ICANN told to ban .bank or get sued

A major financial services lobby group has threatened to sue ICANN unless it puts strict limitations on “.bank” top-level domains.
BITS, the technology policy arm of the Financial Services Roundtable, said financial domains should be banned from the first round of new TLDs, until rules governing security are developed.
In a November 4 letter to ICANN chief executive Rod Beckstrom, BITS said:

If these critical issues are not fully resolved and ICANN chooses not to defer financial TLD delegation, BITS, its members and its partners are prepared to employ all available legislative, regulatory, administrative and judicial mechanisms.

BITS counts all the major US banks among its membership, as well as many large insurance companies and share-trading services.
The organization is concerned that TLDs such as .bank could lead to consumer confusion and an increase in fraud online if delegated into the wrong hands.
While BITS said that it “prefer[s] a prudent solution”, it has threatened to file “legal complaints in one or more jurisdictions” and to lobby the US Congress for legislation.
It noted that ICANN’s IANA contract, which gives it the power to create new TLDs, expires next August, and said that it may lobby Congress for legislation mandating better security as a condition of the renewal.
BITS and other financial groups have already written to members of Congress, in September, expressing disappointment with the absence of a high-security TLD policy from ICANN and adding:

In recognition of the need for higher levels of security and stability in financial services gTLDs than in gTLDs generally, we urge you to support inclusion of language in cyber security legislation language that prevents ICANN from adding financial services gTLDs to the root zone unless the IANA contract specifies higher levels of security for such gTLDs.

The Federal Deposit Insurance Corporation, the US government body responsible for insuring banks, has also written to the Department of Commerce, expressing its concerns about the possible introduction of a .bank TLD.
Currently, I’m not aware of any public initiative to apply for .bank, but it’s possible that restrictions on financial services TLDs could capture the recently launched German “.insurance” project.
The BITS correspondence was published (pdf) as an attachment to an ongoing Reconsideration Request lodged by Michael Palage, chair of the High Security Top Level Domain Verification Program Advisory Group.
The HSTLD group has been working on a set of technological policy specifications for registries managing high-security TLDs.
Palage is annoyed that ICANN’s board seems to have distanced itself from the HSTLD concept before the group has even finished its work, by resolving in September that:

ICANN will not endorse or govern the program, and does not wish to be liable for issues arising from the use or non-use of the standard.

The HSTLD group, by contrast, has a “clear majority in support of ICANN retaining a continued oversight role”, according to Palage. He wrote:

The ICANN Board’s unilateral actions also have a chilling effect on future bottom up consensus efforts because participants have no basis to know when the ICANN Board will take such unilateral actions in the future.

He’s not alone in worrying about recent top-level ICANN decisions that appear to put corporate legal liability ahead of the wishes of the community. I reported on the issue last week.

Go Daddy objects to numeric .tel domains

Go Daddy has objected to Telnic’s plan to start selling numeric .tel domain names, saying that it, among other things, “smells a lot like gaming”.
Telnic applied to ICANN last month to revise its registry contract to enable it to start selling domains containing numbers and hyphens.
I speculated a month ago that the International Telecommunications Union might object to the proposal, for reasons I explained in some depth.
(Briefly, Telnic won the .tel sponsored TLD partly because it promised for years not to enable domains that could look like phone numbers.)
But the ITU had nothing to say, at least in terms of the ICANN public comment period.
Go Daddy’s Tim Ruiz did object last Saturday on related grounds, telling ICANN:

We believe that this request cannot be granted without requiring the rebidding of the .tel sTLD itself. It is unfair to other applicants and potential applicants to allow an sTLD to change its purpose after the fact.
…
Since community, purpose, and use were such important aspects of the sTLD allocation decisions it seems inappropriate, fundamentally unfair, and even smells a lot like gaming, to allow an sTLD to change those aspects without an opportunity for others to bid competitively.

In response to Ruiz’s letter, Telnic chief executive Khashayar Mahdavi wrote to ICANN:

The restriction on all-numeric strings has nothing to do with the nature of .tel and was instead a measure put in place to address initial concerns about potential conflicts with ENUM… We believe time and the growing understanding of the .tel technology have proven such a conflict does not exist.

