Feds warn of Covid risk from “dark” Whois
The US Food and Drug Administration has escalated its beef with ICANN, warning that inaccessible Whois data is making it harder to tackle bogus Covid-19 “cures” and the country’s opioid crisis.
Catherine Hermsen from the FDA’s Office of Criminal Investigations wrote to ICANN CEO Göran Marby last week to complain that some registrars do not adequately respond to abuse complaints and that ICANN ignores follow-up complaints from government agencies.
She doubled down on the FDA’s previous complaint that ICANN’s inaction may be because it is funded by the industry, but back-pedaled on previous insinuations that ICANN’s leadership were putting their own big salaries ahead of public safety.
The beef started in early June, when an organization called Coalition for a Secure & Transparent Internet — basically a front for the likes of DomainTools and other companies whose business models are threatened by privacy legislation — held a one-sided webinar entitled “The Threat of a Dark WHOIS”.
On that webinar, Daniel Burke, chief of the FDA’s Investigative Services Division, lamented the lack of cooperation his agency gets when requesting private Whois data from “certain” registrars, and pointed to cases where the FDA’s inability to quickly get fake pharma sites, including those related to Covid-19, shut down have led to deaths.
He also said that complaints to ICANN about non-compliant registrars fall on deaf ears, to the point that it no longer bothers complaining, and suggested that ICANN and domain companies are financially incentivized to be uncooperative.
Burke quoted the writer Upton Sinclair: “It is difficult to get a man to understand something when his salary depends on his not understanding it.”
“I have found that’s the case with my interactions with ICANN and certain registries and registrars,” Burke said. “They just don’t want to listen… it’s a money-maker for them right now, it’s not profitable for them to deal with it.”
Marby also “spoke” on the CSTI webinar, but his brief intervention was actually just an out-of-context snippet — the “GDPR is not my fault!” T-shirt speech — taken from a recording of an ICANN webinar back in January and presented — dishonestly in my opinion — as if it had been filmed as a contribution to the CSTI discussion.
His inability to directly respond to Burke live led him to write to the FDA (pdf) a couple of weeks later to dispute some of his claims.
First, Marby said the the FDA does not need to obtain a subpoena to get access to Whois data. Registrars are obliged to respond to “legitimate interest” requests, when balanced against the privacy rights of the registrant, he said. He added:
In a few instances, government agencies have submitted complaints to ICANN Contractual Compliance regarding registrars’ refusal to provide non-public registration data. These agencies were ultimately successful in gaining access to the requested data without having to obtain a subpoena or lawful order.
Second, Marby disputed the financial motivation claims, writing: “ICANN’s leadership’s salaries are in no way tied to or dependent upon domain name registrations.”
Third, he offered a (pretty weak, in my view) defense against the claim that ICANN ignores complaints from government agencies, pointing out: “ICANN is not political and, therefore, takes actions to ensure that the workings of the Internet are not politicized.”
He also pointed out that ICANN operates a system called DNSTICR which monitors reports of DNS abuse related to the pandemic and alerts the relevant registries and registrars.
The problem here is that ICANN’s definition of abuse is pretty narrow and does not extend to web sites that sell industrial bleach as a Covid cure. That would count as “content” and ICANN is not the “content police”.
That’s pretty much what Hermsen says in the latest missive (pdf) in this row.
DNS security threats such as malware and phishing, however, were not what SA Burke was referring to in his presentation. Given the agency’s public health mission, FDA has been working during the pandemic to protect Americans from unproven or fraudulent medical products claiming to treat, cure, prevent, mitigate or diagnose COVID-19…
Given your stated concerns regarding COVID-19-related malware and phishing activity, we trust that you are equally concerned about registrars who may not be following the [Registrar Accreditation Agreement’s] requirements to “investigate” and “respond appropriately” following receipt of notifications about abuse, particularly complaints reporting activity involving COVID-19-related fraud or activity exacerbated the current opioid addiction crisis — especially in light of ICANN’s singular ability to enforce the terms of RAAs.
She also comes back, splitting hairs in my opinion, on the ICANN salaries claim, stating: “SA Burke was not referring to ICANN’s leadership salaries… SA Burke was referring more generally to the substantial source of funding ICANN receives from domain name registries and registrars.”
ICANN has just started work on a Whois Disclosure System that, while pretty weak, may make it slightly easier for government agencies to obtain the data they want.
