Recent Posts
- GNSO mulls lawyering up over auction fund dispute
- Jury still out on ICANN’s content policing powers
- It now takes TWO WEEKS to get a Whois record with RDRS
- Travel expenses push ICANN into the red again
- ICANN preparing for ONE HUNDRED registry back-ends
- DNS Abuse Institute changes name
- A new way to game the new gTLD program
- .home, .mail and .corp could get unbanned
- Unstoppable to apply for Women in Tech gTLD
- Bob Parsons publishes autobiography
- GoDaddy getting a free pass from porn jail?
- Correction: Sinha’s seat is safe
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- .my domains to be sold globally next month
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
ZACR hits a million .za names
South Africa’s .za ccTLD has crossed the one million domain mark, according to the registry.
ZA Central Registry is currently reporting on its web site that 1,000,666 names have been registered.
The millionth name was reportedly vulindlela-hpt.co.za, registered to a consulting firm and inexplicably redirecting to the typo vulindlela-htp.co.za.
CEO Lucky Masilela reportedly said: “ZACR has now joined a small group of registry operators worldwide who administer a six-figure domain space.”
So perhaps the numbers the company are reporting are not entirely reliable. [/snark]
US gives ICANN an extra year to complete transition
US government oversight of ICANN and the domain name system will end a year later than originally expected.
The National Telecommunications and Information Administration said last night that it has extended ICANN’s IANA contract until September 30, 2016, giving the community and others more time to complete and review the transition proposals.
NTIA assistant secretary Larry Strickling wrote that “it has become increasingly apparent over the last few months that the community needs time to complete its work, have the plan reviewed by the U.S. Government and then implement it if it is approved.”
Simultaneously, NTIA has finally published a proposal — written by ICANN and Verisign — for how management of the DNS root will move away from hands-on US involvement.
The extension of the IANA contract from its September 30, 2015 end date was not unexpected. The current contract allows for such extensions.
As we recently reported, outgoing ICANN CEO Fadi Chehade had guessed a mid-2016 finalization of the transition.
Regardless, expect op-eds in the coming days to claim this as some kind of political victory against the Obama administration.
Part of the reason for the extension, beyond the fact that the ICANN community hasn’t finished its work yet, is legislation proposed in the US.
The inappropriately named DOTCOM Act, passed by the House but frozen for political reasons in the Senate by Tea Party presidential hopeful Sen Ted Cruz, would give Congress 30 legislative days (which could equal months of real time) to review the IANA transition proposals.
There are basically three prongs to the transition, each with very long names.
The “Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) to the Global Multistakeholder Community” is the first.
That was created by the multistakeholder IANA Stewardship Transition Coordination Group (ICG) and deals with how the IANA contract will be managed after the US government goes away.
The second prong comes from the Cross Community Working Group on Enhancing ICANN Accountability, which deals with how ICANN itself can improve its accountability to the internet community without the Damoclean sword of US intervention hanging over it.
The CCWG’s latest draft report would strengthen the ICANN board against capture by, for example, making certain bylaws harder to amend and giving the community the right to fire directors.
Both of these proposals are currently open for public comment here.
The third prong, which only appears to have been published this week, deals with the nuts and bolts of how changes to the DNS root zone are made.
The current system is a tripartite arrangement between IANA, NTIA and Verisign.
When a TLD operator needs a change to the DNS root — for example adding a name server for its TLD — the request is submitted to and processed by IANA, sent to NTIA for authorization, then actually implemented on the primary root server by Verisign.
Under the new proposal (pdf) to phase the NTIA out of this arrangement, the NTIA’s “authorization” role would be temporarily complemented by a parallel “authentication” role.
The proposal is not written in the clearest English, even by ICANN standards, but it seems that the current Root Zone Management System would be duplicated in its entirety and every change request would have to be processed by both systems.
The output of both would be compared for discrepancies before Verisign actually made the changes to the root.
It seems that this model is only being proposed as a temporary measure, almost like a proof of concept to demonstrate that the NTIA’s current authorization role isn’t actually required and won’t be replaced in this brave new world.
