Warning (or threat?) prices must go up or .org will suffer DAYS of downtime

Public Interest Registry’s new commercial owner will have to raise domain prices significantly, or .org web sites will suffer over three days of downtime every year, one of its subcontractors has warned.
The claim came in a surprising, confusing letter (pdf) to ICANN’s top brass from Packet Clearing House, a major provider of DNS Anycast services.
PCH claims that Ethos Capital, which is in the process of buying PIR from the Internet Society for $1.135 billion, can only make a profit on the deal if it significantly ups the price of .org domains while simultaneously cutting infrastructure spending.
But its numbers don’t make a whole heck of a lot of sense to me, unless you interpret them as a threat to throw .org under a bus.
PCH is a non-profit company in the business, partly, of selling DNS Anycast services. This is the technology that allows domain names to be resolved by a server as close to the end user as possible, cutting down on internet travel time and load-balancing resolution across the world.
For 15 years, it has been providing such services to Afilias, which is the back-end registry services provider for .org and hundreds of other TLDs. Some of the money PIR makes selling .org domains therefore flows from PIR to Afilias to PCH.
While PCH is hardly a household name, even in the domain name industry (in almost 10 years, I’ve mentioned its name once), the letter, sent last week and published by ICANN last night, attempts to open the kimono a little to reveal how much it costs to reliably resolve a major gTLD.
According to PCH, “annual operational cost necessary to ensure the reliable and performant availability of .ORG” has grown from $11 million in 2004 to $30 million today.
Does that mean Afilias pays PCH $30 million a year to help resolve .org? No.
PCH says that in 2019, $1.3 million will come “indirectly from .ORG registration revenue”, with the remaining $29 million “met through tax-deductible contributions from PCH’s many donors”.
As a non-profit, PCH accepts donations from more than 30 listed sponsors, including Afilias and ICANN, as well as household names such as Amazon, Google and Netflix.
According to PCH’s letter, if .org is transferred into for-profit control, this $29 million will dry up. The letter states:

Under IRS tax law, tax-deductible donations to non-profits cannot accrue to the benefit of a for-profit. Therefore if .ORG is transferred to a for-profit entity, we cannot ask our donors to continue to subsidize its operation, 96% of .ORG’s current operational funding will disappear, and the reliability of its operation will sink from that of .COM and .NET to the least-common-denominator of commodity domains, which generally suffer several days of outage per year.

It estimates .org’s potential downtime at 3.12 days per year. It’s not saying that would happen in one big 72-hour chunk, but it still averages out at about 12 minutes per day
This amount of interruption would put PIR firmly on ICANN’s naughty step when it comes to the registry’s contractual uptime commitments — it has to provide 100% DNS service availability every month, under pain of losing its contract.
But why would those PCH contributions dry up?
Is PCH seriously saying that its donors are chucking in $29 million a year specifically to subsidize .org resolution services? Why on Earth would they do that, when .org brings in revenue of over $90 million per year and PIR only pays Afilias $18 million for registry services?
PCH provides Anycast for 243 gTLDs and 120 ccTLDs. The vast majority of these are managed by for-profit entities. There simply are not 243 non-profit gTLDs out there. Not even close.
In fact, most of the gTLDs PCH serves appear to be for-profit Afilias clients, including many dot-brands.
Goodness knows how PCH segments its income and expenditure, but it seems very likely that PCH’s donors are already financially helping to provide resolution services for commercial registries.
Could we interpret this letter as a threat to deliberately degrade .org’s performance, should the Ethos transaction go through? I’m not sure, but I think it’s a plausible read.
Regardless, we have to take PCH’s claims about the loss of sponsorship money at face value if we want to follow the rest of its calculations.

If the .ORG domain is sold for USD 1.135B, wholesale price and number of domains remain unchanged over the remaining nine years of the delegation (USD 900M gross), and operational reliability is maintained (at a cost of USD 270M), the buyer would take a net loss of USD 470M, or -6.33% CAGR. Private equity does not purposefully enter into loss-making deals. We may therefore conclude that the above scenario is not the intended outcome of the proposed sale.

That calculation seems to assume that PIR/Ethos/Afilias picks up the slack caused by the loss of the purported $29 million subsidy, rather than continuing to pay $1.3 million per year.
But PCH goes on to calculate that Ethos could make a profit on the acquisition only if it raises prices at over 10% a year AND refuses to chip in the missing $29 million.

If the .ORG domain is sold for USD 1.135B, prices are increased by 10% annually (USD 1.357B gross), and operational spending is slashed by 99%, (USD 2.7M), the buyer would make a net gain of USD 220M, or 1.99% CAGR, while increasing down-time to more than three days per year.
1.99% CAGR is not a return for which private equity would typically take this magnitude of risk. The unavoidable conclusion is that any private equity buyer who spends $1.135B to buy the .ORG domain must not only increase prices by more than 10% annually, but also cut operational costs to the minimum levels we see available at the low end of the market, with disastrous consequences for .ORG registrants and the public who depend upon them.

Again, all of these calculations appear to rely upon the notion that $29 million of voluntary donations from Amazon, Netflix, IBM, et al disappear when the acquisition is finalized.
It’s difficult to say how much PCH spends on its DNS infrastructure across the board, or how it accounts for its donations. The company does not make any financial information available on its web site.
Wikipedia reports, in an edit apparently made by PCH executive director Bill Woodcock, that the company had revenue of $251 million last year.
I assume the vast majority of that comes from and supports its primary business, which is building and maintaining internet exchange points around the world.
The only 990 tax return I could find for a “Packet Clearing House” in the San Francisco bay area shows an entity with barely $2 million of revenue in 2018.
To return to the letter, PCH concludes:

Three days per year of interrupted communications for millions of not-for-profit organizations would unacceptably damage the stability and functionality of the Internet, and more broadly of society globally.
We believe that stability and functionality should be central to any consideration by ICANN of change of control or contract modifications in relation to the .ORG TLD. As we demonstrate, the proposed transaction, or any financially-similar one, guarantees a disastrous effect on stability. Please do not approve it.

