Now GNSO mulls emergency response to GDPR deadline

ICANN’s GNSO Council is thinking about deploying a never-before-used emergency mechanism to develop a Whois privacy policy in response to GDPR.
With the May 25 deadline for compliance with the EU’s General Data Protection Regulation fast approaching, the community is scrambling to figure out how it can bring ICANN’s policies and therefore its contracts into line with the Draconian privacy provisions of the new law.
Currently, ICANN contracts with registries and registrars demand the publication of full Whois records, something GDPR will not permit, so each company in the industry is busily figuring out how its own Whois database will comply.
Fearful of a “fragmented” Whois, ICANN’s board of directors is considering deploying its own top-down emergency measure — called a Temporary Policy in its contracts — to ensure uniformity across its contracts.
CEO Goran Marby revealed to DI earlier this month that a Temporary Policy was being considered, and he and other members of the board confirmed as much to GNSO leadership during a telephone briefing last week.
(It should be noted that the call took place prior to the receipt last week of guidance from the EU Article 29 Working Party, which prompted ICANN to start mulling legal options as one way to buy the industry some time to comply post-May.)
The call (recorded here with password Eur3wiEK and summarized in this letter (pdf)), focused almost exclusively on how the Council could respond to a board-mandated Temporary Policy, with the board suggesting a GNSO Expedited Policy Development Process might be the best way to proceed.
A Temporary Policy would expire within a year, so the GNSO would have to come up with a formal Consensus Policy within that time-frame if ICANN were to have any hope of having a uniform view of Whois across its contracts.
The Temporary Policy is a “strong option” for the board, and a “highly likely or likely” outcome, but nothing has been formally decided, the GNSO leaders heard from ICANN vice-chair Chris Disspain. He was briefly challenged by Marby, who appeared somewhat more committed to the move.
While the GNSO Council has not yet formally decided to deploy the EPDP, it appears to be the most-feasible option to meet the deadline a Temporary Policy would impose.
It is estimated that an EPDP could take as little as 360 days, compared to the estimated 849 days of a regular PDP.
The EPDP cuts out several of the initial steps of a regular PDP — mainly the need for an Initial Report and associated public comment period — which by my reading would shorten the process by at least 100 days.
It also seems to give the GNSO some wriggle room in how the actual policy creation takes place. It appears that the regular “working group” structure could be replaced, for example, with a “drafting team”.
If the EPDP has the Temporary Policy and WP29 guidance as its baseline for discussions, that could also help cut out some of the circular argument that usually characterizes Whois discussions.
Aware that the EPDP is a strong possibility, the Council is currently planning to give itself a crash course in the process, which has never been used before by any iteration of the Council.
It’s uncharted territory for both the GNSO and the ICANN board, and the only people who seem to have a firm grasp on how the two emergency mechanisms slot together are the ICANN staffers who are paid to know such things.
UPDATE: A couple of hours after this article was published, ICANN posted this three-page flow-chart (pdf) comparing EPDP to PDP. Lots of luck.

ICANN confirms GoDaddy Whois probe

ICANN is looking into claims that GoDaddy is in breach of its registrar accreditation contract.
The organization last week told IP lawyer Brian Winterfeldt that his complaint about the market-leading registrar throttling and censoring Whois queries over port 43 is being looked at by its compliance department.
The brief note (pdf) says that Compliance is “in receipt of the correspondence and will address it under its process”.
Winterfeldt is annoyed that GoDaddy has starting removing contact information from its port 43 Whois responses, in what the company says is an anti-spam measure.
It’s also started throttling port 43 queries, causing no end of problems at companies such as DomainTools.
Winterfeldt wrote last month “nothing in their contract permits GoDaddy to mask data elements, and evidence of illegality must be obtained before GoDaddy is permitted to throttle or deny port 43 Whois access to any particular IP address”.
It’s worth saying that ICANN is not giving any formal credibility to the complaint merely by looking into it.
But while it’s usual for ICANN to publish its responses to correspondence it has received and published, it’s rather less common for it to disclose the existence of a compliance investigation before it has progressed to a formal breach notice.
It could all turn out to be moot anyway, given the damage GDPR is likely to do to Whois across the industry in a matter of weeks.

