Whois rule changes that nobody likes get approved anyway

ICANN’s Generic Names Supporting Organization Council has approved a handful of changes to Whois policy, despite the fact that pretty much nobody was fully on-board with the proposals and how they were made.

The new recommendations call for a new field in Whois records to flag up whether the registrant is a private individual, whose privacy is protected by law, or a legal entity like a company, which have no privacy rights.

But the field will be optional, with no obligation for registries or registrars to use it in their Whois services, which has angered intellectual property interests, governments and others.

The working group that came up with the recommendations also declined to find that Whois records should come with an anonymized registrant email address as standard. This absence of change was also adopted by the Council, causing more disappointment.

In short, nothing much is happening to Whois records for the foreseeable future as a result of these policy changes.

But the process to arrive at this conclusion has highlighted not just the deep divisions in the ICANN community but also, some argue, deficiencies in the ICANN process itself.

The Expedited Policy Development Process working group that has since 2018 been looking at the interaction between Whois and privacy protection law, primarily the European Union’s General Data Protection Regulation, had been asked two final questions earlier this year, to wrap up its long-running work.

First, should registrars and registries be forced to distinguish between legal and natural persons when deciding what data to publish in Whois?

Second, should there be a registrant-based or registration-based anonymized email published in Whois to help people contact domain owners and/or correlate ownership across records?

The answer on both counts was that it’s up to the registry or registrar to decide.

On legal versus natural, the EPDP decided that ICANN should work with the technical community to create a new field in the Whois standard (RDAP), but that there should be no obligation for the industry to use it.

On anonymized email addresses, the working group recommendations were even hand-wavier — they merely refer the industry to some legal advice on how to implement such a system in a GDPR-compliant way.

While this phase of the EPDP’s work was super-fast by ICANN standards (taking about nine months) and piss-weak with its output, it nevertheless attracted a whole lot of dissent.

While its tasks appeared straightforward to outsiders, it nevertheless appears to have inherited the simmering tensions and entrenched positions of earlier phases and turned out to be one of the most divisive and fractious working groups in the modern ICANN period.

Almost every group involved in the work submitted a minority statement expressing either their displeasure with the outcome, or with the process used to arrive at it, or both. Even some of the largely positive statements reek of sarcasm and resentment.

EPDP chair Keith Drazek went to the extent of saying that the minority statements should be read as part and parcel of the group’s Final Report, saying “some groups felt that the work did not go as far as needed, or did not include sufficient detail, while other groups felt that certain recommendations were not appropriate or necessary”.

This Final Report constitutes a compromise that is the maximum that could be achieved by the group at this time under our currently allocated time and scope, and it should not be read as delivering results that were fully satisfactory to everyone.

The appears to be an understatement.

The Intellectual Property Constituency and Business Constituency were both the angriest, as you might expect. They wanted to be able to get more data on legal persons, and to be able to reverse-engineer domain portfolios using anonymous registrant-baed email addresses, and they won’t be able to do either.

The Governmental Advisory Committee and Security and Stability Advisory Committee both expressed positions in line with the IPC/BC, dismayed that no enforceable contract language will emerge from this process.

Councilor Marie Pattullo of the BC said during the GNSO Council vote last Wednesday that the work “exceeds what is necessary to protect registrant data” and that the EPDP failed to “preserve the WHOIS database to the greatest extent possible”.

The “optional differentiation between legal and natural persons is inadequate”, she said, resulting in “a significant number of records being needlessly redacted or otherwise being made unavailable”. The approved policies contain “no real policy and places no enforceable obligations on contracted parties”, she said.

IPC councilor John McElwaine called the EPDP “unfinished work” because the working group failed to reach a consensus on the legal/natural question. The IPC minority statement had said:

Requiring ICANN to coordinate the technical community in the creation of a data element which contracted parties are free to ignore altogether falls far short of “resolving” the legal vs. natural issue. And failing to require differentiation of personal and non-personal data fails to meet the overarching goal of the EPDP to “preserve the WHOIS database to the greatest extent possible” while complying with privacy law.

But McElwaine conceded that “a minority of IPC members did favor these outputs as being minor, incremental changes that are better than nothing”.