ENUM is a protocol for addressing voice services using the DNS. It uses dots between each individual digit of a phone number, which would be specifically disallowed under Telnic’s plans.
Mahdavi also expressed confusion as to why Go Daddy bothered to object – it is not currently a registry, it does not carry .tel domains and it will presumably not be affected by the relaxation of the .tel rules.
Is it possible the registrar is taking a principled stance?
Ruiz also noted:

We believe that certain other recent requests under the guise of the RSEP [Registry Services Evaluation Process] by sTLDs were also likely inappropriate for similar reasons

He didn’t specify which sTLDs he was talking about. Without wishing to put words into his mouth, I can think of at least one that fits the description.
The Telnic proposal has already passed ICANN’s staff evaluation. I expect it could come before the board next month at its Cartagena meeting.
In separate news, Telnic’s less-controversial proposal to start selling one and two-character .tel domains has now passed its ICANN evaluation (pdf).

How “final” is the new TLD guidebook?

Many would-be new top-level domain registries were pleasantly surprised a week ago when ICANN published the latest Applicant Guidebook and referred to it as the “proposed final” version.
But it was pretty clear, even on a cursory reading, that the AGB is far from complete; in some cases, text is explicitly referred to as being subject to further revision.
There’s also a public comment period ongoing, providing feedback some of which will presumably be taken on board by ICANN at its Cartagena meeting next month.
But ICANN has now provided a little bit more clarity on how “final” the “proposed final” AGB really is.
Senior veep Kurt Pritz, ICANN’s point man on the new TLD program, had this to say on Thursday’s teleconference of the GNSO Council:

There are always going to be changes to the guidebook. And so, even though this is the proposed final guidebook, we’re doing some final work on trying to find areas of accommodation with the Recommendation 6 working group and making some changes there, and working through perhaps a registry code of conduct; there are perhaps some issues with data protection there.
If folks want to consider this as final it will have to be with the understanding that the guidebook will always be changing, but having an understanding that those changes really don’t materially change the positions of applicants or the decisions of whether or not to go ahead and apply or the resources necessary to apply or sustain registry operations.

I reported on some of the issues with the Rec 6 working group, which is dealing with the “morality an public order objections” process, earlier this week.
The registry code of conduct, which sets limits on what data can be shared in co-owned registries/registrars, was new in the latest AGB draft. It looks to me like the kind of thing you’d normally expect to be debated for many months before being accepted.
But apparently future changes to these parts of the guidebook will not be substantive enough to change potential applicants’ plans.
Pritz said on the GNSO call that the current public comment period, which ends on the day of the Cartagena board meeting, could be thought of as similar to the comment periods that precede votes on ICANN’s budget.
In those cases, the board votes to approve the budget subject to changes based on public comments in advance of those changes being made.
It seems to me that the board’s options in Cartagena are to a) approve the AGB, b) approve it subject to directed changes (the “budget” scenario), or c) delay approval pending further community work.
I’m guessing option b) is the preferred outcome, but there’s no predicting what surprises could emerge over the next few weeks.

Sponsor stonewalls .jobs critics

The sponsor of the .jobs top-level domain appears to be giving opponents including Monster.com a hard time as they continue to challenge the liberalization of the domain.
In its most recent ICANN filing (pdf), the Society for Human Resource Management said it does not want to meet with the .JOBS Charter Compliance Coalition and ICANN to help resolve their differences.
Last week, SHRM declined to given ICANN a straight answer when it asked whether jobs sites like Monster.com will be able to register domains under the new .jobs rules.
The Coalition of jobs sites was assembled to oppose the “Phased Allocation Program”, which allows .jobs registry Employ Media to allocate thousands of premium geographic and vocational domains to its partners.
While the program has already been approved by ICANN’s board, the Coalition has filed a Reconsideration Request appeal in an attempt to get the ruling overturned.
This week, Coalition lawyer Becky Burr sent a letter (pdf) to ICANN asking for a face-to-face meeting with representatives of ICANN, the Coalition, Employ Media and SHRM.
In response, SHRM general counsel Henry Hart said the organization “does not believe that it should participate in such a meeting.”
Last week, SHRM threw its full support behind Employ Media, tersely responding (pdf) to a list of ICANN’s questions relating to the registry’s plans for the domain.
ICANN’s reconsideration committee wanted to know whether the allocation program violated the .jobs charter by allowing registrants from outside the human resources community.
SHRM said it did not, but it did confirm that it does expect .jobs – which has so far been reserved for companies to list their own job vacancies – to be used in future for aggregated jobs sites operated by Employ Media.

Did the SHRM PD Council intend to enable the Registry (Employ Media) to register domain names in the .JOBS sTLD for the purpose of allowing third-party job postings on those sites? If so, please explain how this consistent with the .JOBS Charter.
Yes. The PD Council concluded, based on input from the Community, that this would serve the needs of the international human resource management community.