Marby ponders emergency powers to avoid fragmented Whois

ICANN could invoke emergency powers in its contracts to prevent Whois becoming “fragmented” after EU privacy laws kick in next month.
That’s a possibility that emerged during a DI interview with ICANN CEO Goran Marby yesterday.
Marby told us that he’s “cautiously optimistic” that European data protection authorities will soon provide clear guidance that will help the domain industry become compliant with the General Data Protection Regulation, which becomes fully effective May 25.
But he said that a lack of such guidance will lead to a situation where different companies provide different levels of public Whois.
“It’s a a high probability that Whois goes fragmented or that Whois will be in a sort of ‘thin’ model in which very little information is collected and very little information is displayed,” he said. “That’s a sort of worst-case scenario.”
I should note that the interview was conducted yesterday before news broke that Afilias has become the first major gTLD registry to announce its Whois output will be essentially thin — eschewing all registrant contact data — from May 25.
Marby has asked European DPAs for two things.
First, guidance on whether its “Cookbook” proposal for a dramatically scaled-back, GDPR-compliant Whois is in fact GDPR-compliant.
Second, an enforcement moratorium while registries and registrars actually go about implementing the Cookbook.
“If we don’t get guidance that’s clear enough, we will see a fragmented Whois. If we get guidance that is clear enough we can work it out,” Marby said.
A moratorium could enable Whois to carry on in its current state, or something close to it, while ICANN goes about creating a new policy that fits with the DPA’s guidance.
If the DPAs refuse a moratorium, we’re looking at a black hole of indeterminate duration during which nobody — not even law enforcement or self-appointed trademark cops — can easily access full Whois records.
“It’s not something I can do anything about, it’s really in the hands of the DPAs,” Marby said. “Remember that it’s the law.”
While ICANN has expended most of its effort to date on creating a model for the public Whois, there’s a parallel effort to create an accreditation program that would enable organizations with “legitimate purposes” to access full, or at least more complete, Whois records.
It’s the IP lawyers that are driving this effort, primarily, terrified that their ability to hunt down cybersquatters and bootleggers will be diminished come May 25.
ICANN has so far resisted calls to endorse the so-called “Cannoli” draft accreditation model, with Marby publicly saying that it needs cross-community support.
But the organization has committed staff support resources to discussion of Cannoli. There’s a new mailing list and there will be a community conference call this coming Friday at 1400 UTC.
Marby said that he shares the worries of the IP community, adding: “If we get the proper guidance from the DPAs, we will know how to sort out the accreditation model.”
He met with the Article 29 Working Party, comprised of DPAs, last week; the group agreed to put Whois on its agenda for its meeting next week, April 10-11.
The fact that it’s up for discussion is what gives Marby his cautious optimism that he will get the guidance he needs.
Assuming the DPAs deliver, ICANN is then in the predicament of having to figure out a way to enforce, via its contracts, a Whois system that is compliant with the DPAs’ interpretation of GDPR.
Usually, this would require a GNSO Policy Development Process leading to a binding Consensus Policy.
But Marby said ICANN’s board of directors has other options, such as what he called an “emergency policy”.
This is a reference, I believe, to the “Temporary Policies” clauses, which can be found in the Registrar Accreditation Agreement and Registry Agreement.
Such policies can be mandated by a super-majority vote of the board, would have to be narrowly tailored to solve the specific problem at hand, and could be in effect no longer than one year.
A temporary policy could be replaced by a compatible, community-created Consensus Policy.
It’s possible that a temporary policy could, for example, force Afilias and others to reverse their plans to switch to thin Whois.
But that’s perhaps getting ahead of ourselves.
Fact is, the advice the DPAs provide following their Article 29 meeting next week is what’s going to define Whois for the foreseeable future.
If the guidance is clear, the ICANN organization and community will have their direction of travel mapped out for them.
If it’s vague, wishy-washy, and non-committal, then it’s likely that only the European Court of Justice will be able to provide clarity. And that would take many years.
And whatever the DPAs say, Marby says it is “highly improbable” that Whois will continue to exist in its current form.
“The GDPR will have an effect on the Whois system. Not everybody will get access to the Whois system. Not everybody will have as easy access as before,” he said.
“That’s not a bug, that’s a feature of the legislation,” he said. “That’s not ICANN’s fault, it’s what the legislator thought when it made this legislation. It is the legislators’ intention to make sure people’s data is handled in a different way going forward, so it will have an effect.”
The community awaits the DPAs’ guidance with baited breath.