It’s a pretty shocking request, coming from an organization with a 15-year relationship with .org.
Perhaps PCH is concerned that PIR, under new management, will dump Afilias as back-end provider, leading to a loss of business for itself? Maybe, but that only appears to be a piddling $1.3 million out of a $251 million budget.
A more pressing question is arguably whether ICANN, which is currently probing ISOC and Ethos for additional information about the acquisition, finds PCH’s arguments persuasive.
ICANN has so far proved unresponsive to community concerns about pricing, but technical stability is its absolute raison d’etre. If there’s any risk at all that .org will start regularly missing its uptime targets, ICANN is duty bound to take those concerns seriously.

GoDaddy girls often make more money than the men

Women in some roles at GoDaddy are making more money than their male counterparts, according to data released by the registrar today.
In technical positions in the US, female employees are making on average $1.03 for every $1 men make, GoDaddy said. Women in leadership positions make two cents more than men.
But women in non-techie, non-leadership jobs make a penny less than males, the company said.
“The 2019 global salary data shows that GoDaddy is paying men and women at parity across the company, when comparing men and women in like roles,” GoDaddy said.
The new data also shows that 29% of GoDaddy employees globally are female, which is the same as last year.
But the proportion of women in technical jobs decreased by two points to 17%.
Meanwhile, 36% of non-technical roles are staffed by women, up one point from 2018.
In the US, the female contingent was a little higher — 30% overall, 19% of techies and 37% of non-techies.
The male-female mix at GoDaddy appears to be in the same ballpark as what we generally see with attendance statistics coming out of ICANN meetings — roughly 70/30.
GoDaddy started publishing this data five years ago as part of a plan to foster diversity, reduce unconscious bias, and generally get away from its roguish foundational image as a company that flogged millions of domains with “GoDaddy Girls” — usually busty spokesmodels in skimpy clothing.

Amid .org controversy, Cerf predicts the death of all domains

As the debate about the sale by the Internet Society of .org registry PIR to a private equity company passionately continues, one reason put forward to defend the deal doesn’t appear to have been given much attention: it seems ISOC doesn’t have much confidence in the longevity of the domain name industry.
Reducing ISOC’s exposure to a single revenue source has been expressed as a pro for the deal by several supporters, but was perhaps best stated by Vint Cerf — ISOC founder, former ICANN chair, and Google’s chief internet evangelist — on an ISOC mailing list posting last week. Cerf wrote:

The domain name business started in 1992. There is not assurance that it will go one indefinitely — something new will likely come along. It would be good for ISOC to be able to continue its work without specific dependence on a single TLD’s commercial viability.

It’s perhaps not a particularly controversial statement. Nothing lasts forever. Everything dies. Whether it’s climate-related human extinction, a robot uprising, the zombie apocalypse, or the inevitable heat death of the universe, something’s definitely going to kill off DNS eventually.
I expect Cerf was more probably referring to a new technology that will come along to replace the need for domains altogether.
But is it a pressing reason to flog Public Interest Registry in 2019?
Maybe. It’s no secret that volume growth across the domain market is not great. Verisign’s latest Domain Name Industry Brief showed most growth in the second quarter driven by anomalies.
Even .org itself is struggling. Look at this chart, that tracks .org domains under management in the last few years.

You’ll see that DUM peaked at 11.4 million names in early 2016. That was after a couple of anomalous spikes that I speculate were related to pricing promotions or marketing campaigns.
It only took a few years for the gTLD to shed these gains.
Before the spikes, .org was at 10.6 million DUM. By July this year, it was at 10.5 million. Not pictured, the just-published transaction reports for August show the loss of about 30,000 more domains, bringing the TLD to its lowest level since October 2014.
Roughly speaking, for every domain it loses, PIR’s top line shrinks by a little under $10. A million domains lost is $10 million in lost revenue.
And this is a period in which PIR did not increase its prices, despite being permitted to do so by 10% per year.
Some amount of recent shrinkage could be accounted for by PIR’s “Quality Performance Index”, which seeks to reduce abusive .org registrations. But that’s only been in place since this June.
So, ISOC and Cerf perhaps have a right to be pessimistic.
And if the decline in volumes continues, it is perhaps inevitable that PIR’s new owner will have to increase prices just to keep revenues from going down in line with DUM.

DI Leaders Roundtable #3 — What did you think of ICANN 66?

It’s time for the third in the series of DI Leaders Roundtables, in which I pose a single question to a selection of the industry’s thought leaders.
With ICANN 66 taking place a couple of weeks ago in Montreal, Canada, a multitude of topics came under public discussion, among them: DNS abuse, the .amazon gTLD application, access to Whois data and geographic names protections.
So, this time around, I asked:

What was your biggest takeaway from ICANN 66?

And this, in no particular order, is what they said:
Frank Schilling, CEO, Uniregistry

What a great industry… So many stable players with fresh ideas. Innovators who cross pollinate and stay with the industry in spite of the fact that there is no new gold and obvious money-making opportunity at the moment. Many stable operators trying new things and growing the industry from the inside out.

Michele Neylon, CEO, Blacknight

There weren’t any big surprises at ICANN 66. As I expected there were a couple of topics that many people were focussed on and they ignored pretty much everything else.
The biggest single topic was “abuse”. It’s not a “new” topic, but it’s definitely one that has come to the fore in recent months.
Several of us signed on to a “framework to address abuse” in the run up to the ICANN meeting and that, in many respects, may have helped to shift the focus a little bit. It’s pretty clear that not all actors within the eco system are acting in good faith or taking responsibility for their actions (and inactions). It’s also pretty clear that a lot of us are tired of having to pay the cost for other people’s lack of willingness to deal with the issues.
Calls for adding more obligations to our contracts are not welcome and I don’t think they’ll help deal with the real outliers anyway.
There’s nothing wrong in theory with offering cheap domain names but if you consciously choose to adopt that business model you also need to make sure that you are proactive in dealing with fraud and abuse.

