Feds warn of Covid risk from “dark” Whois
The US Food and Drug Administration has escalated its beef with ICANN, warning that inaccessible Whois data is making it harder to tackle bogus Covid-19 “cures” and the country’s opioid crisis.
Catherine Hermsen from the FDA’s Office of Criminal Investigations wrote to ICANN CEO Göran Marby last week to complain that some registrars do not adequately respond to abuse complaints and that ICANN ignores follow-up complaints from government agencies.
She doubled down on the FDA’s previous complaint that ICANN’s inaction may be because it is funded by the industry, but back-pedaled on previous insinuations that ICANN’s leadership were putting their own big salaries ahead of public safety.
The beef started in early June, when an organization called Coalition for a Secure & Transparent Internet — basically a front for the likes of DomainTools and other companies whose business models are threatened by privacy legislation — held a one-sided webinar entitled “The Threat of a Dark WHOIS”.
On that webinar, Daniel Burke, chief of the FDA’s Investigative Services Division, lamented the lack of cooperation his agency gets when requesting private Whois data from “certain” registrars, and pointed to cases where the FDA’s inability to quickly get fake pharma sites, including those related to Covid-19, shut down have led to deaths.
He also said that complaints to ICANN about non-compliant registrars fall on deaf ears, to the point that it no longer bothers complaining, and suggested that ICANN and domain companies are financially incentivized to be uncooperative.
Burke quoted the writer Upton Sinclair: “It is difficult to get a man to understand something when his salary depends on his not understanding it.”
“I have found that’s the case with my interactions with ICANN and certain registries and registrars,” Burke said. “They just don’t want to listen… it’s a money-maker for them right now, it’s not profitable for them to deal with it.”
Marby also “spoke” on the CSTI webinar, but his brief intervention was actually just an out-of-context snippet — the “GDPR is not my fault!” T-shirt speech — taken from a recording of an ICANN webinar back in January and presented — dishonestly in my opinion — as if it had been filmed as a contribution to the CSTI discussion.
His inability to directly respond to Burke live led him to write to the FDA (pdf) a couple of weeks later to dispute some of his claims.
First, Marby said the the FDA does not need to obtain a subpoena to get access to Whois data. Registrars are obliged to respond to “legitimate interest” requests, when balanced against the privacy rights of the registrant, he said. He added:
In a few instances, government agencies have submitted complaints to ICANN Contractual Compliance regarding registrars’ refusal to provide non-public registration data. These agencies were ultimately successful in gaining access to the requested data without having to obtain a subpoena or lawful order.
Second, Marby disputed the financial motivation claims, writing: “ICANN’s leadership’s salaries are in no way tied to or dependent upon domain name registrations.”
Third, he offered a (pretty weak, in my view) defense against the claim that ICANN ignores complaints from government agencies, pointing out: “ICANN is not political and, therefore, takes actions to ensure that the workings of the Internet are not politicized.”
He also pointed out that ICANN operates a system called DNSTICR which monitors reports of DNS abuse related to the pandemic and alerts the relevant registries and registrars.
The problem here is that ICANN’s definition of abuse is pretty narrow and does not extend to web sites that sell industrial bleach as a Covid cure. That would count as “content” and ICANN is not the “content police”.
That’s pretty much what Hermsen says in the latest missive (pdf) in this row.
DNS security threats such as malware and phishing, however, were not what SA Burke was referring to in his presentation. Given the agency’s public health mission, FDA has been working during the pandemic to protect Americans from unproven or fraudulent medical products claiming to treat, cure, prevent, mitigate or diagnose COVID-19…
Given your stated concerns regarding COVID-19-related malware and phishing activity, we trust that you are equally concerned about registrars who may not be following the [Registrar Accreditation Agreement’s] requirements to “investigate” and “respond appropriately” following receipt of notifications about abuse, particularly complaints reporting activity involving COVID-19-related fraud or activity exacerbated the current opioid addiction crisis — especially in light of ICANN’s singular ability to enforce the terms of RAAs.
She also comes back, splitting hairs in my opinion, on the ICANN salaries claim, stating: “SA Burke was not referring to ICANN’s leadership salaries… SA Burke was referring more generally to the substantial source of funding ICANN receives from domain name registries and registrars.”
ICANN has just started work on a Whois Disclosure System that, while pretty weak, may make it slightly easier for government agencies to obtain the data they want.
ICANN names NomCom chairs
ICANN has announced its picks for chair and chair-elect of its influential Nominating Committee, raising questions about the latter role for not the first time.
The board of directors has picked Vanda Scartezini as chair and Amir Qayyum as chair elect, according to a newly published resolution.
