The slow crawl to closed generics at ICANN 74

Kevin Murphy, June 20, 2022, Domain Policy

Last Monday saw the 10th anniversary of Reveal Day, the event in London where ICANN officially revealed the 1,930 new gTLD applications submitted earlier in 2012 to a crowd of excited applicants and media.

Dozens of those applications were for closed generics — where the registry operator is the sole registrant, but the string isn’t a trademark — but now, a decade later, the ICANN community still hasn’t decided what to do about that type of gTLD.

At ICANN 74 last week, the Generic Names Supporting Organization and Governmental Advisory Committee inched closer to agreeing the rules of engagement for forthcoming talks on how closed generics should be regulated.

The GNSO’s working group on new gTLDs — known as SubPro — had failed to come to a consensus on whether closed generics should even be allowed, failing even to agree on whether the status quo was the thousand-year-old earlier GNSO policy recommendations that permitted them or the later GAC-influenced ICANN retconning that banned them.

But ever since SubPro delivered its final report, the GAC has been reminding ICANN of its 2013 Beijing communique advice, which stated: “For strings representing generic terms, exclusive registry access should serve a public interest goal.”

At the time, this amounted to an effective ban, but today it’s become an enabler.

ICANN has for the last several months been coaxing the GNSO and the GAC to the negotiating table to help bring the SubPro stalemate into line with the Beijing communique, and the rules of engagement pretty much guarantee that closed generics will be permitted, at least in principle, in the next application round.

GAC chair Manal Ismail told ICANN (pdf) back in April:

discussion should focus on a compromise to allow closed generics only if they serve a public interest goal and that the two “edge outcomes” (i.e. allowing closed generics without restrictions/limitations, and prohibiting closed generics under any circumstance) are unlikely to achieve consensus, and should therefore be considered out of scope for this dialogue.

Remarkably, the GNSO agreed to these terms with little complaint, essentially allowing the GAC to set at least the fundamentals of the policy.

Last week, talks centered on how these bilateral negotiations — or trilateral, as the At-Large Advisory Committee is now also getting a seat at the table — will proceed.

The rules of engagement were framed by ICANN (pdf) back in March, with the idea that talks would begin before ICANN 74, a deadline that has clearly been missed.

The GNSO convened a small team of members to consider ICANN’s proposals and issued its report (pdf) last week, which now seems to have been agreed upon by the Council.

Both GNSO and GAC are keen that the talks will be facilitated by an independent, non-conflicted, knowledgeable expert, and have conceded that they may have to hire a professional facilitator from outside the community.

That person hasn’t been picked yet, and until he/she has taken their seat no talks are going to happen.

ICANN said a few months ago that it did not expect the closed generics issue to delay the SubPro Operational Design Phase, which is scheduled to wind up in October, but the longer the GAC, GNSO and ICANN dawdle, the more likely that becomes.

All that has to happen is for a group of 14-16 community members to agree on what “public interest” means, and that should be easy, right? Right?

New gTLDs or Whois access? What’s more important?

Kevin Murphy, May 23, 2022, Domain Policy

Should ICANN focus its resources on getting the next round of new gTLDs underway, or making some baby steps towards a post-GDPR system of Whois access?

That’s a question the community is going to have to address when ICANN 74 rolls around next month, after the ICANN board presented it with a divisive question on two of the industry’s most pressing issues that split the GNSO Council along predictable lines at its monthly meeting last week.

It turns out that ICANN doesn’t have the resources to both design a new “SSAD Light” system for handling Whois requests and also carry on its new gTLDs Operational Design Phase, “SubPro”, at the same time.

If the community wants ICANN staff to start work on SSAD Light, work will be paused on the ODP for at least six weeks, ICANN has said. If they want the system also built, the delay to new gTLDs could be much, much longer.

Intellectual property lawyers are of course keen to at least start undoing some of the damage caused by privacy legislation such as GDPR, while registries and consultants are champing at the bit for another expansion of the gTLD space.

This split was reflected on the Council’s monthly call last week, where registry employees Maxim Alzoba, Kurt Pritz and Jeff Neuman were opposed by IP lawyers Paul McGrady and John McElwaine.

“Six weeks is a sneeze in a hurricane,” McGrady said. “We are right on the cusp of taking first steps to solve a problem that has plagued the Community since GDPR came out. I don’t think a six-week delay on SubPro, which again we’re years into and it looks like will be years to go, is a material change to SubPro… a very minor delay seems well worth it.”

At this point, ICANN is still planning to have the SubPro ODP wrapped up in October, though it has warned that there could be other unforeseen delays.

