New gTLD fees could be kept artificially high

Kevin Murphy, July 6, 2018, Domain Policy

More windfalls for ICANN? It’s possible that application fees for new gTLDs could be artificially propped up in order to discourage gaming.
In the newly published draft policy recommendations for the next new gTLD round, ICANN volunteers expressed support for keeping fees high “to deter speculation, warehousing of TLDs, and mitigating against the use of TLDs for abusive or malicious purposes”.
It’s one of the ideas posed in the Initial Report on the New gTLD Subsequent Procedures Policy Development Process, published this week.
It recommends that ICANN continues to price its application fees on a revenue-neutral basis, but with one big exception.
The report notes that there’s support for an “application fee floor” — a minimum fee threshold that would not be crossed no matter how cheap application processing actually becomes:

there might be a case where a revenue neutral approach results in a fee that is “too low,” which could result in an excessive amount of applications (e.g., making warehousing, squatting, or otherwise potentially frivolous applications much easier to submit), reduce the sense of responsibility and value in managing a distinct and unique piece of the Internet, and diminish the seriousness of the commitment to owning a TLD.

The subgroup looking at fees was “generally supportive” of the notion of a floor, the report says.
If the fee floor were used, excess funds would have to be pumped into efforts such as “universal acceptance”, the ongoing outreach project that hopes to persuade developers to ensure their software supports all TLDs.
It could also be used to support applications from the poorer regions of the world.
I wonder how much of a deterrent to warehousing an artificially high application fee would be; deep-pocketed Google and Amazon appear to have warehoused dozens of TLDs they applied for in the 2012 round.
The application fee in 2012 was $185,000 per string, priced on a “cost recovery” basis. The idea was that ICANN shouldn’t use the fees to subsidize its regular operations and vice versa.
But with roughly one third of that amount earmarked for unexpected contingencies — basically a legal defense fund — ICANN currently has close to $100 million in unspent fees sitting idle in a dedicated bank account.
The Initial Report also discusses whether application fees should be varied based on application type, as well as posing dozens of other questions for the community on the rules for the next round of new gTLDs.

No, I don’t get what’s going on with GDPR either

Kevin Murphy, May 16, 2018, Domain Policy

GDPR comes into effect next week, changing the Whois privacy landscape forever, and like many others I still haven’t got a clue what’s going on.
ICANN’s still muddling through a temporary Whois spec that it hopes will shield itself and the industry from fines, special interests are still lobbying for special privileges after May 25, EU privacy regulators are still resisting ICANN’s begging expeditions, and registries and registrars are implementing their own independent solutions.
So what will Whois look like from next Friday? It’s all very confusing.
But here’s what my rotting, misfiring, middle-aged brain has managed to process over the last several days.
1. Not even the ICANN board agrees on the best way forward
For the best part of 2018, ICANN has been working on a temporary replacement Whois specification that it could crowbar into its contracts in order to enforce uniformity across the gTLD space and avoid “fragmentation”, which is seen as a horrific prospect for reasons I’ve never fully understood (Whois has always been fragmented).
The spec has been based on legal advice, community and industry input, and slim guidance from the Article 29 Working Party (the group comprising all EU data protection authorities or DPAs).
ICANN finally published a draft (pdf) of the spec late last Friday, May 11.
That document states… actually, forget it. By the time the weekend was over and I had gotten my head around it, it had already been replaced by another one.
Suffice it to say that it was fairly vague on certain counts — crucially, what “legitimate purposes” for accessing Whois records might be.
The May 14 version came after the ICANN board of directors spent 16 hours or so during its Vancouver retreat apparently arguing quite vigorously about what the spec should contain.
The result is a document that provides a bit more clarity about what it hopes to achieve, and gets a bit more granular on who should be allowed access to private data.
Importantly, between May 11 and May 14, the document started to tilt the scales a little away from the privacy rights of registrants and towards the data access rights of those with the aforementioned legitimate purposes for accessing it.
One thing the board could agree on was that even after working all weekend on the spec, it was still not ready to vote to formally adopt it as a Temporary Policy, which would become binding on all registries and registrars.
It now plans to vote on the Temporary Policy tomorrow, May 17, after basically sleeping on it and considering the last-minute yowls and cries for help from the variously impacted parts of the community.
I’ll report on the details of the policy after it gets the nod.
2. ICANN seems to have grown a pair
Tonally, ICANN’s position seems to have shifted over the weekend, perhaps reflecting an increasingly defiant, confident ICANN.
Its weekend resolution asserts:

the global public interest is served by the implementation of a unified policy governing aspects of the gTLD Registration Data when the GDPR goes into full effect.