Registrars will miss GDPR deadline by a mile

Registries and registrars won’t be able to implement ICANN’s proposed overhaul of the Whois system in time for the EU’s General Data Protection Regulation coming into effect.
That’s according to an estimated timetable (pdf) sent by ICANN’s contracted parties to the organization this week.
While they feel confident that some elements of ICANN’s GDPR compliance plan could be in place before May 25 this year, when the law kicks in, they feel that other elements could take many months to design and roll out.
Depending on the detail of the finalized plan, we could be looking at the back end of 2019 before all the pieces have been put in place.
Crucially, the contracted parties warn that designing and rolling out a temporary method for granting Whois access to entities with legitimate interests in the data, such as police and trademark owners, could take a year.
And that’s just the stop-gap, Band-Aid hack that individual registries and registrars would put in place while waiting — “quarters (or possibly years), rather than months” — for a fully centralized ICANN accreditation solution to be put in place.
The outlook looks bleak for those hoping for uninterrupted Whois access, in other words.
But the timetable lists many other sources of potential delay too.
Even just replacing the registrant’s email address with a web form or anonymized forwarding address could take up to four months to put online, the contracted parties say.
Generally speaking, the more the post-GDPR Whois differs from the current model the longer the contracted parties believe it will take to roll out.
Likewise, the more granular the controls on the data, the longer the implementation window.
For example, if ICANN forces registrars to differentiate between legal and natural persons, or between European and non-European registrants, that’s going to add six months to the implementation time and cost a bomb, the letter says.
Anything that messes with EPP, the protocol underpinning all registry-registrar interactions, will add some serious time to the roll-out too, due to the implementation time and the contractual requirement for a 90-day notice period.
The heaviest workload highlighted in the letter is the proposed opt-in system for registrants (such as domain investors) who wish to waive their privacy rights in favor of making themselves more contactable.
The contracted parties reckon this would take nine months if it’s implemented only at the registrar, or up to 15 months if coordination between registries and registrars is required (and that timeline assumes no new EPP extensions are going to be needed).
It’s possible that the estimates in the letter could be exaggerated as part of the contracted parties’ efforts to pressure ICANN to adopt the kind of post-GDPR Whois they want to see.
But even if we assume that is the case, and even if ICANN were to finalize its compliance model tomorrow, there appears to be little chance that it will be fully implemented at all registrars and registries in time for May 25.
The letter notes that the timetable is an estimate and does not apply to all contracted parties.
As I blogged earlier today, ICANN CEO Goran Marby has this week reached out to data protection authorities across the EU for guidance, in a letter that also asks the DPAs for an enforcement moratorium while the industry and community gets its act together.
Late last year, ICANN also committed not to enforce the Whois elements of its contracts when technical breaches are actually related to GDPR compliance.