It’s the third time in recent years that the previous year’s chair-elect, in this case Damon Ashcraft, has not gone on to become chair, as the ICANN bylaws anticipate.
The bylaws say that the chair-elect, who does not have a vote, is basically an apprentice to the chair who spends a year on the committee to prepare her or him for the big seat. The bylaws also say that the ICANN board can pick another person for chair if it wants to.
In this case, while Scartezini was on the 2022 committee she was not chair-elect.
Something similar happened last year, when the board picked 2021 chair-elect Tracy Hackshaw for chair, then changed its mind two weeks later.
It also caused a controversy in the 2015 cycle when it snubbed Ron Andruff.
The NomCom is responsible for picking several leadership roles in the ICANN community, including three directors per year.
New chair Scartezini is from the At-Large community and Brazil. Qayyum is from the root server community and Pakistan.
ICANN’s top brass get pay raises
ICANN’s CEO and several top executives are to receive pay raises amounting to tens of thousands of dollars.
The Org’s board of directors has approved a 4% raise for Göran Marby and four other of the top brass, with CFO Xavier Calvez getting an extra 4.5%.
The board also approved the payment of Marby’s bonus, but the amount — capped at 30% of his salary — will likely not be disclosed until ICANN files its tax returns.
It’s the fourth year in a row the CEO has received a pay rise.
Last year it was 3% andthe year before’s was 5%, but it was not a unanimous decision of the board. It’s not yet known how this year’s vote broke down.
The other execs receiving a raise of up to 4% are general counsel John Jeffrey, senior VPs Theresa Swinehart and David Olive and CIO Ashwin Rangan. None of them earned less than $450,000 in ICANN’s last tax filings.
The board resolution states that Marby’s salary is still lower than the low end of the 50-75th percentile of comparable industry salaries, though this formula is sometimes criticized for weighing tech industry CEOs in with non-profit CEOs.
New gTLD prep work delayed until December
ICANN has confirmed that the current phase of preparation for the next round of new gTLDs will last six weeks longer than previously expected.
The new deadline for the delivery of the Operational Design Assessment for the project is December 12, almost certainly pushing out board consideration of the document out into 2023.
The extension follows the GNSO’s approval of a new Whois Disclosure System, which will suck Org resources from the new gTLDs ODP as work on both continues in parallel.
ICANN chair Maarten Botterman confirmed the delay yesterday, and the precise length was disclosed by staff in a blog post today. It says in part:
While we’re sharing our best estimate of the impact that the WHOIS Disclosure System design paper work could have on the SubPro ODA in the interest of transparency, rest assured that we are simultaneously moving forward on the ODA and actively seeking ways to streamline and minimize the impact as much as possible.
The updated timetable has been published here.
New gTLDs WILL be delayed by Whois work
The next round of new gTLD applications will be delayed by ICANN’s work on Whois reform, ICANN chair Maarten Botterman confirmed today.
In a letter to his GNSO Council counterpart Philippe Fouquart, Botterman states that the new gTLDs Operational Design Phase, which was due to wrap up in October, will have to proceed with an “extended timeline”.
This is because the GNSO has pushed the concept of a Whois Disclosure System, previously known as SSAD Light and meant to provide the foundations of a system for access private Whois data, and ICANN needs time to design it.
Botterman wrote (pdf):
there is an overlap in org resources with the relevant expertise needed to complete these efforts. As a result, work on the [Whois] design paper will impact existing projects. While SubPro [new gTLDs] ODP work will not stop during this period, we anticipate that an extended timeline will be required to account for the temporary unavailability of resources allocated to the design paper work.
Botterman did not put a length of time to these delays, but previous ICANN estimates have talked about six weeks. GNSO members had worried that this estimate might be a low-ball that could be extended.
ICANN had given the GNSO the option to choose to delay Whois work to complete the SubPro ODP, but it could not come to an agreement on which project was more important, and seemed to resent even being asked.
ICANN backtracks on legal waiver for ICANN 75
ICANN has softened the language in the legal waiver it requires all of its public meeting attendees to agree to.
The waiver for ICANN 75, due to take place in Kuala Lumpur in September, no longer requires you to absolve ICANN from blame if you get sick due to the Org’s own gross negligence.
For last month’s ICANN 74 in The Hague, the waiver stated:
I knowingly and freely assume all risks related to illness and infectious diseases, including but not limited to COVID-19, even if arising from the negligence or fault of ICANN.
The Kuala Lumpur waiver states:
I knowingly and freely assume all risks related to illness and infectious diseases, including but not limited to COVID-19.