For ICANN to state baldly, in a Resolved clause, that something is in the “global public interest” is notable, given what a slippery topic that has been in the past.
New language in the May 14 spec (pdf) also states, as part of its justification for continuing to mandate Whois as a tool for non-technical purposes: “While ICANN’s role is narrow, it is not limited to technical stability.”
The board also reaffirmed that it’s going to reject Governmental Advisory Committee advice, which pressured ICANN to keep Whois as close to its current state as possible, and kick off a so-called “Bylaws consultation” to see if there’s any way to compromise.
I may be reading too much into all this, but it seems to me that having spent the last year coming across as a borderline incompetent johnny-come-lately to the GDPR conversation, ICANN’s becoming more confident about its role.
3. But it’s still asking DPAs for a moratorium, kinda
When ICANN asked the Article 29 Working Party for a “moratorium” on GDPR enforcement, to give itself and the industry some breathing space to catch up on its compliance initiatives, it was told no such thing was legally possible.
Not to be deterred, ICANN has fired back with a long list of questions (pdf) asking for assurances that DPAs will not start fining registrars willy-nilly after the May 25 deadline.
Sure, there may be no such thing as a moratorium, ICANN acknowledges, but can the DPAs at least say that they will take into account the progress ICANN and the industry are making towards compliance when they consider their responses to any regulatory complaints they might receive?
The French DPA, the Commission Nationale de L’informatique & Libertés, has already said it does not plan to fine companies immediately after May 25, so does that go for the other DPAs too? ICANN wants to know!
It’s basically another way of asking for a moratorium, but one based on aw-shucks reasonableness and an acknowledgement that Whois is a tricky edge case that probably wasn’t even considered when GDPR was being developed.
4. No accreditation model, yet
There’s no reference in the new spec to an accreditation model that would give restricted, tiered access to private Whois data to the likes of security researchers and IP lawyers.
The board’s weekend resolution gives a nod to ongoing discussions, led by the Intellectual Property Constituency and Business Constituency (and reluctantly lurked on by other community members), about creating such a model:

The Board is aware that some parts of the ICANN community has begun work to define an Accreditation Model for access to personal data in Registration Data. The Board encourages the community to continue this work, taking into account any advice and guidance that Article 29 Working Party or European Data Protection Board might provide on the topic.

But there doesn’t appear to be any danger of this model making it into the Temporary Policy tomorrow, something that would have been roundly rejected by contracted parties.
While these talks are being given resource support by ICANN (in terms of mailing lists and teleconferencing), they’re not part of any formal policy development process and nobody’s under any obligation to stick to whatever model gets produced.
The latest update to the accreditation model spec, version 1.5, was released last Thursday.
It’s becoming a bit of a monster of a document — at 46 pages it’s 10 pages longer than the ICANN temporary spec — and would create a hugely convoluted system in which people wanting Whois access would have to provide photo ID and other credentials then pay an annual fee to a new agency set up to police access rights.
More on that in a later piece.
5. Whois is literally dead
The key technical change in the temporary Whois spec is that it’s not actually Whois at all.
Whois is not just the name given to the databases, remember, it’s also an aging technical standard for how queries and responses are passed over the internet.
Instead, ICANN is going to mandate a switch to RDAP, the much newer Registration Data Access Protocol.
RDAP makes Whois output more machine-readable and, crucially, it has access control baked in, enabling the kind of tiered access system that now seems inevitable.
ICANN’s new temporary spec would see an RDAP profile created by ICANN and the community by the end of July. The industry would then have 135 days — likely a late December deadline — to implement it.
Problem is, with a few exceptions, RDAP is brand-new tech to most registries and registrars.
We’re looking at a steep learning curve for many, no doubt.
6. It’s all a bit of a clusterfuck
The situation as it stands appears to be this:
ICANN is going to approve a new Whois policy tomorrow that will become binding upon a few thousand contracted parties just one week later.
While registries and registrars have of course had a year or so’s notice that GDPR is coming and will affect them, and I doubt ICANN Compliance will be complete assholes about enforcement in the near term, a week’s implementation time on a new policy is laughably, impossibly short.
For non-contracted parties, a fragmented Whois seems almost inevitable in the short term after May 25. Those of us who use Whois records will have to wait quite a bit longer before anything close to the current system becomes available.

