Latest news of the domain name industry

Recent Posts

ICANN ordered to freeze .hotel after “serious questions” about trade secrets “theft”

Kevin Murphy, September 3, 2020, Domain Policy

ICANN has been instructed to place the proposed .hotel gTLD in limbo after four applicants for the string raised “sufficiently serious questions” that ICANN may have whitewashed the “theft” of trade secrets.

The order was handed down last month by the emergency panelist in the Independent Review Process case against ICANN by claimants Fegistry, MMX, Radix and Domain Ventures Partners.

Christopher Gibson told ICANN to “maintain the status quo” with regards the .hotel contention set, meaning currently winning applicant Hotel Top Level Domain, which is now owned by Afilias, won’t get contracted or delegated until the IRP is resolved.

At the core of the decision (pdf) is Gibson’s view that the claimants raised “sufficiently serious questions related to the merits” in allegations that ICANN mishandled and acted less than transparently in its investigation into a series of data breaches several years ago.

You may recall that ICANN seriously screwed up its new gTLD application portal, configuring in such a way that any applicant was able to search for and view the confidential data, including financial information such as revenue projections, of any other competing applicant.

Basically, ICANN was accidentally publishing applicants’ trade secrets on its web site for years.

ICANN discovered the glitch in 2015 and conducted an audit, which initially fingered Dirk Krischenowski — who at time was the half-owner of a company that owned almost half of HTLD as well as a lead consultant on the bid — as the person who appeared to have accessed the vast majority of the confidential data in March and April 2014.

ICANN did not initially go public with his identity, but it did inform the affected applicants and I managed to get a copy of the email, which said he’d downloaded about 200 records he shouldn’t have been able to access.

It later came to light that Krischenowski was not the only HTLD employee to use the misconfiguration to access data — according to ICANN, then-CEO of HTLD Katrin Ohlmer and lawyer Oliver Süme had too.

HTLD execs have always denied any wrongdoing, and as far as I know there’s never been any action against them in the proper courts. Krischenowski has maintained that he had no idea the portal was glitched, and he was using it in good faith.

Also, neither Ohlmer nor Krischenowski are still involved with HTLD, having been bought out by Afilias after the hacking claims emerged.

These claims of trade secret “theft” are being raised again now because the losing .hotel applicants think ICANN screwed up its probe and basically tried to make it go away out of embarrassment.

Back in August 2016, the ICANN board decided that demands to cancel the HTLD application were “not warranted”. Ohlmer barely gets a mention in the resolution’s rationale.

The losing applicants challenged this decision in a Request for Reconsideration in 2016, known as Request 16-11 (pdf). In that request, they argued that the ICANN board had basically ignored Ohlmer’s role.

Request 16-11 was finally rejected by the ICANN board in January last year, with the board saying it had in fact considered Ohlmer when making its decision.

But the IRP claimants now point to a baffling part of ICANN’s rationale for doing so: that it found “no evidence that any of the confidential information that Ms. Ohlmer (or Mr. Krischenowski) improperly accessed was provided to HTLD”.

In other words, ICANN said that the CEO of the company did not provide the information that she had obtained to the company of which she was CEO. Clear?

Another reason for brushing off the hacking claims has been that HTLD could have seen no benefit during the application process by having access to its rivals’ confidential data.

HTLD won the contention set, avoiding the need for an auction, in a Community Priority Evaluation. ICANN says the CPE was wholly based on information provided in its 2012 application, so any data obtained in 2014 would have been worthless.

But the losing applicants say that doesn’t matter, as HTLD/Afilias still have access to their trade secrets, which could make the company a more effective competitor should .hotel be delegated.

This all seems to have been important to Gibson’s determination. He wrote in his emergency ruling (pdf) last month:

The Emergency Panelist determines that Claimants have raised “sufficiently serious questions related to the merits” in in relation to the Board’s denial of Request 16-11, with respect to the allegations concerning the Portal Configuration issues in Request 16-11. This conclusion is made on the basis of all of the above information, and in view of Claimants’ IRP Request claim that ICANN subverted the investigation into HTLD’s alleged theft of trade secrets. In particular, Claimants claim that ICANN refused to produce key information underlying its reported conclusions in the investigation; that it violated the duty of transparency by withholding that information; that the Board’s action to ignore relevant facts and law was a violation of Bylaws; and further, to extent the BAMC and/or Board failed to have such information before deciding to disregard HTLD’s alleged breach, that violated their duty of due diligence upon reasonable investigation, and duty of independent judgment.