Ben Crawford, CEO, CentralNic

That M&A has become the dominant business activity in the domain industry.

Milton Mueller, Professor, Georgia Tech

My takeaways are shaped by my participation on the EPDP, which is trying to build a “standardized system of access and disclosure” for redacted Whois data. The acronym is SSAD, but it is known among EPDP aficionados as the “So-SAD.” This is because nearly all stakeholders think they want it to exist, but the process of constructing it through an ICANN PDP is painful and certain to make everyone unhappy with what they ultimately get.
The big issue here concerns the question of where liability under the GDPR will sit when private data is released through a So-SAD. Registrars and registries would like to fob off the responsibility to ICANN; ICANN tells the world that it wants responsibility to be centralized somehow in a So-SAD but ducks, dodges and double-talks if you ask it whether ICANN org is willing to take that responsibility.
ICANN’s CEO, who fancies himself a European politician of sorts, has driven the EPDP team batty with a parallel process in which he ignores the fact that the EPDP team has all stakeholders represented, lawyers from contracted parties and data users, and privacy experts on it, as well as formal legal advice from Bird and Bird. Instead he feels compelled to launch a parallel process in which ICANN org goes about trying to make proposals and then ask European authorities about them. He has asked a bunch of techies unaware of the policy issues to design a So-SAD for us and is now badgering various European agencies for “advice” and “guidance” on whether such a system could centralize legal responsibility for disclosure decisions. The parallel process, known as the Strawberry team, was featured in the public meeting on Whois reform as if it was of equal status as the formally constituted EPDP.
But a great ICANN 66 takeaway moment occurred during that moment. The European Commission’s Pearce O’Donoghue told the assembled multitudes that a SoSAD “WOULD NOT…REMOVE THE LIABILITY OF THE DATA CONTROLLER, WHICH IS THE REGISTRAR OR THE REGISTRY. SO WE WOULD HAVE A QUESTION AS TO WHETHER IT IS ACTUALLY WORTH THAT ADDED COMPLEXITY.” So, bang, the request for European advice blew up right in Goran Marby’s face. Not only did he get a critical piece of advice on the most important issue facing the SoSAD and the EPDP, but he got it without going through the elaborate parallel process. No doubt there is now furious behind the scenes lobbying going on to reverse, change or step back from O’Donoghue’s comment. Marby has been quoted (and directly seen, by this writer) as claiming that with the submission of the Strawberry team’s formal request for “guidance” from the European Data Protection Board being submitted, he is now “done” with this. Let’s hope that’s true. My takeaway: ICANN org and all of its fruity concoctions needs to get out of the way and let the PDP work.
The final EPDP-related takeaway is that the biggest decision facing the EPDP as it makes policy for the So-SAD is who makes the disclosure decision: registrars who hold the data, or ICANN? Everyone agrees with centralizing the process of requesting data and hooking up to a system to receive it. But who makes the decision is still contested, with some stakeholders wanting it to be ICANN and others wanting it to reside with the contracted parties. It seems obvious to me that it has to be the registrar, and we should just accept that and get on with designing the So-SAD based on that premise.

Jothan Frakes, Executive Director, Domain Name Association

A few: WHOIS (or Lookup) remains challenging territory, registries and registrars > are not inactive about addressing abuse while avoiding becoming content police, and poutine is delicious.

Christa Taylor, CMO, MMX

From my perspective, the biggest takeaway is the level of industrious efforts, transformation and passion throughout the industry. Every meeting and dinner consisted of a broad range of organizations and people with diverse perspectives on industry topics resulting in thought-provoking debates or conceptual brainteasers. Compared to a year ago, the conversations have materially changed — impacted from industry consolidations, system updates and developments along with organizational transitions to streamline business in one method or another. While there is still plenty of work ahead of us, both within the industry and ICANN, it’s satisfying to reflect and realize that progress is being achieved, cooperation benefits all and no matter how long the tunnel might be, there is light.

ICANN board meets to consider PIR acquisition TODAY

ICANN’s board of directors will gather today to consider whether the acquisition of Public Interest Registry by a private equity company means that it should reverse its own decision to allow PIR to raise .org prices arbitrarily.
Don’t get too excited. It looks like it’s largely a process formality that won’t lead to any big reversals, at least in the short term.
But I’ve also learned that the controversy could ultimately be heading to an Independent Review Process case, the final form of appeal under ICANN rules.
The board is due to meet today with just two named agenda items: Reconsideration Request 19-2 and Reconsideration Request 19-3.
Those are the appeals filed by the registrar Namecheap in July and rights group the Electronic Frontier Foundation in August.
Namecheap and EFF respectively wanted ICANN to reverse its decisions to remove PIR’s 10%-a-year price-raising caps and to oblige the registry to enforce the Uniform Rapid Suspension anti-cybersquatting policy.
Both parties now claim that the sale by the Internet Society of PIR to private equity firm Ethos Capital, announced last week, casts new light on the .org contract renewal.
The deal means PIR will change from being a non-profit to being a commercial venture, though PIR says it will stick to its founding principles of supporting the non-profit community.
I reported a couple of weeks ago that the board had thrown out both RfRs, but it turns out that was not technically correct.
The full ICANN board did in fact consider both appeals, but it was doing so in only a “preliminary” fashion, according to an ICANN spokesperson. ICANN told me:

On 3 November the Board considered “proposed determinations” for both reconsideration request 19-2 and 19-3. In essence, the Board was taking up the Board Accountability Mechanism Committee (BAMC) role, as the BAMC had not been able to reach quorum in early November due to certain recusals by BAMC members.
Once the Board adopted the proposed determinations (in lieu of the BAMC issuing a recommendation to the Board) the parties that submitted the reconsideration requests had 15 days to submit a rebuttal, for the Board’s full consideration of the matter, which is now on the agenda.