Neuman warned that even a six-week pause could provide more than six weeks’ delay to SubPro. Staff can’t just down tools on one project and pick up again six weeks later without losing momentum, he said.

Pritz seemed to echo this concern. The Registries Stakeholder Group hasn’t finished discussing the issue yet, he said, but would be concerned about anything that caused “inefficiencies” and “switching costs”.

The discussion was pretty brief, and no votes were taken. It seems the conversation will pick up again in The Hague when ICANN meets for its short mid-year public meeting on June 13.

ICANN highlights “not getting things done” risk

Kevin Murphy, May 16, 2022, Domain Policy

ICANN’s board of directors addressed a number of existential threats at its latest workshop, including the perception that it’s simply “not getting things done.”

Chair Maarten Botterman disclosed the discussions, which took place at the end of April, in a blog post Friday.

He described how the board broke up into four “brainstorming” groups, which returned with strikingly similar views on the risks ICANN faces.

There’s a worry that the lack of in-person meetings due to the pandemic is harming ICANN’s ability to work and that various unspecified “geopolitical initiatives” may get in the way of the mission. He added:

Moreover, we recognized the risk of ICANN being seen as “not getting things done.” On the opportunity side is the broad awareness within ICANN that we need to continue to deliver on our mission in the face of new challenges, as demonstrated by the prioritization efforts of the Board, Org, and Community, and our ability to adapt to changing circumstances.

The Org and the community have been faced with what I would call organizational inertia in recent months and years.

I wrote a few months ago about how ICANN hadn’t implemented a policy since December 2016 — more than five years previously.

Major issues facing the industry seem to be either stuck in endless feedback loops of community arguments or interminable Org preparatory work.

The SSAD, pitched as a solution to the problem of Whois access, appears doomed to be scrapped entirely or approved in a much-reduced form that many believe will not address the problem of identifying registrants in a post-GDPR world.

And even if the stripped-back SSAD Light gets approved, there’s a good chance this will add many months to the runway of the next round of new gTLDs, which itself is at an impasse because the Governmental Advisory Committee and the GNSO cannot agree on whether to allow closed generics.

As it stands, 10 years after the last application round new gTLD policy is in the Operational Design Phase within Org, and not expected to come before the board until late this year. Much of what has been disclosed about the ODP to date looks a lot like wheel-spinning.

UDRP comments reveal shocking lack of trust in ICANN process

Kevin Murphy, April 26, 2022, Domain Policy

Is trust in the ICANN community policy-making process on the decline? Submissions to a recent public comment period on UDRP reform certainly seem to suggest so.

Reading through the 41 comments filed, it’s clear that while many community members and constituencies have pet peeves about UDRP as it stands today, there’s a disturbing lack of trust in ICANN’s ability to reform the policy without breaking it, and very little appetite for a full-blown Policy Development Process.

It’s one area where constituencies not traditionally allied or aligned — such as domain investors and intellectual property interests — seem to be on the same page.

Both the Intellectual Property Constituency and the Internet Commerce Association are among those calling for any changes to UDRP to be drafted rapidly by subject-matter experts, rather than being opened to full community discussion.

The IPC called the UDRP “a vital and fundamental tool that has a long and proven track record”, saying it has “generally been consistently and predictably applied over the course of its more than 20-year history”. Its comment added:

it is critically important that future policy work regarding the UDRP not diminish, dilute, or otherwise undermine its effectiveness. Such policy work should be extremely deferential to and reliant on the input of experts who have actual experience working with and within the UDRP system, and resistant to efforts that would weaken the UDRP system; any such work should be based on facts and evidence of problems in need of a systematic policy-level solution, and not merely to address specific edge cases, differences of opinion, or pet issues.

That’s pretty much in line with the ICA’s comments, which state that participants in future UDRP reform talks “should be experts… individuals who have extensive personal and practical knowledge of the UDRP through direct personal involvement”.

That language — in fact several paragraphs of endorsement for an expert-driven effort — appears almost verbatim in the separately filed comments of the Business Constituency, of which the ICA is a member.

The ICA’s reluctance to endorse a full-blown PDP appears to come from the experience of the Review of all Rights Protection Mechanisms in all gTLDs PDP, or “Phase 1”, which ran from 2016 to 2020.

That working group struggled to reach consensus on even basic stuff, and at one point frictions reached a point where allegations of civility rules breaches caused warring parties to lawyer up.

“Phase 1 was lengthy, unproductive, inefficient, and an unpleasant experience for all concerned,” the ICA wrote in its comments.