The Emergency Panelist echoes concerns that were raised initially by the Despegar IRP Panel regarding the Portal Configuration issues, where that Panel found that “serious allegations” had been made188 and referenced Article III(1) of ICANN’s Bylaws in effect at that time, but declined to make a finding on those issues, indicating “that it should remain open to be considered at a future IRP should one be commenced in respect of this issue.” Since that time, ICANN conducted an internal investigation of the Portal Configuration issues, as noted above; however, the alleged lack of disclosure, as well as certain inconsistencies in the decisions of the BAMC and the Board regarding the persons to whom the confidential information was disclosed and their relationship to, or position with HTLD, as well as ICANN’s decision to ultimately rely on a “no harm no foul” rationale when deciding to permit the HTLD application to proceed, all raise sufficiently serious questions related to the merits of whether the Board breached ICANN’s Article, Bylaws or other polices and commitments.

It’s important to note that this is not a final ruling that ICANN did anything wrong, it’s basically the ICANN equivalent of a ruling on a preliminary injunction and Gibson is saying the claimants’ allegations are worthy of further inquiry.

And the ruling did not go entirely the way of the claimants. Gibson in fact ruled against them on most of their demands.

For example, he said their was insufficient evidence to revisit claims that a review of the CPE process carried out by FTI Consulting was a whitewash, and he refused to order ICANN to preserve documentation relating to the case (though ICANN has said it will do so anyway).

He also ruled against the claimants on a few procedural issues, such as their demands for an Ombudsman review and for IRP administrator the International Center for Dispute Resolution to recuse itself.

Some of their claims were also time-barred under ICANN’s equivalent of the statute of limitations.

But ICANN will be prevented from contracting with HTLD/Afilias for now, which is a key strategic win.

ICANN reckons the claimants are just using the IRP to try to force deep-pocketed Afilias into a private auction they can be paid to lose, and I don’t doubt there’s more than a grain of truth in that claim.

But if it exposes another ICANN cover-up in the process, I for one can live with that.

The case continues…

ICANN meeting got “Zoombombed” with offensive material

Kevin Murphy, April 27, 2020, Domain Policy

An ICANN meeting held over the Zoom conferencing service got “Zoombombed” by trolls last month.

According to the organization, two trolls entered an ICANN 67 roundup session for Spanish and Portuguese speakers on March 27 and “shared inappropriate and offensive audio and one still image” with the legitimate participants.

The session was not password protected (rightly) but the room had (wrongly) not been configured to mute participants or disable screen-sharing, which enabled the offensive material to be shared.

The trolls were quickly kicked and the loopholes closed, ICANN said in its incident report.

ICANN appears to have purged the meeting entirely from its calendar and there does not appear to be an archive or recording, so I sadly can’t share with you the gist of the shared content.

Zoombombing has become an increasingly common prank recently, as the platform sees many more users due to the coronavirus-related lockdowns worldwide.