Over 900 people show up for ICANN 74
Has community participation in ICANN meetings rebounded now that in-person meetings have returned? That’s one possible interpretation of data released by the Org today.
ICANN said that ICANN 74, which concluded yesterday, had 1,817 attendees, of whom 917 showed up in The Hague in person, their first opportunity to travel to an ICANN meeting since November 2019. The remaining 900 participated remotely via Zoom.
If we take the top-line number, that’s the highest attendance of the pandemic era, and comparable to the Montréal meeting immediately prior to the arrival of the Covid-19, ICANN 66, where 1,894 people showed up.
But the top-line number from Montréal does not include off-site Zoom participants, which were counted separately and amounted to 1,752 people.
So the number of people “attending” ICANN meetings one way or the other has either returned to pre-pandemic levels, or has been cut in half, or even quartered, over the last two and a half years, depending on how you’re counting.
The fact that the 66 was an Annual General Meeting, with a longer, more cluttered agenda and more opportunities to engage for a broader range of people than the mid-year Policy Forum, probably had some impact on the numbers.
The 2019 Policy Forum, held in Morocco, attracted 1,186 in-person attendees and 2.909 off-site Zoom participants.
Regardless of whether you think Zoom users count as full participants or not, 917 bums on seats is the smallest attendance for any meeting since ICANN started counting.
High fives, or elbows only? ICANN 74 intros traffic light system for socializing
People attending ICANN 74 in The Hague this week are being encouraged to outwardly express their social distancing preferences with their choice of meeting lanyards.
The Org has made lanyards with straps in four colors available to those who have shown up to ICANN’s first face-to-face public meeting in over two and a half years.
A red strap indicates that you should back off, because the wearer desires “extreme physical distancing and precautions”. Yellow is “elbows only” when it comes to greetings. Green means you can shake hands, high-five, and get a little more intimate.
There’s also black, for those who don’t want to wear their Covid-19 anxiety levels around their necks, can’t make their minds up, or think the system is silly.
Five days of masks and Covid-19 tests have been issued to attendees at the door, along with a supply of hand sanitizer. The masks are compulsory, and sanitizer use is being encouraged for those who are choosing to press the flesh.
In-person attendees are also being issued with wrist-bands, like you might get in hospital or at a music festival or nightclub, to prove their vaccination status has been verified.
I’m observing ICANN 74 remotely, and I’ve only viewed one session so far, but my impression based on that limited sample size is that most people seem to have opted for green or yellow lanyards.
It’s tempting to mock the system as another example of ICANN bureaucracy but I think it makes sense, particularly when you’ve got hundreds of people from dozens of countries, each at their own stages of pandemic recovery and with their own levels of endemic covidiocy, in the same building.
Seat reservations and waiting lists on the cards for ICANN 74
As if health screenings and cumbersome legal waivers weren’t irritating enough, it seems now even in-person attendees at ICANN 74 won’t necessarily be able to attend the meetings they want to attend in-person due to mandatory social distancing.
The Org announced last night that Covid-19 restrictions mean there will be a limit on how many people are allowed to enter a room, and you’ll have to reserved your seat in advance as a result. Waiting lists could be used in cases where rooms are over-booked.
Fortunately, the venue is the World Forum in the Hague and its rooms seem to be pretty big.
ICANN also seems to have done a pretty good job at matching room size to likely demand, so it seems very possible no waiting lists will be required.
The major plenary sessions likely to attract the most attendees are in a room with a capacity of 469, which would have been more than enough seats for almost every session at 2019’s Annual General Meeting in Montreal, which of course had no physical distancing.
The GNSO has a room for 80 people, the GAC has 157, and the ccNSO 74. These limits may have been onerous pre-pandemic, but I feel will be plenty for the likely turnout in The Hague.
That being said, seats are being claimed already three weeks in advance via the online scheduling tool, so if there’s a session you simply must attend it makes sense to grab your spot sooner rather than later.
ALAC’s brutal takedown of that “aggressive” ICANN 74 coronavirus waiver
ICANN’s At-Large Advisory Committee has accused ICANN of being aggressive, intimidating and insensitive by demanding attendees at next month’s public meeting in the Netherlands sign a far-reaching legal waiver.