“Perhaps the biggest problem with Phase 1 was that structurally it was inadvertently set up to encourage disagreements between interest groups rather than to facilitate collaboration, negotiation, and problem solving,” it said.

The BC arguably goes further in its deference to experts, calling on ICANN to invoke section 13.1 of its bylaws and drag in the World Intellectual Property Organization — leading UDRP provider and drafter of the original 1999 policy — as an expert consultant.

The BC also wrote:

It is imperative that stakeholders do not unnecessarily open up a can of worms with the UDRP through destabilizing changes; rather, they should take a focused and targeted approach, only entertaining improvements and enhancements which stand a reasonable chance of gaining consensus amongst stakeholders

WIPO itself is thinking along the same lines:

If the choice is made to review the UDRP, the process should be expert-driven and scoped

To avoid undoing the UDRP’s success, ICANN needs to give serious consideration to the weight to be accorded to the various opinions expressed. So-called “community feedback” referred to, for example, in section 4 of the PSR seems to lack specific depth and can seem more ideological or anecdotal

Comments from ICANN’s contracted parties also expressed concerns about a PDP doing more harm than good.

The Registries Stakeholder Group has almost nothing to say about ICANN’s report, but the Registrars Stakeholder Group expressed concerns that “any updates could have unintended consequences resulting in a less effective UDRP”.

It uniquely brought up the issue of volunteer fatigue and ICANN’s cumbersome backlog of work, writing:

Although the RrSG recognizes that there are some minor areas for improvement in the UDRP, it is the position of the RrSG that a full policy development process (PDP) is not necessary. The UDRP was adopted in 1999, and has been utilized for over 60,000 UDRP cases. The RrSG is not aware of any major issues with the UDRP, and is concerned that any updates could have unintended consequences resulting in a less effective UDRP. Additionally, not only is there a backlog of policy recommendations waiting for ICANN Board approval or implementation, but the RrSG is also aware of substantial community volunteer fatigue even for high-priority issues.

These comments were filed in response to a public comment period on an ICANN-prepared policy status report.

Not every comment expressed skepticism about the efficacy of a PDP. Notably, the Non-Commercial Stakeholders Group — the constituency arguably most likely to upset the apple cart if a Phase 2 PDP goes ahead — appears to fully expect that such work will take place.

There were also many comments from individuals, mostly domainers, recounting their own experiences of, and reform wish-lists for, UDRP.

ICANN’s report will be revised in light of these comments and submitted to the GNSO, which will decide what to do with it.

More friction over closed generics

Kevin Murphy, April 20, 2022, Domain Policy

ICANN’s Generic Names Supporting Organization and Governmental Advisory Committee seem to be headed to bilateral talks on the thorny issue of whether “closed generic” gTLDs should be allowed, but not without discontent.

The GNSO’s Non-Commercial Stakeholder Group last week opposed these talks, suggesting that the GAC is trying to acquire more policy-making power and take a second bite at the apple on an issue it has already advised on.

The NCSG wrote (pdf) to the GNSO Council last Thursday to oppose GAC talks, which are being encouraged by ICANN management and board.

Closed generics are dictionary-word gTLDs that do not match the registry’s trademarks but which nevertheless act as though they are a dot-brand, where only the registry may register domains.

There aren’t any right now, because ICANN, acting in 2014 in response to 2013 GAC advice, retroactively banned them from the 2012 application round, even though they were initially permitted.

It’s such a divisive issue that the GNSO working group (known as SubPro) that made the policy recommendations for the next round was, I believe uniquely, unable to come up with even a fudged recommendation.

The GAC is sticking to its view that closed generics are potentially harmful, and since the GNSO couldn’t make its mind up, ICANN has suggested an informal dialogue between the two parties, to encourage a solution both deem acceptable that could then be thrown back at the GNSO for formal ratification.

The NCSG objected to this idea because it appears, NCSG said, that a new policy process is being created that increases the GAC’s powers to intervene in policy-making when it sees something it doesn’t like.

But the constituency appeared to stand alone during a GNSO Council meeting last Thursday, where the prevailing opinion seemed to be that dialogue is always a good thing and it would be bad optics to refuse to talk.

The Council has formed a small team of four to decide whether to talk to the GAC, which is in favor of the move.

Closed generic gTLDs likely to be allowed, as governments clash with ICANN

Kevin Murphy, March 15, 2022, Domain Policy

So-called “closed generics” seem to be on a path to being permitted in the next new gTLD application round.