Hacking claims resurface as .hotel losers force ICANN to lawyer up again

Kevin Murphy, February 7, 2020, Domain Policy

The fight over .hotel has been escalated, with four unsuccessful applicants for the gTLD whacking ICANN with a second Independent Review Process appeal.
The complaint resurrects old claims that a former lead on the successful application, now belonging to Afilias, stole trade secrets from competing applicants via a glitched ICANN web site.
It also revives allegations that ICANN improperly colluded with the consultant hired to carry out reviews of “community” applications and then whitewashed an “independent” investigation into the same.
The four companies filing the complaint are new gTLD portfolio applicants MMX (Minds + Machines), Radix, Fegistry, and Domain Venture Partners (what we used to call Famous Four).
The IRP was filed November 18 and published by ICANN December 16, but I did not spot it until more recently. Sorry.
There’s a lot of back-story to the complaint, and it’s been a few years since I got into any depth on this topic, so I’m going to get into a loooong, repetitive, soporific, borderline unreadable recap here.
This post could quite easily be subtitled “How ICANN takes a decade to decide a gTLD’s fate”.
There were seven applicants for .hotel back in 2012, but only one of them purported to represent the “hotel community”. That applicant, HOTEL Top Level Domain, was mostly owned by Afilias.
HTLD had managed to get letters of support from a large number of hotel chains and trade groups, to create a semblance of a community that could help it win a Community Priority Evaluation, enabling it to skip to the finish line and avoid a potentially costly auction against its rival applicants.
CPEs were carried out by the Economist Intelligence Unit, an independent ICANN contractor.
Surprisingly to some (including yours truly), back in 2014 it actually managed to win its CPE, scoring 15 out of the 16 available points, surpassing the 14-point winning threshold and consigning its competing bidders’ applications to the scrap heap.
There would be no auction, and no redistribution of wealth between applicants that customarily follows a new gTLD auction.
Naturally, the remaining applicants were not happy about this, and started to fight back.
The first port of call was a Request for Reconsideration, which all six losers filed jointly in June 2014. It accused the EIU of failing to follow proper procedure when it evaluated the HTLD community application.
That RfR was rejected by ICANN, so a request for information under ICANN’s Documentary Information Disclosure Policy followed. The losing applicants reckoned the EIU evaluator had screwed up, perhaps due to poor training, and they wanted to see all the communications between ICANN and the EIU panel.
The DIDP was also rejected by ICANN on commercial confidentiality grounds, so the group of six filed another RfR, asking for the DIDP to be reconsidered.
Guess what? That got rejected too.
So the applicants then filed an IRP case, known as Despegar v ICANN, in March 2015. Despegar is one of the .hotel applicants, and the only one that directly plays in the hotel reservation space already.
The IRP claimed that ICANN shirked its duties by failing to properly oversee and verify the work of the EIU, failing to ensure the CPE criteria were being consistently applied between contention sets, and failing in its transparency obligations by failing to hand over information related to the CPE process.
While this IRP was in its very early stages, it emerged that one of HTLD’s principals and owners, Dirk Krischenowski, had accessed confidential information about the other applicants via an ICANN web site.
ICANN had misconfigured its applicant portal in such a way that any user could very access any attachment on any application belonging to any applicant. This meant sensitive corporate information, such as worst-case-scenario financial planning, was easily viewable via a simple search for over a year.
Krischenowski appears to have been the only person to have noticed this glitch and used it in earnest. ICANN told applicants in May 2015 that he had carried out 60 searches and accessed 200 records using the glitch.
Krischenowski has always denied any wrongdoing and told DI in 2016 that he had always “relied on the proper functioning of ICANN’s technical infrastructure while working with ICANN’s CSC portal.”
The applicants filed another DIDP, but no additional information about the data glitch was forthcoming.
When the first IRP concluded, in February 2016, ICANN prevailed, but the three-person IRP panel expressed concern that neither the EIU nor ICANN had any process in place to ensure that community evaluations carried out by different evaluators were consistently applying the CPE rules.
The IRP panel also expressed concern about the “very serious issues” raised by the ICANN portal glitch and Krischenowski’s data access.
But the loss of the IRP did not stop the six losing applicants from ploughing on. Their lawyer wrote to ICANN in March 2016 to denounce Krischenowski’s actions as “criminal acts” amounting to “HTLD stealing trade secrets of competing applicants”, and as such HTLD’s application for .hotel should be thrown out.