In a remarkable submission to the ICANN board of directors, ALAC says the waiver, which basically amounts to a get-out-of-jail-free card for the Org, leaves a “lasting unpleasant taste in the mouths” of the volunteers who make up the ICANN community.
ALAC wants the board to clarify whether it had any involvement in the drafting of the waiver or in approving it but asks that it “take control of the situation and ensure that this waiver does not endanger both its relationship with the ICANN Community”.
The waiver requires in-person attendees to absolve ICANN of all blame if they catch Covid-19 — or anything else — “even if arising from the negligence or fault of ICANN”. Virtual attendees don’t have to sign it.
ICANN has suggested in a separate FAQ that it may not be worth the pixels it’s written with, which ALAC points out is inconsistent with the plan language of the waiver.
ALAC also includes a list of 10 reasons the waiver is a terrible idea. Here’s a few:
10. It is insensitive to the global community as it can be interpreted as an exportation of U.S.-based litigious culture.
4. This kind of blanket waiver could be unenforceable and, in that case, serves only as intimidation.
3. The waiver infringes on individual rights.
1. It leaves a lasting unpleasant taste in the mouths of participants contributing to ICANN’s multistakeholder model — which is presented as a source of pride and accomplishment to the internet governance community.
The waiver already the subject of a Request for Reconsideration by the heads of registrar Blacknight and the Namibian ccTLD registry, but ALAC’s comprehensive takedown, which has dozens of signatories, arguably carries more weight.
ALAC’s letter can be downloaded here. It’s not been published on ICANN’s correspondence page. Hat tip to Rubens Kuhl for the link.
ICANN reports shocking increase in pandemic scams
The number of gTLD domains being used for malware and phishing related to the Covid-19 pandemic has increased markedly in the last eight months, according to data released by ICANN this week.
The Org revealed that since it started tracking this kind of thing in May 2020 it has flagged 23,452 domains as “potentially active and malicious”.
The data is collected by checking zone files against a list of 579 keywords and running the results through third-party abuse blocklists. Blocked domains are referred to the corresponding registrars for action.
I’m not sure you could technically call these “takedown requests”, but there’s a pretty strong implication that registrars should do the right thing when they receive such a report.
The 23,452 notices is a sharp rise from both the 12,860 potentially abusive flagged names and 3,791 “high confidence” reports ICANN has previously said it found from the start of the project until August 2021.
It’s not clear whether the rise is primarily due to an increase in abusive practices or ICANN’s improved ability to detect scams as it adds additional keywords to its watch-list.
ICANN said in March that it is now also tracking keywords related to the Russian invasion of Ukraine.
It’s also asking organizations in frequently targeted sectors to supply keyword suggestions for languages or scripts that might be under-represented.
The data was processed by ICANN’s Domain Name Security Threat Information Collection and Reporting (DNSTICR or “DNS Ticker”), which Org management previously discussed at ICANN 73.
A sign of things to come? Verisign slashes outlook in post-pandemic slowdown
Verisign is warning that its business is going to grow slower than expected in 2022, due to the after-effects of the pandemic and general economic conditions.
The registry tonight reported first-quarter revenue of $347 million, up 7% on the comparable period a year ago, after raising its .com prices 7% last year.
But the company has slashed its sales estimates for the year.
CEO Jim Bidzos told analysts this evening that the company and its registrars have started to see a post-pandemic slowdown in sales, exacerbated by other unspecified “macro-economic factors”.
“Incremental demand for new registrations that grew during the pandemic is subsiding,” Bidzos said.
Many domain companies, including Verisign, saw growth spikes during the pre-vaccine pandemic, when many small businesses moved to online sales to stay afloat during recurring lockdown restrictions.
But that’s all over now, and the economic fallout most of us are feeling seems to also be affecting domain sales.
The company said its net income for the first quarter was $158 million, up from $150 a year ago. Its operating margin slipped a little, however, from an enormous 65% to an enormous 64.8%.
Verisign ended the quarter with 161.3 million .com domains and 13.4 million .net domains under management, up 4% combined at 174.7 million.
The renewal rate for .com and .net domains was estimated at 74.8%, up from 73.5% a year ago.
The company expects its domain base to grow between 1.75% and 3.5% this year. That’s down quite significantly from its February estimate of growth between 2.5% and 4.5%.