But when ICANN asked whether this means Monster.com, for example, would qualify, SHRM response was more vague.

Are independent job site operators (such as Monster.com) engaged in “human resources management” for the purpose of the definition set forth in the .JOBS Charter if the job site operator is advertising for jobs outside its own organization?
Independent job site operators provide a highly valued service to the international human resource management community.

The Coalition, in Burr’s letter, said the answers “simply ignore the responses sought by the direct questions of the [Board Governance Committee”.
Hart disputed this characterization of the answers.
Employ Media plans to allocate premium domains at first via an RFP process. It’s believed that the DirectEmployers Association is set to receive the lion’s share of the good domains for its universe.jobs plan.

Some new TLDs will have traffic from day one

Some non-existent top-level domains already receive so much traffic that they would risk being overwhelmed if delegated under ICANN’s new TLD program.
That’s one of the takeaways from a new report from ICANN’s Security and Stability Advisory Committee, published this week (pdf).
Amazingly, the SSAC found that the top 10 non-existent TLDs already account for a whopping 10% of traffic at the DNS root servers, with some strings receiving many millions of lookups every day.
Over a quarter of the TLD resolutions handled by the roots result in errors, it found.
Most of these invalid lookups are the result of configuration errors on networking gear.
The word “local” is responsible for about 5% of all TLD lookups, the report says. The terms “corp”, “lan”, “home” and “belkin” also account for big slices of traffic.
This presents potentially serious security problems, as you might imagine.
Imagine that “.lan” is approved as a TLD. Previously unresolveable domains would start working, and badly configured gear could start sending private LAN data out into the cloud.
It would also put an big load on the .lan TLD operator from day one.
The SSAC said:

The .lan TLD registry operator – and generally, any TLD registry operator that chooses a string that has been queried with meaningful frequency at the root – potentially inherits millions of queries per day. These queries represent data that can be mined or utilized by the registry operator.

The report recommends that ICANN add certain highly trafficked strings from to its list of prohibited TLDs, and also that it warns applicants for TLDs that already have traffic.

We recommend that ICANN inform new TLD applicants of the problems that can arise when a previously seen string is added to the root zone as a TLD label and that ICANN should coordinate with the community to identify principles that can serve as the basis for prohibiting the delegation of strings that may introduce security or stability problems at the root level of the DNS.

If endorsed by ICANN, the recommendation could make TLDs such as .home, .corp and .local verboten. It could also present Belkin with a problem if it planned to apply for a “.brand”.
(UPDATE: .local is actually already on the reserved list)

Was this the first-ever .uk domain?

Last night I attended a party, held by Nominet at the swanky Somerset House in London, celebrating 25 years of .uk.
During opening remarks, chief executive Lesley Cowley said that Nominet still hasn’t tracked down the first-ever registered .uk domain name. I reported on this for The Register a couple of weeks ago.
After doing a little digging, I think I may have a strong contender.
ucl.ac.uk
This is the domain for University College London. There are a few reasons to believe ucl.ac.uk could lay claim to be the “first” .uk domain.
It’s well known that the .uk namespace predates Nominet by over a decade. Before Nominet was formed, registrations were handled by a Naming Committee.
According to the Milton Mueller book “Ruling The Root“, and various other sources, the .uk top-level domain was originally delegated to UCL’s Andrew McDowell. This probably happened in 1984.
Digging through some old mailing list archives, I’ve found McDowell making references to running ucl.ac.uk and cambridge.ac.uk, albeit on a test basis, as early as June 1985.
The namedroppers mailing list back then was used by academics to test their newfangled domain name system, so it’s a good place to look for firsts. I’ve mentioned it before, in this blog’s inaugural post.
In one message sent to namedroppers on June 24, 1985, McDowell writes about running .uk, ucl.ac.uk and cambridge.ac.uk on his test-only name servers. The email was sent from a .arpa address.
On July 4, 1985, he sent his first email to the list from a ucl.ac.uk email address, which suggests that the domain was up and running at that time.
That’s 20 days before .uk was delegated, according to the official IANA record.
For this reason I think ucl.ac.uk may have a strong claim to be the first .uk domain.
However, it’s possible the reality may be rather less exciting (yes, even less exciting than something already not particularly exciting).
Anonymous Coward comments posted on The Register are perhaps not the most reliable source of information, but this guy seems to know what he’s talking about:

I believe .uk was the third top level domain to be established after .edu and .us. This predated dns and would have been in 1982 or 3.
.uk was run with a hosts.txt file and the first sub-domains being either ucl or mod.
dns came in in 85 or 86 and the first sub-domains in that were copied from the UK NRS from the X.25 world (ac.uk, co.uk and mod.uk) so there probably wasn’t a first dns sub-domain for uk.
This work was done by UCL CS and at least 2 people directly involved are still there.