Again, to the best of my knowledge, Krischenowski has never been charged with, let alone convicted of, any criminal act.
Afilias wrote to ICANN not many weeks later, April 2016, to say that it had bought out Krischenowski’s 48.8% stake in HTLD and that he was no longer involved in the company or its .hotel application.
And ICANN’s board of directors decided in August 2016 that Krischenowski may well have accessed documents he was not supposed to, but that it would have happened after the .hotel CPE had been concluded, so there was no real advantage to HTLD.
A second, parallel battle against ICANN by an unrelated new gTLD applicant had been unfolding over the same period.
A company called Dot Registry had failed in its CPE efforts for the strings .llc, .llp and .inc, and in 2014 had filed its own IRP against ICANN, claiming that the EIU had “bungled” the community evaluations, applying “inconsistent” scoring criteria and “harassing” its supporters.
In July 2016, almost two years later, the IRP panel in that case ruled that Dot Registry had prevailed, and launched a withering attack on the transparency and fairness of the ICANN process.
The panel found that, far from being independent, the EIU had actually incorporated notes from ICANN staff into its CPE evaluations during drafting.
It was as a result of this IRP decision, and the ICANN board’s decision that Krischenowski’s actions could not have benefited HTLD, that the losing .hotel applicants filed yet another RfR.
This one lasted two and a half years before being resolved, because in the meantime ICANN launched a review of the CPE process.
It hired a company called FTI Consulting to dig through EIU and ICANN documentation, including thousands of emails that passed between the two, to see if there was any evidence of impropriety. It covered .hotel, .music, .gay and other gTLD contention sets, all of which were put on hold while FTI did its work.
FTI eventually concluded, at the end of 2017, that there was “no evidence that ICANN organization had any undue influence on the CPE reports or engaged in any impropriety in the CPE process”, which affected applicants promptly dismissed as a “whitewash”.
They began lobbying for more information, unsuccessfully, and hit ICANN with yet another RfR in April 2018. Guess what? That one was rejected too.
The .hotel applicants then entered into a Cooperative Engagement Process — basically pre-IRP talks — from October 2018 to November 2019, before this latest IRP was filed.
It’s tempting to characterize it as a bit of a fishing expedition, albeit not a baseless one — any allegations of ICANN’s wrongdoing pertaining the .hotel CPE are dwarfed by the applicants’ outraged claims that ICANN appears to be covering up both its interactions with the EIU and its probe of the Krischenowski incident, partly out of embarrassment.
The claimants want ICANN to be forced to hand over documentation refused them on previous occasions, relating to: “ICANN subversion of the .HOTEL CPE and first IRP (Despegar), ICANN subversion of FTI’s CPE Process Review, ICANN subversion of investigation into HTLD theft of trade secrets, and ICANN allowing a domain registry conglomerate to takeover the ‘community-based’ applicant HTLD.”
“The falsely ‘independent’ CPE processes were in fact subverted by ICANN in violation of Bylaws, HTLD stole trade secrets from at least one competing applicant, and Afilias is not a representative of the purported community,” the IRP states.
“HTLD’s application should be denied, or at least its purported Community Priority relinquished, as a consequence not only for HTLD’s spying on its competitors’ secret information, but also because HTLD is no longer the same company that applied for the .HOTEL TLD. It is now just a registry conglomerate with no ties to the purported, contrived ‘Community’ that it claims entitled to serve,” it goes on.
ICANN is yet to file its response to the complaint.
Whether the IRP will be successful is anyone’s guess, but what’s beyond doubt is that if it runs its course it’s going to add at least a year, probably closer to two, to the delay that .hotel has been languishing under since the applications were filed in 2012.
Potentially lengthening the duration of the case is the claimants’ demand that ICANN “appoint and train” a “Standing Panel” of at least seven IRP panelists from which each three-person IRP panel would be selected.
The standing panel is something that’s been talked about in ICANN’s bylaws for at least six or seven years, but ICANN has never quite got around to creating it.
ICANN pinged the community for comments on how it should go about creating this panel last year, but doesn’t seemed to have provided a progress report for the last nine months.
The .hotel applicants do not appear to be in any hurry to get this issue resolved. The goal is clearly to force the contention set to auction, which presumably could happen at Afilias’ unilateral whim. Time-to-market is only a relevant consideration for the winner.
With .hotel, and Afilias’ lawsuit attempting to block the .web sale to Verisign, the last round of new gTLD program, it seems, is going to take at least a decade from beginning to end.