Normally, RfRs are considered first by the four-person BAMC, but in this case three of the members — Sarah Deutsch, Nigel Roberts, and Becky Burr — recused themselves out of the fear of appearing to present conflicts of interest.
The committee obviously failed to hit a quorum, so the full board took over its remit to give the RfRs their first pass.
The board decided that there had been no oversights or wrongdoing. Reconsideration always presents a high bar for requestors. The .org contract was negotiated, commented on, approved, and signed completely in compliance with ICANN’s governing rules, the board decided.
But the ICANN bylaws allow for a 15-day period following a BAMC recommendation during which rejected RfR appellants can submit a rebuttal.
And, guess what, both of them did just that, and both rebuttals raise the PIR acquisition as a key reason ICANN should think again about the .org contract changes.
The acquisition was announced a week ago, and it appears to have come as much of a surprise to ICANN as to everyone else. It’s a new fact that the ICANN board has not previously taken into account when considering the two RfRs, which could prove important.
Namecheap reckons that the deal means that PIR is now almost certain to raise .org prices. New gTLD registry Donuts was bough by Ethos affiliate Abry Partners last year, and this year set about raising prices across the large majority of its 200-odd gTLDs. Namecheap wrote in its rebuttal:

Within months of be acquired by Abry Partners, it raised prices in 2019 for 220 out of its 241 TLDs. Any statements by PIR now to not raise prices unreasonably are just words, and without price caps, there is no way that .org registrants are not used a source to generate revenue for acquisitions or to pay dividends to its shareholders.

It also said:

The timing and the nature of this entire process is suspicious, and in a well-regulated industry, would draw significant scrutiny from regulators. For ICANN not to scrutinize this transaction closely in a completely transparent and accountable fashion (including public disclosure of pertinent information regarding the nature, cost, the terms of any debt associated with the acquisition, timeline of all parties involved, and the principals involved) would demonstrate that ICANN org and the ICANN Board do not function as a trusted or reliable internet steward.

Namecheap also takes issue with the fact that ICANN’s ruling on its RfR (pdf) draws heavily on a 2009 economic analysis by Professor Dennis Carlton, which concluded that price caps were unnecessary in the new gTLD program.
The registrar trashes this analysis as being based on more opinion than fact, and says it is based on outdated market data.
Meanwhile, the EFF’s rebuttal makes the acquisition one of four reasons why it thinks ICANN should reverse course. It said;

ICANN must carefully reexamine the .ORG Registry Agreement in light of this news. Without the oversight and participation of the nonprofit community, measures that give the registry authority to institute new [Rights Protection Mechanisms] or make other major policy changes invite management decisions that conflict with the needs of the .ORG community.

Quite often, RfRs are declined by ICANN because the requestor does not present any new information that the board has not already considered. But in this case, the fact of the PIR acquisition is empirically new information, as it’s only week-old news.
Will this help Namecheap and the EFF with their cause? The board will certainly have to consider this new information, but I still think it’s unlikely that it will change its mind.
But I’ve also learned that Namecheap has filed with ICANN to trigger a Cooperative Engagement Process procedure.
The CEP is an often-lengthy bilateral process where ICANN and an aggrieved party attempt to resolve their differences in closed-door talks.
When CEP fails, it often leads to an Independent Review Process complaint, when both sides lawyer up and three retired judges are roped in to adjudicate. These typically cost both sides hundreds of thousands of dollars in legal fees.
CEP and IRP cases are usually measured in years rather than months, so the PIR acquisition could be under scrutiny for a long time to come.

DI Leaders Roundtable #2 — Should we kill off “Whois”?

Should we stop using the word “Whois” to describe registration data lookup services?
That’s the question I posed for the second DI Leaders Roundtable.
I’m sure you’re all very well aware that the Registration Data Access Protocol (RDAP) is the imminent replacement for the Whois protocol, as the technical method by which domain registrant contact information is stored, transmitted and displayed.
ICANN also regularly refers to Registration Data Directory Services (RDDS) as a protocol-independent blanket term covering the concept of looking up Whois or RDAP data.
You may also recall that ICANN, which is ostensibly a technical body, appears to bedeprecating the word “Whois” in favor of “Lookup” on its own web-based query service.
ICANN has a track record of introducing new acronyms to describe already well-understood functions. The IANA has technically been called “Public Technical Identifiers” for years, but does anyone actually call it “PTI”? No, everyone still talks about “IANA”.
So I wanted to know:

Should we continue to call it “Whois” after the technical transition to RDAP is complete? Will you continue to refer to “Whois”? Should we change to a different word or acronym? Should the industry standardardize its language one way or the other?

There seems to be a general consensus that “Whois” ain’t going anywhere.
The responses, in no particular order.
Jothan Frakes, Executive Director, Domain Name Association

The term WHOIS won’t quickly leave the zeitgeist due to the decades of its use as a description of the lookup process. Lookup is somewhat confusing, as there is DNS Query lookup that works across the resolution system, and WHOIS Lookup that works to find registrant info via the registration system. As far as the term “Lookup” as the label for the new normal that is poised to replace WHOIS? It is better than the acronym “RDDS”. The general public probably would not assume that RDDS is a way to find out about a domain owner or registration information, because it sounds like it involves dentistry (DDS) if one is not following the ICANN world as close as insiders. Despite the evolutionary path the basic function seems to be on, it is likely that WHOIS continues to be what the nickname for the lookup process called, regardless of the support technology layers below it not literally being WHOIS.

Frank Schilling, CEO, Uniregistry

WHOIS IS DEAD, LONG LIVE WHOIS.
The echo of “Whois” will live long after Whois is dead and gone. The very nature of its replacement word “Lookup” ensures that the information hungry public will expect more fulsome data than ICANN intends the word to provide. There will continue to be services who try to engineer a Whois hack and provide accurate underlying data for paying customers. Whois is going to outlive all of us. Even those who diet, exercise, and eat organic food.

