Latest news of the domain name industry

Recent Posts

ICANN going back to Puerto Rico for a third time

Kevin Murphy, November 11, 2019, Domain Policy

ICANN has selected Puerto Rico for its ICANN 73 public meeting.

The meeting is slated to be held at the Puerto Rico Convention Center in San Juan from March 5 to March 10, 2022.

That’s the same venue ICANN visited in March last year, in the wake of Hurricane Maria, which caused extensive damage and loss of life on the island. Indeed, the convention center had just months earlier been used as a command and control center for the recovery effort.

San Juan will become just the third city that ICANN has visited three times. It’s been to Singapore four times and its home city of Los Angeles (if you include Marina Del Rey) six times.

Puerto Rico had also been scheduled as the venue for ICANN 57 in 2016, but the meeting was moved to India instead, because of the Zika virus that was causing international concern at the time.

In 2020, meetings are to be held in Cancún, Kuala Lumpur and Hamburg, in that order. In 2021, ICANN’s going to Cancún (again), The Hague and Seattle.

ICANN flips off governments over Whois privacy

Kevin Murphy, May 8, 2018, Domain Policy

ICANN has formally extended its middle finger to its Governmental Advisory Committee for only the third time, telling the GAC that it cannot comply with its advice on Whois privacy.

It’s triggered a clause in its bylaws used to force both parties to the table for urgent talks, first used when ICANN clashed with the GAC on approving .xxx back in 2010.

The ICANN board of directors has decided that it cannot accept nine of the 10 bulleted items of formal advice on compliance with the General Data Protection Regulation that the GAC provided after its meetings in Puerto Rico in March.

Among that advice is a direction that public Whois records should continue to contain the email address of the registrant after GDPR goes into effect May 25, and that parties with a “legitimate purpose” in Whois data should continue to get access.

Of the 10 pieces of advice, ICANN proposes kicking eight of them down the road to be dealt with at a later date.

It’s given the GAC a face-saving way to back away from these items by clarifying that they refer not to the “interim” Whois model likely to come into effect at the GDPR deadline, but to the “ultimate” model that could come into effect a year later after the ICANN community’s got its shit together.

Attempting to retcon GAC advice is not unusual when ICANN disagrees with its governments, but this time at least it’s being up-front about it.

ICANN chair Cherine Chalaby told GAC chair Manal Ismail:

Reaching a common understanding of the GAC’s advice in relation to the Interim Model (May 25) versus the Ultimate Model would greatly assist the Board’s deliberations on the GAC’s advice.

Of the remaining two items of advice, ICANN agrees with one and proposes immediate talks on the other.

One item, concerning the deployment of a Temporary Policy to enforce a uniform Whois on an emergency basis, ICANN says it can accept immediately. Indeed, the Temporary Policy route we first reported on a month ago now appears to be a done deal.

ICANN has asked the GAC for a teleconference this week to discuss the remaining item, which is:

Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties;

Basically, the GAC is trying to prevent the juicier bits of Whois from going dark for everyone, including the likes of law enforcement and trademark lawyers, two weeks from now.

The problem here is that while ICANN has tacit agreement from European data protection authorities that a tiered-access, accreditation-based model is probably a good idea, no such system currently exists and until very recently it’s not been something in which ICANN has invested a lot of focus.

A hundred or so members of the ICANN community, led by IP lawyers who won’t take no for an answer, are currently working off-the-books on an interim accreditation model that could feasibly be used, but it is still subject to substantial debate.

In any event, it would be basically impossible for any agreed-upon accreditation solution to be implemented across the industry before May 25.

So ICANN has invoked its bylaws fuck-you powers for only the third time in its history.

The first time was when the GAC opposed .xxx for reasons lost in the mists of time back in 2010. The second was in 2014 when the GAC overstepped its powers and told ICANN to ignore the rest of the community on the issue of Red Cross related domains.

The board resolved at a meeting last Thursday:

the Board has determined that it may take an action that is not consistent or may not be consistent with the GAC’s advice in the San Juan Communiqué concerning the GDPR and ICANN’s proposed Interim GDPR Compliance Model, and hereby initiates the required Board-GAC Bylaws Consultation Process required in such an event. The Board will provide written notice to the GAC to initiate the process as required by the Bylaws Consultation Process.

Chalaby asked Ismail (pdf) for a call this week. I don’t know if that call has yet taken place, but given the short notice I expect it has not.