So if an infected ICANN staffer spits in the coffee, this time you could probably sue.
The 74 waiver caused a fair few complaints when it first emerged. It was accused of being “excessive” by the CEOs of Blacknight and the Namibian ccTLD registry in a Request for Reconsideration that was eventually dismissed by the ICANN board of directors.
It also caused the At-Large Advisory Committee to issue a withering takedown accusing ICANN of insensitivity and intimidation, which ICANN’s chair brushed off (pdf) a couple weeks ago.
There are other language changes in the new waiver, but none seem to be as significant as ICANN making itself legally bullet-proof.
Kuala Lumpur will have substantially the same Covid-19 precautions as The Hague, which includes mandatory mask-wearing indoors, testing, and social distancing, ICANN has confirmed.
Community tells ICANN to walk and chew gum at the same time
Whois or new gTLDs? Whois or new gTLDs? Whois or new gTLDs?
It’s the question ICANN has been pestering the community with since early May. ICANN can’t work on developing the proposed Whois Disclosure System (formerly known as SSAD) without delaying work on the next round of new gTLDs, Org said, so the community was given a Sophie’s Choice of which of its babies to sacrifice on the altar of failed resource planning.
And now it has its answer: why the heck can’t you do both, and why the heck are you asking us anyway?
GNSO Council chair Philippe Fouquart has written to Maarten Botterman, his counterpart on the ICANN board of directors, to request that Org figure out how to do both Whois and new gTLDs at the same time, and to existing deadlines:
While Council members might differ on which project should take precedence, there is unanimous agreement that the Subsequent Procedures ODP and SSAD development are among the most important tasks before ICANN. Therefore, we urge that every effort should be undertaken by ICANN Org to complete the work in parallel and to meet currently published milestones.
Fouquart goes on (pdf) to puzzle as to why ICANN decided to “inappropriately include the broad community in the minutiae of ICANN operations planning”.
ICANN had told the GNSO that if it wanted the Whois work to kick off, it would add “at least” six weeks of delay to the new gTLDs Operational Design Phase, which is scheduled to wrap up in October.
Naturally enough, folks such as IP lawyers were very keen that ICANN start to do something — anything — to roll back the damage caused by GDPR, while domain-selling companies are anxious that they get more inventory for their virtual shelves.
The public record has always been a bit sketchy on where the resource bottleneck actually is, in an organization with half a billion bucks in the bank, a $140 million operating budget, and around 400 staff.
Maintaining Whois and the expansion of the root zone are, after all, two of the main things ICANN was founded to do, being unable to do both at once could be seen as embarrassing.
But now it has its answer, as unhelpful as it is.
And it only took two months.
ICANN picks comms firm for new gTLDs outreach
The next round of new gTLDs is getting real.
ICANN has selected a communications firm to promote the next round ahead of its launch, and authorized a wedge of cash to pay for it, according to a resolution of the board of directors.
The resolution does not name the firm or the exact amount of money earmarked, because a deal has yet to be signed, but it is worth over $500,000.
In the 2012 round, I believe ICANN worked with long-time PR agency Edelman.
The agency will be responsible for planning the outreach campaign and then executing it over three months ahead of the application window opening, whenever that may be.
The resolution states that ICANN will contract the firm for 50 “instances”, where an instance is a country or industry.
The 2011/2012 outreach campaign came under criticism for not doing enough to entice applications from the global south and emerging economies, something which current ICANN management has said they hope to rectify next time around.
Broker says it will sue after DNS abuse sting operation
The CEO of domain broker VPN.com is threatening to sue an online safety advocacy group after a report was published alleging the company trades in names that could be used for illegal activity.
Michael Gargiulo said he will take action against the Digital Citizens Alliance unless it removes a report that claimed one of the company’s brokers agreed to coordinate the $21,000 purchase of covidvaccinecardsforsale.com, even after being told it would be used for illegal purposes.
“[We] sadly have no choice but to sue the Digital Citizens Alliance, Executive Director Tom Galvin, their Managing Editor, and every John Doe that coordinated this fraud unless this content is removed within 48 hours from now,” Gargiulo said.
The DCA report, entitled “Peddling For Profit — How Website Retailers Enable Bad Actors to Become the Master of Illicit Domains” (pdf), is largely an attempt to highlight how domain registrars don’t vet domains for potentially illegal use before allowing them to be registered.
It’s mostly familiar nonsense, apparently written with a general audience and tabloid headlines, rather than the domain industry or tech industry, in mind.
There’s no attempt to explore the complexities of automatically determining a registrant’s intent at the point of sale and comparing it to the world’s hundreds of legal jurisdictions, it’s mainly just “Woah, GoDaddy let me register untraceablegunsforsale.com!”