Dave Piscitello, Partner, Interisle Consulting Group

Just as most of the world isn’t familiar with new TLDs, most have no appreciation for the differences between Whois and RDAP. The term “Whois” is convenient, memorable, and embedded. It also represents a service to most users, not a protocol, so if we do “standardize” we should use “RDS”. While we sort out the disastrous effects of ICANN’s Temp Spec policy on both investigators and victims of DNS abuse, most parties involved with educating policy makers and legislators should continue to use Whois for consistency’s sake.

Christa Taylor, CMO, MMX

As the old adage goes, “Don’t fix what’s not broken.” While “Whois” may have lost some of its luster due to GDPR I prefer to retain the term — it’s simple, representative of the information it provides and avoids adding any confusion especially for people outside of ICANN. Employing standardized language is, of course, logical and after twenty years of using “Whois” it is the accepted term both inside and outside the industry.

Sandeep Ramchamdani, CEO, Radix Registry

First up, the transition to the RDAP system is much needed given the fundamental flaws of Whois.
It would help in placing some guardrails around customers’ privacy while still providing agencies such as law enforcement authenticated access that they need to do their work.
Whois is a major cause of spam and in the age where privacy is top currency, public, unauthenticated availability of personal data is unacceptable.
It should also smooth out inter-registrar transfers and lower customer frustration while moving out to a different service provider.
When it comes to its name, calling it “RDAP” or “Lookup” would be a branding error. It would cause some confusion and for those not intimately involved in the industry, who may find it hard to discover the new system.
In my mind, keeping the original nomenclature “Whois”, while making it clear that it’s a newer avatar of the same solution would be the way to go.
Can’t think of a better term than “Whois 2.0”.
Very easy to understand that it’s a newer, more advanced iteration of the same product.

Michele Neylon, CEO, Blacknight

Whois was originally a simple little protocol that allowed network operators to contact each other to address technical issues. It predates the usage of domain names or the “web”.
When domains were introduced the same concept was simply transposed over to the new identifiers.
However over the past 20 plus years the way that people viewed Whois has morphed dramatically. The first time I spoke at an ICANN meeting 12 years ago was on the subject of Whois!
Now the term is used both to talk about the technical protocol, which is being replaced in the gTLD space and the data that it is used to store and possibly display. We talk about “Thin Whois”, “Thick Whois” and so many other services and issues linked back to it.
Whois as a protocol is far from perfect, which is why replacing the technical side of it makes a lot of sense.
So with the world slowly moving towards a new technical method for processing domain registration data then maybe we should come up with another word for it. However I’m not sure if there’s much to be gained by doing that.
We are all used to the floppy disk icon to save a document, even if floppy disks are no longer used. With the term “Whois” being part of people’s vocabulary for the nearly a quarter of a century. it’d be pretty hard to find a simple replacement and have people adopt it widely. Sure, in the more technical conversations it makes sense to use more accurate terms like “RDAP”, but the average punter just wants to be able to use a term that they can understand.
Those of us who work with domains and internet technology in our day jobs might care about the “correct” terminology, but we’re in a minority. We all get excited when the mainstream media picks up on a story involving domain names or the DNS and even gets half of it right! If we conjure up some new term that we think is accurate it’ll take years before anyone outside our bubble is comfortable with it. So I don’t think we should.
We should simply accept that “Whois” is a term used to refer to domain registration data no matter what technology under the hood is used to handle it.

Rick Schwartz, domain investor

Hate to give the same basic answer to two questions in a row, but who cares?
Really!! Who cares? Nobody!
This is inside baseball that doesn’t affect anyone on the entire planet except for a handful of domain investors and ICANN etc.
Call it whatever you like just make sure it’s public info.

Emoji domains get a 😟 after broad study

Domain names containing emojis are a security risk and not recommended, according to a pretty comprehensive review by an ICANN study group.
The Country-Code Names Supporting Organization has delivered the results of its 12-person, 18-month Emoji Study Group, which was tasked with looking into the problems emoji domains can cause, review current policy, and talk to ccTLD registries that currently permit emoji domains.
The ESG didn’t have a lot of power, and its recommendations are basically an exercise in can-kicking, but it’s easily the most comprehensive overview of the issues surrounding emoji domains that I’ve ever come across.
It’s 30 pages long, and you can read it here (pdf).
Emojis are currently banned in gTLDs, where ICANN has to approve new Unicode tables before they can be used by registries at the second level, under its internationalized domain name policy, IDNA 2008.
But ccTLDs, which are not contracted with ICANN, have a lot more flexibility. There are 15 ccTLDs — almost all representing small islands or low-penetration African nations — that currently permit emoji domains, the ESG found.
That’s about 6% of Latin-script ccTLDs out there today. These TLDs are .az, .cf, .fm, .je, .ga, .ge, .gg, .gq, .ml, .st, .to, .tk, .uz, .vu, and .ws.
Five of them, including .tk, are run by notorious freebie registry Freenom, but perhaps the best-known is .ws, where major brands such as Budweiser and Coca-Cola have run marketing campaigns in the past.
The main problem with emojis is the potential for confusing similarity, and the ESG report does a pretty good job of enumerating the ways confusability can arise. Take its comparison of multiple applications’ version of the exact same “grinning face” emoji, for example:

If you saw a domain containing one of those in marketing on one platform, would you be able to confidently navigate to the site on another? I doubt I would.
There’s also variations in how registrars handle emojis on their storefronts, the report found. On some you can search with an emoji, on others you’ll need to type out the xn-- prefixed Punycode translation longhand.
In terms of recommendations, the ESG basically just asked ICANN to keep an eye on the situation, to come to a better definition of what an emoji actually is, and to reach out for information to the ccTLDs accepting emojis, which apparently haven’t been keen on opening up so far.
Despite the lack of closure, it’s a pretty good read if you’re interested in this kind of thing.