A lazy blogger’s wish-list for ICANN remote participation

Remote participation at ICANN meetings is pretty damn good, but I’m an ungrateful asshole and I want more.
I’ve had a personal wish-list of remote participation features during and immediately after every ICANN meeting for a few years now, but when ICANN turned off Adobe Connect for the back half of ICANN 61 last week I was inspired to put pen to paper and rant about it in public.
Make no mistake, these are minor quibbles and no diss to the thoroughly lovely people on the ICANN meetings team.
In a community where are great many people are tasked with herding cats, the meetings guys are the only ones who have to physically herd the cats into their windowless pens through the sheer power of their organizational skills.
Not to mention they have to ensure all the cats are fed, watered, caffeinated, inebriated, and have trays of gravel into which to do their dirty business.
(Sorry, that metaphor got away from me a little there.)
My point is, the fact that anyone ever gets anything done at an ICANN meeting is due in no small part to the folk who actually organize the events, including the remote participation.
With all those disclaimers in mind, here are a few things I would like to see in future.
Archive the scribe feeds
The ICANN scribe feed, provided for as long as I can remember by Brewer & Darrenougue and StreamText is excellent.
It provides a live, scrolling, text transcription, in English, of whatever is being said in a session. It’s not 100% accurate all of the time, but it’s damn close.
Over the years, the scribes seem to have gained an ear for the regular speakers. It’s increasingly rare to see “[SAYING NAME]” in a feed, and we don’t often see pleas from the scribes for speakers to slow down any more.
This allows Anglo monoglot basement-dwellers such as myself to identify who’s talking and get a rough idea what they’re saying, even when they are Catalan registry operators speak quickly in heavily accented, non-native English.
The problem with the feed is that they disappear immediately after each session ends, usually at lunch time and again at the end of the day. Remote participants then have to wait anywhere from a day to several days for the full, edited transcript to be published.
I think the resource cost of immediately publishing the full, warts-and-all scribe transcript would be negligible.
Even if StreamText doesn’t offer it as an automated feature, copy-pasting a session transcript from a browser window into a PDF and banging it on the ICANN web site shouldn’t take more than a few minutes. I know; for several meetings I did it myself on selected sessions as a public service.
Bring back the MP3s
Not too long ago, the audio-only streams were recorded into MP3 files and dumped on the meeting web site in short order, often the same day.
Now, instead, we get M3U files, which are basically just links to streams. And the streams are extremely temperamental, regularly skipping around, restarting or simply stopping for no readily apparent reason.
Today, attempting to re-listen to the M3U of last Thursday’s Public Forum, I had to restart the stream and go hunting for the position I’d been kicked out maybe a dozen times. It was very irritating.
MP3s have the added advantage that they can be listened to offline, allowing you to catch up on sessions you missed while, for example, loitering at an airport with crappy wifi.
I want the MP3s back, dammit!
Consider YouTube maybe?
Recent meetings have seen the introduction of Livestream.com as an alternative to Adobe Connect for viewing live video.
I assume ICANN is paying for this service, probably five figures per year, but I have no idea what benefit (if any) the service offers over YouTube live streaming.
It doesn’t even always work. Try getting Thursday’s Public Forum recording to play. I couldn’t.
Is there any particular reason YouTube is not a viable option? As far as I know it’s free and reliable. YouTubers with far greater audiences than ICANN seem to get away with using it on a daily basis.
It could even be monetized, turning an expense into a small source of additional revenue.
Bring back meaningful filenames
ICANN is pretty good about publishing transcripts, presentations and other documentation as PDFs on the pages for each session. But for some reason in Puerto Rico it started naming the files with apparently meaningless numerical strings.
In all the meetings I can recall before ICANN 61, a downloadable transcript might be named something like “transcript-public-forum-10mar16-en.pdf”. Now, you’ll get something like “1521076292.pdf” instead, which is a step backwards.
Sure, I could manually rename the file to something meaningful myself, but that would take me at least 30 seconds — 30 seconds I could better use listening to Marilyn Cade introduce herself, Goran Marby apologize for something, or literally anyone else in the community complain that nobody listens to them any more.
Keep the redundancy!
Finally, as ICANN discovered this week, redundancy is essential to maintaining uninterrupted remote participation.
Even with Adobe Connect offline across the board for half of the week, it was still possible for those of us in the cheap seats to see video, hear audio, read the scribes, and submit questions and comments.
It wasn’t perfect, but it did the job well enough (previous complaints notwithstanding).
Even when Adobe is turned on, the alternative methods of listening in are extremely useful for overcoming its occasional limitations.
Often, AC rooms are barely audible. This problem occurs on an almost daily basis during ICANN. It affects some rooms but not others and I’ve yet to spot a predictable pattern.
But when you can’t hear what’s going on in AC, it’s always possible to mute the room and launch the always-audible live M3U stream separately.
Similarly, on the rare occasions the audio or video is down, the scribes can often allow us to follow the gist of the discussion while the nerds work on a fix.
In short, redundancy is good.
UPDATE (MARCH 21): Josh Baulch from the ICANN meetings team has left a comment addressing some of these points. It turns out MP3s are actually available elsewhere on the ICANN web site and Livestream costs ICANN far, far less than I had estimated based on Livestream’s published price list.