For the record, here’s the GAC’s GDPR advice from its Puerto Rico communique (pdf).

the GAC advises the ICANN Board to instruct the ICANN Organization to:

i. Ensure that the proposed interim model maintains current WHOIS requirements to the fullest extent possible;

ii. Provide a detailed rationale for the choices made in the interim model, explaining their necessity and proportionality in relation to the legitimate purposes identified;

iii. In particular, reconsider the proposal to hide the registrant email address as this may not be proportionate in view of the significant negative impact on law enforcement, cybersecurity and rights protection;

iv. Distinguish between legal and natural persons, allowing for public access to WHOIS data of legal entities, which are not in the remit of the GDPR;

v. Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties;

vi. Ensure that limitations in terms of query volume envisaged under an accreditation program balance realistic investigatory crossreferencing needs; and

vii. Ensure confidentiality of WHOIS queries by law enforcement agencies.

b. the GAC advises the ICANN Board to instruct the ICANN Organization to:

i. Complete the interim model as swiftly as possible, taking into account the advice above. Once the model is finalized, the GAC will complement ICANN’s outreach to the Article 29 Working Party, inviting them to provide their views;

ii. Consider the use of Temporary Policies and/or Special Amendments to ICANN’s standard Registry and Registrar contracts to mandate implementation of an interim model and a temporary access mechanism; and

iii. Assist in informing other national governments not represented in the GAC of the opportunity for individual governments, if they wish to do so, to provide information to ICANN on governmental users to ensure continued access to WHOIS.

Data leak security glitch screws up ICANN 61 for thousands

Kevin Murphy, March 15, 2018, Domain Policy

A security vulnerability forced ICANN to take down its Adobe Connect conferencing service halfway through its ICANN 61 meeting in Puerto Rico.

The “potentially serious security issue” could “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”, ICANN said in a pair of statements.

Taking down the service for the remainder of the meeting, which ends today, meant that potentially thousands of remote participants were left to cobble together a less streamlined replacement experience from a combination of live streams, transcription and email.

At the last ICANN meeting, over 4,000 unique participants logged into Adobe Connect. With only 1,900 or so people on-site, we’re probably looking at over 2,000 remote participants relying on AC to take part.

At this point, it’s not clear whether ICANN has discovered a previously undisclosed vulnerability in the Adobe service, or whether it simply buggered up its implementation with sloppy configuration settings.

It’s also not clear whether the glitch has been actively exploited to expose private data, though ICANN said it was first reported by a member of the Security and Stability Advisory Committee.

ICANN said in the second of two statements issued yesterday:

The issue is one that could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room. We are still investigating the root cause of the issue. We have formulated different scenarios based on authentication, encryption, and software versions, which we are testing in a controlled fashion in attempt to replicate and understand the root cause of the issue.

We are working directly with Adobe and with our cloud service provider to learn more.

Adobe Connect is a web conferencing tool that, at least when ICANN uses it for public meetings, combines live video and transcription, PowerPoint presentation sharing, and public and private chat rooms.

I also understand that there’s also a whiteboarding feature that allows participants to collaboratively work on documents in closed sessions.

Given that everything shared in the public sessions (outside of the private chat function) is by definition public, it might be reasonable to assume that ICANN’s primary concern here is how the software is used in closed sessions.

I hear ICANN uses Adobe Connect internally among its own staff and board, where one might imagine private data is sometimes shared. Other relatively secretive groups, such as the Governmental Advisory Committee and Nominating Committee, are also believed to sometimes use it behind closed doors.

While Adobe is infamous for producing buggy, insecure software, and ICANN uses a version of it hosted by a third-party cloud services provider, that doesn’t necessarily mean this wasn’t another ICANN screw-up.

In a similar incident uncovered in 2015, it was discovered that new gTLD applicants could read attachments on the confidential portions of their competitors’ applications, after ICANN accidentally had a single privacy configuration toggle set to “On” instead of “Off” in the hosted Salesforce.com software it was using to manage the program.

Ashwin Rangan, ICANN’s CIO and the guy also tasked with investigating the Salesforce issue, has now started a probe into the Adobe issue.

Next new gTLD round unlikely before 2022

Kevin Murphy, March 13, 2018, Domain Policy

ICANN is unlikely to accept any more new gTLD applications until a full decade has passed since the last round was open.

That’s the conclusion of some ICANN community members working on rules for the next round.