ICANN got hacked by crypto bots

Kevin Murphy, April 16, 2019, Domain Tech

ICANN had to take down its community wiki for several hours last week after it got hacked by crypto-currency miners.
The bad guys got in via one of two “critical” vulnerabilities in Confluence, the wiki software that ICANN licences from Atlassian Systems, which ICANN had not yet patched.
ICANN’s techies noticed the wiki, which is used by many of its policy-making bodies to coordinate their work, was running slowly April 11.
They quickly discovered that Atlassian had issued a vulnerability warning on March 20, but ICANN was not on its mailing list (doh!) so hadn’t been directly notified.
They also determined that a malicious “Crypto-Miner” — software that uses spare CPU cycles to attempt to create new cryptocurrency coins — had been installed and was responsible for the poor performance.
ICANN said it took the wiki down, restored it to a recent backup, patched Confluence, and brought the system back online. It seems to have taken a matter of hours from discovery to resolution.
The organization said it has now subscribed to Atlassian’s mailing list, so it will be notified of future vulnerabilities directly.

ICANN found a zero-day hole in Adobe Connect

Kevin Murphy, April 23, 2018, Domain Tech

It’s looking like ICANN may have found a zero-day vulnerability in Adobe Connect, until recently its default collaboration tool.
The organization on Friday announced the results of a “forensic investigation” into the bug, and said it has reported its findings to Adobe, which is now “working on a software fix to address the root cause of the issue”.
If Adobe didn’t know about it, it looks rather like ICANN — or at least the unnamed member of the security advisory committee who found it — has bagged itself a zero-day.
ICANN had previously said that the glitch “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”.
The review found that the only person who exploited the bug was the person who discovered and disclosed it.
AC is used not only in ICANN’s public meetings but also, I understand, in closed sessions of ICANN staff, board and committees, where secret information is most likely to be shared.
After the bug was discovered, ICANN shut off the system and started using alternatives such as WebEx, to a mixed reception.
In the absence of an immediate patch from Adobe, ICANN has been testing workarounds and said it hopes to have two working ones deployed by May 3.
This would allow the tool to come back online in time for its board workshop, GDD Summit and ICANN 62, the organization said.

Data leak security glitch screws up ICANN 61 for thousands

Kevin Murphy, March 15, 2018, Domain Policy

A security vulnerability forced ICANN to take down its Adobe Connect conferencing service halfway through its ICANN 61 meeting in Puerto Rico.
The “potentially serious security issue” could “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”, ICANN said in a pair of statements.
Taking down the service for the remainder of the meeting, which ends today, meant that potentially thousands of remote participants were left to cobble together a less streamlined replacement experience from a combination of live streams, transcription and email.
At the last ICANN meeting, over 4,000 unique participants logged into Adobe Connect. With only 1,900 or so people on-site, we’re probably looking at over 2,000 remote participants relying on AC to take part.
At this point, it’s not clear whether ICANN has discovered a previously undisclosed vulnerability in the Adobe service, or whether it simply buggered up its implementation with sloppy configuration settings.
It’s also not clear whether the glitch has been actively exploited to expose private data, though ICANN said it was first reported by a member of the Security and Stability Advisory Committee.
ICANN said in the second of two statements issued yesterday:

The issue is one that could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room. We are still investigating the root cause of the issue. We have formulated different scenarios based on authentication, encryption, and software versions, which we are testing in a controlled fashion in attempt to replicate and understand the root cause of the issue.
We are working directly with Adobe and with our cloud service provider to learn more.

Adobe Connect is a web conferencing tool that, at least when ICANN uses it for public meetings, combines live video and transcription, PowerPoint presentation sharing, and public and private chat rooms.
I also understand that there’s also a whiteboarding feature that allows participants to collaboratively work on documents in closed sessions.
Given that everything shared in the public sessions (outside of the private chat function) is by definition public, it might be reasonable to assume that ICANN’s primary concern here is how the software is used in closed sessions.
I hear ICANN uses Adobe Connect internally among its own staff and board, where one might imagine private data is sometimes shared. Other relatively secretive groups, such as the Governmental Advisory Committee and Nominating Committee, are also believed to sometimes use it behind closed doors.
While Adobe is infamous for producing buggy, insecure software, and ICANN uses a version of it hosted by a third-party cloud services provider, that doesn’t necessarily mean this wasn’t another ICANN screw-up.
In a similar incident uncovered in 2015, it was discovered that new gTLD applicants could read attachments on the confidential portions of their competitors’ applications, after ICANN accidentally had a single privacy configuration toggle set to “On” instead of “Off” in the hosted Salesforce.com software it was using to manage the program.
Ashwin Rangan, ICANN’s CIO and the guy also tasked with investigating the Salesforce issue, has now started a probe into the Adobe issue.