The issue reconfirmed itself at ICANN 73 last week as a major point of disagreement between governments and ICANN, and a major barrier to the next round of new gTLDs going ahead.

But a way forward was proposed that seems likely to permit closed generics in some form in the next round, resolving an argument that has lasted the better part of a decade.

It seems ICANN now expects that closed generics WILL be permitted, but restricted in some yet-to-be-decided way.

A closed generic is a gTLD representing a dictionary word that is not also a brand, operated by a registry that declines to sell domains to anyone other than itself and its close affiliates.

Imagine McDonald’s operating .burgers, but no other fast food chain, cow-masher, or burger aficionado is allowed to register a .burgers domain.

ICANN’s 2012 application round implicitly allowed applications for such gTLDs — at least, it did not disallow them — which prompted outrage from the governments.

The GAC’s Beijing communique (pdf), from April 2013, urged ICANN to retroactively ban these applications unless they “serve a public interest goal”.

The GAC identified 186 applications from the 2012 round that appeared to be for closed generics.

ICANN, taking the GAC’s lead, gave these applicants a choice to either convert their application to an open generic, withdraw for a refund, or maintain their closed generic status and defer their applications to the next round.

Most opted to switch to an open model. Some of those hacked their way around the problem by making registrations prohibitively restrictive or expensive, or simply sitting on their unlaunched gTLDs indefinitely.

The GNSO policy for the next round is inconclusive on whether closed generics should be permitted. The working group contained two or three competing camps, and nobody conceded enough ground for a consensus recommendation to be made.

It’s one of those wedge issues that highlights the limitations of the multistakeholder model.

The working group couldn’t even fall back on the status quo since they couldn’t agree, in light of ICANN’s specific request for a clear policy, what the status quo even was.

Policy-makers are often also those who stand to financially benefit from selling shovels to new gTLD applicants in the next round. The fewer restrictions, the wider the pool of potential clients and the more attractive the sales pitch.

The working group ended up recommending (big pdf) further policy work by disinterested economics and competition law experts, which hasn’t happened, and the GNSO Council asked the ICANN board for guidance, which it refused to provide.

The GAC has continued to press ICANN on the issue, reinforcing its Beijing advice, for the last year or so. It seems to see the disagreement on closed generics as a problem that highlights the ambiguity of its role within the multistakeholder process.

So ICANN, refusing to create policy in a top-down fashion, is forcing the GAC and the GNSO to the table in bilateral talks in an attempt to create community consensus, but the way the Org is framing the issue may prove instructive.

A framework for these discussions (pdf) prepared by ICANN last week suggests that, when it comes to closed generics, an outright-ban policy and an open-door policy would both be ruled out from the outset.

The paper says:

It is evident from the PDP deliberations and the community’s discussions and feedback that either of the two “edge outcomes” are unlikely to achieve consensus; i.e.:

  1. allowing closed generics without restrictions or limitations OR
  2. prohibiting closed generics under any circumstance.

As such, the goal could be to focus the dialogue on how to achieve a balanced outcome that does not represent either of these two scenarios. The space to be explored in this dialogue is identifying circumstances where closed generics could be allowed (e.g., when they serve the public interest, as noted by the GAC Advice). This will likely require discussions as to the types of possible safeguards that could apply to closed generics, identifiable public interest goals for that gTLD and how that goal is to be served, with potential consequences if this turns out not to be the case.

It sounds quite prescriptive, but does it amount to top-down policy making? Insert shrugging emoji here. It seems there’s still scope for the GAC and GNSO to set their own ground rules, even if that does mean relitigating entrenched positions.

The GAC, in its ICANN 73 communique (pdf) said yesterday that it welcomes these talks, and the GNSO Council has already started to put together a small team of councillors (so far also former PDP WG members) to review ICANN’s proposal.

ICANN expects the GNSO-GAC group to begin its work, under an ICANN-supplied facilitator, on one or more Zoom calls before ICANN 74 in June.

“It’s not our fault!” — ICANN blames community for widespread delays

Kevin Murphy, February 14, 2022, Domain Policy

ICANN may be years behind schedule when it comes to getting things done on multiple fronts, but it’s the community’s fault for making up rubbish policies, bickering endlessly, and attempting to hack the policy-making process.

That’s me paraphrasing a letter sent last week by chair Maarten Botterman to the Registries Stakeholder Group, in which he complained about the community providing “ambiguous, incomplete, or unclear policy recommendations”.

RySG chair Samantha Demetriou had written to Botterman (pdf) in December to lament the Org and board’s lack of timely progress on many initiatives, some of which have been in limbo for many years.