MMX rejected three takeover bids before buying .xxx

MMX talked to three other domain name companies about potentially selling itself before deciding instead to go on the offensive, picking up ICM Registry for about $41 million.
The company came out of a year-long strategic review on Friday with the shock news that it had agreed to buy the .xxx, .adult, .porn and .sex registry, for $10 million cash and about $31 million in stock.
CEO Toby Hall told DI today that informal talks about MMX being sold or merged via reverse takeover had gone on with numerous companies over the last 11 months, but that they only proceeded to formal negotiations in three cases.
Hall said he’d been chatting to ICM president and majority owner Stuart Lawley about a possible combination for over two years.
ICM itself talked to four potential buyers before going with MMX’s offer, according to ICM.
Lawley, who’s quitting the company, will become MMX’s largest shareholder following the deal, with about 15% of the company’s shares. Five other senior managers, as well as ICM investor and back-end provider Afilias, will also get stock.
Combined, ICM-related entities will own roughly a quarter of MMX after the deal closes, Hall said.
ICM, with its high-price domains and pre-2012 early-mover advantage, is the much more profitable company.
It had sales of $7.3 million and net income of $3.5 million in 2017, on approximately 100,000 registrations.
Compared to MMX, that’s about the same amount of profit on about half the revenue. It just reported 2017 profit of $3.8 million on revenue of $14.3 million.
There doesn’t seem to be much need or desire to start swinging the cost-cutting axe at ICM, in other words. Jobs appear safe.
“This isn’t a business in any way that is in need of restructuring,” Hall said.
He added that he has no plans to ditch Afilias as back-end registry provider for the four gTLDs. MMX’s default back-end for the years since it ditched its self-hosted infrastructure has been Nominet.
The deal reduces MMX’s exposure to the volatile Chinese market, where its .vip TLD has proved popular, accounting for over half of the registry’s domains under management.
It also gives MMX ownership of ICM’s potentially lucrative portfolio of reserved premium names.
There are over 9,700 of these, with a combined buy-now price of just shy of $135 million.
I asked Hall whether he had any plans to get these names sold. He laughed, said “the answer is yes”, and declined to elaborate.
ICM currently has a sales staff of three people, he said.
“It’s a small team, but their track record is exceptional,” he said.
The company’s record, I believe, is sex.xxx, which sold for $3 million. It has many six-figure sales on record. Premiums renew at standard reg fee, around $60.
With the ICM deal, MMX has recast itself after a year of uncertainty as an acquirer rather than an acquisition target.
While many observers — including yours truly — had assumed a sale or merger was on the cards, MMX has gone the other route instead.
It’s secured a $3 million line of credit from its current largest shareholder, London and Capital Asset Management Ltd, “to support future innovation and acquisition orientated activity”.
That’s not a hell of a lot of money to run around snapping up rival gTLDs, but Hall said that it showed that investors are supportive of MMX’s new strategy.
So does this mean MMX is going to start devouring failing gTLDs for peanuts? Not necessarily, but Hall wouldn’t rule anything out.
“Our long-term strategy is ultimately based around being an annuity-based business,” he said. He’s looking at companies with a “strong recurring revenue model”.
About 78% of ICM’s revenue last year came from domain renewals. The remainder was premium sales. For MMX, renewal revenue doubled to $4.8 million in 2017, but that’s still only a third of its overall revenue (though MMX is of course a less-mature business).
So while Hall refused to rule out looking at buying up “struggling” gTLDs, I get the impression he’s not particularly interested in taking risks on unproven strings.
“You can never say never to any opportunity,” he said. “If we come across an asset and for whatever reason we believe we can monetize it, it could become an acquisition target.”
The acquisition is dependent on ICANN approving the handover of registry contracts, something that doesn’t usually present a problem in this kind of M&A.

ICANN flips off governments over Whois privacy

Kevin Murphy, May 8, 2018, Domain Policy

ICANN has formally extended its middle finger to its Governmental Advisory Committee for only the third time, telling the GAC that it cannot comply with its advice on Whois privacy.
It’s triggered a clause in its bylaws used to force both parties to the table for urgent talks, first used when ICANN clashed with the GAC on approving .xxx back in 2010.
The ICANN board of directors has decided that it cannot accept nine of the 10 bulleted items of formal advice on compliance with the General Data Protection Regulation that the GAC provided after its meetings in Puerto Rico in March.
Among that advice is a direction that public Whois records should continue to contain the email address of the registrant after GDPR goes into effect May 25, and that parties with a “legitimate purpose” in Whois data should continue to get access.
Of the 10 pieces of advice, ICANN proposes kicking eight of them down the road to be dealt with at a later date.
It’s given the GAC a face-saving way to back away from these items by clarifying that they refer not to the “interim” Whois model likely to come into effect at the GDPR deadline, but to the “ultimate” model that could come into effect a year later after the ICANN community’s got its shit together.
Attempting to retcon GAC advice is not unusual when ICANN disagrees with its governments, but this time at least it’s being up-front about it.
ICANN chair Cherine Chalaby told GAC chair Manal Ismail:

Reaching a common understanding of the GAC’s advice in relation to the Interim Model (May 25) versus the Ultimate Model would greatly assist the Board’s deliberations on the GAC’s advice.

Of the remaining two items of advice, ICANN agrees with one and proposes immediate talks on the other.
One item, concerning the deployment of a Temporary Policy to enforce a uniform Whois on an emergency basis, ICANN says it can accept immediately. Indeed, the Temporary Policy route we first reported on a month ago now appears to be a done deal.
ICANN has asked the GAC for a teleconference this week to discuss the remaining item, which is:

Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties;

Basically, the GAC is trying to prevent the juicier bits of Whois from going dark for everyone, including the likes of law enforcement and trademark lawyers, two weeks from now.
The problem here is that while ICANN has tacit agreement from European data protection authorities that a tiered-access, accreditation-based model is probably a good idea, no such system currently exists and until very recently it’s not been something in which ICANN has invested a lot of focus.
A hundred or so members of the ICANN community, led by IP lawyers who won’t take no for an answer, are currently working off-the-books on an interim accreditation model that could feasibly be used, but it is still subject to substantial debate.
In any event, it would be basically impossible for any agreed-upon accreditation solution to be implemented across the industry before May 25.
So ICANN has invoked its bylaws fuck-you powers for only the third time in its history.
The first time was when the GAC opposed .xxx for reasons lost in the mists of time back in 2010. The second was in 2014 when the GAC overstepped its powers and told ICANN to ignore the rest of the community on the issue of Red Cross related domains.
The board resolved at a meeting last Thursday:

the Board has determined that it may take an action that is not consistent or may not be consistent with the GAC’s advice in the San Juan Communiqué concerning the GDPR and ICANN’s proposed Interim GDPR Compliance Model, and hereby initiates the required Board-GAC Bylaws Consultation Process required in such an event. The Board will provide written notice to the GAC to initiate the process as required by the Bylaws Consultation Process.

Chalaby asked Ismail (pdf) for a call this week. I don’t know if that call has yet taken place, but given the short notice I expect it has not.
For the record, here’s the GAC’s GDPR advice from its Puerto Rico communique (pdf).

a. the GAC advises the ICANN Board to instruct the ICANN Organization to:
i. Ensure that the proposed interim model maintains current WHOIS requirements to the fullest extent possible;
ii. Provide a detailed rationale for the choices made in the interim model, explaining their necessity and proportionality in relation to the legitimate purposes identified;
iii. In particular, reconsider the proposal to hide the registrant email address as this may not be proportionate in view of the significant negative impact on law enforcement, cybersecurity and rights protection;
iv. Distinguish between legal and natural persons, allowing for public access to WHOIS data of legal entities, which are not in the remit of the GDPR;
v. Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties;
vi. Ensure that limitations in terms of query volume envisaged under an accreditation program balance realistic investigatory crossreferencing needs; and
vii. Ensure confidentiality of WHOIS queries by law enforcement agencies.
b. the GAC advises the ICANN Board to instruct the ICANN Organization to:
i. Complete the interim model as swiftly as possible, taking into account the advice above. Once the model is finalized, the GAC will complement ICANN’s outreach to the Article 29 Working Party, inviting them to provide their views;
ii. Consider the use of Temporary Policies and/or Special Amendments to ICANN’s standard Registry and Registrar contracts to mandate implementation of an interim model and a temporary access mechanism; and
iii. Assist in informing other national governments not represented in the GAC of the opportunity for individual governments, if they wish to do so, to provide information to ICANN on governmental users to ensure continued access to WHOIS.

