Latest news of the domain name industry

Recent Posts

ICANN ordered to freeze .hotel after “serious questions” about trade secrets “theft”

Kevin Murphy, September 3, 2020, 19:10:00 (UTC), Domain Policy

ICANN has been instructed to place the proposed .hotel gTLD in limbo after four applicants for the string raised “sufficiently serious questions” that ICANN may have whitewashed the “theft” of trade secrets.

The order was handed down last month by the emergency panelist in the Independent Review Process case against ICANN by claimants Fegistry, MMX, Radix and Domain Ventures Partners.

Christopher Gibson told ICANN to “maintain the status quo” with regards the .hotel contention set, meaning currently winning applicant Hotel Top Level Domain, which is now owned by Afilias, won’t get contracted or delegated until the IRP is resolved.

At the core of the decision (pdf) is Gibson’s view that the claimants raised “sufficiently serious questions related to the merits” in allegations that ICANN mishandled and acted less than transparently in its investigation into a series of data breaches several years ago.

You may recall that ICANN seriously screwed up its new gTLD application portal, configuring in such a way that any applicant was able to search for and view the confidential data, including financial information such as revenue projections, of any other competing applicant.

Basically, ICANN was accidentally publishing applicants’ trade secrets on its web site for years.

ICANN discovered the glitch in 2015 and conducted an audit, which initially fingered Dirk Krischenowski — who at time was the half-owner of a company that owned almost half of HTLD as well as a lead consultant on the bid — as the person who appeared to have accessed the vast majority of the confidential data in March and April 2014.

ICANN did not initially go public with his identity, but it did inform the affected applicants and I managed to get a copy of the email, which said he’d downloaded about 200 records he shouldn’t have been able to access.

It later came to light that Krischenowski was not the only HTLD employee to use the misconfiguration to access data — according to ICANN, then-CEO of HTLD Katrin Ohlmer and lawyer Oliver Süme had too.

HTLD execs have always denied any wrongdoing, and as far as I know there’s never been any action against them in the proper courts. Krischenowski has maintained that he had no idea the portal was glitched, and he was using it in good faith.

Also, neither Ohlmer nor Krischenowski are still involved with HTLD, having been bought out by Afilias after the hacking claims emerged.

These claims of trade secret “theft” are being raised again now because the losing .hotel applicants think ICANN screwed up its probe and basically tried to make it go away out of embarrassment.

Back in August 2016, the ICANN board decided that demands to cancel the HTLD application were “not warranted”. Ohlmer barely gets a mention in the resolution’s rationale.

The losing applicants challenged this decision in a Request for Reconsideration in 2016, known as Request 16-11 (pdf). In that request, they argued that the ICANN board had basically ignored Ohlmer’s role.

Request 16-11 was finally rejected by the ICANN board in January last year, with the board saying it had in fact considered Ohlmer when making its decision.

But the IRP claimants now point to a baffling part of ICANN’s rationale for doing so: that it found “no evidence that any of the confidential information that Ms. Ohlmer (or Mr. Krischenowski) improperly accessed was provided to HTLD”.

In other words, ICANN said that the CEO of the company did not provide the information that she had obtained to the company of which she was CEO. Clear?

Another reason for brushing off the hacking claims has been that HTLD could have seen no benefit during the application process by having access to its rivals’ confidential data.

HTLD won the contention set, avoiding the need for an auction, in a Community Priority Evaluation. ICANN says the CPE was wholly based on information provided in its 2012 application, so any data obtained in 2014 would have been worthless.

But the losing applicants say that doesn’t matter, as HTLD/Afilias still have access to their trade secrets, which could make the company a more effective competitor should .hotel be delegated.

This all seems to have been important to Gibson’s determination. He wrote in his emergency ruling (pdf) last month:

The Emergency Panelist determines that Claimants have raised “sufficiently serious questions related to the merits” in in relation to the Board’s denial of Request 16-11, with respect to the allegations concerning the Portal Configuration issues in Request 16-11. This conclusion is made on the basis of all of the above information, and in view of Claimants’ IRP Request claim that ICANN subverted the investigation into HTLD’s alleged theft of trade secrets. In particular, Claimants claim that ICANN refused to produce key information underlying its reported conclusions in the investigation; that it violated the duty of transparency by withholding that information; that the Board’s action to ignore relevant facts and law was a violation of Bylaws; and further, to extent the BAMC and/or Board failed to have such information before deciding to disregard HTLD’s alleged breach, that violated their duty of due diligence upon reasonable investigation, and duty of independent judgment.

The Emergency Panelist echoes concerns that were raised initially by the Despegar IRP Panel regarding the Portal Configuration issues, where that Panel found that “serious allegations” had been made188 and referenced Article III(1) of ICANN’s Bylaws in effect at that time, but declined to make a finding on those issues, indicating “that it should remain open to be considered at a future IRP should one be commenced in respect of this issue.” Since that time, ICANN conducted an internal investigation of the Portal Configuration issues, as noted above; however, the alleged lack of disclosure, as well as certain inconsistencies in the decisions of the BAMC and the Board regarding the persons to whom the confidential information was disclosed and their relationship to, or position with HTLD, as well as ICANN’s decision to ultimately rely on a “no harm no foul” rationale when deciding to permit the HTLD application to proceed, all raise sufficiently serious questions related to the merits of whether the Board breached ICANN’s Article, Bylaws or other polices and commitments.

It’s important to note that this is not a final ruling that ICANN did anything wrong, it’s basically the ICANN equivalent of a ruling on a preliminary injunction and Gibson is saying the claimants’ allegations are worthy of further inquiry.

And the ruling did not go entirely the way of the claimants. Gibson in fact ruled against them on most of their demands.

For example, he said their was insufficient evidence to revisit claims that a review of the CPE process carried out by FTI Consulting was a whitewash, and he refused to order ICANN to preserve documentation relating to the case (though ICANN has said it will do so anyway).

He also ruled against the claimants on a few procedural issues, such as their demands for an Ombudsman review and for IRP administrator the International Center for Dispute Resolution to recuse itself.

Some of their claims were also time-barred under ICANN’s equivalent of the statute of limitations.

But ICANN will be prevented from contracting with HTLD/Afilias for now, which is a key strategic win.

ICANN reckons the claimants are just using the IRP to try to force deep-pocketed Afilias into a private auction they can be paid to lose, and I don’t doubt there’s more than a grain of truth in that claim.

But if it exposes another ICANN cover-up in the process, I for one can live with that.

The case continues…


If you find this post or this blog useful or interestjng, please support Domain Incite, the independent source of news, analysis and opinion for the domain name industry and ICANN community.

Tagged: , , , , , , , , , , , , , , , , ,

Add Your Comment