Policies and projects related to Whois, new gTLDs and the Independent Review Process have been held up for a long time, in the latter case since 2013, she wrote, leading to community volunteers feeling “disempowered or discouraged”.

As I recently reported, ICANN has not implemented a GNSO policy since 2016.

The lack of board action on community work also risks ICANN’s legitimacy and credibility, Demetriou wrote.

But Botterman’s response (pdf), sent Thursday, deflects blame back at the community, denying that the delays are “simply because of failure at the level of the organization and Board.”

He wrote:

we need to continue to find our way forward together to address the challenges that affect the efficiency of our current decision-making processes, including, for example, ambiguous, incomplete, or unclear policy recommendations, the relitigation of policy issues during implementation, and the use of the review process to create recommendations that should properly be addressed by policy development

In other words, the community is providing badly thought-out policy recommendations, continuing to argue about policy after the implementation stage is underway, and using community reviews, rather than the Policy Development Process, to create policy.

The RySG, along with their registrar counterparts, put their concerns to the board at ICANN 72 in October, warning of “volunteer burnout” and a “chilling effect” on community morale due to board and Org inaction.

At that meeting, director Avri Doria presented staff-compiled stats showing that across five recent bylaws-mandated community reviews (not PDPs), the board had received 241 recommendations.

She said that 69% had been approved, 7% had been rejected, 18% were placed in a pending status, and 6% were “still being worked on”.

CEO Göran Marby provided a laundry list of excuses for the delays, including: reconciling differing community viewpoints, the large number of recommendations being considered, the potential for some recommendations to break ICANN bylaws, sensitivity to the bottom-up nature of the multi-stakeholder process, lack of staff, and the extra time it takes to be transparent about decision-making.

Just this week, ICANN has posted eight job listings, mostly in policy support.

In his letter last week, Botterman pointed to a “Prioritization Framework”, which is currently being piloted, along with further community conversations at ICANN 73 next month and a “thought paper” on “evolving consensus policies”.

Because why fix something when you can instead create another layer of bureaucracy and indulge in more navel-gazing?

ICANN hasn’t implemented a policy since 2016

Kevin Murphy, January 31, 2022, Domain Policy

It’s been over five years since ICANN last implemented a policy, and many of its ongoing projects are in limbo.

Beggars belief, doesn’t it?

The ongoing delays to new gTLD program policy and the push-back from ICANN on Whois policy recently got me thinking: when was the last time ICANN actually did anything in the policy arena apart from contemplate its own navel?

The Org’s raison d’être, or at least one of them, is to help the internet community build consensus policies about domain names and then implement them, but it turns out the last time it actually did that was in December 2016.

And the implementation projects that have come about since then are almost all frozen in states of uncertainty.

ICANN policies covering gTLD domains are usually initiated by the Generic Names Supporting Organization. Sometimes, the ICANN board of directors asks the GNSO Council for a policy, but generally it’s a bottom-up, grass-roots process.

The GNSO Council kicks it off by starting a Policy Development Process, managed by a working group stocked with volunteers from different and often divergent special interest groups.

After a few years of meetings and mailing list conversations, the working group produces a Final Report, which is submitted to the Council, and then the ICANN board, for approval. There may be one or more public comment periods along the way.

After the board gives the nod, the work is handed over to an Implementation Review Team, made up of ICANN staff and working group volunteers, which converts the policy into implementation, such as enforceable contract language.

The last time an IRT actually led to a GNSO policy coming into force was on December 1, 2016. Two GNSO consensus policies became active that day, their IRTs having concluded earlier that year.

One was the Thick WHOIS Transition Policy, which was to force the .com, .net and .jobs registries to transition to a “thick” Whois model by February 2019.

This policy was never actually enforced, and may never be. The General Data Protection Regulation emerged, raising complex privacy questions, and the transition to thick Whois never happened. Verisign requested and obtained multiple deferrals and the board formally put the policy on hold in November 2019.

The other IRT to conclude that day was the Inter-Registrar Transfer Policy Part D, which tweaked the longstanding Transfer Dispute Resolution Policy and IRTP to streamline domain transfers.

That was the last time ICANN actually did anything in terms of enforceable, community-driven gTLD policy.

You may be thinking “So what? If the domain industry is ticking over nicely, who cares whether ICANN is making new policies or not?”, which would be a fair point.

But the ICANN community hasn’t stopped trying to make policy; its work just never seems to make the transition from recommendation to reality.