Namecheap’s Move Your Domain Day actually works

Namecheap appears to have done a year’s worth of transfers in a single day, on its annual Move Your Domain Day promotion.
The company said this week that the promotion, which ran on March 6 this year, saw 20,590 domains transferred in from other registrars.
That’s pretty good compared to its usual transfer activity.
Registry report data shows that Namecheap usually gets 1,000 to 1,500 inbound transfers per month, across all gTLDs.
Move Your Domain Day was originally set up to capitalize on protests over GoDaddy’s support for the Stop Online Piracy Act in late 2011.
That year, when it benefited from greater publicity, the company said it saw over 40,000 transfers.
During the promotion, Namecheap discounts transfers and donates $1.50 per domain to the Electronic Frontier Foundation.
This year, the EFF will be getting a check for $30,885.
Namecheap said earlier in the week that it was having problems processing inbounds from GoDaddy, which it claimed was throttling automated Whois queries, but said it would process the transfers regardless.

auDA probably won’t pass on full Afilias savings to registrants

Switching .au’s back-end to Afilias will cut auDA’s per-domain costs by more than half, but registrants are not likely to benefit from the full impact of the savings.
auDA’s Bruce Tonkin, who led the committee that selected Afilias to replace incumbent Neustar, told DI this week that the organization is likely to take a bigger cut of .au registration fees in future, in order to invest in marketing.
That would include marketing the ability of Aussies to register .au domains at the second level for the first time — a controversial, yet-to-roll-out proposal.
Tonkin confirmed that the back-end fee auDA will be paying Afilias is less than half of what it is currently paying Neustar — the unconfirmed rumor is that it’s 40% of the current rate — but said that Afilias was not the cheapest of the nine bidders.
While .au names are sold for a minimum of two years, the current wholesale price charged to registrars works out to AUD 8.75 ($6.85) per year, of which Neustar gets AUD 6.33; auDA receives the other AUD 2.42.
A back-end fee of roughly $5 (US) per domain per year is well above market rates, so it’s pretty clear why auDA chose to open the contract to competition.
Tonkin explained the process by which Afilias was selected:

We first considered scoring without price, and Afilias received the highest score for non-financial criteria.
We then considered pricing information to form an assessment of value for money. The average pricing across the 9 [Request For Tender] responses was less than half of the present registry back-end fee ($6.33). Afilias was close to the average pricing, and while it was not the cheapest price — it was considered best value for money when taking into account the highest score in non-financial criteria.

I asked Afilias for comment on rumors that its price was 60% down on the current rate and received this statement:

Afilias believes auDA chose us based on the best overall value for the Australian internet community. The evaluation heavily weighted expertise, quality and breadth of service over price. While we don’t know what others bid, Afilias works to be competitive in today’s market. Attempts to price significantly higher than market without a value proposition are unrealistic and could even be considered price gouging.