New gTLDs not an illegal conspiracy, court rules
ICANN has beaten off a lawsuit from alternate root provider name.space for a second time, with a US appeals court ruling that the new gTLD program was not an illegal conspiracy.
name.space sued ICANN in 2012, claiming that the program broke competition laws and that “conflicted” ICANN directors conspired with the industry in an “attack” on its business model.
The company runs an alternate DNS root containing hundreds of TLDs that hardly anyone knows about, cares about, or has access to.
Almost 200 of the strings in its system had matching applications in the 2012 new gTLD round; many have since been delegated.
The company’s complaint asked for an injunction against all 189 matching TLDs.
But a court ruled against it in 2013, saying that name.space had failed to make a case for breaches of antitrust law.
Last week, an appeals court upheld that ruling, saying that the company had basically failed to cross the legal threshold from simply making wild allegations to showing evidence of an illegal conspiracy.
“We cannot… infer an anticompetitive agreement when factual allegations ‘just as easily suggest rational, legal business behavior.’,” the court ruled, citing precedent.
“Here, ICANN’s decision-making was fully consistent with its agreement with the DOC [US Department of Commerce] to operate the DNS and the Root,” it wrote. “In transferring control to ICANN, the DOC specifically required it to coordinate the introduction of new TLDs onto the Root. This is exactly what ICANN did in the 2012 Application Round”.
“The 2012 rules and procedures were facially neutral, and there are no allegations that the selection process was rigged,” the panel ruled.
The court further ruled that ICANN is not a competitor in the markets for domain names as registry, registrar or defensive registration services, therefore it could not be subject to antitrust claims for those markets.
A few other claims against ICANN were also dismissed.
In short, it’s a pretty decisive victory for ICANN. General counsel John Jeffrey said in a statement that ICANN is “pleased” to have won.
All the major documents in the case, including the latest opinion, can be downloaded here.
While the lawsuit has been making its way through the courts, the .space gTLD has actually been delegated and the domain name.space is owned by its new registry, Radix.
There’s some salt in the wounds.
Neustar becomes “world’s largest registry” with $87m ARI buy
Consolidation in the domain name industry continued last night with Neustar’s $87 million acquisition of Bombora Technologies, the holding group for ARI Registry Services and AusRegistry.
Bombora CEO Adrian Kinderis told DI that the deal makes Neustar the “biggest registry services back-end provider on the market”, as measured by the number of TLDs on its platform, which now weighs in at over 400.
Kinderis and Neustar registry VP Sean Kaine said that the acquisition — conceived as so many deals are, Kinderis joked, in a “drunken ICANN bar” — is not so much about consolidation and more about growth opportunities.
Neustar will be able to cross-sell its suite of identity, security and marketing services, which Bombora does not offer, into ARI’s 100+ TLD client base. It will also be able to pitch ARI’s consulting services to its own clients.
Neustar also gets a “beachhead” in the Asia-Pacific region. While Bombora may not be a hell of a lot closer to Asia than Neustar, it’s in a much more convenient time zone.
Neustar currently faces the losing about half of its annual revenue — some $475 million — due to the loss of its contract to administer telephone number portability in North America.
That contract has been won by Ericsson, but Neustar has sued the US Federal Communications Commission in an attempt to keep it.
The Bombora acquisition won’t exactly fill the gap. The company had $20.6 million in revenue in 2014 and is expected to contribute $8 million to Neustar’s top line in 2015.
The deal is for AUD 118 million, which works out to roughly USD 87 million. Kinderis and business partner Simon Delzoppo will be the primary beneficiaries — between them they held a majority shareholding in Bombora.
The deal includes all of the company’s subsidiaries: ARI, AusRegistry and new gTLD operators such as dotShabaka.
ARI clients will notice a change of branding — the ARI and Bombora brands are to go almost immediately — but no technical changes at first.
“We’re going to continue to operate two registry systems right now,” Kaine said.
One business where there will be even less visible change is AusRegistry, which operates .au.
The AusRegistry brand is staying and .au will continue to be run in Australia, per the terms of the company’s contract with ccTLD policy overseer auDA.
“The .au contract is very important to Bombora,” Kinderis said. “If we had thought there would be any negative impact to that contract we would not have embarked on a deal.”