If that is to be believed, it looks like there may have been a “first batch” of .uk names that were put into the DNS, rather than a single domain name.
However, given that UCL was managing the system at the time, I’d hazard a guess that ucl.ac.uk was probably the first to be used.

Vertical integration was not a slam dunk

Two members of ICANN’s board voted against the decision to allow registrars and registries to own each other, according to a preliminary report from its November 5 meeting.
The decision was a surprise when it was announced last week, as it was diametrically opposed to the board’s previous stance essentially opposing vertical integration.
The new position, already incorporated in the Applicant Guidebook, allows registrars to apply to run new top-level domains, subject to a code of conduct.
From the board of directors’ meeting report:

Eleven Board members voted in favor of the Resolution. Two Board members were opposed to the Resolution. Two Board members did not participate in the discussion or the vote on the Resolution due to conflicts of interest. The Resolution carried.

I believe Bruce Tonkin was one of the people who recused themselves from the vote. I’m not certain who the other was.
We won’t discover who the dissenting opinions belonged to, or what they were, until the minutes are published, probably not long after the Cartagena meeting next month.

Is ICANN too scared of lawsuits?

Arguments about the new top-level domain Applicant Guidebook kicked off with a jolt this week, when ICANN was accused of abdicating its responsibilities and being too risk-averse.
In what I think was the first case of a top ICANN staff member publicly discussing the AGB, senior veep Kurt Pritz fielded questions about “morality and public order objections” on a packed and occasionally passionate conference call (mp3).
On the call, Robin Gross of IPJustice accused ICANN’s of shirking its duties by proposing to “fob off” decisions on whether to reject controversial TLDs onto third-party experts.
She said:

I’m concerned that there’s a new policy goal – a new primary policy goal – which is the risk mitigation strategy for ICANN. I don’t remember us ever deciding that that was going to be a policy goal. But it seems that now what is in the best interest for the Internet is irrelevant. The policy goal that rules is what is in the best interest for ICANN the corporation

A cross-constituency working group (CWG) had said that controversial TLDs should be rejected only after a final nod from the ICANN board, rather than leaving the decision entirely in the hands of outside dispute resolution providers.
There was a concern that third parties would be less accountable than the ICANN board, and possibly more open to abuse or capture.
But ICANN rejected that recommendation, and others, on “risk mitigation” grounds. Explanatory notes accompanying the new AGB (pdf) say:

Independent dispute resolution is a cornerstone of the risk mitigation strategy. Without outside dispute resolution, ICANN would have to re-evaluate risks and program costs overall.

Almost a third of every new TLD application fee – $60,000 of every $185,000 – will go into a pool set aside for ICANN’s “risk costs”.
These costs were based on an estimate that there will be 500 applications, and that ICANN will need $30 million to cover risks.
These are often thought to be primarily risks relating to litigation.
There’s a fear, I suspect, that ICANN could become embroiled in more interminable .xxx-style disputes if it allows the board to make subjective calls on TLD applications, rather than hiring independent experts to make decisions based on uniform criteria.
On Monday’s conference call, Gross said that ICANN’s treatment of the CWG’s recommendations was a “really big shock”. She added:

clearly here this is just a fobbing off of that responsibility, trying to again avoid litigation, avoid responsibility rather than take responsibility and take accountability

But ICANN says that the risk mitigation strategy benefits TLD applicants by removing uncertainty from the program, as well making ICANN more credible.
Pritz said on the call:

the risk to the program is in creating a process or procedure that isn’t transparent and predictable for applicants. By what standard can a TLD be kicked out? It’s got to be: here’s the standards, here’s the decision maker and here’s the process.
When I talk about risk, it’s risk to this process.
If this process attracts a lot of litigation, and ICANN published the process and then did not follow it, or that the process wasn’t clear so that the applicant had no way of predicting what was going to happen to its application, the risk is then litigation would halt the process and undermine the ICANN model.
So it doesn’t really have anything to do with the people that are the directors or the people that are the staff; it has to do with the credibility of ICANN as a model for Internet governance.

In other words, if TLD applicants pay their fees and go into the process knowing what the rules are, and knowing that there’s little chance of being jerked around by the ICANN board, there’s less chance of the program as whole being disrupted by lawsuits.
Seems fair enough, no?