.hotel losers gang up to threaten ICANN with legal bills

Kevin Murphy, August 30, 2016, Domain Registries

The six losing applicants for the .hotel new gTLD are collectively threatening ICANN with a second Independent Review Process action.
Together, they this week filed a Request for Reconsideration with ICANN, challenging its decision earlier this month to allow the Afilias-owned Hotel Top Level Domain Sarl application to go ahead to contracting.
HTLD won a controversial Community Priority Evaluation in 2014, effectively eliminating all rival applicants, but that decision was challenged in an IRP that ICANN ultimately won.
The other applicants think HTLD basically cobbled together a bogus “community” in order to “game” the CPE process and avoid an expensive auction.
Since the IRP decision, the six other applicants — Travel Reservations, Famous Four Media, Radix, Minds + Machines, Donuts and Fegistry — have been arguing that the HTLD application should be thrown out due to the actions of Dirk Krischenowski, a former key executive.
Krischenowski was found by ICANN to have exploited a misconfiguration in its own applicants’ portal to download documents belonging to its competitors that should have been confidential.
But at its August 9 meeting, the ICANN board noted that the timing of the downloads showed that HTLD could not have benefited from the data exposure, and that in any event Krischenowski is no longer involved in the company, and allowed the bid to proceed.
That meant the six other applicants lost the chance to win .hotel at auction and/or make a bunch of cash by losing the auction. They’re not happy about that.
It doesn’t matter that the data breach could not have aided HTLD’s application or its CPE case, they argue, the information revealed could prove a competitive advantage once .hotel goes on sale:

What matters is that the information was accessed with the obvious intent to obtain an unfair advantage over direct competitors. The future registry operator of the .hotel gTLD will compete with other registry operators. In the unlikely event that HTLD were allowed to operate the .hotel gTLD, HTLD would have an unfair advantage over competing registry operators, because of its access to sensitive business information

They also think that HTLD being given .hotel despite having been found “cheating” goes against the spirit of application rules and ICANN’s bylaws.
The RfR (pdf) also draws heavily on the findings of the IRP panel in the unrelated Dot Registry (.llc, .inc, etc) case, which were accepted by the ICANN board also on August 9.
In that case, the panel suggested that the board should conduct more thorough, meaningful reviews of CPE decisions.
It also found that ICANN staff had been “intimately involved” in the preparation of the Dot Registry CPE decision (though not, it should be noted, in the actual scoring) as drafted by the Economist Intelligence Unit.
The .hotel applicants argue that this decision is incompatible with their own IRP, which they lost in February, where the judges found a greater degree of separation between ICANN and the EIU.
Their own IRP panel was given “incomplete and misleading information” about how closely ICANN and the EIU work together, they argue, bringing the decision into doubt.
The RfR strongly hints that another IRP could be in the offing if ICANN fails to cancel HTLD application.
The applicants also want a hearing so they can argue their case in person, and a “substantive review” of the .hotel CPE.
The HTLD application for .hotel is currently “On Hold” while ICANN sorts through the mess.

Afilias set to get .hotel despite hacking claims

Kevin Murphy, August 19, 2016, Domain Registries

Afilias is back on the path to becoming the registry for .hotel, after ICANN decided claims of hacking by a former employee of the applicant did not warrant a rejection.
The ICANN board of directors decided last week that HOTEL Top-Level Domain Sarl, which was recently taken over by Afilias, did not gain any benefit when employee Dirk Krischenowski accessed competing applicants’ confidential documents via an ICANN web site.
Because HTLD had won a Community Priority Evaluation, it should now proceed to contracting, barring any further action from the other six applicants.
ICANN’s board said in its August 9 decision:

ICANN has not uncovered any evidence that: (i) the information Mr. Krischenowski may have obtained as a result of the portal issue was used to support HTLD’s application for .HOTEL; or (ii) any information obtained by Mr. Krischenowski enabled HTLD’s application to prevail in CPE.

