First bits of new gTLD Applicant Guidebook expected next week

The internet community will officially get eyes on the draft Applicant Guidebook for ICANN’s next new gTLD Applicant Guidebook as early as next week.

The ICANN staff/community Implementation Review Team crafting the language of the AGB is targeting February 1, next Thursday, for opening a formal Public Comment on drafts of seven sections of the document.

These sections mostly cover some of the low-hanging fruits — explanatory text or rules that have not changed a great deal from the 2012 round. They are:

• Code of Conduct and Conflict of Interest Guidelines.
• Conflicts of Interest Process for Vendors and Subcontractors. Along with the above, these sections specify what ICANN’s vendors (such as application evaluators) must not do in order to avoid the perception of conflicts of interest, such as not accepting gifts and not entering into deals to acquire applicants.
• Applicant Freedom of Expression. This section is a single-paragraph disclaimer warning applicants to be “mindful of limitations to free expression”. In other words, if your applied-for string breaks ICANN rules, your free speech rights are forfeit.
• Universal Acceptance. A brief warning or disclaimer that even successfully applied-for gTLDs may not work everywhere on the internet due to lack of software support.
• Reserved and Blocked Names. Covers the variety of reasons why an applied-for string will be rejected or subject to additional review, including names that break technical standards, are geographic in nature, or refer to organizations in the ICANN ecosystem.
• Geographic Names. Specifies when an applied-for string is considered a Geographic Name and is therefore banned outright or requires governmental approval for the application to proceed. There’s at least one potential applicant, thinking of applying for .eth, that I predict will not be happy with one of these rules.
• Predictability Framework. This is new to the 2026 round. It’s a procedure designed to tackle unexpected changes to process or policy that are required after applicants have already paid up and submitted their paperwork. In some circumstances, it requires ICANN to consult with a community group called SPIRT to make sure applicants are not affected too adversely.

The full AGB is not expected to be completed until May 2025, with ICANN currently hoping to open the next application window in April 2026.

The public comment period on the first batch of docs is expected to run from February 1 to March 19. If you want to get the jump on what is very likely to be published, drafts can be found here.

ICANN bans closed generics for the foreseeable

There will be no applications for closed generic gTLDs in the 2026 application round, ICANN has confirmed.

While the Org has yet to publish the results of last weekend’s board meeting, chair Tripti Sinha has written to community leaders to let them know that companies won’t be able to apply for exclusive-use, non-trademark strings for the foreseeable future.

The ban follows years of talks that failed to find a consensus on whether closed generics should be permitted, and subsequent advice from the Governmental Advisory Committee, backed up by the At-Large Advisory Committee, that they should not.

Apparently quoting board output from its January 21 meeting, Sinha wrote (pdf):

the Board has considered the GAC Advice and has determined that closed generic gTLD applications will not be permitted until such time as there is an approved methodology and criteria to evaluate whether or not a proposed closed domain is in the public interest.

Closed generics were permitted — or at least not explicitly outlawed — in the 2012 application round, but were retroactively banned by ICANN following GAC advice in 2013, stymying the plans of dozens of applicants.

Ironically, it was the clumsy wording of the 2013 advice that saw the debate re-open a few years ago, with the initiation of a closed-doors, Chatham House Rules “facilitated dialogue” between the pro- and anti- camps, which also failed to reach a consensus.

By drawing a line under the issue now, ICANN has finally officially removed closed generics as a potential delaying factor on the next gTLD application round, which is already 13 years late.

DNS Women barred from ICANN funding?

A networking group set up to support women in the domain name industry, especially in the developing world, may be banned from applying for ICANN funding under rules published earlier this week.

Concerns have been raised that DNS Women may be excluded from the $10 million in non-profit Grant Program funding ICANN is making available this year because its CEO participated in the program’s community rule-making process.

ICANN’s rules, written by Org staff based on the recommendations of the Cross-Community Working Group on New gTLD Auction Proceeds (CCWG-AP), ban anyone from applying for grants — set at between $50,000 and $500,000 — if they have potential conflicts of interest.

Participation in the CCWG-AP is listed as one such conflict:

No person that participated as a member (including temporary member appointments) of the Cross-Community Working Group on New gTLD Auction Proceeds (CCWG-AP) is eligible to apply for or be included within funded proposal activities as principals, advisors, or in other roles. Grants may not be awarded to businesses and organizations owned in whole or in part by the CCWG-AP members or their family members. Grant funding may not be used to pay compensation to CCWG-AP members or their family members.