.com adds 5.5 million names, renewals back over 70%

Kevin Murphy, April 30, 2018, Domain Registries

Verisign reported first-quarter financial results that reflected a healthier .com namespace following the spike caused by Chinese speculation in 2016.
The company Friday reported that .com was up to 133.9 million domains at the end of March, an increase of 5.5 million over the year.
The strong showing was tempered slightly by a further decline in .net, where domains were down from 15.2 million to 14.4 million.
Over the quarter, there was a net increase of 1.9 million names across both TLDs and the renewal rate was an estimated 74.9%, a pretty damn good showing.
Actual renewals for Q4, measurable only after Verisign announced its earnings, were confirmed at 72.5%, compared to a worryingly low 67.6% in Q4 2016.
In a call with analysts, CEO James Bidzos confirmed that the turnaround was due to the surge in Chinese domainer speculation that drove numbers in 2016 finally working its way out of the system.
In Q1, the cash-printing company saw net income of $134 million, compared to $116 million a year earlier, on revenue up 3.7% at $299 million.
Bidzos told analysts that it’s “possible” that the company may get to launch .web in 2018, but said Verisign has not baked any impact from the contested gTLD into its forecasts.

Now GNSO mulls emergency response to GDPR deadline

Kevin Murphy, April 16, 2018, Domain Policy

ICANN’s GNSO Council is thinking about deploying a never-before-used emergency mechanism to develop a Whois privacy policy in response to GDPR.
With the May 25 deadline for compliance with the EU’s General Data Protection Regulation fast approaching, the community is scrambling to figure out how it can bring ICANN’s policies and therefore its contracts into line with the Draconian privacy provisions of the new law.
Currently, ICANN contracts with registries and registrars demand the publication of full Whois records, something GDPR will not permit, so each company in the industry is busily figuring out how its own Whois database will comply.
Fearful of a “fragmented” Whois, ICANN’s board of directors is considering deploying its own top-down emergency measure — called a Temporary Policy in its contracts — to ensure uniformity across its contracts.
CEO Goran Marby revealed to DI earlier this month that a Temporary Policy was being considered, and he and other members of the board confirmed as much to GNSO leadership during a telephone briefing last week.
(It should be noted that the call took place prior to the receipt last week of guidance from the EU Article 29 Working Party, which prompted ICANN to start mulling legal options as one way to buy the industry some time to comply post-May.)
The call (recorded here with password Eur3wiEK and summarized in this letter (pdf)), focused almost exclusively on how the Council could respond to a board-mandated Temporary Policy, with the board suggesting a GNSO Expedited Policy Development Process might be the best way to proceed.
A Temporary Policy would expire within a year, so the GNSO would have to come up with a formal Consensus Policy within that time-frame if ICANN were to have any hope of having a uniform view of Whois across its contracts.
The Temporary Policy is a “strong option” for the board, and a “highly likely or likely” outcome, but nothing has been formally decided, the GNSO leaders heard from ICANN vice-chair Chris Disspain. He was briefly challenged by Marby, who appeared somewhat more committed to the move.
While the GNSO Council has not yet formally decided to deploy the EPDP, it appears to be the most-feasible option to meet the deadline a Temporary Policy would impose.
It is estimated that an EPDP could take as little as 360 days, compared to the estimated 849 days of a regular PDP.
The EPDP cuts out several of the initial steps of a regular PDP — mainly the need for an Initial Report and associated public comment period — which by my reading would shorten the process by at least 100 days.
It also seems to give the GNSO some wriggle room in how the actual policy creation takes place. It appears that the regular “working group” structure could be replaced, for example, with a “drafting team”.
If the EPDP has the Temporary Policy and WP29 guidance as its baseline for discussions, that could also help cut out some of the circular argument that usually characterizes Whois discussions.
Aware that the EPDP is a strong possibility, the Council is currently planning to give itself a crash course in the process, which has never been used before by any iteration of the Council.
It’s uncharted territory for both the GNSO and the ICANN board, and the only people who seem to have a firm grasp on how the two emergency mechanisms slot together are the ICANN staffers who are paid to know such things.
UPDATE: A couple of hours after this article was published, ICANN posted this three-page flow-chart (pdf) comparing EPDP to PDP. Lots of luck.