Speaking at ICANN 61 in Puerto Rico this weekend, Jeff Neuman, co-chair of the New gTLD Subsequent Procedures Working group, presented a “best case” timetable for the next round.

The timetable would see the next new gTLD application window opening in the first quarter of 2021, nine years after the 2012 round.

But Neuman acknowledged that the timeline would require all parts of the ICANN community — working groups, GNSO Council, board of directors, staff — to work at their most efficient.

With that in mind, 2021 seems optimistic.

“Even if we hit the 2021 date, that’s still a decade after the launch of the last round, which is crazy,” Neuman said.

Slide

The timetable assumes the GNSO wraps up its policy development a year from now, with the ICANN board approving the policy mid-2019.

It then gives the ICANN staff about six months to publish an updated Applicant Guidebook, and assumes whatever is produced is approved within about six months, after the first pass of public comments.

It’s worth noting that the 2012 round’s AGB hit its first draft in 2008 and went through half a dozen revisions over three years before it was finalized, though one imagines there would be less wheel-reinventing required next time around.

After the board gives the AGB the final nod, the timeline assumes ICANN staff about six months to “operationalize” the program.

But one unidentified ICANN staffer, who said she was “the person that will be ultimately responsible for the implementation” of whatever the GNSO comes up with, said during this weekend’s session that she doubted this was realistic.

She said ICANN the organization would need “at least 12 months” between the ICANN board approving the AGB and the application window opening. That would push the window to late 2021.

The Subsequent Procedures policy work is of course not the only gating factor to the next round.

There’s also a potential bottleneck in work being carried out to review rights protection mechanisms, where fears of filibustering have emerged in an already fractious working group.

All things considered, I wouldn’t place any bets on an application window opening as early as 2021.

Amazon’s .amazon gTLD may not be dead just yet

Kevin Murphy, March 11, 2018, Domain Policy

South American governments are discussing whether to reverse their collective objection to Amazon’s .amazon gTLD bid.

A meeting of the Governmental Advisory Committee at ICANN 61 in Puerto Rico yesterday heard that an analysis of Amazon’s proposal to protect sensitive names if it gets .amazon will be passed to governments for approval no later than mid-April.

Brazil’s GAC rep said that a working group of the Amazon Cooperation Treaty Organization is currently carrying out this analysis.

Amazon has offered the eight ACTO countries commitments including the protection of such as “rainforest.amazon” and actively supporting any future government-endorsed bids for .amazonas.

Its offer was apparently sweetened in some unspecified way recently, judging by Brazil’s comments.

ACTO countries, largely Brazil and Peru, currently object to .amazon on the grounds that it’s a clash with the English version of the name for the massive South American rain forest, river and basin region, known locally as Amazonas.

There’s no way to read the tea leaves on which way the governments will lean on Amazon’s latest proposal, and Peru’s GAC rep warned against reading too much into the fact that it’s being considered by the ACTO countries.

“I would like to stress the fact that we are not negotiating right now,” she told the GAC meeting. “We are simply analyzing a proposal… The word ‘progress’ by no means should be interpreted as favorable opinion towards the proposal, or a negative opinion. We are simply analyzing the proposal.”

ICANN’s board of directors has formally asked the GAC to give it more information about its original objection to .amazon, which basically killed off the application a few years ago, by the end of ICANN 61.

Currently, the GAC seems to be planning to say it has nothing to offer, though it may possibly highlight the existence of the ACTO talks, in its formal advice later this week.

Get drunk on Neustar’s tab and it will donate money to hurricane relief

Kevin Murphy, March 5, 2018, Gossip

Neustar has promised to donate thousands of dollars to a Puerto Rican hurricane relief charity, providng enough people show up to its open bar event in San Juan next week.

It’s fairly standard for domain companies of Neustar’s size to host free after-hours social events during ICANN meetings, but this time the company said it will donate $25 for each attendee to charity.

The beneficiary is the Puerto Rico Resistance Fund, operated by Americas for Conservation and the Arts, which is helping rebuild the island after Hurricane Maria hit it for six last September.

“We want to bring together the community, help spread awareness of the hardship and devastation in Puerto Rico, and make our community proud they are contributing in a small way financially,” Neustar VP Lori Anne Wardi told DI.

With the company telling me it expects 500 guests or more to the invitation-only event, expect a total donation topping $12,500.

The venue is the Antiguo Casino, which appears to be about a 10-minute taxi ride from the Puerto Rico Convention Center, at which the ICANN 61 public meeting is being held.