DNS Women is currently led by Vanda Scartezini, who was a member of CCWG-AP representing the At-Large Advisory Committee. She’s written to ICANN to express surprise to find herself suddenly unable to apply for funding. ICANN has responded with a pointer to the CCWG-AP’s recommendations, where the language closely mirrors that found in the new application rules as implemented.

But if Scartezini has shot herself in the foot, she may not be alone. According to the CCWG-AP’s final report, there may have been almost enough foot-shooting to create a Paralympic football team.

Of the 22 people who participated as full members of the group — and would be therefore barred from financially benefiting from grants — 10 people answered “yes” or “maybe” when asked to disclose whether they or their employer expected to apply for funding (almost all, including Scartezini, were “maybes”).

The $10 million tranche available this year comes from a $217 million fund ICANN raised auctioning off contested gTLDs following the 2012 application round.

$10 million of ICANN cash up for grabs

ICANN has officially launched its Grant Program, making $10 million available to not-for-profit projects this year.

The Org expects to start accepting applications for between $50,000 and $500,000 between March 25 and May 24 and start handing out the cash early next year.

It’s the first phase of a program that currently sees ICANN sitting on a distributable cash pile of $217 million that it raised by auctioning off contested new gTLD registry contracts under the 2012 gTLD application round.

The money is only available to registered charities that in some way support ICANN’s mission in terms of developing internet interoperability or capacity building.

Organizations worldwide will be able to apply, but it seems unlikely anyone from a country currently subject to US government sanctions will be successful. Conflicted organizations — such as those led by somebody involved with the program — are also barred.

Applications for grants will be assessed by ICANN staff, a yet-to-be-named Independent Application Assessment Panel comprising “a diverse collective of subject matter experts”, and ultimately the ICANN board of directors.

More information and the application form can be found here.

ICANN threatens to regulate your speech [RANT]

ICANN wants to know if it’s okay if it regulates your speech, even when you’re not doing ICANN stuff.

Acting CEO Sally Costerton has floated the idea of extending ICANN’s Expected Standards of Behavior into things people say in their everyday lives.

The notion came up in ICANN’s response (pdf) to consultant Jeff Neuman, who recently complained to the Org about a TV interview given by Talal Abu-Ghazaleh, a prominent member of the intellectual property community in the Middle-East.

In the interview on Jordanian TV last October, Abu-Ghazaleh made some outrageously anti-Semitic remarks and appeared to suggest the Holocaust was a good thing.

His TAG-Org business has at least three ties to ICANN. It’s an accredited registrar, it’s involved in an approved UDRP provider, and it hosts an instance of ICANN’s L-root DNS root server.

Neuman said that ICANN should not associate with racists and should remove TAG-Org’s L-root instance and relocate it to another organization in Jordan or elsewhere the Middle-East.

It took a few months to get a response, but now Costerton has written back to Neuman “to make it absolutely clear that hate speech has no place in ICANN’s multistakeholder process”:

She said that ICANN has “reached out directly to inform Talal Abu Ghazaleh and TAG-Org that their hate speech violates ICANN’s Expected Standards of Behavior” and “referred this matter to the Office of the Ombuds to investigate and make further recommendations.”

Costerton concludes:

Although your letters are specifically about TAG-Org, they also point to a larger question that has not yet been addressed by the ICANN community. Specifically what role, if any, should ICANN have in addressing egregious conduct that violates the Expected Standards of Behavior to the extent that it could cause significant reputational harm to ICANN and the multistakeholder model if left unaddressed? This is an area for which there is currently no policy or community guidance. In its absence, it is difficult to know how to weigh potentially competing issues. For example, your letters reference free speech questions. This incident has made it clear that as a community we need to discuss this further in the coming weeks and months.

This brief reference to the “free speech” implications of taking action may be a clue that ICANN is actually just trying to preemptively weasel out of actually doing anything about TAG-Org. Neuman seems to think that’s a possibility.

But let’s take Costerton’s letter at face value. ICANN is now talking about extending its Expected Standards of Behavior to things people say when they’re not doing ICANN community stuff.

The ESB is ICANN’s take on codified politeness, banning all the -isms and -phobias from ICANN community conduct. It’s supplemented by the Community Anti-Harassment Policy, which is referenced in Costerton’s letter (pdf) to TAG-Org and which among many other things bans swearing.

Participants are reminded of applicability of these policies whenever they walk into an ICANN conference center or log in to a Zoom call.

