Latest news of the domain name industry

Recent Posts

ICANN flips off governments over Whois privacy

Kevin Murphy, May 8, 2018, Domain Policy

ICANN has formally extended its middle finger to its Governmental Advisory Committee for only the third time, telling the GAC that it cannot comply with its advice on Whois privacy.

It’s triggered a clause in its bylaws used to force both parties to the table for urgent talks, first used when ICANN clashed with the GAC on approving .xxx back in 2010.

The ICANN board of directors has decided that it cannot accept nine of the 10 bulleted items of formal advice on compliance with the General Data Protection Regulation that the GAC provided after its meetings in Puerto Rico in March.

Among that advice is a direction that public Whois records should continue to contain the email address of the registrant after GDPR goes into effect May 25, and that parties with a “legitimate purpose” in Whois data should continue to get access.

Of the 10 pieces of advice, ICANN proposes kicking eight of them down the road to be dealt with at a later date.

It’s given the GAC a face-saving way to back away from these items by clarifying that they refer not to the “interim” Whois model likely to come into effect at the GDPR deadline, but to the “ultimate” model that could come into effect a year later after the ICANN community’s got its shit together.

Attempting to retcon GAC advice is not unusual when ICANN disagrees with its governments, but this time at least it’s being up-front about it.

ICANN chair Cherine Chalaby told GAC chair Manal Ismail:

Reaching a common understanding of the GAC’s advice in relation to the Interim Model (May 25) versus the Ultimate Model would greatly assist the Board’s deliberations on the GAC’s advice.

Of the remaining two items of advice, ICANN agrees with one and proposes immediate talks on the other.

One item, concerning the deployment of a Temporary Policy to enforce a uniform Whois on an emergency basis, ICANN says it can accept immediately. Indeed, the Temporary Policy route we first reported on a month ago now appears to be a done deal.

ICANN has asked the GAC for a teleconference this week to discuss the remaining item, which is:

Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties;

Basically, the GAC is trying to prevent the juicier bits of Whois from going dark for everyone, including the likes of law enforcement and trademark lawyers, two weeks from now.

The problem here is that while ICANN has tacit agreement from European data protection authorities that a tiered-access, accreditation-based model is probably a good idea, no such system currently exists and until very recently it’s not been something in which ICANN has invested a lot of focus.

A hundred or so members of the ICANN community, led by IP lawyers who won’t take no for an answer, are currently working off-the-books on an interim accreditation model that could feasibly be used, but it is still subject to substantial debate.

In any event, it would be basically impossible for any agreed-upon accreditation solution to be implemented across the industry before May 25.

So ICANN has invoked its bylaws fuck-you powers for only the third time in its history.

The first time was when the GAC opposed .xxx for reasons lost in the mists of time back in 2010. The second was in 2014 when the GAC overstepped its powers and told ICANN to ignore the rest of the community on the issue of Red Cross related domains.

The board resolved at a meeting last Thursday:

the Board has determined that it may take an action that is not consistent or may not be consistent with the GAC’s advice in the San Juan Communiqué concerning the GDPR and ICANN’s proposed Interim GDPR Compliance Model, and hereby initiates the required Board-GAC Bylaws Consultation Process required in such an event. The Board will provide written notice to the GAC to initiate the process as required by the Bylaws Consultation Process.

Chalaby asked Ismail (pdf) for a call this week. I don’t know if that call has yet taken place, but given the short notice I expect it has not.

For the record, here’s the GAC’s GDPR advice from its Puerto Rico communique (pdf).

the GAC advises the ICANN Board to instruct the ICANN Organization to:

i. Ensure that the proposed interim model maintains current WHOIS requirements to the fullest extent possible;

ii. Provide a detailed rationale for the choices made in the interim model, explaining their necessity and proportionality in relation to the legitimate purposes identified;

iii. In particular, reconsider the proposal to hide the registrant email address as this may not be proportionate in view of the significant negative impact on law enforcement, cybersecurity and rights protection;

iv. Distinguish between legal and natural persons, allowing for public access to WHOIS data of legal entities, which are not in the remit of the GDPR;

v. Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties;

vi. Ensure that limitations in terms of query volume envisaged under an accreditation program balance realistic investigatory crossreferencing needs; and

vii. Ensure confidentiality of WHOIS queries by law enforcement agencies.