Kinderis, whose new job title has yet to be agreed, said he expects to take a “prominent role” in Neustar’s registry business. He said he expects to stay with the company “for a long time yet”.
“I want to see Neustar snapping at the heels of Verisign and I’d love to be able to contribute to that,” he said. “We’ve been punching above our weight and now we’re one of the heavyweights.”
Grogan hopeful of content policing clarity within “a few weeks”
ICANN may be able to provide registrars, intellectual property interests and others with clarity about when domain names should be suspended as early as next month, according to compliance chief Allen Grogan.
With ICANN 53 kicking off in Buenos Aires this weekend, Grogan said he intends to meet with a diverse set of constituents in order to figure out what the Registrar Accreditation Agreement requires registrars to do when they receive abuse complaints.
“I’m hopeful we can publish something in the next few weeks,” he told DI. “It depends to some extent on what direction the discussions take.”
The discussions center on whether registrars are doing enough to take down domains that are being used, for example, to host pirated content or to sell medicines across borders.
Specifically at issue is section 3.18 of the 2013 RAA.
It requires registrars to take “reasonable and prompt steps to investigate and respond appropriately” when they receive abuse reports.
The people who are noisiest about filing such reports — IP owners and pharmacy watchdogs such as LegitScript — reckon “appropriate action” means the domain in question should be suspended.
The US Congress heard these arguments in hearings last month, but there were no witnesses from the ICANN or registrar side to respond.
Registrars don’t think they should be put in the position of having to turn off what may be a perfectly legitimate web site due to a unilateral complaint that may be flawed or frivolous.
ICANN seems to be erring strongly towards the registrars’ view.
“Whatever the terms of the 2013 RAA mean, it can’t really be interpreted as a broad global commitment for ICANN to enforce all illegal activity or all laws on the internet,” Grogan told DI.
“I don’t think ICANN is capable of that, I don’t think we have the expertise or resources to do that, and I don’t think the ICANN multistakeholder community has ever had that discussion and delegated that authority to ICANN,” he said.
CEO Fadi Chehade recently told the Washington Post that it isn’t ICANN’s job to police web content, and Grogan has expanded on that view in a blog post last week.
Grogan notes that what kind of content violates the law varies wildly from country to country — some states will kill you for blasphemy, in some you can get jail time for denying the Holocaust, in others political dissent is a crime.
“Virtually everybody I’ve spoken with has said that is far outside the scope of ICANN’s remit,” he said.
However, he’s leaving some areas open for discussion,
“There are some constituents, including some participants in the [Congressional] hearing — from the intellectual property community and LegitScript — who think there’s a way to distinguish some kinds of illegal activities from others,” he said. “That’s a discussion I’m willing to have.”
The dividing line could be substantial risk to public health or activities that are broadly, globally deemed to be illegal. Child abuse material is the obvious one, but copyright infringement — where Grogan said treaties show “near unanimity” — could be too.
So is ICANN saying it’s not the content police except when it comes to pharmacies and intellectual property?
“No,” said Grogan. “I’m saying I’m willing to engage in that dialogue and have that conversation with the community to see if there’s consensus that some activities are different to others.”
“In a multistakeholder model I don’t think any one constituency should control,” he said.
In practical terms, this all boils down to 3.18 of the RAA, and what steps registrars must take to comply with it.
It’s a surprisingly tricky one even if, like Grogan, you’re talking about “minimum criteria” for compliance.
Should registrars, for example, be required to always check out the content of domains that are the subject of abuse reports? It seems like a no-brainer.
But Grogan points out that even though there could be broad consensus that child abuse material should be taken down immediately upon discovery, in many places it could be illegal for a registrar employee to even check the reported URL, lest they download unwanted child porn.
Similarly, it might seem obvious that abuse reports should be referred to the domain’s registrant for a response. But what of registrars owned by domain investors, where registrar and registrant are one and the same?
These and other topics will come up for discussion in various sessions next week, and Grogan said he’s hopeful that decisions can be made that do not need to involve formal policy development processes or ICANN board action.
US Congresspeople tell ICANN to ignore GAC “interference”
A bispartisan group of US Congresspeople have called on ICANN to stop bowing to Governmental Advisory Committee meddling.
