Latest news of the domain name industry

Will ICANN swap Hamburg for Zoom for 69?

Kevin Murphy, June 8, 2020, Domain Policy

ICANN’s board of directors is meeting this week to discuss arrangements for ICANN 69, and I think there’s a reasonable chance it will decide to take the meeting online-only.

The last official word from ICANN was that it is working on the assumption that normality will have resumed by September, and that October’s meeting could go ahead in Hamburg, Germany as planned.

But will it?

Current German coronavirus-related travel restrictions, which have been in place since March, forbid non-citizen incoming travelers from pretty much anywhere, even elsewhere in the EU.

Some travelers are being asked to self-quarantine for 14 days upon entry, which is obviously impractical for conference travel.

However, Germany is loosening its rules next week for EU travelers and will treat countries on a case-by-case basis, based on how many infections they’re recording at the time.

Americans will still not be allowed to travel to Germany and there’s no word on when the ban will be lifted.

German guidelines also currently prohibit any large gatherings of people, including conferences, until at least the end of August.

ICANN’s obviously going to have to do a bit of crystal ball-gazing, to guess whether business travel is going to be safe and permitted in October.

It’s also going to have to guess whether a large enough number of people will actually want to attend to make an in-person meeting worthwhile.

With many medical experts predicting a third-quarter resurgence of the pandemic, the so-called “second wave”, inviting guests from every continent to gather in the same room might be seen as risky.

Conferences in other industries that had been due to take place in Germany in October have been canceled or postponed.

Notably, Oktoberfest in Munich (which starts in September but runs into October) is not going ahead this year, but I’ve found examples of conventions in publishing, gaming and catering sectors that have also been canceled.

However, some events due to take place in March and April have been postponed UNTIL October, suggesting a level of confidence that the virus will be low-risk by that time.

Top-level reshuffle as ICANN loses its COO

Kevin Murphy, June 4, 2020, Domain Policy

ICANN today announced a series of organizational changes at the highest level of management after its COO decided to quit.

Susanna Bennett, senior veep and chief operations officer, will leave July 1 for pastures new after seven years on the job, and her role will be split between other senior figures.

ICANN also said today that Theresa Swinehart has been appointed head of the Global Domains Division, a role she’s been filling on an interim basis since Cyrus Namazi quit a few months back.

She’s also senior VP of multistakeholder strategy and strategic initiatives and CEO Göran Marby’s co-deputy. She’ll be keeping both of those jobs too.

In terms of ops, Bennett’s functions will be split between CFO Xavier Calvez, senior VP of HR Gina Villavicencio, and general counsel John Jeffrey. Calvez will also take on some of the MSSI responsibilities previously held by Swinehart.

The fact that Bennett and Namazi, who together were compensated to the tune of $860,000 in ICANN’s fiscal 2019, had functions that can be easily redistributed among other staffers does rather beg the question of whether ICANN has been spending domain registrants’ money as efficiently as possible.

Still, the rejigger will presumably be welcomed by those who believe that ICANN has in recent years become overly bloated and bureaucratic.

ICANN recently slashed its FY21 budget by 8% due to the expected impact of the coronavirus-related recessions.

Is ICANN chickening out of Whois access role?

Kevin Murphy, May 26, 2020, Domain Policy

As talks over a centralized system for Whois access enter their eleventh hour, confusion has been sown over whether ICANN still wants to play ball.

The ICANN working group tasked with creating a “unified access model” for Whois data, currently rendered private by the GDPR privacy law, was forced last week to ask ICANN’s board of directors three blunt questions about how it sees its future role.

The group has been working for two years on a system of Whois access based around a central gateway for requests, which could be made only by those given credentials by an accreditation authority, which would also be able to revoke access rights if abused.

The proposed model as a whole has come to be known as SSAD, for System for Standardized Access/Disclosure.

The assumption has been that ICANN would act in these roles, either hands-on or by subcontracting the functions out to third parties, largely because ICANN has given every indication that it would and is arguably the inventor of the concept.

But that assumption was thrown into doubt last Thursday, during a working group teleconference, when ICANN board liaison Chris Disspain worried aloud that the group may be pushing ICANN into areas beyond its remit.