It’s not known what price Neustar bid for the continuation of the contract, but I expect it will have also offered a deep discount to its current rate.
By switching, auDA is basically going to be saving itself over AUD 3 per domain per year, which works out to a total of AUD 9 million ($7 million) per year at least.
But the organization has yet to decide how much of that money, if any, to pass on to its registrars and ultimately registrants.
The auDA board of directors will meet in March to discuss this, Tonkin (who is in charge of the registry transition project but not on the board) said.
“We don’t want to set expectations that the wholesale price is going to change massively,” he said.
“I don’t expect it’s going to be any higher than the current wholesale price,” he said.
But he said he expects auDA to increase its slice of the pie in order to raise more money for marketing. The organization does “basically no marketing” now, he said.
“There’s certainly strong interest in doing more to market and grow the namespace,” he said. “One option is that more money is put into marketing the namespace and growing awareness of .au… That AUD 2.42, I expect that to change.”
This would include marketing direct second-level registrations, an incoming change to how .au names are sold that has domain investors worried about confusion and market dilution.
Outrage over the 2LD proposal — it appears to be a done deal, even if the details and timeline have yet to be finalized — has started attracting the attention of business media in Australia recently.
But auDA’s own research shows that opposition is not that substantial outside of these “special interests”.
A survey last year showed that 40% of .com.au registrants “support” or “strongly support” the direct registration proposal, with 18% “opposed” or “strongly opposed” Another 42% were completely unaware of the changes.
Support among .org.au registrants was lower, and it was higher among .net.au registrants.
But 36% of “special interests” — which appears to mean people who discovered the survey due to their close involvement in the domain industry — were opposed to the plan.
There’s no current timeline for the introduction of direct registrations, but the back-end handover from Neustar to Afilias is set to happen July 1 this year.
Neustar acquired AusRegistry, which has been running .au since 2002, for $87 million a couple of years ago.

Economist would sue ICANN if it publishes private emails

The Economist Intelligence Unit has threatened to sue ICANN if it publishes emails related to its evaluations of “community” gTLDs.
That’s according to a document published by ICANN this week, in which the organization refused to reveal any more information about a controversial probe into the Community Priority Evaluations the EIU conducted on its behalf.
EIU “threatened litigation” should ICANN publish emails sent between the two parties, the document states.
New gTLD applicant DotMusic, which failed its CPE for .music but years later continues to fight for the decision to be overturned, filed a Documentary Information Disclosure Policy request with ICANN a month ago.
DIDP is ICANN’s equivalent of a Freedom of Information Act.
DotMusic’s request among many other items sought the release of over 100,000 emails, many sent between ICANN and the EIU, that ICANN had provided to FTI Consulting during FTI’s investigation into whether the CPEs were fair, consistent and absent ICANN meddling.
But in its response this week, ICANN pointed out that its contract with EIU, its “CPE Provider”, has confidentiality clauses:

ICANN organization endeavored to obtain consent from the CPE Provider to disclose certain information relating to the CPE Process Review, but the CPE Provider has not agreed to ICANN organization’s request, and has threatened litigation should ICANN organization breach its contractual confidentiality obligations. ICANN organization’s contractual commitments must be weighed against its other commitments, including transparency. The commitment to transparency does not outweigh all other commitments to require ICANN organization to breach its contract with the CPE Provider.

DotMusic’s DIDP sought the release of 19 batches of information, which it hopes would bolster its case that both the EIU’s original reviews and FTI’s subsequent investigation were flawed, but all requests were denied by ICANN on various grounds.
In more than one instance, ICANN claims attorney-client privilege under California law, as it was actually ICANN’s longstanding law firm Jones Day, rather than ICANN itself, that contracted with FTI.
The FTI report cleared ICANN of all impropriety and said the EIU’s CPE process had been consistent across each of the gTLD applications it looked at.
The full DIDP request and response can be found here.
ICANN has yet to make a decision on .music, along with .gay, .hotel, .cpa, and .merck, all of which were affected by the CPE reviews.