The event runs from 1900 to 2330 local time.

The official death toll in Puerto Rico from Maria was 64, but a New York Times analysis puts the number at closer to 1,000. Parts of the island, a US territory, are still suffering from infrastructure problems such as power outages.

Whois privacy will soon be free for most domains

Kevin Murphy, March 5, 2018, Domain Policy

Enormous changes are coming to Whois that could mark the end of Whois privacy services this year.

ICANN has proposed a new Whois model that would anonymize the majority of domain name registrants’ personal data by default, only giving access to the data to certain certified entities such as the police.

The model, published on Friday and now open for comment, could change in some of the finer details but is likely being implemented already at many registries and registrars.

Gone will be the days when a Whois lookup reveals the name, email address, physical address and phone number of the domain’s owner.

After the model is implemented, Whois users will instead merely see the registrant’s state/province and country, organization (if they have one) and an anonymized, forwarding email address or web form for contact purposes.

Essentially, most Whois records will look very much like those currently hiding behind paid-for proxy/privacy services.

Technical data such as the registrar (and their abuse contact), registration and expiry dates, status code, name servers and DNSSEC information would still be displayed.

Registrants would have the right to opt in to having their full record displayed in the public Whois.

Anyone wanting to view the full record would have to be certified in advance and have their credentials stored in a centralized clearinghouse operated by or for ICANN.

The Governmental Advisory Committee would have a big hand in deciding who gets to be certified, but it would at first include law enforcement and other governmental agencies.

This would likely be expanded in future to include the likes of security professionals and intellectual property lawyers (still no word from ICANN how the legitimate interests of the media or domain investors will be addressed) but there could be a window in which these groups are hamstrung by a lack of access to thick records.

The proposed model is ICANN’s attempt to bring Whois policy, which is enforced in its contracts with registries and registrars, into line with GDPR, the European Union’s General Data Protection Regulation, which kicks in fully in May.

The model would apply to all gTLD domains where there is some connection to the European Economic Area.

If the registrar, registry, registrant or a third party processor such as an escrow agent is based in the EEA, they will have to comply with the new Whois model.

Depending on how registrars implement the model in practice (they have the option to apply it to all domains everywhere) this means that the majority of the world’s 188 million gTLD domains will probably be affected.

While GDPR applies to only personal data about actual people (as opposed to legal persons such as companies), the ICANN model makes no such distinction. Even domains owned by legal entities would have their records anonymized.

The rationale for this lack of nuance is that even domains owned by companies may contain personal information — about employees, presumably — in their Whois records.

Domains in ccTLDs with EEA connections will not be bound to the ICANN model, but will rather have to adopt it voluntarily or come up with their own ways to become GDPR compliant.

The two largest European ccTLDs — .uk and Germany’s .de, which between them account for something like 28 million domains — last week separately outlined their plans.

Nominet said that from May 25 it will no longer publish the name or contact information of .uk registrants in public Whois without their explicit consent. DENIC said something similar too.

Here’s a table of what would be shown in public Whois, should the proposed ICANN model be implemented.

Domain NameDisplay
Registry Domain IDDisplay
Registrar WHOIS ServerDisplay
Registrar URLDisplay
Updated DateDisplay
Creation DateDisplay
Registry Expiry DataDisplay
Registrar Registration Expiration DateDisplay
RegistrarDisplay
Registrar IANA IDDisplay
Registrar Abuse Contact EmailDisplay
Registrar Abuse Contact PhoneDisplay
ResellerDisplay
Domain StatusDisplay
Domain StatusDisplay
Domain StatusDisplay
Registry Registrant IDDo not display
Registrant NameDo not display
Registrant OrganizationDisplay
Registrant StreetDo not display
Registrant CityDo not display
Registrant State/ProvinceDisplay
Registrant Postal CodeDo not display
Registrant CountryDisplay
Registrant PhoneDo not display
Registrant Phone ExtDo not display
Registrant FaxDo not display
Registrant Fax ExtDo not display
Registrant EmailAnonymized email or web form
Registry Admin IDDo not display
Admin NameDo not display
Admin OrganizationDo not display
Admin StreetDo not display
Admin CityDo not display
Admin State/ProvinceDo not display
Admin Postal CodeDo not display
Admin CountryDo not display
Admin PhoneDo not display
Admin Phone ExtDo not display
Admin FaxDo not display
Admin Fax ExtDo not display
Admin EmailAnonymized email or web form
Registry Tech IDDo not display
Tech NameDo not display
Tech OrganizationDo not display
Tech StreetDo not display
Tech CityDo not display
Tech State/ProvinceDo not display
Tech Postal CodeDo not display
Tech CountryDo not display
Tech PhoneDo not display
Tech Phone ExtDo not display
Tech FaxDo not display
Tech Fax ExtDo not display
Tech EmailAnonymized email or web form
Name ServerDisplay
Name ServerDisplay
DNSSECDisplay
DNSSECDisplay
URL of ICANN Whois Inaccuracy Complaint FormDisplay
>>> Last update of WHOIS databaseDisplay