According to reports compiled by ICANN staff, there are 12 currently active PDP projects. Three are in the working group stage, five are awaiting board attention, one has just this month been approved by the board, and three are in the IRT phase.

Of the five PDPs awaiting board action, the average time these projects have been underway, counted since the start of the GNSO working group, is over 1,640 days (median: 2,191 days). That’s about four and a half years.

Counting since final policy approval by the GNSO Council, these five projects have been waiting an average of 825 days (median: 494 days) for final board action.

Of the five, two are considered “on hold”, meaning no board action is in sight. Two others are on a “revised schedule”. The one project considered “on schedule” was submitted to the board barely a month ago.

The three active projects that have made it past the board, as far as the IRT phase, have been there for an average of 1,770 days (median: 2,001 days), or almost five years, counted from the date of ICANN board approval.

So why the delays?

Five of the nine GNSO-completed PDPs, including all three at the IRT stage, relate to Whois policy, which was thrown into confusion by the European Union’s introduction of the GDPR legislation in May 2018.

Two of them pre-date the introduction of GDPR in May 2018, and have been frozen by ICANN staff as a result of it, while three others came out of the Whois EPDP that was specifically designed to bring ICANN policy into line with GDPR.

All five appear to be intertwined and dependent on the outcome of the ICANN board’s consideration of the EPDP recommendations and the subsequent Operational Design Assessment.

As we’ve been reporting, these recommendations could take until 2028 to implement, by which time they’ll likely be obsolete, if indeed they get approved at all.

Unrelated to Whois, two PDPs relate to the protection of the names and acronyms of international governmental and non-governmental organizations (IGOs/INGOs).

Despite being almost 10 years old, these projects are on-hold because they ran into resistance from the Governmental Advisory Committee and ICANN board. A separate PDP has been created to try to untangle the problem that hopes to provide its final report to the board in June.

Finally, there’s the New gTLD Subsequent Procedures PDP, which is in its Operational Design Phase and is expected to come before the board early next year, some 2,500 days (almost seven years) after the PDP was initiated.

I’m not sure what conclusions to draw from all this, other than that ICANN has turned into a convoluted mess of bureaucracy and I thoroughly understand why some community volunteers believe their patience is being tested.

ICANN trying to strangle SSAD in the crib?

Kevin Murphy, January 14, 2022, Domain Policy

ICANN is trying to kill off or severely cripple Whois reform because it thinks the project stands to be too expensive, too time-consuming, and not fit for purpose.

That’s what many long-time community members are inferring from recent discussions with ICANN management about the Standardized System for Access and Disclosure (SSAD), a proposed method of normalizing how people request access to private, redacted Whois data.

The community has been left trying to read the tea leaves following a December 20 briefing in which ICANN staff admitted they have failed to even approximately estimate how well-used SSAD, which has been criticized by potential users as pointless, might be.

During the briefing, staff gave a broad range of implementation times and cost estimates, saying SSAD could take up to four years and $27 million to build and over $100 million a year to operate, depending on adoption.

The SSAD idea was thrown together in, by ICANN standards, super-fast time with a super-tenuous degree of eventual consensus by a cross-community Expedited Policy Development Process working group.

One of the EPDP’s three former chairs, Kurt Pritz, a former senior ICANN staffer who’s been heavily involved in community work since his departure from the Org in 2012, provided his read of the December webinar on a GNSO Council discussion this week.

“I’ve sat through a number of cost justification or cost benefit analyses in my life and got a lot of reports, and I’ve never sat through one that more clearly said ‘Don’t do this’,” Pritz said.

GNSO liaison to the Governmental Advisory Committee Jeff Neuman concurred moments later: “It seemed that we could imply from the presentation that staff was saying ‘Don’t do it’… we should require them to put that in writing.”

“It was pretty clear from the meeting that ICANN Org does not want to build the SSAD. Many people in the community think its estimates are absurdly inflated in order to justify that conclusion,” Milton Mueller of the Internet Governance Project recently wrote of the same webinar.

These assessments seem fair, to the extent that ICANN appears seriously averse to implementing SSAD as the recommendations are currently written.

ICANN repeated the December 20 cost-benefit analysis in a meeting with the GAC this week, during which CEO Göran Marby described the limitations of SSAD, and how it cannot override privacy laws such as the GDPR:

It’s not a bug, it’s a feature of GDPR to limit access to data…

The SSAD is a recommended system to streamline the process of requesting data access. It cannot itself increase access to the data, as this is actually determined by the law. And so, in practice, the SSAD is expected to have little to no impact on the contracted parties’ ultimate disclosure or nondisclosure response to requests… it’s a ticketing system with added functionality.