Showing characteristic chutzpah, the governmental body advises ICANN that advice from governments should be viewed less deferentially in future, lest the GAC gain too much power.
The members wrote (pdf):
Recent reports indicate that the GAC has sought to increase its power at the expense of the multistakeholder system. Although government engagement in Internet governance is prudent, we are concerned that allowing government interference threatens to undermine the multistakeholder system, increasing the risk of government capture of the ICANN Board.
The letter was signed by 11 members of the House Judiciary Subcommittee on Courts, Intellectual Property and the Internet, which is one of the House committees that most frequently hauls ICANN to Capitol Hill to explain itself.
Most of the signatories are from the Republican majority, but some are Democrats.
It’s not entirely clear where they draw the line between “engagement” and “interference”.
The letter highlights two specific pieces of GAC input that the signatories seem to believe constitute interference.
First, the GAC’s objection to Amazon’s application for .amazon. The letter says this objection came “without legal basis” and that ICANN “succumbed to political pressure” when it rejected the application.
In reality, the GAC’s advice was consensus advice as envisaged by the Application Guidebook rules. It was the US government that succumbed to political pressure, when it decided to keep its mouth shut and allow the rest of the GAC to reach consensus.
The one thing the GAC did wrong was filing its .amazon objection outside of the window envisaged by the Guidebook, but that’s true of almost every piece of advice it’s given about new gTLD applications.
Second, the Congresspeople are worried that the GAC has seized for its members the right to ban the two-letter code representing their country from any new gTLD of their choosing.
I’ve gone into some depth into how stupid and hypocritical this is before.
The letter says that it has “negative implications for speech and the world economy”, which probably has a grain of truth in it.
But does it cross the line from “engagement” to “interference”?
The Applicant Guidebook explicitly “initially reserved” all two-letter strings at the second level in all new gTLDs.
It goes on to say that they “may be released to the extent that Registry Operator reaches agreement with the government and country-code manager.”
While the rule is pointless and the current implementation convoluted, it comes as a result of the GAC engaging before the new gTLD program kicked off. It was something that all registries were aware of when they applied for their gTLDs.
However, the GAC’s more recent behavior on the two-letter domain subject has been incoherent and looks much more like meddling.
At the ICANN meeting in Los Angeles last October, faced with requests for two-character domains to be released, the GAC issued formal advice saying it was “not in a position to offer consensus advice on the use of two-character second level domain names”.
ICANN’s board of directors accordingly passed a resolution calling for a release mechanism to be developed by ICANN staff.
But by the time February ICANN meeting rolled around, it had emerged that registries’ release requests had been put on hold by ICANN due to letters from the GAC.
The GAC then used its Singapore communique to advise ICANN to “amend the current process… so that relevant governments can be alerted as requests are initiated.” It added that “Comments from relevant governments should be fully considered.”
ICANN interpreted “fully considered” to mean an effective veto, which has led to domains such as it.pizza and fr.domains being banned.
So it does look like thirteenth-hour interference but that’s largely because the GAC is often incapable of making its mind up, rarely talks in specifics, and doesn’t meet frequently enough to work within timelines set by the rest of the community.
However, while there’s undoubtedly harm from registries being messed around by the GAC recently, governments don’t seem to have given themselves any powers that they did not already have in the Applicant Guidebook.
.bank doing surprisingly well in sunrise
The forthcoming .bank gTLD has received over 500 applications for domains during its sunrise period, according to the registry.
fTLD Registry Services tweeted the stat earlier this week.
.BANK surpasses 500 Sunrise applications and this period ends on June 17 (see http://t.co/qkb8lwNInB), #.BANK
— fTLD Registry (@fTLD_Registry) June 9, 2015
Its sunrise period doesn’t even end until June 17. Sunrise periods tend to be back-weighted, so the number could get a lot higher.
Five hundred may not sound like a lot — and applications do not always convert to registrations — but in the context of new gTLDs it’s very high.
Discounting .porn and .adult, both of which racked up thousands of names across their various sunrise phases, the previous high for a sunrise was .london, with just over 800 names registered.
It’s not unusual for a sunrise to get under 100 names. A year ago, I calculated that the average was 144.