That, as far as I’m concerned, is where it should begin and end — when you’re in an ICANN meeting or participating on a mailing list, play nice. ICANN’s house, ICANN’s rules.

Abu-Ghazaleh spouted some pretty incredibly racist stuff, but he did so in a media appearance. He wasn’t on TV to discuss ICANN, or domain names, or intellectual property. He was talking about the attacks in Israel and Gaza.

ICANN’s Expected Standards of Behavior have no jurisdiction over Jordanian TV. Or, indeed, any news media.

ICANN as a private organization would of course be well within its rights to just unilaterally remove the Amman L-root. It refuses to take money from alt-roots. It refuses to work with convicted pirates. Surely refusing to work with a Holocaust supporter isn’t too much of a stretch.

But the idea that ICANN’s rules on personal conduct should extend outside the grey, windowless walls of an ICANN convention center, or that ICANN employees should be the judges of whether something is or isn’t offensive… nah.

Remember, a lot of these people are Californians.

ICANN predicts flattish 2025 for domain industry

The gTLD domain industry will be pretty much flat in terms of sales next year, according to the predictions in ICANN’s latest budget.

The bean counters reckon the Org will make $89 million from transactions in legacy gTLDs (mainly .com) in its fiscal 2025, up from the $88.9 million it expects to make in fiscal 2024, which ends next June 30.

Meanwhile, it expects transactions in new gTLDs to bring in $10.1 million, up from the $9.9 million it expects in FY24.

Both of the updated FY24 estimates are actually a bit ahead of ICANN’s current budget, written in April and approved in May, which predicted $87.1 million from legacy and $9.2 million from new.

ICANN expects to lose 22 registries (presumably unused dot-brands, of which there are still plenty, with a couple hundred contracts up for renewal in 2025) and gain 40 new registrars.

This will lead to revenue from registry fixed fees to dip to $27.6 million from a predicted $28.1 million, and registrar fixed fees going up from $10.4 million from a predicted $10.1 million.

The FY24 registrar numbers are a little healthier than ICANN predicted back in April, when it expected 2,447 accredited registrars at the end of the financial year versus the 2,575 it’s expecting now. Gname’s decision to buy 150 new accreditations will have played a big role in moving this number up. ICANN expects 2,615 registrars at the end of FY25.

But ICANN is losing registries faster than it predicted back in April. Then, it had expected to end FY24 with 1,127 registries; now it thinks it will have 1,118. It expects that to drop to 1,089 by the end of June 2025.

Overall, ICANN is budgeting for funding of $148 million and the same level of expenses in FY25, the same as FY24.

Did I find a murder weapon in a zone file?

Registrars are usually very reluctant to police the content of web sites by taking down domains they manage, but they quite often make an exception when the web site in question calls for violence. But what if the site itself attempts to physically harm visitors through their screens?

It sounds a bit mad, but I think I’ve found such a site.

I recently randomly came across a domain name that caught my eye while scrolling through a zone file. I’m not going to reveal the domain here, but it consisted of three words across the dot and could be taken as an instruction to “murder” a specific, but unnamed, individual.

Expecting humor, I visited the domain out of curiosity and was confronted by a blank page that rapidly flashed between two background colors, creating a strobe effect. There was no other content.

My first impression was that the site had been created in order to trigger seizures in photosensitive epileptics. The CSS seemed to confirm that the strobe effect fell within the frequency range that the charity Epilepsy Action says can cause such seizures.

This raised an interesting question: could this be considered “DNS abuse”?

The DNS Abuse Institute’s definition (pdf) says DNS Abuse consists of “malware, botnets, phishing, pharming, and spam (when it serves as a delivery mechanism for the other forms of DNS Abuse)”.

DNSAI says registries and registrars “must” act on these five categories of abuse, but it adds that there are some categories of web content where registrars “should” take action. Its Framework to Address Abuse, which has been endorsed by dozens of registries and registrars, states:

Specifically, even without a court order, we believe a registry or registrar should act to disrupt the following forms of Website Content Abuse: (1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence. Underlying these Website Content Abuses is the physical and often irreversible threat to human life.

Epileptic seizures can be fatal. A school friend of mine did not make it out of his teens due to one. Even when non-fatal, they are dangerous and clearly unpleasant.

So if a site encouraging physical violence “should” be taken down, what about a site that seems designed to actively physically attack individuals, no incitement required? That’s a reasonable question, right?

I filed an abuse report with the registrar managing the domain and was told it did not violate its acceptable use policies.