The BC and IPC both voted against the proposals, but that was not enough to kill them. They would have needed support from at least one councilor on the the other side of the GNSO’s Non-Contracted Parties House, the Non-Commercial Stakeholders Group, and that hand was not raised.

While the NCSG voted “aye”, and seemed generally fine with the outcome, it wasn’t happy with the process, and had some stern words for its opponents. It said in its minority statement:

The process for this EPDP has been unnecessarily long and painful, however, and does not reflect an appreciation for ICANN’s responsibility to comply with data protection law but rather the difficulty in getting many stakeholders to embrace the concept of respect for registrants’ rights…

With respect to the precise issues addressed in this report, we have stressed throughout this EPDP, and in a previous PDP on privacy proxy services, that the distinction between legal and natural is not a useful distinction to make, when deciding about the need to protect data in the RDS. It was, as we have reiterated many times, the wrong question to ask, because many workers employed by a legal person or company have privacy rights with respect to the disclosure of their personal information and contact data. The legal person does not have privacy rights, but people do.

While welcoming the result, the Registrars Stakeholder Group had similar concerns about the process, accusing its opponents of trying to impose additional legal risks on contracted parties. Its minority statement says:

it is disappointing that achieving this result was the product of significant struggle. Throughout the work on this Phase, the WG revisited issues repeatedly without adding anything substantially new to the discussion, and discussed topics which were out of scope. Perhaps most importantly, the WG was on many occasions uninterested in or unconcerned with the legal and financial risks that some proposed obligations would create for contracted parties in varying jurisdictions or of differing business models, or the risks to registrants themselves.

The Registries Stakeholder Group drilled down even more on the “out of scope” issue, saying the recommendation to create a new legal vs natural field in Whois went beyond what the working group had been tasked with.

They disagreed with, and indeed challenged, Drazek’s decision that the discussion was in-scope, but reluctantly went ahead and voted on the proposals in Council in order to finally draw a line under the whole issue.

The question of whether the legal vs natural question has been in fact been resolved seems to be an ongoing point of conflict, with the RySG, RrSG and NCSG saying it’s finally time to put the matter to bed and the IPC and BC insisting that consensus has not yet been reached.

The RySG wrote that it is “well past time to consider the issue closed” and that the EPDP had produced a “valuable and acceptable outcome”, adding:

The RySG is concerned that some have suggested this issue is not resolved. This question has been discussed in three separate phases of the EPDP and the result each time has been that Contracted Parties may differentiate but are not required to do so. This clearly demonstrates that this matter has been addressed appropriately and consistently. A perception that this work is somehow unresolved could be detrimental to the ICANN community and seen as undermining the effectiveness of the multistakeholder model.

Conversely, the BC said the report “represents an unfortunate failure of the multistakeholder process” adding that “we believe the record should state that consensus opinion did not and still does not exist”.

The IPC noted “a troubling trend in multistakeholder policy development”, saying in a clear swipe at the contracted parties that “little success is possible when some stakeholders are only willing to act exclusively in their own interests with little regard for compromise in the interest of the greater good.”

So, depending on who you believe, either the multistakeholder process is captured and controlled by intransigent contracted parties, or it’s unduly influenced by those who want to go ultra vires to interfere with the business of selling domains in order to violate registrant privacy.

And in either case the multistakeholder model is at risk — either “agree to disagree” counts as a consensus position, or it’s an invitation for an infinite series of future policy debates.

Business as usual at the GNSO, in other words.

Island demands return of its “naked” ccTLD

The Pacific island nation of Niue is loudly demanding that ICANN hand over control of its ccTLD, .nu, after two decades of bitter argument.

The government has taken the highly unusual move of filing a redelegation request with ICANN’s IANA unit publicly, forwarding it to other governments and the media.

The request is backed by UNR, the former Uniregistry, which is being put forward as the proposed back-end provider.

Niue claims, as it has since at least 2000, that the string was misappropriated by an American entrepreneur in the 1990s and has been used to generate tens of millions of dollars in revenue, with almost no benefit to the country.

The word “nu” is Swedish for “now”. It’s also the masculine form of “naked” in French, which enables lazy reporters to write click-baity headlines.