It authorized ICANN staff to carry on processing the HTLD application.
The other applicants — Travel Reservations, Famous Four Media, Radix, Minds + Machines, Donuts and Fegistry — had called on ICANN in April to throw out the application, saying that to decline to do so would amount to “acquiescence in criminal acts”.
That’s because an ICANN investigation had discovered that Dirk Krischenowski, who ran a company with an almost 50% stake in HTLD, had downloaded hundreds of confidential documents belonging to competitors.
He did so via ICANN’s new gTLD applicants’ portal, which had been misconfigured to enable anyone to view any attachment from any application.
Krischenowski has consistently denied any wrongdoing, telling DI a few months ago that he simply used the tool that ICANN made available with the understanding that it was working as intended.
ICANN has now decided that because the unauthorized access incidents took place after HTLD had already submitted its CPE application, it could not have gained any benefit from whatever data Krischenowski managed to pull.
The board reasoned:

his searches relating to the .HOTEL Claimants did not occur until 27 March, 29 March and 11 April 2014. Therefore, even assuming that Mr. Krischenowski did obtain confidential information belonging to the .HOTEL Claimants, this would not have had any impact on the CPE process for HTLD’s .HOTEL application. Specifically, whether HTLD’s application met the CPE criteria was based upon the application as submitted in May 2012, or when the last documents amending the application were uploaded by HTLD on 30 August 2013 – all of which occurred before Mr. Krischenowski or his associates accessed any confidential information, which occurred from March 2014 through October 2014. In addition, there is no evidence, or claim by the .HOTEL Claimants, that the CPE Panel had any interaction at all with Mr. Krischenowski or HTLD during the CPE process, which began on 19 February 2014.

The HTLD/Afilias .hotel application is currently still listed on ICANN’s web site as “On Hold” while its rivals are still classified as “Will Not Proceed”.
It might be worth noting here — to people who say ICANN always tries to force contention sets to auction so it possibly makes a bit of cash — that this is an instance of it not doing so.

Afilias takes over .hotel, sidelines Krischenowski over hacking claims

Afilias has sought to distance itself from DotBerlin CEO Dirk Krischenowski, due to ongoing claims that he improperly accessed secret data on rival .hotel applicants.
The company revealed in a recent letter to ICANN that it has bought out Krischenowski’s 48.8% stake in successful .hotel applicant Hotel Top Level Domain Sarl and that Afilias will become the sole shareholder of HTLD.
The move is linked to claims that Krischenowski exploited a glitch in ICANN’s new gTLD applicants’ portal to access confidential financial and technical information belonging to rival .hotel applicants.
These competing applicants have ganged up to demand that HTLD should lose its rights to .hotel, which it obtained by winning a controversial Community Priority Evaluation.
Afilias chairman Philipp Grabensee, now “sole managing director” of HTLD, wrote ICANN last month (pdf) to explain the nature of the HTLD’s relationship with Krischenowski and deny that HTLD had benefited from the alleged data compromise.
He said that, at the time of the incidents, Krischenowski was the 50% owner and managing director of a German company that in turn was a 48.8% owner of HTLD. He was also an HTLD consultant, though Grabensee played down that role.
He was responding to a March ICANN letter (pdf) which claimed that Krischenowski’s portal credentials were used at least eight times to access confidential data on .hotel bids. It said:

It appears that Mr Krischenowski accessed and downloaded, at minimum, the financial projections for Despegar’s applications for .HOTEL, .HOTEIS and .HOTELES, and the technical overview for Despegar’s applications for .HOTEIS and .HOTEL. Mr Krischenowski appears to have specifically searched for terms and question types related to financial or technical portions of the application.