Disspain said he was “increasingly uncomfortable with the stretching of ICANN’s mandate”, and that there was no guarantee that the board would approve a policy that appeared to push it outside the boundaries of its mission statement and bylaws.

“While it may be convenient and it might seem to solve the problem to say ‘Well, let ICANN do it’, I don’t think anyone should assume that ICANN will,” he said.

He stressed that he was speaking in his personal capacity rather than on behalf of the board, but added that he was speaking based on his over eight years of experience on the board.

He spoke within the context of a discussion about how Whois access accreditation could be revoked in the event that the user abused their privileges, and whether an ICANN department such as Compliance should be responsible.

Several working group members expressed surprise at his remarks, with Milton Mueller of the Non-Commercial Stakeholders Group later calling it “a sudden and rather suspicious departure from nearly two years of ICANN Org statements and activities”.

The confusion comes at a critical juncture for the working group, which has to wrap up its work before chair Janis Karklins quits on June 30.

Karklins wrote to the board late last week to ask:

If SSAD becomes an adopted consensus policy, would ICANN Org will perform the Accreditation Authority function?

If SSAD becomes an adopted consensus policy, would ICANN Org will perform the central Gateway function?

If SSAD becomes an adopted consensus policy, would ICANN Org enforces compliance of SSAD users and involved parties with its consensus policy?

It’s a kinda important set of questions, but there’s no guarantee ICANN will provide straight answers.

When the working group, known as the EPDP, wraps up, the policy will go to the GNSO Council for approval before it goes to the board.

Irony alert! Data protection agency complains it can’t get access to private Whois data

Kevin Murphy, May 26, 2020, Domain Policy

A European data protection authority has complained to ICANN after a registrar refused to hand over one of its customers’ private Whois records, citing the GDPR data protection regulation, according to ICANN.

Compounding the irony, the DPA wanted the data as part of its probe into an alleged GDPR violation at the domain in question.

This is the frankly hilarious scenario outlined in a letter (pdf) from ICANN boss Göran Marby to Andrea Jelinek, chair of the European Data Protection Board, last week.

Since May 2018, registrars and registries have been obliged under ICANN rules to redact all personally identifiable information from public Whois records, because of the EU’s General Data Protection Regulation.

This has irked the likes of law enforcement and intellectual property owners, who have found it increasingly difficult to discover the identities of suspected bad actors such as fraudsters and cybersquatters.

Registrars are still obliged to hand over data upon request in certain circumstances, but the rules are vague, requiring a judgement call:

Registry and Registrar MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.

While an ICANN working group has been attempting to come up with a clearer-cut set of guidelines, administered by a central body, this so-called SSAD (System for Standardized Access/Disclosure) has yet to come to fruition.

So when an unidentified European DPA recently asked a similarly unidentified non-EU registrar for the Whois data of somebody they suspected of GDPR violations, the registrar told it to get stuffed.

It told the DPA it would “not act against a domain name without any clear and unambiguous evidence for the fraudulent behavior” and said it would respond to legal requests in its own jurisdiction, according to ICANN.

The DPA complained to ICANN, and now ICANN is using that complaint to shame the EDPB into getting off the fence and providing some much-needed clarity about when registrars can declassify Whois data without breaking the law.

Marby wrote that registrars are having to apply their “subjective judgment and discretion” and will most often come down on the side of registrants in order to reduce their GDPR risk. He wrote:

ICANN org would respectfully suggest to the EDPB that a more explicit recognition of the importance of certain legitimate interests, including the relevance of public interests, combined with clearer guidelines on balancing, could address these problems.

ICANN org would respectfully suggest to the EDPB to consider issuing additional specific guidance on this topic to ensure that entities with a legitimate interest in obtaining access to non-public gTLD registration data are able to do so. Guidance would in particular be appreciated on how to balance legitimate interests in access to data with the interests of the data subject concerned

ICANN and the EDPB have been communicating about this issue for a couple of years now, with ICANN looking for some clarity on this largely untested area of law, but the EDPB’s responses to date have been pretty vague and unhelpful, almost as if it doesn’t know what the hell it’s doing either.