DI Leaders Roundtable #1 — How many new gTLDs will be applied for next time around?

How many new gTLDs will be applied for in the next application round?
This is the first question I put to the DI Leaders Roundtable, which you may recall I announced a couple weeks back.
As a reminder, the panel is comprised of leading thinkers in the domain name industry or ICANN community, covering as broad a cross-section of expertise as I could muster.
The question I posed each panelist this time was:

There were 1,930 applications for new gTLDs in 2012. Given everything we’ve learned over the last seven years, how many applications do you think there will be in the next round?

There seemed to be a rough consensus that it’s a little early to put any concrete predictions out there, and that perhaps I should have eased the panel in with something a little less challenging, but some very interesting — and divergent — opinions were nevertheless expressed.
Some of the participants asked me to note that they were speaking in a personal capacity rather than with them wearing a specific one of their various professional/volunteer hats. To save time, readers should just assume that every opinion being expressed below is personal to the expert concerned.
In no particular order…
Jeff Neuman, Senior VP, Com Laude

Without wanting to sound like I’m trying to avoid answering the question or hedge my bets, we have to consider this question in the context of the current landscape. The number of applications in the next round will be dependent on the outcomes of the current Subsequent Procedures PDP Working Group, alongside macroeconomic business factors. So therefore I’ll put a range on the possible answer — at the low end (if the application fee remains as is and world economies are facing significant troubles) around 1,000; at the top end (with application fee reduced to a level that operates as far less of a barrier, a fair economic wind behind us and some targeted promotion of the opportunities) there could be up to 10,000.
One thing that is clear is that many of the applications will come from brands that would like to actively use their domains. Those who were forward-thinking and have taken bold steps in the first round are the ones who are benefiting most from the new gTLD program. That’s not to say that there have not also been issues with brands. In 2012 many brands were pressured to apply for TLDs by third parties who advised them to apply for purely defensive reasons. Others gave up after the many fits and starts of the program as well as the overly lengthy period it took ICANN to evaluate the TLDs, approve Specification 13, respond to name collision, and the change of rules to temporarily disallow “closed generic” TLDs. Not surprisingly, we have seen a number of these brands drop out of the program.
However, many of the ones that have stuck it out are doing well. Some have even made transitions from their “.com” or their ccTLDs to their brand TLDs. Others have used their TLDs for marketing campaigns, corporate social responsibility programs, internal corporate intranets, job sites, geolocation tools, social media programs, events and customer service. And this is just the beginning.
What we need to ensure for the future is that application fees represent the true costs of the program and that the process is predictable, reliable and flexible enough to allow brands and others to innovate. Over-regulation due to the fear of unlikely edge cases or paranoia due to how potential applicants for purely generic open TLDs cannot be allowed to happen. All TLDs should not be painted with the same regulatory brush and the community needs to understand that we should be encouraging different business models for TLDs that do not necessarily include the unfettered ability for the public to register domain names in all TLDs. Ultimately, we need to do what is best for end users on the Internet.
Incentives should be provided for TLDs like .bank and .pharmacy to validate their registrants and ensure the safety of their end users by curbing abusive behavior. This could come in the form of reduced fees to ICANN or even ensuring that other similarly sensitive strings have similar verification requirements before allowing them to be delegated.
Finally, in order for the program to succeed, we need to stimulate growth of registries and registrars in the developing world. Support for these organizations should not only be in the form of monetary contributions, but also training programs, consulting services, legal support, and even operational support (eg., the free or low-cost use of third party DNS servers globally, security monitoring and other critical services).

Rick Schwartz, domain investor

Who cares?? Nobody in the real world. Totally meaningless except to the 1,930 applicants and a totally corrupt and out of control ICANN that needs oversight! SHAMEFUL!

Christa Taylor, CMO, MMX

“Will you walk into my parlour and tell me how many applications there will be for the next round, said a Spider to a Fly”
Oh, poor fly, good luck getting out of this one. There have been some exceptionally large volumes thrown around — 10k, 20k, but this fly would prefer to utilize data gathered from statistical surveys. Unfortunately, my workload didn’t allow me to conduct a survey this week so instead, I’ll utilize a less scientific approach and seek the same leniency ICANN received in their volume prediction used in the 2012 round.
A multitude of variables may impact the volume of applications including: notice period, application fees, auctions and delegation rates with each factor being additive to the prior factor.

• Base volume: 2,000 applications is utilized as the initial value. While the type of applications may change, the overall volume is a logical starting point especially when considering the last round was in 2012.
• Notice period: A longer notice period on when the application period will begin will allow for more applicants to apply. Assuming a notice period of four months with a 10% increase in application volume for each additional four-month period. i.e. if there is a six month notice until application window opens, volume will increase by 100 (2,000 x 10% x (6-4/4)). Our total volume of applications is now 2,100.
• Application fee: The new gTLD program is expected to operate on a ‘revenue neutral’ basis. As such, the application fee should decrease from the 2012 fee of $185k. Since the volume of applications is inversely related to the fee, increasing the volume by say, 15% for every $10k less than $150k. For example, if the actual application fee is $125k, the volume of applications will increase by approximately ~800 (15% x 2,100 x ($150k – $125k/$10k) for a total of 2,900 applications.
• Auctions: One of the most significant items that could drive the volume of applications if auctions and other related resolution mechanisms. The windfalls from ‘losing’ in auctions are well-known and while other options have been discussed – Vickrey auctions, draws, etc. some applications will be submitted for financial gains. Additionally, the potential to gain from ‘losing’ in contention sets combined with reduced application fees and delegation rates (detailed below) will again impact the volume of applications. As such, the number of applications will increase similar to application fees but would suggest that for every $5k less than $150k application fee, the volume of applications will increase by 10%. If the application fee is $125k, the volume will increase by 1,250 (10% x 2,888 x ($150k-$125k/$5k) for a combined volume of 4,150 applications.
• Delegation rate: The final factor in this unscientific, simplistic volume projection is the delegation rate. In 2010, a rate of 1,000 per year was provided to minimize security and stability risks. If the delegation rate remains relatively the same, the processing of applications could take years and thereby, encourage potential applicants to apply knowing it will take years before their application is delegated. Additionally, a reduced application fee minimizes an applicant’s risk if they decide to withdraw at a later date. Applying another broad brushstroke of 5% per year for the length of time it will take for all applications to be delegated, excluding objections. If it is expected to take three years to process the subsequent round of applications, add in another ~750 applications (5% x 3 years X 4,150) for a total volume of 4,900, rounding to 5,000 applications.