The proposal is open for comment, with ICANN CEO Goran Marby requesting emailed input before the ICANN 61 public meeting kicks off in Puerto Rico this weekend.

With just a couple of months left before the law, with its huge fines, kicks in, expect GDPR to be THE hot topic at this meeting.

Expect “minor inconveniences” in post-hurricane Puerto Rico

Kevin Murphy, December 12, 2017, Domain Policy

ICANN 61 is going ahead in Puerto Rico despite the continuing fallout of a devastating hurricane season, the organization has confirmed.

The March 10-15 meeting will take place at the convention center in San Juan, and participants can only expect “minor inconveniences”

ICANN said in a statement:

We recognize that Puerto Rico is still in the recovery phase, and while we can expect some minor inconveniences, the convention center and supporting hotels are fully operational and eager to host our event in March.

ICANN has not yet listed its official supporting hotels, where it usually negotiates bulk discounts, on the official ICANN 61 page.

In the event you, like me, always find ICANN’s approved hotels a tad on the pricey side, you’ll probably need to do your own research.

ICANN added that it has been working with the island’s governor and that: “We have been assured that our presence in San Juan will support economic recovery on the island.”

Hurricane Maria made landfall in Puerto Rico on September 20, killing at least 48 people and causing billions of dollars in property damage.

The convention center venue for ICANN 61 escaped relatively unscathed and was actually used as a command and control center during the immediate aftermath of the disaster.

After Zika threat passes, ICANN confirms return to Puerto Rico

Kevin Murphy, December 16, 2016, Domain Policy

ICANN will hold its first public meeting of 2018 in San Juan, Puerto Rico, which was originally supposed to the venue for this October’s meeting.

ICANN moved ICANN 57 from San Juan to Hyderabad, India in May, at the height of the scare about the Zika virus.

Zika is spread by mosquitoes and sex and can cause horrible birth defects. An epidemic, beginning in 2015, saw thousands affected in the Americas and South-East Asia.

Puerto Rico was one of the affected regions. At the time of the ICANN postponement, numerous government travel warnings were in effect.

The World Health Organization announced last month that the epidemic is over.

It was always understood that Puerto Rico had been merely postponed rather than permanently canceled, and ICANN’s board of directors this week resolved to hold the March 2018 meeting — ICANN 61 — there.

ICANN diverts from Puerto Rico to India to avoid Zika

Kevin Murphy, May 17, 2016, Domain Policy

ICANN has confirmed that its 57th public meeting will not be held, as originally planned, in Puerto Rico.

Instead, it is asking community members to instead head to Hyderabad, India, this November.

Those Las Vegas rumors turned out not to be true. However, on the up-side, those Las Vegas rumors turned out not to be true!

The decision was to relocate made to the a “state of emergency” being declared in Puerto Rico due to the Zika virus.

Zika is spread by mosquitoes and male sexual partners and can cause devastating birth defects in kids.

Latest figures from the US Center for Disease Control put infections in US territories at 701, three of whom were travelers.

ICANN said in a blog post this evening:

This decision was based on available research and information and the fact that Puerto Rico has declared a state of emergency due to the ongoing Zika virus outbreak. We believe that the Zika virus poses a significant enough threat that we need to postpone going to Puerto Rico for the health and safety of our community and our ICANN team, just as we had to postpone ICANN52 and relocate from Marrakech to Singapore due to the Ebola virus outbreak in 2014.

It’s the second of this year’s meetings to be relocated due to Zika. June’s Panama meeting has been moved to Helsinki.

ICANN said that the new venue for ICANN 57, which takes place from November 3 to 9 this year, is the Hyderabad International Convention Centre.

It’s said that ICANN will take a seven-figure hit to its bank balance in order to cancel the PR meeting.