While Marby stressed he was not criticizing the EPDP working group, that’s still a pretty damning assessment of its output.

Marby went on to reiterate that even if SSAD came into existence, people wanting private Whois data could still request it directly from registries and registrars, entirely bypassing SSAD and its potentially expensive (estimated at up to $45) per-query fees.

It seems pretty clear that ICANN staff is not enthused about SSAD in its current form and there’s a strong possibility the board of directors will concur.

So what does the policy-making community do?

There seems to be an emerging general acceptance among members of the GNSO Council that the SSAD proposals are going to have to be modified in some way in order for them to be approved by the board.

The question is whether these modifications are made preemptively, or whether the GNSO waits for more concrete feedback from Org and board before breaking out the blue pen.

Today, all the GNSO has seen is a few PowerPoint pages outlining the top-line findings of ICANN’s Operational Design Assessment, which is not due to be published in full until the board sees it next month.

Some Council members believe they should at least wait until the full report is out, and for the board to put something on the record detailing its reservations about SSAD, before any changes are made.

The next update on SSAD is an open community session, likely to cover much of the same ground as the GAC and GNSO meetings, scheduled for 1500 UTC on January 18.

The GNSO Council is then scheduled to meet January 20 for its regular monthly meeting, during which next steps will be discussed. It will also meet with the ICANN board later in the month to discuss its concerns.

Whois rule changes that nobody likes get approved anyway

Kevin Murphy, November 3, 2021, Domain Services

ICANN’s Generic Names Supporting Organization Council has approved a handful of changes to Whois policy, despite the fact that pretty much nobody was fully on-board with the proposals and how they were made.

The new recommendations call for a new field in Whois records to flag up whether the registrant is a private individual, whose privacy is protected by law, or a legal entity like a company, which has no privacy rights.

But the field will be optional, with no obligation for registries or registrars to use it in their Whois services, which has angered intellectual property interests, governments and others.

The working group that came up with the recommendations also declined to find that Whois records should come with an anonymized registrant email address as standard. This absence of change was also adopted by the Council, causing more disappointment.

In short, nothing much is happening to Whois records for the foreseeable future as a result of these policy changes.

But the process to arrive at this conclusion has highlighted not just the deep divisions in the ICANN community but also, some argue, deficiencies in the ICANN process itself.

The Expedited Policy Development Process working group that has since 2018 been looking at the interaction between Whois and privacy protection law, primarily the European Union’s General Data Protection Regulation, had been asked two final questions earlier this year, to wrap up its long-running work.

First, should registrars and registries be forced to distinguish between legal and natural persons when deciding what data to publish in Whois?

Second, should there be a registrant-based or registration-based anonymized email published in Whois to help people contact domain owners and/or correlate ownership across records?

The answer on both counts was that it’s up to the registry or registrar to decide.

On legal versus natural, the EPDP decided that ICANN should work with the technical community to create a new field in the Whois standard (RDAP), but that there should be no obligation for the industry to use it.

On anonymized email addresses, the working group recommendations were even hand-wavier — they merely refer the industry to some legal advice on how to implement such a system in a GDPR-compliant way.

While this phase of the EPDP’s work was super-fast by ICANN standards (taking about nine months) and piss-weak with its output, it nevertheless attracted a whole lot of dissent.

While its tasks appeared straightforward to outsiders, it nevertheless appears to have inherited the simmering tensions and entrenched positions of earlier phases and turned out to be one of the most divisive and fractious working groups in the modern ICANN period.

Almost every group involved in the work submitted a minority statement expressing either their displeasure with the outcome, or with the process used to arrive at it, or both. Even some of the largely positive statements reek of sarcasm and resentment.

EPDP chair Keith Drazek went to the extent of saying that the minority statements should be read as part and parcel of the group’s Final Report, saying “some groups felt that the work did not go as far as needed, or did not include sufficient detail, while other groups felt that certain recommendations were not appropriate or necessary”.

This Final Report constitutes a compromise that is the maximum that could be achieved by the group at this time under our currently allocated time and scope, and it should not be read as delivering results that were fully satisfactory to everyone.

This appears to be an understatement.

The Intellectual Property Constituency and Business Constituency were both the angriest, as you might expect. They wanted to be able to get more data on legal persons, and to be able to reverse-engineer domain portfolios using anonymous registrant-based email addresses, and they won’t be able to do either.

The Governmental Advisory Committee and Security and Stability Advisory Committee both expressed positions in line with the IPC/BC, dismayed that no enforceable contract language will emerge from this process.