ICANN confirms GoDaddy Whois probe

ICANN is looking into claims that GoDaddy is in breach of its registrar accreditation contract.
The organization last week told IP lawyer Brian Winterfeldt that his complaint about the market-leading registrar throttling and censoring Whois queries over port 43 is being looked at by its compliance department.
The brief note (pdf) says that Compliance is “in receipt of the correspondence and will address it under its process”.
Winterfeldt is annoyed that GoDaddy has started removing contact information from its port 43 Whois responses, in what the company says is an anti-spam measure.
It’s also started throttling port 43 queries, causing no end of problems at companies such as DomainTools.
Winterfeldt wrote last month “nothing in their contract permits GoDaddy to mask data elements, and evidence of illegality must be obtained before GoDaddy is permitted to throttle or deny port 43 Whois access to any particular IP address”.
It’s worth saying that ICANN is not giving any formal credibility to the complaint merely by looking into it.
But while it’s usual for ICANN to publish its responses to correspondence it has received and published, it’s rather less common for it to disclose the existence of a compliance investigation before it has progressed to a formal breach notice.
It could all turn out to be moot anyway, given the damage GDPR is likely to do to Whois across the industry in a matter of weeks.

Marby ponders emergency powers to avoid fragmented Whois

Kevin Murphy, April 4, 2018, Domain Policy

ICANN could invoke emergency powers in its contracts to prevent Whois becoming “fragmented” after EU privacy laws kick in next month.
That’s a possibility that emerged during a DI interview with ICANN CEO Goran Marby yesterday.
Marby told us that he’s “cautiously optimistic” that European data protection authorities will soon provide clear guidance that will help the domain industry become compliant with the General Data Protection Regulation, which becomes fully effective May 25.
But he said that a lack of such guidance will lead to a situation where different companies provide different levels of public Whois.
“It’s a high probability that Whois goes fragmented or that Whois will be in a sort of ‘thin’ model in which very little information is collected and very little information is displayed,” he said. “That’s a sort of worst-case scenario.”
I should note that the interview was conducted yesterday before news broke that Afilias has become the first major gTLD registry to announce its Whois output will be essentially thin — eschewing all registrant contact data — from May 25.
Marby has asked European DPAs for two things.
First, guidance on whether its “Cookbook” proposal for a dramatically scaled-back, GDPR-compliant Whois is in fact GDPR-compliant.
Second, an enforcement moratorium while registries and registrars actually go about implementing the Cookbook.
“If we don’t get guidance that’s clear enough, we will see a fragmented Whois. If we get guidance that is clear enough we can work it out,” Marby said.
A moratorium could enable Whois to carry on in its current state, or something close to it, while ICANN goes about creating a new policy that fits with the DPA’s guidance.
If the DPAs refuse a moratorium, we’re looking at a black hole of indeterminate duration during which nobody — not even law enforcement or self-appointed trademark cops — can easily access full Whois records.
“It’s not something I can do anything about, it’s really in the hands of the DPAs,” Marby said. “Remember that it’s the law.”
While ICANN has expended most of its effort to date on creating a model for the public Whois, there’s a parallel effort to create an accreditation program that would enable organizations with “legitimate purposes” to access full, or at least more complete, Whois records.
It’s the IP lawyers that are driving this effort, primarily, terrified that their ability to hunt down cybersquatters and bootleggers will be diminished come May 25.
ICANN has so far resisted calls to endorse the so-called “Cannoli” draft accreditation model, with Marby publicly saying that it needs cross-community support.
But the organization has committed staff support resources to discussion of Cannoli. There’s a new mailing list and there will be a community conference call this coming Friday at 1400 UTC.
Marby said that he shares the worries of the IP community, adding: “If we get the proper guidance from the DPAs, we will know how to sort out the accreditation model.”
He met with the Article 29 Working Party, comprised of DPAs, last week; the group agreed to put Whois on its agenda for its meeting next week, April 10-11.
The fact that it’s up for discussion is what gives Marby his cautious optimism that he will get the guidance he needs.
Assuming the DPAs deliver, ICANN is then in the predicament of having to figure out a way to enforce, via its contracts, a Whois system that is compliant with the DPAs’ interpretation of GDPR.
Usually, this would require a GNSO Policy Development Process leading to a binding Consensus Policy.
But Marby said ICANN’s board of directors has other options, such as what he called an “emergency policy”.
This is a reference, I believe, to the “Temporary Policies” clauses, which can be found in the Registrar Accreditation Agreement and Registry Agreement.
Such policies can be mandated by a super-majority vote of the board, would have to be narrowly tailored to solve the specific problem at hand, and could be in effect no longer than one year.
A temporary policy could be replaced by a compatible, community-created Consensus Policy.
It’s possible that a temporary policy could, for example, force Afilias and others to reverse their plans to switch to thin Whois.
But that’s perhaps getting ahead of ourselves.
Fact is, the advice the DPAs provide following their Article 29 meeting next week is what’s going to define Whois for the foreseeable future.
If the guidance is clear, the ICANN organization and community will have their direction of travel mapped out for them.
If it’s vague, wishy-washy, and non-committal, then it’s likely that only the European Court of Justice will be able to provide clarity. And that would take many years.
And whatever the DPAs say, Marby says it is “highly improbable” that Whois will continue to exist in its current form.
“The GDPR will have an effect on the Whois system. Not everybody will get access to the Whois system. Not everybody will have as easy access as before,” he said.
“That’s not a bug, that’s a feature of the legislation,” he said. “That’s not ICANN’s fault, it’s what the legislator thought when it made this legislation. It is the legislators’ intention to make sure people’s data is handled in a different way going forward, so it will have an effect.”
The community awaits the DPAs’ guidance with bated breath.