The Swedish meaning was first spotted by Massachusetts-based Bill Semich in 1997. Together with Niue-based Kiwi ex-pat Stafford Guest, he obtained the delegation for .nu from pre-ICANN root zone supremo Jon Postel.

They used the name Internet Users Society Niue (IUSN) and started selling .nu names to Swedes as a meaningful alternative to .se and .com.

As of today, there are about 264,000 registered .nu names, retailing for about $30 a year. Pre-2018 data is not available, but a couple of years ago, it had over 500,000 names under management.

That kind of money would be incredibly useful to Niue, which has a population of under 2,000 and few other natural resources to speak of. The country relies on hand-outs from New Zealand and, historically, dubious offshore banking schemes and the sale of postage stamps to collectors.

The government has said in the past that .nu cash would enable it to boost its internet infrastructure, thereby boosting its attractiveness as a tourist destination.

IUSN and Niue signed a memorandum of understanding in 1999, but a year later the government passed a law decreeing “.nu is a National resource for which the prime
authority is the Government of Niue”.

It’s been trying to get control of .nu ever since, but IUSN has consistently refused to recognize this law, Niue has always claimed, and has always refused to cooperate in a redelegation.

The company made headlines back in 2003 for claiming that it was rolling out free nationwide Wi-Fi in Niue, but there are serious questions about whether that ever actually happened.

Now, Niue claims:

The Wi-Fi has been continuously unstable and exceedingly limited. As of today, the ccTLD.NU administration and local presence of the IUSN in Niue consists of a motel with a PO Box and the Wi-Fi is covering a [n]egligible are[a] surrounding the motel. There is no operational management of the ccTLD.NU by the IUSN present in Niue.

I believe the motel in question is Coral Gardens, north of capital Alofi, which is or was run by Guest.

While IUSN is still the official ccTLD manager for .nu, according to IANA records, the business operations and technical back-end were transferred to Swedish ccTLD manager IIS in 2013.

IIS agreed to pay IUSN a minimum of $14.7 million over 15 years for the license to .nu, but the domain remains delegated to IUSN.

Niue, represented by its Swedish special envoy Pär Brumark (who until recently was also vice-chair of ICANN’s Governmental Advisory Committee, representing Niue) sued IIS in late 2018 in an attempt to gain control of the ccTLD.

The government argues that under Swedish control, profits from .nu can only be earmarked for the development of the Swedish internet, at the expense of Niue.

Brumark tells us the case is currently being delayed due to the coronavirus pandemic.

The problem Niue has now is pretty much the same as it always has been — IANA rules state that the losing party in a redelegation has to consent to the change of control, and IUSN really has no incentive to do so.

Niue’s best chance appears to be either the Swedish lawsuit or the possibility that it can get the GAC on board to support its request.

In-progress redelegation requests are also exempt by convention from ICANN’s transparency rules, so we’re not going to hear anything other than what Niue releases or the GAC can publicly squeeze out of ICANN leadership.

You can read the redelegation request (pdf) here.

Europe’s top dogs could decide the future of Whois

ICANN is pleading with the European Commission for legal clarity to help solve the two-year-old fight over the future of Whois in the age of GDPR.

CEO Göran Marby has written to three commissioners to ask for a definitive opinion on whether a centralized, mostly automated Whois system would free up registries and registrars from legal liability if their customers’ data is inappropriately disclosed.

It’s a question ICANN has been asking for years, but this time it comes after the ICANN community has come up with a set of policy recommendations that would create something called SSAD, for System for Standardized Access/Disclosure.

SSAD is supported by registries, registrars and non-commercial interests, but has been broadly criticized by governments, intellectual property interests, security experts and others as being not fit for purpose.

While it would create a centralized gateway for funneling Whois queries to contracted parties, and an accreditation system for those making the queries, the decision to accept or refuse the query would still lie with registries and registrars and be largely human-powered.

It’s been described as a glorified, $9 million-a-year ticketing system that will fail to provide better access to Whois to those who say they need it (largely the IP interests).