Krischenowski has denied any wrongdoing and told DI last month that he simply used the portal assuming it was functioning as intended.
Grabensee said in his letter that any data Krischenowski may have obtained was not given to HTLD, and that his alleged actions were not done with HTLD’s knowledge or consent.
He added that obtaining the data would not have helped HTLD’s application anyway, given that the incident took place after HTLD had already submitted its application. HTLD did not substantially alter its application after the incident, he said.
HTLD’s rival .hotel applicants do not seem to have alleged that HTLD won the contention set due to the confidential data.
Rather, they’ve said via their lawyer that HTLD should be disqualified on the grounds that new gTLD program rules disqualify people who have been convicted of computer crime.
Even that’s a bit tenuous, however, given that Krischenowski has not been convicted of, or even charged with, a computer crime.
The other .hotel applicants are Travel Reservations, Famous Four Media, Radix, Minds + Machines, Donuts and Fegistry.
ICANN is now pressing HTLD for more specific information about Krischenowski’s relationship with HTLD at specific times over the last few years, in a letter (pdf) published last night, so it appears that its overdue investigation is not yet complete.

.hotel fight gets nasty with “criminal” hacking claims

Kevin Murphy, April 19, 2016, Domain Registries

A group of would-be .hotel gTLD registries have called on ICANN to reject the winning applicant’s bid or be complicit in “criminal acts”.
The group, which includes Travel Reservations, Famous Four Media, Radix, Minds + Machines, Donuts and Fegistry is threatening to file a second Independent Review Process complaint unless ICANN complies with its demands.
Six applicants, represented by Flip Petillion of Crowell & Moring, claim that Hotel Top Level Domain Sarl should forfeit its application because one of its representatives gained unauthorized access to their trade secrets.
That’s a reference to a story we covered extensively last year, where an ICANN audit found that DotBerlin CEO Dirk Krischenowski, or at least somebody using his credentials, had accessed hundreds of supposedly confidential gTLD application documents on ICANN’s web site.
Krischenowski, who has denied any wrongdoing, is also involved with HTLD, though in what capacity appears to be a matter of dispute between ICANN and the rival .hotel applicants.
In a month-old letter (pdf) to ICANN, only published at the weekend, Petillion doesn’t pull many punches.
The letter alleges:

Allowing HTLD’s application to proceed would go agaist everthing that ICANN stands for. It would amount to an acquiescence in criminal acts that were committed with the obvious intent to obtain an unfair advantage over direct competitors.

ICANN caught a representative of HTLD stealing trade secrets of competing applicants via the use of computers and the internet. The situation is even more critical as the crime was committed with the obvious intent of obtaining sensitive business information concerning a competing applicant.

It points out that ICANN’s Applicant Guidebook disqualifies people from applying for a new gTLD if they’ve been convicted of a computer crime.
To the best of my knowledge Krischenowski has not been convicted of, or even charged with, any computer crime.
What ICANN says he did was use its new gTLD applicants’ customer service portal to search for documents which, due to a dumb misconfiguration by ICANN, were visible to users other than their owners.
Krischenowski told DI in an emailed statement today:

According to ICANN, the failure in ICANN’s CSC and GDD portals was the result of a misconfiguration by ICANN of the software used (as mentioned at https://www.icann.org/news/announcement-2-2015-11-19-en). As a user, I relied on the proper functioning of ICANN’s technical infrastructure while working with ICANN’s CSC portal.

HTLD’s application for .hotel is currently “On Hold”, though it is technically the winner of the seven-application contention set.
It prevailed after winning a controversial Community Priority Evaluation in 2014, which was then challenged in an Independent Review Process case by the applicants Petillion represents.
They lost the IRP, but the IRP panelists said that ICANN’s failure to be transparent about its investigation into Krischenowski could amount to a breach of its bylaws.
In its February ruling, the IRP panel wrote:

It is not clear if ICANN has properly investigated the allegation of association between HTLD and D. Krischenowski and, if it has, what conclusions it has reached. Openness and transparency, in the light of such serious allegations, require that it should, and that it should make public the fact of the investigation and the result thereof.

The ruling seems to envisage the possibility of a follow-up IRP.
ICANN had told the panel that its investigation was not complete, so its failure to act to date could not be considered inaction.
The ICANN board resolved in March, two days after Petillion’s letter was sent, to “complete the investigation” and “provide a report to the Board for consideration”.
While the complaining applicants want information about this investigation, their clear preference appears to be that the HTLD application be thrown out.