Registrars will miss GDPR deadline by a mile

Kevin Murphy, March 28, 2018, Domain Registrars

Registries and registrars won’t be able to implement ICANN’s proposed overhaul of the Whois system in time for the EU’s General Data Protection Regulation coming into effect.
That’s according to an estimated timetable (pdf) sent by ICANN’s contracted parties to the organization this week.
While they feel confident that some elements of ICANN’s GDPR compliance plan could be in place before May 25 this year, when the law kicks in, they feel that other elements could take many months to design and roll out.
Depending on the detail of the finalized plan, we could be looking at the back end of 2019 before all the pieces have been put in place.
Crucially, the contracted parties warn that designing and rolling out a temporary method for granting Whois access to entities with legitimate interests in the data, such as police and trademark owners, could take a year.
And that’s just the stop-gap, Band-Aid hack that individual registries and registrars would put in place while waiting — “quarters (or possibly years), rather than months” — for a fully centralized ICANN accreditation solution to be put in place.
The outlook looks bleak for those hoping for uninterrupted Whois access, in other words.
But the timetable lists many other sources of potential delay too.
Even just replacing the registrant’s email address with a web form or anonymized forwarding address could take up to four months to put online, the contracted parties say.
Generally speaking, the more the post-GDPR Whois differs from the current model the longer the contracted parties believe it will take to roll out.
Likewise, the more granular the controls on the data, the longer the implementation window.
For example, if ICANN forces registrars to differentiate between legal and natural persons, or between European and non-European registrants, that’s going to add six months to the implementation time and cost a bomb, the letter says.
Anything that messes with EPP, the protocol underpinning all registry-registrar interactions, will add some serious time to the roll-out too, due to the implementation time and the contractual requirement for a 90-day notice period.
The heaviest workload highlighted in the letter is the proposed opt-in system for registrants (such as domain investors) who wish to waive their privacy rights in favor of making themselves more contactable.
The contracted parties reckon this would take nine months if it’s implemented only at the registrar, or up to 15 months if coordination between registries and registrars is required (and that timeline assumes no new EPP extensions are going to be needed).
It’s possible that the estimates in the letter could be exaggerated as part of the contracted parties’ efforts to pressure ICANN to adopt the kind of post-GDPR Whois they want to see.
But even if we assume that is the case, and even if ICANN were to finalize its compliance model tomorrow, there appears to be little chance that it will be fully implemented at all registrars and registries in time for May 25.
The letter notes that the timetable is an estimate and does not apply to all contracted parties.
As I blogged earlier today, ICANN CEO Goran Marby has this week reached out to data protection authorities across the EU for guidance, in a letter that also asks the DPAs for an enforcement moratorium while the industry and community get their act together.
Late last year, ICANN also committed not to enforce the Whois elements of its contracts when technical breaches are actually related to GDPR compliance.

A lazy blogger’s wish-list for ICANN remote participation

Kevin Murphy, March 19, 2018, Domain Policy

Remote participation at ICANN meetings is pretty damn good, but I’m an ungrateful asshole and I want more.
I’ve had a personal wish-list of remote participation features during and immediately after every ICANN meeting for a few years now, but when ICANN turned off Adobe Connect for the back half of ICANN 61 last week I was inspired to put pen to paper and rant about it in public.
Make no mistake, these are minor quibbles and no diss to the thoroughly lovely people on the ICANN meetings team.
In a community where a great many people are tasked with herding cats, the meetings guys are the only ones who have to physically herd the cats into their windowless pens through the sheer power of their organizational skills.
Not to mention they have to ensure all the cats are fed, watered, caffeinated, inebriated, and have trays of gravel into which to do their dirty business.
(Sorry, that metaphor got away from me a little there.)
My point is, the fact that anyone ever gets anything done at an ICANN meeting is due in no small part to the folk who actually organize the events, including the remote participation.
With all those disclaimers in mind, here are a few things I would like to see in future.