Will this latest example of the unintended consequences of GDPR give the Board the kick up the bum it needs to start talking in specifics? We’ll have to wait and see.

Spring Break redux! ICANN picks Cancun for 2023 meeting

Kevin Murphy, May 13, 2020, Domain Policy

Having had its plans for a public meeting in Cancun, Mexico concurrent with Spring Break nixed by the nasty coronavirus this March, ICANN has decided to try again not once but twice.

Not only is it planning to hold its Community Forum there next year, but its board of directors has just voted to return in 2023 also, in a meeting that will run from March 11 to 16.

It will be ICANN 76. But the location of ICANN 75, scheduled for September 2022, is still a mystery. The board has authorized negotiations with the proposed venue(s) but has redacted any clues as to where it might be.

We don’t even know which of ICANN’s five rotating geographic regions it will be in, though Asia-Pac seems most likely, given that its last physical meeting there was in March 2019.

After Zoom trolling, ICANN 68 will be password-protected

Kevin Murphy, May 6, 2020, Domain Policy

If you want to show up to ICANN 68, which will be held online next month, you’re going to need a password.

ICANN said this week that it’s updating its Zoom software and standard configuration to require passwords. In a blog post outlining a number of changes to its Zoom instance, ICANN said:

The most impactful change is the new requirement that all meetings be secured with a password. This is the first step recommended by security professionals to keep meetings secure, and one which we had largely adopted org-wide prior to making it a requirement for all. We will make another announcement in the coming weeks regarding how this may impact joining meetings during ICANN68, as we work towards the best overall solution.

Quite how this could work while maintaining the usual openness of ICANN’s public meetings — which have always been free to attend basically anonymously — remains to be seen.

At ICANN 67, Zoom sessions that were open to the public simply required you to enter a name. Any name. At in-person public meetings, I don’t think you even need to show ID to get a hall pass.

The changes come in the wake of a “Zoombombing” incident during a minor meeting in March, during which trolls showed up via a publicly-posted link and flooded the session with “inappropriate and offensive” audio and imagery.

ICANN whistleblower expects to be fired after alleging budget irregularities, bugged meetings

Kevin Murphy, May 6, 2020, Domain Policy

The chair of ICANN’s highly influential Nominating Committee expects to lose his seat after turning whistleblower to expose what he says are budgetary irregularities and process failures that could have altered the outcome of ICANN’s board-selection process.

In a remarkable March 25 letter, Jay Sudowski even accuses ICANN of secretly recording and transcribing NomCom’s confidential deliberations.

The NomCom is the secretive committee responsible for selecting people to fill major policy-making roles at ICANN, including eight members of its board of directors. It’s made up of people drawn from all areas of the community.

Because its role is essentially to conduct job interviews with board hopefuls, it’s one of the few areas of the ICANN community whose conversations are almost entirely held in private.

But Sudowski is attempting to shine a little light on what’s going on behind the scenes by filing a broad and deep request under the Documentary Information Disclosure Policy, which is ICANN’s equivalent of a freedom of information law.

In it, he accuses ICANN Org of some fairly serious stuff.

First, he claims ICANN is fudging its budget by over-reporting how many full-time equivalent (FTE) staff members are involved in NomCom work, and by denying requests for “trivial” reimbursements of as little as $47 even as NomCom cuts costs by moving to a remote-only working model.

ICANN grants NomCom a FY20 budget of $900,000, of which $600,000 is allocated to “personnel costs” related to three FTEs.

“Nowhere near 3 FTEs are allocated to NomCom. Where is this money going?” Sudowski asks, demanding under the DIDP to see records of how much ICANN actually spent supporting NomCom’s work over the last five years.

He also claims that the NomCom process may have been compromised by allowing non-voting members to participate in decision-making meetings during the 2017 cycle, writing:

ICANN Org potentially allowed the NomCom to violate ICANN Bylaws by allowing nonvoting members of the NomCom to participate in outcome determinate components of the assessment and selection process that may have fundamentally alerted [I believe this is a typo for “altered”] the outcome of the 2017 NomCom process.

The non-voting members of the NomCom are the board-appointed chair and chair-elect, as well as appointees from the Root Server System Advisory Committee, Security and Stability Advisory Committee and Governmental Advisory Committee.