b. the GAC advises the ICANN Board to instruct the ICANN Organization to:

i. Complete the interim model as swiftly as possible, taking into account the advice above. Once the model is finalized, the GAC will complement ICANN’s outreach to the Article 29 Working Party, inviting them to provide their views;

ii. Consider the use of Temporary Policies and/or Special Amendments to ICANN’s standard Registry and Registrar contracts to mandate implementation of an interim model and a temporary access mechanism; and

iii. Assist in informing other national governments not represented in the GAC of the opportunity for individual governments, if they wish to do so, to provide information to ICANN on governmental users to ensure continued access to WHOIS.

Data leak security glitch screws up ICANN 61 for thousands

Kevin Murphy, March 15, 2018, Domain Policy

A security vulnerability forced ICANN to take down its Adobe Connect conferencing service halfway through its ICANN 61 meeting in Puerto Rico.

The “potentially serious security issue” could “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”, ICANN said in a pair of statements.

Taking down the service for the remainder of the meeting, which ends today, meant that potentially thousands of remote participants were left to cobble together a less streamlined replacement experience from a combination of live streams, transcription and email.

At the last ICANN meeting, over 4,000 unique participants logged into Adobe Connect. With only 1,900 or so people on-site, we’re probably looking at over 2,000 remote participants relying on AC to take part.

At this point, it’s not clear whether ICANN has discovered a previously undisclosed vulnerability in the Adobe service, or whether it simply buggered up its implementation with sloppy configuration settings.

It’s also not clear whether the glitch has been actively exploited to expose private data, though ICANN said it was first reported by a member of the Security and Stability Advisory Committee.

ICANN said in the second of two statements issued yesterday:

The issue is one that could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room. We are still investigating the root cause of the issue. We have formulated different scenarios based on authentication, encryption, and software versions, which we are testing in a controlled fashion in attempt to replicate and understand the root cause of the issue.

We are working directly with Adobe and with our cloud service provider to learn more.

Adobe Connect is a web conferencing tool that, at least when ICANN uses it for public meetings, combines live video and transcription, PowerPoint presentation sharing, and public and private chat rooms.

I also understand that there’s also a whiteboarding feature that allows participants to collaboratively work on documents in closed sessions.

Given that everything shared in the public sessions (outside of the private chat function) is by definition public, it might be reasonable to assume that ICANN’s primary concern here is how the software is used in closed sessions.

I hear ICANN uses Adobe Connect internally among its own staff and board, where one might imagine private data is sometimes shared. Other relatively secretive groups, such as the Governmental Advisory Committee and Nominating Committee, are also believed to sometimes use it behind closed doors.

While Adobe is infamous for producing buggy, insecure software, and ICANN uses a version of it hosted by a third-party cloud services provider, that doesn’t necessarily mean this wasn’t another ICANN screw-up.

In a similar incident uncovered in 2015, it was discovered that new gTLD applicants could read attachments on the confidential portions of their competitors’ applications, after ICANN accidentally had a single privacy configuration toggle set to “On” instead of “Off” in the hosted Salesforce.com software it was using to manage the program.

Ashwin Rangan, ICANN’s CIO and the guy also tasked with investigating the Salesforce issue, has now started a probe into the Adobe issue.

Next new gTLD round unlikely before 2022

Kevin Murphy, March 13, 2018, Domain Policy

ICANN is unlikely to accept any more new gTLD applications until a full decade has passed since the last round was open.

That’s the conclusion of some ICANN community members working on rules for the next round.

Speaking at ICANN 61 in Puerto Rico this weekend, Jeff Neuman, co-chair of the New gTLD Subsequent Procedures Working group, presented a “best case” timetable for the next round.

The timetable would see the next new gTLD application window opening in the first quarter of 2021, nine years after the 2012 round.

But Neuman acknowledged that the timeline would require all parts of the ICANN community — working groups, GNSO Council, board of directors, staff — to work at their most efficient.

With that in mind, 2021 seems optimistic.

“Even if we hit the 2021 date, that’s still a decade after the launch of the last round, which is crazy,” Neuman said.