But registries and registrars say they cannot accept a solution that offloads decision-making to a centralized third party such as ICANN, unless that third party shoulders all the legal liability for mistakes, and whether that’s possible is far from clear this early in the life of GDPR.

As Marby told the commissioners:

Legal clarity could mean the difference between ICANN having a fragmented system that routes most requests for access to non-public registration data from requestors to thousands of individual registries and registrars for a decision, on the one hand, versus ultimately being able to implement a centralized, predictable solution in which decisions about whether or not to disclose non-public registration data in most or all cases could be made consistently, predictably, in a manner that is transparent and accountable to requestors and data subjects alike.

In GDPR lingo, the question is who becomes the “controller” of the data in a centralized system. The controller is the one that could get slapped with huge fines in the event of a privacy breach.

There’s a concept of “successive controllers”, where data is passed through a chain of handlers. ICANN wants clarity on whether, should a registrar send data to an ICANN central gateway, its liability ends there, before the final disclosure decision is made.

It’s asking the European Commission to exercise its authority under the GDPR to force the European Data Protection Board to issue a blanket opinion clarifying these issues, with the expectation that SSAD as currently envisaged could evolve over time to be something more like what the IP folk want.

For ICANN, such a ruling could help quell criticism from its influential advisory bodies, notably the Governmental Advisory Committee, which have come out strongly against the SSAD proposals.

If ICANN chooses to wait for the European Commission and EDPB responses to its new request, it’s highly unlikely we’re going to see the ICANN board fully approve SSAD at its annual general meeting later this month.

ICANN playing ping-pong on closed generics controversy

ICANN’s board of directors has refused to comment on the issue of “closed generic” gTLDs, bouncing the thorny issue back to the community.

In its response to the SubPro working group’s draft final report this week, the board declined to be drawn on whether it thinks closed generics should be allowed in future application rounds, and urged the GNSO to figure it out, writing:

the Board is not in a position to request policy outcomes… we will base our decision on whether we reasonably believe that the policy proposal is or is not in the best interests of the ICANN community or ICANN

A closed generic is a gTLD representing a non-trademark dictionary word, where the registry is the only eligible registrant. Dozens of companies tried to snap up such TLDs in 2012

ICANN changed the rules to disallow them, based largely on government advice, before punting the issue to the community, in the form of the GNSO, back in 2015.

But despite five years of thinking, the GNSO’s SubPro working group was unable to reach a consensus on whether closed generics should be allowed or not, or whether they should be allowed, but only when there’s a “public interest” purpose.

As I noted last month, it presented three possible ways closed generics could be permitted, none of which have consensus support.

So it asked the board for guidance, and the board’s response is basically “not our problem, figure it out yourselves”.

It would be churlish to criticize the board for refusing to make policy from the top-down, of course.

Much better to wait for the next time it does make policy from the top-down, and criticize it then.

Has ICANN cut off its regulatory hands?

ICANN may have voluntarily cut off its power to enforce bans on things like cyberbullying, pornography and copyright infringement in future new gTLDs.

Its board of directors yesterday informed the chairs of SubPro, the community group working on new gTLD policy for the next round, that its ability to enforce so-called Public Interest Commitments may be curtailed in future.

A PIC is a contractual promise to act in the public interest, enforceable by ICANN through a PIC Dispute Resolution Process. All 2012 new gTLDs have them, but some have additional PICs due to the gTLD’s sensitive nature.

They were created because ICANN’s Governmental Advisory Committee didn’t like the look of some applications for gTLD strings it considered potentially problematic.

.sucks is a good example — registry Vox Populi has specific commitments to ban cyberbullying, porn, and parking in its registry agreement.

Should ICANN receive complaints about bullying in .sucks, it would be able to invoke the PICDRP and, at least in theory, terminate Vox Pop’s registry contract.

But these are all restrictions on content, and ICANN is singularly focused on not being a content regulator.

It’s so focused on staying away from content that four years ago, during the IANA transition, it amended its bylaws to specifically handcuff itself. The bylaws now state, front and center:

ICANN shall not regulate (i.e., impose rules and restrictions on) services that use the Internet’s unique identifiers or the content that such services carry or provide… For the avoidance of doubt, ICANN does not hold any governmentally authorized regulatory authority.