The board members appointed by NomCom in 2017 were Avri Doria and Sarah Deutsch. NomCom also picked members of the GNSO Council, ccNSO Council and At-Large Advisory Committee.

Sudowski, whose day job is running a data center company in Colorado, further claims that the ICANN board has been instructed by the Org to refuse to communicate with NomCom members.

“In recent years, ICANN Org has secretly recorded and transcribed confidential deliberations of the NomCom,” he adds.

He wants evidence of all of this to be released under the DIDP, under a nine-point list of documentation requests.

It’s unfortunate that I am forced to make this request in such a public manner, but when there is controversy over a $47 expense to support a NomCom member, I can only come to the conclusion that ICANN Org is unable and unwilling to provide necessary “administrative and operational support” for the NomCom.

He also expects retribution:

I also expect that the Board, which has been instructed to not communicate with me, will remove me from my role as Chair of the NomCom, given the nature of the concerns noted in this letter. Frankly, if this comes to pass, my removal is a clear and direct attack on the autonomy and authority of the entire NomCom.

So far, his request has not been answered.

Under the DIDP, ICANN has a maximum of 30 days to reply to such requests. In reality, this has always been treated as a minimum, with both request and response typically published on the same day, exactly 30 days after the original filing.

Its responses are typically links to information already in the public record and a list of excuses why no more info will be released.

But so far, neither request nor response has been published in the usual place, 42 days after Sudowski sent his letter. ICANN has missed its deadline by almost two weeks.

The only reason the DIDP (pdf) is in the public domain at all is that Sudowski copied it to the mailing list of the Empowered Community, ICANN’s community-based oversight body. Thanks to George Kirikos for posting the link to Twitter last week.

It is a pretty extensive request for information, that presumably would take some time to collate, so I’d be hesitant to cry “cover-up” just yet.

But the fact that the request exists at all serves to highlight the shocking lack of trust between ICANN and one of its most powerful committees.

UPDATE: Sudowski has said that his request was withdrawn. There’s no particular reason it could not be refiled by somebody else, however, as DIDP is open to all.

Domain industry likely to suffer from coronavirus as ICANN slashes budget by 8%

Kevin Murphy, April 28, 2020, Domain Policy

ICANN is predicting a miserable time for the domain name industry due to the coronavirus pandemic, today announcing that it’s slashing its revenue outlook for the next year by 8%.

The organization expects to receive revenue of $129.3 million for the fiscal year beginning July 1. That’s $11.1 million lower than its previous estimate, which was made in December.

ICANN’s budget is based on projections based on previous industry performance and its accountants’ conversations with registries and registrars, so this is another way of saying that it expects the industry to suffer due to the pandemic.

ICANN said in its newly revised budget:

ICANN org funding may be impacted because the economic crisis stemming from the pandemic has the potential to impact the funding from domain name registrations and contracted parties through the end of FY20 and into the first months of FY21. ICANN org also anticipates there may be long-lasting effects of such impacts. At the time this document is published, the impact cannot yet be quantified.

The drill-down is not great, showing that ICANN expects registries and registrars in both legacy and new gTLDs to be hit.

New gTLDs are predicted to be hit hardest, with revenue from registry transaction fees dropping by a full 33% from its FY20 forecast. That’s a drop from $6.7 million to $4.5 million.

Extrapolating from its $0.25 registry fee, that means ICANN thinks there will be 8.8 million fewer billable transactions — registrations, renewals and transfers in new gTLDs with over 50,000 names — for the year ending June 30, 2021.

Expected revenue from registrars selling new gTLDs has also been slashed by a third, down from $5.3 million this year to $3.5 million next year.

Legacy gTLDs are expected to fare a little better.

ICANN predicts transaction revenue from legacy gTLDs to decrease over the period, down to $47.7 million in FY21 from $49 million in FY20. Registrars selling legacy gTLDs are expected to bring in revenue of $29.7 million, down from $33.3 million.

That also represents shrinkage measured in the millions of domains.

It gets worse. ICANN is also expecting the number of registries and registrars to decrease even faster over the course of the next year.