Where the report differs from the norm is when it looks at the secondary market, where human beings work with buyer and seller to agree a price and transfer a domain.
With VPN, the DCA reporter posed as the potential buyer of covidvaccinecardsforsale.net and carried out an email conversation with a broker in which it was stated the domain would be used to sell “Covid cards” to “the unvaccinated”, from which one could certainly infer a nefarious purpose.
The VPN broker responded by trying to negotiate the sale of the matching .com for a higher price, the DCA report states. Later, the DCA reporter says he wants to “stay under the radar of the FTC” but VPN’s response, if any, is not reported.
Gargiulo told DI that DCA “posed as a legitimate Buyer on the original inquiry with fraudulent intent, which by their publication admission, is fraudulent and illegal in America.”
The broker in question is from outside the US and “did not understand their [DCA’s] illegal intent” he said.
“In many parts of the world including Europe, Covid cards are used for vaccinated and unvaccinated people,” he said, giving the Netherlands as an example.
“We take this matter very seriously as the characterization of our company is absolutely ridiculous in this document,” he said. “There was little-to-no journalistic integrity to verify the other side of this story by DCA and the transaction never even got remotely close to occurring.”
DCA also attempted to buy buystolencreditcards.com via broker Domain Agents, but after blatantly describing how the name would be used for crime, “the broker canceled the deal.”
DCA, as its name implies, is funded by undisclosed companies in Big Content, Big Pharma, internet security and consumer safety. It’s led by former Verisign PR man Tom Galvin.
“We will let the report speak for itself,” a DCA spokesperson said when asked for comment on the legal threat.
The slow crawl to closed generics at ICANN 74
Last Monday saw the 10th anniversary of Reveal Day, the event in London where ICANN officially revealed the 1,930 new gTLD applications submitted earlier in 2012 to a crowd of excited applicants and media.
Dozens of those applications were for closed generics — where the registry operator is the sole registrant, but the string isn’t a trademark — but now, a decade later, the ICANN community still hasn’t decided what to do about that type of gTLD.
At ICANN 74 last week, the Generic Names Supporting Organization and Governmental Advisory Committee inched closer to agreeing the rules of engagement for forthcoming talks on how closed generics should be regulated.
The GNSO’s working group on new gTLDs — known as SubPro — had failed to come to a consensus on whether closed generics should even be allowed, failing even to agree on whether the status quo was the thousand-year-old earlier GNSO policy recommendations that permitted them or the later GAC-influenced ICANN retconning that banned them.
But ever since SubPro delivered its final report, the GAC has been reminding ICANN of its 2013 Beijing communique advice, which stated: “For strings representing generic terms, exclusive registry access should serve a public interest goal.”
At the time, this amounted to an effective ban, but today it’s become an enabler.
ICANN has for the last several months been coaxing the GNSO and the GAC to the negotiating table to help bring the SubPro stalemate into line with the Beijing communique, and the rules of engagement pretty much guarantee that closed generics will be permitted, as least in principle, in the next application round.
GAC chair Manal Ismail told ICANN (pdf) back in April:
discussion should focus on a compromise to allow closed generics only if they serve a public interest goal and that the two “edge outcomes” (i.e. allowing closed generics without restrictions/limitations, and prohibiting closed generics under any circumstance) are unlikely to achieve consensus, and should therefore be considered out of scope for this dialogue.
Remarkably, the GNSO agreed to these terms with little complaint, essentially allowing the GAC to set at least the fundamentals of the policy.
Last week, talks centered on how these bilateral negotiations — or trilateral, as the At-Large Advisory Committee is now also getting a seat at the table — will be proceed.
The rules of engagement were framed by ICANN (pdf) back in March, with the idea that talks would begin before ICANN 74, a deadline that has clearly been missed.
The GNSO convened a small team of members to consider ICANN’s proposals and issued its report (pdf) last week, which now seems to have been agreed upon by the Council.
Both GNSO and GAC are keen that the talks will be facilitated by an independent, non-conflicted, knowledgeable expert, and have conceded that they may have to hire a professional facilitator from outside the community.
That person hasn’t been picked yet, and until he/she has taken their seat no talks are going to happen.
ICANN said a few months ago that it did not expect the closed generics issue to delay the SubPro Operational Design Phase, which is scheduled to wind up in October, but the longer the GAC, GNSO and ICANN dawdle, the more likely that becomes.
All that has to happen is for a group of 14-16 community members to agree on what “public interest” means, and that should be easy, right? Right?






Recent Comments