There’s a specific carve-out grandfathering contracts inked before October 1, 2016, so PICs agreed to by 2012-round applicants are still enforceable.

But it’s doubtful that any PICs not related to the security and stability of the DNS will be enforceable in future, the board told SubPro.

The issue is being raised now because SubPro is proposing a continuation of the PICs program, baking it into policy in what it calls Registry Voluntary Commitments.

Its draft final report acknowledges that ICANN’s not in the content regulation business, but most of the group were in favor of maintaining the status quo.

But the board evidently is more concerned. It told SubPro’s chairs:

The language of the Bylaws, however, could preclude ICANN from entering into future registry agreements (that materially differ in form from the 2012 round version currently in force) that include PICs that reach outside of ICANN’s technical mission as stated in the Bylaws. The language of the Bylaws specifically limits ICANN’s negotiating and contracting power to PICs that are “in service of its Mission.” The Board is concerned, therefore, that the current Bylaws language would create issues for ICANN to enter and enforce any content-related issue regarding PICs or Registry Voluntary Commitments (RVCs)

There’s a possibility that it could now be more difficult for future applicants to get their applications past GAC concerns or other complaints, particularly if their chosen string addresses a “highly sensitive or regulated industry”.

There was a “chuck it in the PICs” attitude to many controversies in the 2012 round, but with that option perhaps not available in future, it may lead to an increase in withdrawn applications.

Could .sucks get approved in future, without a cast-iron, enforceable commitment to ban bullying?

Should YOU have to pay when lawyers access your private Whois info?

The question of who should shoulder the costs of ICANN’s proposed Whois overhaul is being raised, with governments and others suggesting that the burden should fall on registrants themselves.

In separate statements to ICANN recently, the Governmental Advisory Committee and Security and Stability Advisory Committee both put forward the view that registrants, rather than the trademark lawyers behind most requests for private Whois data, should fund the system.

ICANN currently expects the so-called System for Standardized Access/Disclosure (SSAD), proposed after two years of talks in an ICANN community working group, to cost $9 million to build and another $9 million a year to operate.

The working group, known as the EPDP, has recommended in its final report that registrants “MUST NOT bear the costs for having data disclosed to third parties”.

Instead, it recommended that requestors themselves should pay for the system, probably via an annual accreditation fee.

But now the GAC and SSAC have issued minority statements calling that conclusion into question.

The GAC told ICANN (pdf):

While the GAC recognizes the appeal of not charging registrants when others wish to access their data, the GAC also notes that registrants assume the costs of domain registration services as a whole when they register a domain name.

While the SSAC said (pdf):

Data requestors should not primarily bear the costs of maintaining the system. Requestors should certainly pay the cost of getting accredited and maintaining their access to the system. But the current language of [EPDP Recommendation] 14.2 makes victims and defenders cover the costs of the system’s operation, which is unfair and is potentially dangerous for Internet security…

No previous PDP has protected registrants from having the costs associated with “core” registration services or the implementation of consensus policies being passed on to them. No previous PDP has tried to manipulate the functioning of market forces as is proposed in Recommendation 14.

SSAC suggested instead that registrars should be allowed to pass on the costs of SSAD to their customers, and/or that ICANN should subsidize the system.

Over 210 million gTLD domain names, $9 million a year would work out to less than five cents per domain, but one could argue there’s a principle at stake here.

Should registrants have to pay for the likes of Facebook (probably the biggest requestor of private Whois data) to access their private contact information?

The current proposed system would see the estimated $9 million spread out over a far smaller number of requestors, making the fee something like $450 per year.

EPDP member Milton Mueller did the math and concluded that any company willing to pay its lawyers hundreds of thousands of dollars to fight for greater Whois access in ICANN could certainly swallow a measly few hundred bucks a year.

But the minority objections from the GAC, SSAC and Intellectual Property Constituency do not focus wholly on the costs. They’re also bothered that SSAD doesn’t go nearly far enough to actually provide access to Whois data.

Under the current, temporary, post-GDPR system, registries and registrars basically use their own employees’ discretion when deciding whether to approve a Whois data request.