It thinks it will end June with 1,174 fee-paying registries, but for this to decrease by 62 in FY21. It decreased by 29 in FY20. Many of these will probably be unused dot-brands having their contracts cancelled.

On the registrar side, it expects to lose 380 accreditations in FY21, compared to a loss of 104 this fiscal year, to end FY21 with 1,977 registrars.

ICANN does not expect its voluntary contributions from ccTLDs and Regional Internet Registries to decrease, but it does expect to lose a few hundred thousand bucks from the absence of sponsorship of its in-person meetings.

This overall predicted decrease in funding has led to a matching decrease in planned expenditure, with ICANN saying it will operate with “increased prudence, frugality, and with heightened conditions of necessity”.

It’s going to save 20% less on travel — $12.4 million — due to coronavirus-related restrictions, but seems to still be planning to take the industry to Hamburg in October for ICANN 69 (even though Munich has cancelled Oktoberfest this year).

ICANN also plans to delay some projects and to reduce its average headcount by 15 to 395.

The lower budget projections come even as some registries — including CentralNic, which looks after some very large new gTLDs — have said they expect the financial impact of coronavirus to be minimal.

The revised budget is published here and ICANN’s board may approve it as early as next week.

ICANN meeting got “Zoombombed” with offensive material

Kevin Murphy, April 27, 2020, Domain Policy

An ICANN meeting held over the Zoom conferencing service got “Zoombombed” by trolls last month.

According to the organization, two trolls entered an ICANN 67 roundup session for Spanish and Portuguese speakers on March 27 and “shared inappropriate and offensive audio and one still image” with the legitimate participants.

The session was not password protected (rightly) but the room had (wrongly) not been configured to mute participants or disable screen-sharing, which enabled the offensive material to be shared.

The trolls were quickly kicked and the loopholes closed, ICANN said in its incident report.

ICANN appears to have purged the meeting entirely from its calendar and there does not appear to be an archive or recording, so I sadly can’t share with you the gist of the shared content.

Zoombombing has become an increasingly common prank recently, as the platform sees many more users due to the coronavirus-related lockdowns worldwide.

As ICANN meets to decide .org’s fate, California AG says billion-dollar deal must be rejected

Kevin Murphy, April 16, 2020, Domain Policy

California Attorney General Xavier Becerra has urged ICANN to deny approval of Ethos Capital’s $1.13 billion acquisition of .org manager Public Interest Registry.

The call came in a letter (pdf) dated yesterday, just a day before ICANN’s board of directors was scheduled to meet to discuss the deal.

Becerra, who started looking into the deal in late January, wrote, right out of the gate:

I urge ICANN to reject the transfer of control over the .ORG registry to Ethos Capital. The proposed transfer raises serious concerns that cannot be overlooked.

Chief among his concerns is the fact that ICANN originally granted PIR the right to run .org largely because it was a non-profit with a commitment to serve non-profits. He wrote:

If, as proposed, Ethos Capital is permitted to purchase PIR, it will no longer have the unique characteristics that ICANN valued at the time that it selected PIR as the nonprofit to be responsible for the .ORG registry. In effect, what is at stake is the transfer of the world’s second largest registry to a for-profit private equity firm that, by design, exists to profit from millions of nonprofit and non-commercial organizations

He’s also bothered about the lack of transparency about who Ethos is and what its plans are. The proposed new owners of PIR are hidden behind a complex hierarchy of dummy LLCs, and Ethos has so far refused to name its money men or to specify what additional services it might offer to boost its revenue.

Becerra also doesn’t buy the business plan, which would see PIR required to pay off a $300 million loan and, as a newly converted for-profit entity, start paying taxes.

He’s particularly scathing about the fact that ICANN approved the removal of PIR’s price caps last year despite receiving over 3,000 public comments opposing the changes and only half a dozen in favor.

“There is mounting concern that ICANN is no longer responsive to the needs of its stakeholders,” he writes.

Despite saying he “will take whatever action necessary to protect Californians and the nonprofit community”, Becerra does not specify what remedies are available to him.

But it looks like ICANN faces the risk of legal action no matter which way its board of directors votes (or voted) today.

Its current deadline to make a decision is April 20.