“And take a lesson from this tale of the Spider and the Fly” — gather real data to project application volumes and escape these impossible questions.
Ref: Howitt, Mary. The Spider and the Fly. (1829)

Michele Neylon, CEO, Blacknight

It’s not one that’s easy to answer — I think we all got it terribly wrong the last time round.
I suspect, though I could be completely wrong, that there will be at least 1,000 applications if there is a new round. Of course, that number is not based on anything other than just a gut instinct. I don’t think there will be as many distributed retail TLDs in a next round. Apart from a couple of outliers the bulk of new TLDs haven’t been as big of a success as their backers expected.
I can imagine that some cities would pitch for a TLD in the next round but it’d be more of a play in terms of tourism rather than commercial gain.
Some would have us believe that a “lot” of brands want to apply for a TLD in a next round, but I do wonder how much of that demand is “real” and comes from brands and how much of it is being pushed by those who stand to gain from applications. Of course, there could be a lot of brands out there that feel a desire to get their own TLD, but it’s also very clear that many of the brands that got one the last time round haven’t done a lot with them (with a few notable exceptions)
It’s a very good question to ask, but until there’s more clarity about the rules and the costs we’re all going to be guessing.

Jon Nevett, CEO, Public Interest Registry

Check back with me in 2022 when we may know the application fee; how contention resolution would work (i.e. will there be speculative applications); and the role of the GAC in reviewing applications.

Dave Piscitello, Partner, Interisle Consulting Group

While I can’t speculate how many, I truly hope that we have fewer “generics” that only serve to create a larger set of TLDs that will be offered in bulk at fees as low as 1 yen to organized spam gangs or botnet operators. ICANN hasn’t provided a scientifically valid economic study that demonstrates a need for more of these; in fact, ICANN’s own DAAR data shows that nearly half of the abused or criminally-used domain names have migrated to the piddling 10-12% share of the total gTLD delegated (and resolving) domain names that the new TLDs represent.
Having said this, I do believe that there are some success stories that point would-be applicants to modestly profitable ventures. City TLDs for the most part have remained free of abuse or criminal misuse. A portfolio of these might be interesting. I think that brands still don’t really know how to use their TLD or migrate to these in a way that alters the threat landscape.

Ben Crawford, CEO, CentralNic

Our focus today at CentralNic is supporting the growth of existing ccTLD and gTLD registries. However there is no company more prepared for the next round than us, and based on our discussions with potential applicants, we expect more applications in this nTLD round that the last.
Generic TLD applicants obviously gravitate towards CentralNic Registry Solutions as the natural home of TLDs seeking meaningful growth. We are not only the market leaders with more registrars actively selling our nTLD domains than any other backend, but we have as many domains under management as the number 2, 3 and 4 players combined.
Brand owners are also very keen to sign up with BrandShelter as a low cost and flexible one-stop shop that can handle application, backend, registrar and domain management services under a single contract with a money back guarantee. They particularly like that we have the best value support for dot-brands that do want to actively use their TLDs (like .DVAG, .ALLFINANZ and .MINI) while we don’t employ pushy sales people to hassle our clients happy with a defensive strategy to “activate” their TLDs.

Milton Mueller, Professor, Georgia Tech

Is a negative number an acceptable answer? Will some of the past 1,930 be allowed to bring their TLDs back to the store for a refund? What exactly is ICANN’s return policy, is it as good as TJ Maxx’s? More seriously, I would expect quite a few less applications this time around. I’d be surprised if it exceeded 500. We don’t see any smashing successes from the first round.

Spam is not our problem, major domain firms say ahead of ICANN 66

Eleven of the largest domain name registries and registrars have denied that spam is something they should have to deal with, unless it’s used to proliferate other types of abuse such as phishing or malware.
In a newly published “Framework to Address Abuse” (pdf), the companies attempt to define the term “DNS abuse” narrowly to capture only five (arguably only four and a half) specific types of online threat.
That abuse comprises malware, phishing, botnets, pharming and spam.
The companies agree that these are activities which registrars and registries “must” act upon.
But the document notes that not all spam is its responsibility, stating:

While Spam alone is not DNS Abuse, we include it in the five key forms of DNS Abuse when it is used as a delivery mechanism for the other four forms of DNS Abuse. In other words, generic unsolicited e-mail alone does not constitute DNS Abuse, but it would constitute DNS Abuse if that e-mail is part of a phishing scheme.