Happy 10th birthday new TLDs!

With all the excitement about ICANN’s weekend publication of the new top-level domain Applicant Guidebook, it’s easy to forget that “new” TLDs have been around for a decade.
Tomorrow, November 16, is the 10th anniversary of the ICANN meeting at which the first wave of new gTLDs, seven in total, were approved.
The recording of the 2000 Marina Del Rey meeting may look a little odd to any relative newcomers to ICANN.
The open board meeting at which the successful new registries were selected took well over six hours, with the directors essentially making up their selection policies on the spot, in the spotlight.
It was a far cry from the public rubber-stamping exercises you’re more likely to witness nowadays.
Take this exchange from the November 2000 meeting, which seems particularly relevant in light of last week’s news about registry/registrar vertical integration.
About an hour into the meeting, chairman Esther Dyson tackled the VI idea head on, embracing it:

the notion of a registry with a single registrar might be offensive on its own, but in a competitive world I don’t see any problem with it and I certainly wouldn’t dismiss it out of hand

To which director Vint Cerf, Dyson’s eventual successor, responded, “not wishing to be combative”:

The choices that we make do set some precedents. One of the things I’m concerned about is the protection of users who register in these various top-level domains… If you have exactly one registrar per registry, the failure of either the registrar or the registry is a serious matter those who people who registered there. Having the ability to support multiple registrars, the demonstrated ability to support multiple registrars, gives some protection for those who are registering in that domain.

Odd to think that this ad-hoc decision took ten years to reverse.
It was a rather tense event.
The audience, packed with TLD applicants, had already pitched their bids earlier in the week, but during the board meeting itself they were obliged to remain silent, unable to even correct or clarify the misapprehensions of the directors and staff.
As a rookie reporter in the audience, the big news for me that day was the competition between the three registries that had applied to run “.web” as a generic TLD.
Afilias and NeuStar both had bids in, but they were competing with Image Online Design, a company that had been running .web in an alternate root for a number of years.
Cerf looked like he was going to back the IOD bid for a while, due to his “sympathy for pioneers”, but other board members were not as enthusiastic.
I was sitting immediately behind company CEO Christopher Ambler at the time, and the tension was palpable. It got more tense when the discussion turned to whether to grant .web to Afilias instead.
Afilias was ultimately granted .info, largely due to IOD’s existing claim on .web. NeuStar’s application was not approved, but its joint-venture bid for .biz was of course successful.
This was the meat of the resolution:

RESOLVED [00.89], the Board selects the following proposals for negotiations toward appropriate agreements between ICANN and the registry operator or sponsoring organization, or both: JVTeam (.biz), Afilias (.info), Global Name Registry (.name), RegistryPro (.pro), Museum Domain Management Association (.museum), Société Internationale de Télécommunications Aéronautiques (.aero), Cooperative League of the USA dba National Cooperative Business Association (.coop);

If any of this nostalgia sounds interesting, and you want to watch seven hours of heavily pixelated wonks talking about “putting TLDs into nested baskets”, you can find the video (.rm format, that’s how old it is) of the MDR board meeting buried in an open directory here.

New TLD guidebook bans domain front-running

ICANN’s newly published Applicant Guidebook for new top-level domain operators contains a draft Code of Conduct for registries that, among other things, bans “front-running”.
The code, which I think is probably going to be one of the most talked-about parts of the AGB in the run-up to ICANN’s Cartagena meeting next month, is designed to address problems that could arise when registrars are allowed to run registries and vice versa.
Front-running is the name given to a scenario in which registrars use insider information – their customers’ domain availability lookups – to determine which high-value domains to register to themselves.
While there’s plenty of anecdotal evidence that such practices have occurred in the past, a study carried out last year by researcher Ben Edelman found no evidence that it still goes on.
Front-running was however held up as one reason why registrars and registries should not be allowed to vertically integrate, so the AGB’s code of conduct explicitly bans it.
It also bans registries accessing data generated by affiliated registrars, or from buying any domains for its own use, unless they’re needed for the management of the TLD.
Integrated registries will have to keep separate accounts for their registrar arms, and there will have to be a technological Chinese wall stopping registry and registrar data from cross-pollinating.
Registries will also have to submit a self-audit to ICANN, certifying their compliance with the code of conduct, before January 20 every year.
The code is currently a six-point plan, which, given the past “ingenuity” of domain name companies, may prove a little on the light side.
There’s lots more discussion to be had on this count, no doubt.