The 500+ .bank number is especially surprising as it’s going to be a very tightly controlled gTLD where the chance of cybersquatting is going to be virtually nil.
All .bank registrants will be manually vetted to ensure they really are banks, substantially mitigating the need for defensive registrations.
Could this be an indication that .bank will actually get used?
Businesses call on regulators to stop .sucks “extortion”
ICANN’s Business Constituency wants US and Canadian regulators to intervene to prevent Vox Populi Registry, which runs .sucks, “extorting” businesses with its high sunrise fees.
The BC wrote to ICANN, the US Federal Trade Commission and the Canadian Office for Consumer Affairs on Friday, saying .sucks has employed “exploitive [sic] pricing and unfair marketing practices”.
The constituency adds its voice to Intellectual Property Constituency, which complained last month, causing ICANN to refer the matter to US and Canadian regulators.
Now, the BC has told the OCA and FTC:
We do not believe that exploitative and unfair business practices are conducive either to promoting end-user confidence in the Internet or to fair competition in the domain name space. On the contrary, the pricing structure adopted by Vox Populi for .sucks domain names is predicated purely on expecting the businesses and brands that drive global growth to pay extortionate fees for no consumer or market benefit.
…
Vox Populi’s tactics exploit businesses that neither want nor need these domain name registrations but feel unfairly pressured to register purely for defensive purposes.
The BC’s letter chooses to focus on saying sunrise names cost “$2,499 and up” (original emphasis). That’s based on the MSRP Vox Pop publishes on its web site.
In reality, Vox Pop is charging a registry fee of $1,999 per year for .sucks sunrise registrations.
Retail registrars can add hundreds of dollars in mark-up fees, but the leading corporate registrars that are selling the most .sucks sunrise names — MarkMonitor, CSC and Com Laude among them — have said that as a matter of principle they are only charging a nominal $20 to $25 processing fee.
It’s not the highest sunrise fee I’ve come across. The Chinese registry behind .top asked for $3,500 during its sunrise.
But the semantics of the .sucks TLD makes brand owners nervous and makes many of them feel that a defensive registration is a must-have.
The BC now write to regulators to “urge the FTC and OCA to expeditiously determine whether these practices constitute unfair trade practices”.
The letter points to US and Canadian regulations covering consumer protection for examples of where Vox Pop’s practices may fall short of the law.
The free speech opportunities afforded by .sucks do not outweigh the harms, the BC says.
It’s also interesting to note that while the BC appears to be running to regulators for assistance, it notes that it still fully supports the ICANN model.
There may be a degree of cognitive dissonance within the BC.
In a separate letter to ICANN, also signed by BC chair Elisa Cooper and sent yesterday, the BC seems to take issue with the fact that ICANN felt the need to report .sucks to regulators in the first place, writing:
We would like to understand the rationale for doing so. ICANN has ample authority, a clear obligation and the resources available to stop rogue practices through its contractual agreements with registries, its Compliance Department, and its broad duty to protect the public interest and the security and stability of the Internet, particularly for issues with global reach. Like all other gTLDs launched under ICANN’s program, .sucks has a global reach. It is not clear why ICANN feels it should seek clarification from these two North American agencies.
It’s worth noting that Vox Pop CEO Berard is a member of the BC via his PR agency, Credible Context. He was Cooper’s immediate predecessor as BC chair, leaving the post last year.
Correction: Thanks to the many readers who pointed out that Berard was actually the BC’s representative to the GNSO, not its chair. Apologies for the error.
The letter tells Global Domains Division president Akram Atallah that “viewed in its entirety, Vox Populi’s pricing scheme is a violation of the Rights Protection Mechanisms (RPMs)” developed for the new gTLD program, alleging it discourages use of the RPMs and encourages cybersquatting.
It claims that if Vox Pop populated its Sunrise Premium list (now known as Market Premium, it seems) with data from the Trademark Clearinghouse it could be in violation of its Registry Agreement with ICANN.
My sense has been that the names on that list were actually culled from zone files. Vox Pop has said it was compiled from lists of names that have previously been defensively registered. Most of the names in the TMCH have not been defensively registered.
The BC asks for ICANN “to take strong action”, but does not specify what, exactly, it wants.
The letter to the OCA and FTC can be read here. The letter to ICANN is here. Both are PDF files.