It added 10.1 million new names in the quarter, compared to 10.6 million in Q4 and 11.1 million in Q1 last year.
While Bidzos did not drill very deep into the other factors contributing to his pessimistic outlook, he did say that the war in Ukraine was not a factor. Sales in Ukraine, Russia and Belarus are “not material”, he said.
I suspect what we’re looking at here is probably related to what the media here in the UK is calling the “cost of living crisis”, which is seeing the price of staples such as food and energy skyrocket and many people cut back on luxuries as a result.
UPDATE: This article was updated July 28, 2022 to correct the number of .net registrations from 13.1 million to 13.4 million.
Covid surge scuppers ICANN LA meetings
ICANN has lost out on a chance to test a return to in-person meetings ahead of ICANN 74, due to a surge in Covid-19 cases in its home town of Los Angeles.
The US Centers for Disease Control has increased its risk rating for LA to “High”, compelling ICANN to scrap plans for a face-to-face board meeting next week.
Chair Maarten Botterman wrote:
The Board discussed the rising cases, the change in the CDC risk level, the trajectory, and the collective responsibility we have to ensure the health and safety of all of the participants, including ICANN Org staff who would support the events – and we recognized the additional risk of bringing all of ICANN leadership together in one place, under these circumstances – only six weeks before ICANN74.
The meeting will instead be held virtually by Zoom.
It’s not yet clear whether this will have any impact on ICANN’s next public meeting, which is due to take place in The Hague, the Netherlands, this June.
Botterman wrote that the Org is monitoring the situation on the ground and will provide updates as necessary.
ICANN has already announced a stringent set of restrictions, including mask wearing and social distancing, for ICANN 74.
ICANN’s Covid-19 waiver formally appealed
Two reliably regular ICANN meeting attendees have formally asked the Org to change the legal waiver it’s asking everyone to sign if they want to show up in The Hague for ICANN 74 this June.
Michele Neylon of registrar Blacknight Solutions and Eberhard Lisse of .na ccTLD registry Namibian Network Information Center filed an emergency Request for Reconsideration with ICANN last week.
They call the waiver, which absolves ICANN from liability if participants catch Covid-19 even through ICANN’s own gross negligence “unduly broad” and “unreasonable” and “unduly wide and harsh”.
They can’t ask their staff to sign such an all-encompassing waiver, they say.
ICANN’s Board Accountability Mechanisms Committee has already rejected the RfR, saying it doesn’t meet the timing requirements for an emergency request. It will consider it as a regular request in due course, it said.
As expected, ICANN also seems to have fixed the bug I spotted last week that allowed hybrid attendees to register without signing the waiver.
ICANN suggests its Covid waiver may be worthless
The controversial legal waiver ICANN is insisting you agree to before attending its next public meeting may not be worth the pixels it’s written with, judging by the Org’s latest statement on the matter.
In an updated FAQ, posted in response to a complaint from Blacknight, ICANN now states:
Attending an ICANN meeting remains a risk-based analysis for each attendee, recognizing that sometimes things can and do go wrong. A liability waiver helps enshrine that ICANN’s funds should not be used to defend ICANN against items for which ICANN itself should not be held liable. Protecting ICANN in this way helps support ICANN’s continued ability to serve its mission.
But it denies that the waiver is as all-encompassing as some fear:
There will be times, of course, where ICANN might not perform to an expected best practice, and that might be the cause of injury or damage to an attendee. Those claims against ICANN are not waived.
This apparently contradicts the waiver itself, which continues to say:
I knowingly and freely assume all risks related to illness and infectious diseases, including but not limited to COVID-19, even if arising from the negligence or fault of ICANN.
It also continues to require you to sign away your rights to sue, and your kids’ rights to sue, even if you die of Covid-19 due to ICANN’s “gross negligence”.
There may be a way to avoid the waiver.
Based on my experience, it appears that the waiver is presented in the registration path if you click the box indicating that you will be attending in-person, but if you ALSO check the box saying you’ll be attending remotely then the waiver does not appear.
So if you’re planning on attending in a hybrid fashion, perhaps in-person for only a day or two and on Zoom for the balance, ICANN doesn’t need you to waive your rights.
I expect this is a glitch in how the web form is configured that will probably be fixed not too long after I publish this article.
ICANN 74 will take place in The Hague, and Zoom, in June.
Recent Comments