That wouldn’t change significantly under SSAD, but there would be a huge, multi-tiered system of accreditation and request-forwarding that’s been described as “glorified, overly complex and very expensive ticketing system”.

The GAC wants something much more automated, or for the policy to naturally allow increased automation over time. It also wants increased centralization, taking away much of the human decision-making at registrars out of the equation.

The response from the industry has basically been that if GDPR makes them legally liable for their customers’ data, then it’s the registries and registrars that should make the disclosure decisions.

The GAC has a great deal of power over ICANN, so there’s likely to be a bit of a fight about the EPDP’s outcomes and the future of SSAD.

The recommendations are due to be voted on by the GNSO Council at its meeting tomorrow, and as I’ve noted before, it could be tight.

Council chair Keith Drazek seems to be anticipating some lively debate, and he’s already warned fellow members that’s he’s not minded to approve any request for a delay on the vote, noting that the final report has been available for review for several weeks.

By convention, the Council will defer a vote on the request of any of its constituency groups, but this is sometimes exploited.

Should the Council approve the resolution approving the final report — which contains a request for further financial review of SSAD — then it will be forwarded to the ICANN board of directors for final discussion and approval.

But with the GAC on its case, with its special advisory powers, getting SSAD past the board could prove tricky.

Amazon finally gets its dot-brands despite last-minute government plea

Amazon’s three long-sought dot-brand gTLDs were added to the DNS root last night, despite an eleventh-hour attempt by South American governments to drag the company back to the negotiating table.

.amazon, along with the Japanese and Chinese translations — .アマゾン (.xn--cckwcxetd) and .亚马逊 (.xn--jlq480n2rg) — and its NIC sites have already gone live.

Visiting nic.amazon today will present you with a brief corporate blurb and a link to Amazon’s saccharine social-responsibility blog. As a dot-brand, only Amazon will be allowed to use .amazon domains.

The delegations come despite a last-minute plea to ICANN by the eight-government Amazon Cooperation Treaty Organization, which unsuccessfully tried to insert itself into the role of “joint manager” of the gTLDs.

ACTO believes its historical cultural right to the string outweighs the e-commerce giant’s trademark, and that its should have a more or less equal role in the gTLD’s management.

This position was untenable to Amazon, which countered with a collection of safeguards protecting culturally sensitive strings and various other baubles.

Talks fell through last year and ICANN approved the gTLDs over ACTO’s objections.

ACTO’s secretary-general, Alexandra Moreira, wrote to ICANN (pdf) May 21 to take one last stab at getting Amazon back in talks, telling CEO Göran Marby:

the name “Amazon” pertains to a geographical region constituting an integral part of the heritage of its countries. Therefore, we Amazonians have the right to participate in the governance of the “.amazon” TLD.

…

Our side is ready to resume negotiations on the TLD’s governance with the Amazon Corporation., from the point where their side interrupted it, with a view to arriving at a satisfactory agreement.

Her letter came in response to an earlier Marby missive (pdf) that extensively set out ICANN’s case that talks fell apart due to ACTO repeatedly postponing and cancelling scheduled meetings.

Despite the fact that Amazon’s basically got what it wanted, seven years after filing its gTLD applications, ACTO’s members didn’t get nothing.

The contracts Amazon signed with ICANN back in December have Public Interest Commitments in them that allow the governments to reserve up to 1,500 culturally sensitive strings from registration, as well as giving each nation its own .amazon domain.

Whois privacy talks in Bizarro World as governments and trademark owners urge coronavirus delay

Coronavirus may have claimed another victim at ICANN — closure on talks designed to reopen private Whois data to the likes of law enforcement and trademark owners.

In a remarkable U-turn, the Governmental Advisory Committee, which has lit a series a fires under ICANN’s feet on this issue for over a year, late last week urged that the so-called Expedited Policy Development Process on Whois should not wrap up its work in June as currently planned.

This would mean that access to Whois data, rendered largely redacted worldwide since May 2018 due to the GDPR regulation in Europe, won’t be restored to those who want it as quickly as they’ve consistently said that they want it.

Surprisingly (or perhaps not), pro-access groups including the Intellectual Property Constituency and Business Constituency sided with the GAC’s request.