Slide

The timetable assumes the GNSO wraps up its policy development a year from now, with the ICANN board approving the policy mid-2019.

It then gives the ICANN staff about six months to publish an updated Applicant Guidebook, and assumes whatever is produced is approved within about six months, after the first pass of public comments.

It’s worth noting that the 2012 round’s AGB hit its first draft in 2008 and went through half a dozen revisions over three years before it was finalized, though one imagines there would be less wheel-reinventing required next time around.

After the board gives the AGB the final nod, the timeline assumes ICANN staff about six months to “operationalize” the program.

But one unidentified ICANN staffer, who said she was “the person that will be ultimately responsible for the implementation” of whatever the GNSO comes up with, said during this weekend’s session that she doubted this was realistic.

She said ICANN the organization would need “at least 12 months” between the ICANN board approving the AGB and the application window opening. That would push the window to late 2021.

The Subsequent Procedures policy work is of course not the only gating factor to the next round.

There’s also a potential bottleneck in work being carried out to review rights protection mechanisms, where fears of filibustering have emerged in an already fractious working group.

All things considered, I wouldn’t place any bets on an application window opening as early as 2021.

Amazon’s .amazon gTLD may not be dead just yet

Kevin Murphy, March 11, 2018, Domain Policy

South American governments are discussing whether to reverse their collective objection to Amazon’s .amazon gTLD bid.

A meeting of the Governmental Advisory Committee at ICANN 61 in Puerto Rico yesterday heard that an analysis of Amazon’s proposal to protect sensitive names if it gets .amazon will be passed to governments for approval no later than mid-April.

Brazil’s GAC rep said that a working group of the Amazon Cooperation Treaty Organization is currently carrying out this analysis.

Amazon has offered the eight ACTO countries commitments including the protection of such as “rainforest.amazon” and actively supporting any future government-endorsed bids for .amazonas.

Its offer was apparently sweetened in some unspecified way recently, judging by Brazil’s comments.

ACTO countries, largely Brazil and Peru, currently object to .amazon on the grounds that it’s a clash with the English version of the name for the massive South American rain forest, river and basin region, known locally as Amazonas.

There’s no way to read the tea leaves on which way the governments will lean on Amazon’s latest proposal, and Peru’s GAC rep warned against reading too much into the fact that it’s being considered by the ACTO countries.

“I would like to stress the fact that we are not negotiating right now,” she told the GAC meeting. “We are simply analyzing a proposal… The word ‘progress’ by no means should be interpreted as favorable opinion towards the proposal, or a negative opinion. We are simply analyzing the proposal.”

ICANN’s board of directors has formally asked the GAC to give it more information about its original objection to .amazon, which basically killed off the application a few years ago, by the end of ICANN 61.

Currently, the GAC seems to be planning to say it has nothing to offer, though it may possibly highlight the existence of the ACTO talks, in its formal advice later this week.

Get drunk on Neustar’s tab and it will donate money to hurricane relief

Kevin Murphy, March 5, 2018, Gossip

Neustar has promised to donate thousands of dollars to a Puerto Rican hurricane relief charity, providng enough people show up to its open bar event in San Juan next week.

It’s fairly standard for domain companies of Neustar’s size to host free after-hours social events during ICANN meetings, but this time the company said it will donate $25 for each attendee to charity.

The beneficiary is the Puerto Rico Resistance Fund, operated by Americas for Conservation and the Arts, which is helping rebuild the island after Hurricane Maria hit it for six last September.

“We want to bring together the community, help spread awareness of the hardship and devastation in Puerto Rico, and make our community proud they are contributing in a small way financially,” Neustar VP Lori Anne Wardi told DI.

With the company telling me it expects 500 guests or more to the invitation-only event, expect a total donation topping $12,500.

The venue is the Antiguo Casino, which appears to be about a 10-minute taxi ride from the Puerto Rico Convention Center, at which the ICANN 61 public meeting is being held.

The event runs from 1900 to 2330 local time.

The official death toll in Puerto Rico from Maria was 64, but a New York Times analysis puts the number at closer to 1,000. Parts of the island, a US territory, are still suffering from infrastructure problems such as power outages.

  • Page 1 of 2
  • 1
  • 2
  • >