Councilor Marie Pattullo of the BC said during the GNSO Council vote last Wednesday that the work “exceeds what is necessary to protect registrant data” and that the EPDP failed to “preserve the WHOIS database to the greatest extent possible”.

The “optional differentiation between legal and natural persons is inadequate”, she said, resulting in “a significant number of records being needlessly redacted or otherwise being made unavailable”. The approved policies contain “no real policy and places no enforceable obligations on contracted parties”, she said.

IPC councilor John McElwaine called the EPDP “unfinished work” because the working group failed to reach a consensus on the legal/natural question. The IPC minority statement had said:

Requiring ICANN to coordinate the technical community in the creation of a data element which contracted parties are free to ignore altogether falls far short of “resolving” the legal vs. natural issue. And failing to require differentiation of personal and non-personal data fails to meet the overarching goal of the EPDP to “preserve the WHOIS database to the greatest extent possible” while complying with privacy law.

But McElwaine conceded that “a minority of IPC members did favor these outputs as being minor, incremental changes that are better than nothing”.

The BC and IPC both voted against the proposals, but that was not enough to kill them. They would have needed support from at least one councilor on the other side of the GNSO’s Non-Contracted Parties House, the Non-Commercial Stakeholders Group, and that hand was not raised.

While the NCSG voted “aye”, and seemed generally fine with the outcome, it wasn’t happy with the process, and had some stern words for its opponents. It said in its minority statement:

The process for this EPDP has been unnecessarily long and painful, however, and does not reflect an appreciation for ICANN’s responsibility to comply with data protection law but rather the difficulty in getting many stakeholders to embrace the concept of respect for registrants’ rights…

With respect to the precise issues addressed in this report, we have stressed throughout this EPDP, and in a previous PDP on privacy proxy services, that the distinction between legal and natural is not a useful distinction to make, when deciding about the need to protect data in the RDS. It was, as we have reiterated many times, the wrong question to ask, because many workers employed by a legal person or company have privacy rights with respect to the disclosure of their personal information and contact data. The legal person does not have privacy rights, but people do.

While welcoming the result, the Registrars Stakeholder Group had similar concerns about the process, accusing its opponents of trying to impose additional legal risks on contracted parties. Its minority statement says:

it is disappointing that achieving this result was the product of significant struggle. Throughout the work on this Phase, the WG revisited issues repeatedly without adding anything substantially new to the discussion, and discussed topics which were out of scope. Perhaps most importantly, the WG was on many occasions uninterested in or unconcerned with the legal and financial risks that some proposed obligations would create for contracted parties in varying jurisdictions or of differing business models, or the risks to registrants themselves.

The Registries Stakeholder Group drilled down even more on the “out of scope” issue, saying the recommendation to create a new legal vs natural field in Whois went beyond what the working group had been tasked with.

They disagreed with, and indeed challenged, Drazek’s decision that the discussion was in-scope, but reluctantly went ahead and voted on the proposals in Council in order to finally draw a line under the whole issue.

The question of whether the legal vs natural question has in fact been resolved seems to be an ongoing point of conflict, with the RySG, RrSG and NCSG saying it’s finally time to put the matter to bed and the IPC and BC insisting that consensus has not yet been reached.

The RySG wrote that it is “well past time to consider the issue closed” and that the EPDP had produced a “valuable and acceptable outcome”, adding:

The RySG is concerned that some have suggested this issue is not resolved. This question has been discussed in three separate phases of the EPDP and the result each time has been that Contracted Parties may differentiate but are not required to do so. This clearly demonstrates that this matter has been addressed appropriately and consistently. A perception that this work is somehow unresolved could be detrimental to the ICANN community and seen as undermining the effectiveness of the multistakeholder model.

Conversely, the BC said the report “represents an unfortunate failure of the multistakeholder process” adding that “we believe the record should state that consensus opinion did not and still does not exist”.

The IPC noted “a troubling trend in multistakeholder policy development”, saying in a clear swipe at the contracted parties that “little success is possible when some stakeholders are only willing to act exclusively in their own interests with little regard for compromise in the interest of the greater good.”

So, depending on who you believe, either the multistakeholder process is captured and controlled by intransigent contracted parties, or it’s unduly influenced by those who want to go ultra vires to interfere with the business of selling domains in order to violate registrant privacy.

And in either case the multistakeholder model is at risk — either “agree to disagree” counts as a consensus position, or it’s an invitation for an infinite series of future policy debates.

Business as usual at the GNSO, in other words.