In an email to the EPDP working group’s mailing list on Thursday, GAC chair Manal Ismail indicated that governments simply don’t have the capacity to deal with the issue due to the coronavirus pandemic:

In light of the COVID-19 pandemic, and its drastic consequences on governments, organizations, private sector and individuals worldwide, I would like to express our serious concerns, as GAC leaders, that maintaining the current pace of work towards completion of Phase 2 by mid-June could jeopardize the delivery, efficacy and legitimacy of the EPDP’s policy recommendations.

While recognizing that the GAC has continually advised for swiftly completing policy development and implementing agreed policy on this critical public policy matter, we believe that given the current global health emergency, which puts many in the EPDP and the community under unprecedented stress (for example governments has been called to heightened duties for the continuity of essential public services), pressing important deliberations and decisions in such a short time frame on already strained participants would mean unacceptably sacrificing the product for the timeline.

We understand there are budget and human resources considerations involved in the completion of Phase 2 of the EPDP. However, we are all living through a global health pandemic, so we call on the EPDP Team to seriously reassess its course and expectations (be it on the duration of its calls, the turn-around time of reviews, its ultimate timeline and budget) emulating what numerous governments, global organizations, and households are doing to adapt during these challenging times across the world.

In April last year, before the EPDP group had even formally started its current phase of talks, Ismail wrote to ICANN to say the GAC expected the discussions to be more or less wrapped up by last November and that the new policy be implemented by this April.

Proponents of the access model such as Facebook have taken to suing registrars for not handing over Whois data in recent months, impressing the need for the issue to be urgently resolved.

So to now request a delay beyond June is a pretty big U-turn.

While Ismail later retracted her request for delay last Thursday, it was nevertheless discussed by the working group that same day, where the IPC, the BC and the ALAC all expressed support for the GAC’s position.

The registrars and registries, the non-commercial users and the ISPs were not supportive.

Delay might be tricky. For starters, hard-sought neutral working group chair Janis Karklins, has said he can’t continue working on the project beyond June 30, and the group has not secured ICANN funding for any further extensions to its work.

It will be up to the GNSO Council to decide whether to grant the extension, and the ICANN board to decide on funding.

The working group decided on Thursday to ask the Council for guidance on how to proceed.

What’s worrying about the request, or at least the IPC and BC’s support of it, is that coronavirus may just be being deployed as an excuse to extend talks because the IP owners don’t like the proposal currently on the table.

“The reality is we’re looking at a result that is… just not going to be sufficient from our perspective,” MPAA lawyer Frank Journoud, an IPC rep on the working group, said on its Thursday call. “We don’t want the perfect to be the enemy of the good, but right now we’re not even going to get to good.”

The current state of play with the working group is that it published its initial report (pdf) for public comment in February.

The group is recommending something called SSAD, for Standardized System for Access and Disclosure, in which a central gateway provider, possibly ICANN itself, would be responsible for granting Whois access credentials and fielding requests to the relevant registries and registries.

The almost 70 comments submitted before the March 23 deadline have been published in an unreadable, eye-fucking Google spreadsheet upon which transparency-loving ICANN may as well have hung a “Beware of the Leopard” sign. The staff summary of the comments is currently nine days late.

Amazon governments vow revenge for “illegal and unjust” ICANN decision on .amazon

The eight nations of the Amazon Cooperation Treaty Organization are unhappy that ICANN is giving .amazon to Amazon the retailer and have vowed to spread the word that ICANN has acted “illegally”.
ACTO secretary general Alexandra Moreira has written (pdf) to ICANN CEO Göran Marby to say: “We consider this decision an illegal and unjust expropriation of our culture, tradition, history and image before the world.”
She said that ACTO is now “committed to disseminating news of this situation to all relevant groups”, adding:

the international community should be aware of the very real consequences or ramifications (be it economic, environmental, cultural or related to questions of sovereignty) of granting exclusive access to the domain “.Amazon” to a single company.