Most ICANN new gTLD breaches were over a year ago
Almost three quarters of the security breaches logged against ICANN’s new gTLD portal occurred over a three-month period in early 2014, DI can reveal.
Almost every incident of a new gTLD applicant coming across data they weren’t supposed to see — 322 of the 330 total — happened before the end of October last year, ICANN told DI.
Most — 244 of the 330 — happened before April 30 last year.
The first breach, discovered by an independent audit of the portal, was January 22 2014.
ICANN says it was first notified of there being a problem on February 27, 2015.
The improper data disclosures were announced by ICANN last week.
As we reported, a simple configuration error by ICANN in third-party software allowed users of the Global Domains Division portal — all new gTLD applicants — to view confidential data belonging to other applicants.
Documents revealed could have included sensitive financial projections and registry technical details.
My first assumption was that the majority of the incidents — which have been deliberate or accidental — were relatively recent, but that turns out not to be the case.
In fact, if anyone did download data they weren’t supposed to see, most of them did it over a year ago.
ICANN has been notifying applicants and registries about whether their own data was compromised and expects to have told each affected applicant which other applicants could have seen their data before May 27.
Ninety-six applicants and 21 registries were affected.
Dumb ICANN bug revealed secret financial data to new gTLD applicants
Secret financial projections were among 330 pieces of confidential data revealed by an ICANN security bug.
Over the last two years, a total of 19 new gTLD applicants used the bug to access data belonging to 96 applicants and 21 registry operators.
That’s according to ICANN, which released the results of a third-party audit this afternoon.
Ashwin Rangan, ICANN’s new chief information and innovation officer, confirmed to DI this afternoon that the data revealed to unauthorized users included private financial and technical documents that gTLD applicants attached to their applications.
It would have included, for example, documents that dot-brand applicants reluctantly submitted to demonstrate their financial health.
But Rangan said it was not clear whether the glitch had been exploited deliberately or accidentally.
While saying the situation was “very deeply regrettable”, he added that applicant data deemed confidential when it was submitted back in 2012 may not be considered as such today.
The vulnerability was in ICANN’s Global Domains Division Portal, which was taken offline for three days at the end of February and early March after the bug was reported by a user.
Two outside consulting firms were brought in to scan access logs going back to the launch of the new gTLD portal back in April 2013.
What they found was that any user of the portal could access any attachment to any application, whether it belonged to them or a third-party applicant, simply by checking a radio button in the advanced search feature.
It was a misconfiguration by ICANN of the Salesforce.com software used by GDD, rather than a coding error, Rangan said.
“The public/private data sharing setting can be On or Off and here it was set to On,” he said.
On 330 occasions, starting “in earliest part of when the portal first became available” two years ago, these 19 users would have been exposed to data they were not supposed to be able to see.
The audit has been unable to determine whether the users actually downloaded confidential data on those occasions.
What’s confirmed is that only new gTLD applicants were able to use the glitch. No third-party hackers were involved.
The 19 users who, whether they meant to or not, exploited this vulnerability are now going to be sent letters asking them to explain themselves. They’ll also be asked to delete anything they downloaded and to not share it with third parties.
Before May 27, ICANN will also contact those applicants whose secret data was exposed, telling them which rival applicants could have seen it.
Rangan said that there have been almost 600,000 GDD sessions in the last two years, and that only 36 of them revealed data to unauthorized users.
“It’s a small fraction,” he said. “The question is whether they just stumbled across something they were not even aware of… Looking at the log files it is not clear what is the case.”
ICANN seems to be giving the 19 users the benefit of the doubt so far, but still wants them to explain their actions.
As CIO, Rangan was not able to comment on whether the breach exposes ICANN or applicants to any kind of legal liability.
It’s not the first time sensitive applicant data has been exposed. Back in 2012, DI discovered that the home addresses of the directors of applicants had been published, despite promises that they would remain private.
At the time of the original GDD portal misconfiguration, ICANN had noted security expert Jeff “The Dark Tangent” Moss as its chief security officer.
Earlier this week, ICANN’s board of directors authorized expenses of over $500,000 to carry out security audits of ICANN’s code.
Recent Comments