask what I do, what do I work with and why am I here,” the woman is quoted as saying. “Do not acknowledge physical attributes and reduce me to this.”

“If you want to talk to women in a professional setting, do not tighten her wrists, do not grab her waist. Do not ask whether she is married or not,” she said. “Regardless, you should respect her integrity, not her marital status.”

Another man is accused of simulating a sex position with a woman during a cocktail event.

A fifth is accused of “body-blocking” a woman as she attempted to leave a room.

The letter states:

These actions which are definitely categorized as harassment and even assault, would not only affect the woman who went through the incident but it would also lead to several probable repercussions such as (1) Her withdrawal from the community and physical presence. We all know how important being present in meetings is on different levels of engagement in and outside meetings (2) When no solid response from the community is done towards the harasser, there can definitely be an increase in aggressive characters of harassers as there would be no accountability to stop them (3) With the increase in harassment there surely will be a decrease in the representation of young women’s voices in any proceeding which defies the core concept of diversity.

The letter (pdf) is unsigned, and ICANN broke with its usual practice of listing the sender on the correspondence page of its web site.

The letter also does not name any of the accused men, but it and a related comment from a group of women at the public forum at ICANN 61 last week, said the women “refrain from using names for now, in order to keep the focus on the topic and not the person”.

It’s been DI practice to not name either party concerned in such allegations, even when we know who they are.

While the anti-harassment policy exists to deal precisely with the kinds of behaviors outlined in the letter, we reported in November that the ICANN Ombudsman had received no complaints whatsoever invoking the policy, even after the post-Weinstein sea change in workplace sexual politics.

But the letter-writers say this is because the current Ombudsman, Herb Weye, is a man, and women are sometimes reluctant to report such incidents to a man. The letter states:

There should be a woman ombudsperson for harassment reporting. It has been proven by several studies that given the sensitivity of the issue, harassment reports are more prone to be tackled and come forth with, when the ombudsperson is (a) a woman (b) an expert in gender-related issues and mitigating harassment risks

They’re also not confident that the policy, which has yet to be tested, will cause more good than harm.

They also want all ICANN meeting delegates to read the harassment policy as a condition for attendance, and for signage at the meetings to warn against inappropriate behavior.

In response to the public forum comments, ICANN vice-chair Chris Disspain promised that the board will respond to the women’s letter, adding that the Ombudsman is taking a look at how the harassment policy has been implemented.

“It’s very important that ICANN is a safe place for everyone,” chair Cherine Chalaby told the women. “The more we raise awareness, the more it is safe.”

The message to certain blokes at ICANN meetings seems pretty clear: stop being assholes.

Like most places of work, the ICANN community is resplendent with examples of people forming lasting romantic relationships — or even just getting laid — but none of them began with a man grabbing a woman’s backside without her consent.

Even post-Weinstein, no sexual harassment complaints at ICANN

Kevin Murphy, November 14, 2017, Domain Policy

There have been no formal complaints of sexual harassment in the ICANN community since the organization introduced a zero tolerance policy back in March, according to the Ombudsman.

That’s even after the current media storm about such behavior, precipitated by the revelations about movie producer Harvey Weinstein, which has given men and women in many industries the confidence to level accusations against others.

“There have been no complaints of sexual harassment since the implementation of the Community Anti-Harassment Policy nor the uptake of [post-Weinstein] media coverage,” ICANN Ombudsman Herb Weye told DI in response to an inquiry today.

The anti-harassment policy was adopted in March, and there have been three full, in-person ICANN meetings since then.

Face-to-face meetings are of course where one would expect to see such incidents, if any were to occur.

The policy bans everything from groping to wolf-whistling to dirty jokes to repeated, unwanted requests for dates.

At the time the policy was approved, ICANN general counsel John Jeffrey noted that there had been more than one such complaint since the infamous Cheesesandwichgate incident in March 2016.

No complaints since March does not necessarily mean no incidents, of course.

One recent recommendation to reform the office of the Ombudsman (or Ombudsperson, or simply Ombuds, in recent ICANN documentation) is to ensure a gender-mixed staff to perhaps make it more likely for issues related to gender to be reported.

A recent, non-scientific survey of ICANN participants found that about a third of women had knowledge or experience of sexism in the community.

Weye said that most complaints about non-sexual “harassment” occur at social events where alcohol is involved. He said that ICANN participants should be discreet when discussing “sensitive” cultural issues in such contexts, lest they inadvertently offend those within earshot.

There is “no place for disrespect in ICANN’s multi-cultural diverse environment” he said.