Root crypto rollover now slated for October

ICANN has penciled in October 11 as the new date for rolling the DNS root’s cryptographic keys, a delay of a year from its original plan.
The so-called KSK rollover will see ICANN remove the deprecated 2010 Key Signing Key, leaving only the 2017 KSK active.
The KSK acts as the “trust anchor” for DNSSEC across the whole internet.
After the rollover, any network not configured to use the latest KSK would see a service interruption.
This could mean many millions of internet users being affected, but ICANN doesn’t know the extent of the possible impact for sure.
ICANN told us in November that it knows of 176 organizations in 41 countries, fairly evenly spread across the globe, that are currently not prepared to handle the new KSK.
But its data is patchy because only a tiny number of DNS resolvers are actually configured to automatically report which KSKs they’re set up to use.
Key rollovers are recommended by DNSSEC experts to reduce the risk of brute force attacks against old keys. At the root, the original plan was to roll the keys every five years.
ICANN had named October 11 2017 as the date for the first such rollover, but this was pushed back to some time in the first quarter after ICANN became aware of the lack of support for the 2017 KSK.
This was pushed back again in December to Q3 at the earliest, after ICANN admitted it still didn’t have good enough data to measure the impact of a premature roll.
Since then, ICANN has been engaged in (not always successful) outreach to networks it knows are affected and has kicked off discussions among network operators (there’s a fairly lively mailing list on the topic) to try to gauge how cautious it needs to be.
It’s now published an updated plan that’s the same as the original plan but with a date exactly one year late — October 11, 2018.
Between now and then, it will continue to try to get hold of network operators not ready to use the new keys, but it’s not expecting to completely eliminate damage. The plan reads:

Implicit in the outreach plan is the same assumption that the community had for the earlier (postponed) plan: there will likely be some systems that will fail to resolve names starting on the day of the rollover. The outreach will attempt to minimize the number of affected users while acknowledging that the operators of some resolvers will be unreachable.

The plan is open for public comment and will require the assent of the ICANN board of directors before being implemented. You have until April 2 to respond.

CPE probe: “whitewash” or “fig leaf”?

A few weeks ago, when I was reporting the conclusions of a probe into ICANN’s new gTLD program, I wrote a prediction on a piece of paper and placed it into a sealed envelope.*
I wrote: “They’re gonna call this a whitewash.”
And I was correct! Ta-dah! I’m here all week.
The lawyer for applicants for .music and .gay gTLDs has written to ICANN to complain that a purportedly independent review of the Community Evaluation Process was riddled with errors and oversights and should not be trusted.
In a letter on behalf of dotgay LLC, Arif Ali calls the report a “whitewash”. In a letter on behalf of DotMusic, he calls it a “fig leaf”.
Both companies think that the CPE probe was designed to give ICANN cover to proceed with auctions for five outstanding gTLD contention sets, rather than to get to the bottom of perceived inconsistencies in the process.
Both of Ali’s clients applied for their respective gTLDs as “community” applicants, trying to avoid auctions by using the Community Priority Evaluation process.
During their CPEs, both carried out by the Economist Intelligence Unit, neither applicant scored highly enough to win the exclusive right to .gay or .music, meaning the next stage was to auction the strings off to the highest bidder.
After repeated complaints from applicants and an Independent Review Process finding that ICANN lacked transparency and that staff may have had inappropriate influence over the EIU, ICANN hired FTI Consulting to look into the whole CPE process.
FTI’s report was finally delivered late last year, clearing ICANN on all counts of impropriety and finding that the EIU’s evaluations had been consistent across each of the applications it looked at.
The remaining gTLDs affected by this are .music, .gay, .hotel, .cpa, and .merck.
ICANN’s board of directors is due to meet to discuss next steps this weekend, but Ali says that it should “critically evaluate the [FTI] Report and not accept its wholesale conclusions”. He wrote, on behalf of DotMusic:

The report reveals that FTI’s investigation was cursory at best; its narrow mandate and evaluation methodology were designed to do little more than vindicate ICANN’s administration of the CPE process.
…
It is evident that FTI engaged in a seemingly advocacy-driven investigation to reach conclusions that would absolve ICANN of the demonstrated and demonstrable problems that afflicted the CPE process.

Among the applicants’ list of complaints: their claim that FTI did not interview affected applicants or take their submissions seriously, and the fact that ICANN was less than transparent about who was conducting the probe and what its remit was.
The same letter quotes ICANN chair Cherine Chalaby, then vice-chair, saying in a January 2017 webinar that he had observed inconsistencies in how the CPEs were carried out; inconsistencies FTI has since found did not occur.
That should be enough to provoke discussion when the board meets to discuss this and other issues in Los Angeles on Saturday.
* I didn’t actually do this of course, I just thought about it, but you get my point.