Attacking epileptics with flashing images sent online has been a criminal offence in the UK since October 26, when the controversial Online Safety Act 2023 was enacted.

A component of the Act is named Zach’s Law, after an eight-year-old boy who in 2020 was attacked with flashing images by internet wankers after he carried out a sponsored walk for the Epilepsy Society.

The Act makes it illegal to send a flashing image to somebody you know is epileptic with the intent to harm them. You can get up to five years imprisonment and a fine.

ICANN drops the “man” from Ombudsman

ICANN is looking for a new “Ombuds”, having quietly dropped the “man” from Ombudsman following the resignation of Herb Waye.

The Org said it has hired a recruitment consultant and put out a call for expressions of interest in the role last night.

The Ombuds’ job is to handle complaints independently of ICANN Org and board and be an “objective advocate for fairness”. It’s one of ICANN’s bylaws-mandated accountability mechanisms.

The Org seems to have officially made the switch from “Ombudsman” to “Ombuds” at the start of October when Krista Papac took on the job on an interim basis. The old URL icann.org/ombudsman now forwards to icann.org/ombuds.

Like many middle-aged men, I often roll my eyes at this kind of terminology change, despite my impeccable woke credentials.

I have always assumed that “Ombudsman” was etymologically a gender-neutral term, given its Scandinavian roots, but I’ve read around the topic today and it seems that that assumption is open to debate.

I’ve concluded that it doesn’t matter either way — nobody’s getting hurt by the change, so fuck it, “Ombuds” it is.

Have your say on police domain takedown powers

The UK Parliament wants your input on a new proposed law that would give the police powers to take down domain names and IP addresses.

The broad-ranging Criminal Justice Bill 2023 (pdf) would give police the ability to obtain court orders requiring registries and registrars to suspend domains believed to be used in criminal activity.

Accompanying explanatory notes say that these court orders could be applied internationally against domain companies in other countries via various means.

The clock is ticking for submissions — the Public Bill Committee of Parliament is due to sit to consider evidence from December 12 and issue its report with suggested amendments by January 30.

The committee advises submitting evidence as soon as possible to maximize the time spent considering it.

Most registrars are shunning ICANN’s new Whois system

Most of the largest domain registrars are not currently participating in ICANN’s new Registration Data Request Service, according to my research.

I used the RDRS tool to check domains managed by every accredited registrar that has over a million domains under management and discovered that at least 25 out of these 40 registrars do not currently support the service.

The number may be 26, but RDRS did not recognize any domains managed by Chinese registrar Ali Baba as valid, giving instead a “domain does not exist” error message, even for alibaba.com itself.

In total, the 25 registrars coming up blank look after over 63 million gTLD domains, about 28% of the total.

Some very recognizable brands are not in the system.

Squarespace Domains II, the new name for the old Google Domains, the fourth-largest registrar, is the largest company not participating. Together with its original accreditation, Squarespace Domains, they have over 10 million domains under management.

TurnCommerce, GMO, IONOS, NameSilo, PDR, Gname, Dynadot, Wix, OVH, Register.com, FastDomain, Name.com, Domain.com, Hostinger, Sav.com, Xin Net, West.cn, Cronon, Domain Robot, Automattic, DNSPod, and Cloudflare are also not in the system.

Oh, and neither is Markmonitor.

While I only checked 40 registrars, not the full 2,702 that were active in the July registry transaction reports, I would expect the level of support to decline the lower down the list you get, particularly as hundreds of accreditations have a trivial number of domains or are merely aliases for companies already known to not support RDRS.

It’s quite possible some of the registrars I’ve named here are planning to sign up and have just been slow to do so, but they’ve had plenty of time — ICANN has been onboarding registrars since September 20.

The level of support from the registrar industry will be critical to judging whether the RDRS project is deemed a success.

In a recent letter to the GNSO Council discussing “success criteria” for the program, ICANN chair Tripti Sinha wrote (pdf):

The Board agrees that the participation of a sufficient number of registrars with a sufficient number of domain name registrations under management will be important with respect to gathering data.

On the bright side, GoDaddy, Tucows and Namecheap are on board, and that represents about 90 million domains. GoDaddy alone accounts for 65 million, slightly more than the combined total of the 25 large registrars that are not participating.

RDRS is a system designed to simplify the process of requesting non-public Whois data by passing all such requests to the relevant registrars through a central hub.

Of course, it’s only useful if the registrars are actually in the system.