In other words, registrars and registries should not feel responsible for the billions of spams sent every day using their domains, unless the spam runs further malware, phishing, pharming or botnet abuse.
The signatories of the framework are Public Interest Registry, GoDaddy, Donuts, Tucows, Amazon Registry Services, Blacknight, Afilias, Name.com, Amazon Registrar, Neustar, and Nominet UK.
It may seem like they’ve presented a surprisingly narrow definition, but it’s in line with what current ICANN contracts dictate.
Neither the standard Registry Agreement nor Registrar Accreditation Agreement mention spam at all. Six years ago, ICANN specifically said that spam is “outside of ICANN’s scope and authority”.
Under the RA, registries have to oblige their registrars to ban registrants from “distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law”.
They also have to maintain statistical reports on the amount of “pharming, phishing, malware, and botnets” in their zones, and provide those reports to ICANN upon demand. A recent audit found that 5% of registries, mainly dot-brands, were not doing this.
However, ICANN’s Domain Abuse Activity Reporting system, an effort to provide some transparency into how gTLDs are being abused, does in fact track spam. It does not track pharming, which is a fairly obscure and little-used form of DNS attack.
The DAAR report for September shows that spam constituted 73% of all tracked abuse.
The ICANN board of directors today identified DAAR as one of a few dozen priorities for the coming year.
Similarly, the cross-community working group known as the CCT Review Team, which was tasked with looking into how the new gTLD program has impacted competition and consumer trust, had harsh words for spam-friendly registries, and provided a definition of “DNS Security Abuse” that specifically included “high volume spam”.
The review recommended that ICANN introduce more measures to force contracted parties to deal with this type of abuse. This could include incentives for registries to clean up their zones and abuse volume thresholds that would automatically trigger compliance actions.
The new framework document comes in the context of an ongoing debate within the ICANN community about what “DNS abuse” is.
Two partners at Interisle, a security consultancy that often works for ICANN, recently guest-posted on DI to say that this term has become meaningless and should be abandoned in favor of “security threat”.
They argued that the definition should include not only spam, but also stuff like IP infringement, election interference, and terrorism.
But the main threat to contracted parties probably comes from the Governmental Advisory Committee, backed by law enforcement, which is pushing for stronger rules covering abusive content.
During a webinar last week, the US Federal Trade Commission, the FBI, and Europol argued that registries and registrars should be obliged to do more to combat abuse, specifically including spam.
“Whether or not you call it phishing or spam or whether it has a malware payload or not, ultimately it’s all email, and email remains the most common tool of cybercriminals to ensnare their victims, and that’s why we in law enforcement care about the domains used to send emails,” said Gabriel Andrews of the FBI’s Cyber Initiative Resource Fusion Unit, on the call.
Registries and registrars countered, using the same language found in the new framework, that generic spam is a content issue, and outside of their remit.
The two sides are set to clash again at ICANN’s annual general meeting in Montreal next month, in a November 6 face-to-face session.
While 11 entities signed the new framework, it’s arguably only nine companies. Name.com is owned by Donuts and both Amazon firms obviously have the same parent.
But it does include the two largest registrars, and registries responsible for running several hundred commercial gTLDs, dot-brands and ccTLDs.
While none of the signatories of the framework have a particular reputation for being spam-friendly, other companies in the industry — particularly some of the newest and cheapest new gTLDs — tend to attract spammers like flies to a turd.
Some of the signatories are perhaps surprising, given their past or ongoing behavior to tackle content-based abuse in their own zones.
Nominet, notably, takes down tens of thousands of domains ever year based on little more than police assurances that the domains are being used to sell counterfeit merchandise or infringe copyright.
The .uk registry also preemptively suspends domains based on algorithms that guess whether they’re likely to be seen as encouraging sexual violence or could be used in phishing attacks.
Donuts also has a trusted notifier relationship with the movie and music industries that has seen it take down dozens of names being used for mass copyright infringement.
PIR has previous endorsed, then unendorsed, the principal of a “UDRP for copyright”, a method of giving Big Content a way of going through due process to have domains taken or suspended.
Outside the spam issue, while the new registry-registrar framework says that registries and registrars should not get involved in matters related to web site content, it also says they nevertheless “should” (as opposed, one assumes based on the jargon usually found in internet standards, to “must”) suspend domains when they’re being used to distribute:

(1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence.

These are exceptions because they constitute “the physical and often irreversible threat to human life”, the framework says.
Ultimately, this all boils down to a religious debate about where the line is drawn between “DNS” and “content”, it seems to me.
The contracted parties draw the line at threats to human life, whereas others want action on other forms of abuse largely because registries and registrars are in the best position to help.

Top ICANN advisor Tarek Kamel dies at 57

Tarek Kamel, a senior advisor to the ICANN CEO and one-time shortlisted candidate for the top job, died yesterday, according to ICANN. He was 57.
His cause of death was not released, but he apparently had been suffering from health challenges for some time.
At ICANN, Kamel was senior advisor to the president and senior vice president for government and IGO engagement, a role he was appointed to in 2012 by then-incoming CEO Fadi Chehadé.
Kamel had been one of three shortlisted candidates for the CEO role and was hired immediately after Chehadé took over.
Born in Egypt, Kamel was considered locally as an internet pioneer, helping to found, then deregulate and reform the sector in his country.
He trained as an electrical engineer in Egypt and Germany, and is said to have established Egypt’s first connection to the internet in the mid-1990s, a period in which he also founded the local chapter of the Internet Society.
But Kamel spend much of his career in government, acting as Egypt’s minister for information and communication technology between 2004 and 2011.
His tenure ended in January 2011, as a result of the revolution which ousted President Hosni Mubarak.
During the final weeks of Mubarak’s regime, the government attempted to disrupt popular resistance by shutting down internet access across the country, causing pleas from Kamel’s friends for him to restore connectivity and preserve his legacy.
But Chehadé later defended Kamel’s actions during the revolution, telling DI in 2012 that he was not responsible for the shutdown and that he showed “near-heroism”, putting himself and his family at great personal risk, in order to restore services as quickly as possible.
Kamel was described yesterday by current CEO Göran Marby as a “dear friend” with a “big heart” and a “great sense of humor” who helped open diplomatic doors for ICANN in the Middle East.
Former ICANN chair and father of the internet Vint Cerf said “our Internet community has lost a kindred spirit so devoted to the idea of a global Internet to hold and use in common”.
He added, “if heaven does not have broadband yet, Tarek will make it so.”
Kamel is survived by his wife and two children.
Marby yesterday encouraged friends and colleagues to leave a memorial in the comments section of this blog post, assuring commenters that their words will reach Kamel’s family.
His family and friends have my condolences.