Iran rep reported to ICANN Ombudsman, again

Kevin Murphy, August 3, 2017, Domain Policy

Iran’s Governmental Advisory Committee representative has found himself reported to ICANN’s Ombudsman for alleged bad behavior for the second time in just a few months.

Outspoken GACer Kavouss Arasteh was referred to Ombudsman Herb Waye by consultant John Laprise, according to posts on mailing lists and social media.

Both men serve on an ICANN volunteer working group that is looking at matters related to the jurisdiction in which ICANN operates.

The group’s discussions have recently become extremely fractious, largely due to a series of combative emails and teleconference interventions from Arasteh.

Laprise eventually said on the list that Arasteh was being a “bad actor”, adding that “his tone, manner, and insinuations are detrimental and indeed hostile to the process.”

He later said on Facebook that he had reported the matter to the Ombudsman.

The spat centered on an August 1 teleconference in which members of the so-called WS2-Jurisdiction working group heard a briefing from ICANN lawyers on the Office of Foreign Assets Control, which oversees international trade sanctions in the US.

As well as enforcing sanctions against countries including Iran, OFAC maintains a list of people and organizations, many of them Iranian, that American companies are forbidden from doing business with.

It impacts ICANN because the organization in its normal course of business is often obliged to deal with ccTLD registries in sanctioned nations, for which it needs to apply for OFAC licenses.

Arasteh initially complained multiple times that the meeting had been rescheduled for August 1 — apparently with his initial consent — which is a national holiday in his home nation of Switzerland.

He also fought for ICANN lawyers to be asked to provide, at very short notice, a written briefing paper on OFAC, answering the group’s questions, prior to the teleconference taking place.

On neither issue did he receive support from fellow volunteers, something for which he seemed to blame group chair Greg Shatan, an intellectual property lawyer.

Arasteh’s criticisms of an increasingly weary Shatan sometimes seemed to border on conspiracy theory. All other working group members who publicly expressed an opinion said Shatan was doing a fine job herding this particular set of cats.

During the teleconference itself, Arasteh ate up the first five or six minutes of allotted time with a rambling, barely comprehensible complaint about the format of the meeting, compelling Shatan to eventually ask for his mic to be cut off.

In emails over the next 48 hours, the GAC rep continued his tirade against what he perceives as Shatan’s bias against him and called again for ICANN legal to provide a formal set of written answers to questions.

Some fellow group members believe Arasteh’s defensive and confrontational approach is merely a clash of cultures between his usual style of government diplomacy and the staid, tediously polite style of ICANN working group interactions.

Others are less charitable.

Still, the question of whether the latest WG friction has infringed any of ICANN’s “Expected Standards of Behavior” now appears to be in the hands of the Ombudsman.

Arasteh was also reported to Waye back in May, when he accused the chairs of a different ICANN working group of trying to exclude governmental voices from new gTLD policy-making by scheduling teleconferences at times he found inconvenient.

Waye subsequently reported that the complaint had been resolved between the parties.

In June, he said he was proactively monitoring a third working group mailing list after receiving allegations of harassment. That was unrelated to Iran.

Ombudsman steps in after harassment claims in Whois group

Kevin Murphy, June 16, 2017, Domain Policy

ICANN Ombudsman Herb Waye has started monitoring an ICANN mailing list after multiple complaints of disrespectful behavior.

Waye this week told participants in the Registration Data Services working group that he is to trawl through their list archives and proactively monitor the group following “multiple complaints regarding behavior that contravenes the ICANN Expected Standards of Behavior and possibly the Community Anti-Harassment Policy”.

The RDS working group is exploring the possibility of replacing the current Whois system, in which all data is completely open, with something “gated”, restricting access to authenticated individuals based on their role.

Law enforcement agencies, for example, may be able to get a greater level of access to personal contact information than schmucks like me and you.

Privacy advocates are in favor of giving registrants more control over their data, while anti-abuse researchers hate anything that will limit their ability to stop spam, phishing and the like.

It’s controversial stuff, and arguments on the RDS WG list have been been very heated recently, sometimes spilling over into ad hominem attacks.

The Expected Standards of Behavior requires all ICANN community members to treat each other with civility.

I haven’t seen anything especially egregious, but apparently the disrespect on display has been sufficiently upsetting that the Ombudsman has had to step in.

It’s the first time, that I’m aware of, that the ICANN Ombudsman has proactively monitored a list rather than simply responding to complaints.

Waye said that he plans to deliver his verdict before ICANN 59, which kicks off in a little over a week.