Archive the scribe feeds

The ICANN scribe feed, provided for as long as I can remember by Brewer & Darrenougue and StreamText, is excellent.
It provides a live, scrolling, text transcription, in English, of whatever is being said in a session. It’s not 100% accurate all of the time, but it’s damn close.
Over the years, the scribes seem to have gained an ear for the regular speakers. It’s increasingly rare to see “[SAYING NAME]” in a feed, and we don’t often see pleas from the scribes for speakers to slow down any more.
This allows Anglo monoglot basement-dwellers such as myself to identify who’s talking and get a rough idea what they’re saying, even when they are Catalan registry operators speaking quickly in heavily accented, non-native English.
The problem with the feeds is that they disappear immediately after each session ends, usually at lunch time and again at the end of the day. Remote participants then have to wait anywhere from a day to several days for the full, edited transcript to be published.
I think the resource cost of immediately publishing the full, warts-and-all scribe transcript would be negligible.
Even if StreamText doesn’t offer it as an automated feature, copy-pasting a session transcript from a browser window into a PDF and banging it on the ICANN web site shouldn’t take more than a few minutes. I know; for several meetings I did it myself on selected sessions as a public service.

Bring back the MP3s

Not too long ago, the audio-only streams were recorded into MP3 files and dumped on the meeting web site in short order, often the same day.
Now, instead, we get M3U files, which are basically just links to streams. And the streams are extremely temperamental, regularly skipping around, restarting or simply stopping for no readily apparent reason.
Today, attempting to re-listen to the M3U of last Thursday’s Public Forum, I had to restart the stream and go hunting for the position I’d been kicked out at maybe a dozen times. It was very irritating.
MP3s have the added advantage that they can be listened to offline, allowing you to catch up on sessions you missed while, for example, loitering at an airport with crappy wifi.
I want the MP3s back, dammit!

Consider YouTube maybe?

Recent meetings have seen the introduction of Livestream.com as an alternative to Adobe Connect for viewing live video.
I assume ICANN is paying for this service, probably five figures per year, but I have no idea what benefit (if any) the service offers over YouTube live streaming.
It doesn’t even always work. Try getting Thursday’s Public Forum recording to play. I couldn’t.
Is there any particular reason YouTube is not a viable option? As far as I know it’s free and reliable. YouTubers with far greater audiences than ICANN seem to get away with using it on a daily basis.
It could even be monetized, turning an expense into a small source of additional revenue.

Bring back meaningful filenames

ICANN is pretty good about publishing transcripts, presentations and other documentation as PDFs on the pages for each session. But for some reason in Puerto Rico it started naming the files with apparently meaningless numerical strings.
In all the meetings I can recall before ICANN 61, a downloadable transcript might be named something like “transcript-public-forum-10mar16-en.pdf”. Now, you’ll get something like “1521076292.pdf” instead, which is a step backwards.
Sure, I could manually rename the file to something meaningful myself, but that would take me at least 30 seconds — 30 seconds I could better use listening to Marilyn Cade introduce herself, Goran Marby apologize for something, or literally anyone else in the community complain that nobody listens to them any more.

Keep the redundancy!

Finally, as ICANN discovered this week, redundancy is essential to maintaining uninterrupted remote participation.
Even with Adobe Connect offline across the board for half of the week, it was still possible for those of us in the cheap seats to see video, hear audio, read the scribes, and submit questions and comments.
It wasn’t perfect, but it did the job well enough (previous complaints notwithstanding).
Even when Adobe is turned on, the alternative methods of listening in are extremely useful for overcoming its occasional limitations.
Often, AC rooms are barely audible. This problem occurs on an almost daily basis during ICANN. It affects some rooms but not others and I’ve yet to spot a predictable pattern.
But when you can’t hear what’s going on in AC, it’s always possible to mute the room and launch the always-audible live M3U stream separately.
Similarly, on the rare occasions the audio or video is down, the scribes can often allow us to follow the gist of the discussion while the nerds work on a fix.
In short, redundancy is good.
UPDATE (MARCH 21): Josh Baulch from the ICANN meetings team has left a comment addressing some of these points. It turns out MP3s are actually available elsewhere on the ICANN web site and Livestream costs ICANN far, far less than I had estimated based on Livestream’s published price list.