The delegation of .amazon to Amazon the company, “jeopardizes the continued well-being of the societies that live there”, she wrote, with no elaboration.
Amazon was last month told it could have the gTLD after a years-long battle with ACTO and the ICANN Governmental Advisory Committee, which had advised ICANN by consensus to reject the .amazon application.
That consensus broke last year when the US government basically said enough was enough and refused to continue back the eight South American governments’ plight.
Under the terms of Amazon’s contract, it has to protect hundreds of culturally sensitive second-level domains of ACTO’s choosing, and to give each of its members a single domain that they can use to promote their portion of the Amazonian region.
ACTO had wanted more, basically demanding joint ownership of .amazon, which Amazon refused.
It remains to be seen whether ACTO’s reaction will be limited to harsh language, or whether its members will actively try to disrupt ICANN activities. The next GAC-ICANN face-to-face, set for Cancun in March, could be interesting viewing.

Amazon beats South America! Dot-brand contracts now signed

Amazon has prevailed in its seven-year battle to obtain the right to run .amazon as a branded top-level domain.
The company signed contracts for .amazon and the Chinese and Japanese translations on Thursday, despite years-long protests from the eight South American governments that comprise the Amazon Cooperation Treaty Organization.
This means the three gTLDs are likely to be entered into the DNS root system within a matter of weeks, after ICANN has conducted pre-delegation testing to make sure the registry’s technical systems are up to standard. The back-end is being provided by Neustar, so this is pretty much a formality.
.amazon is pretty much a done deal, in other words, and there’s pretty much nothing ACTO can do within the ICANN system to get the contract unsigned.
ACTO was of course angry about .amazon because it thinks the people of the Amazonia region have greater rights to the string than the American e-commerce giant.
It had managed to muster broad support against the gTLD applications from its Governmental Advisory Committee colleagues until the United States, represented on the GAC by the National Telecommunications Administration did a U-turn this November and withdrew its backing for the consensus.
This coincided with Amazon hiring David Redl, the most-recent former head of the NTIA, as a consultant.
The applications were originally rejected by ICANN due to a GAC objection in 2013.
But Amazon invoked ICANN’s Independent Review Process to challenge the decision and won in 2017, with the IRP panel ruling that ICANN had paid too much deference to unjustified GAC demands.
More recently, ACTO had been demanding shared control of .amazon, while Amazon had offered instead to protect cultural interests through a series of Public Interest Commitments in its registry agreements that would be enforceable by governments via the PIC Dispute Resolution Procedure.
This wasn’t enough for ACTO, and the GAC demanded that ICANN facilitate bilateral talks with Amazon to come to a mutually acceptable solution.
But these talks never really got underway, largely due to ACTO internal disputes during the political crisis in Venezuela this year, and eventually ICANN drew a line in the sand and approved the applications.
After rejecting an appeal from Colombia in September, ICANN quietly published Amazon’s proposed PICs (pdf) for public comment.
Only four comments were received during the month-long consultation.
As a personal aside, I’d been assured by ICANN several months ago that there would be a public announcement when the PICs were published, which I even promised you I would blog about.
There was no such announcement, so I feel like a bit of a gullible prick right now. It’s my own stupid fault for taking this on trust and not manually checking the .amazon application periodically for updates — I fucked up, so I apologize.
PICs commenters, including a former GAC vice-chair, also noticed this lack of transparency.
ACTO itself commented:

The proposed PIC does not attend to the Amazon Countries public policy interests and concerns. Besides not being the result of a mutually acceptable solution dully endorsed by our countries, it fails to adequately safeguard the Amazon cultural and natural heritage against the the risks of monopolization of a TLD inextricably associated with a geographic region and its populations.

Its comments were backed up, in pretty much identical language, by the Brazilian government and the Federal University of Rio de Janeiro.
Under the Amazon PICs, ACTO and its eight members each get a .amazon domain that they can use for their own web sites.
But these domains must either match the local ccTLD or “the names of indigenous peoples’ groups, and national symbols of the countries in the Amazonia region, and the specific terms OTCA, culture, heritage, forest, river, and rainforest, in English, Dutch, Portuguese, and Spanish”.
The ACTO nations also get to permanently block 1,500 domains that have the aforementioned cultural significance to the region.
The ACTO and Brazilian commenters don’t think this goes far enough.
But it’s what they’ve been given, so they’re stuck with it.