Latest news of the domain name industry

Recent Posts

“GDPR is not my fault!” — ICANN fears reputational damage from Whois reform

Kevin Murphy, January 28, 2022, Domain Policy

Damned if we do, damned if we don’t.

That seems to an uncomfortable message emerging from ICANN’s ongoing discussions about SSAD, the proposed Standardized System for Access and Disclosure, which promises to bring some costly and potentially useless reform to the global Whois system.

ICANN’s board of directors and the GNSO Council met via Zoom last night to share their initial reactions to the ICANN staff’s SSAD Operational Design Assessment, which had been published just 48 hours earlier.

I think it’s fair to say that while there’s still some community enthusiasm for getting SSAD done in one form or another, there’s much more skepticism, accompanied by a fear that the whole sorry mess is going to make ICANN and its vaunted multistakeholder model look bad/worse.

Some say that implementing SSAD, which could take six more years and cost tens of millions of dollars, would harm ICANN’s reputation if, as seems quite possible, hardly anyone ends up using it. Others say the risk comes from pissing away years of building community consensus on a set of policy recommendations that ultimately don’t get implemented.

GNSO councillor Thomas Rickert said during yesterday’s conference call:

One risk at this stage that I think we need to discuss is the risk to the credibility of the functionality of the multi-stakeholder model. Because if we give up on the SSAD too soon, if we don’t come up with a way forward on how to operationalize it, then we will be seen as an organization that takes a few years to come up with policy recommendations that never get operationalized and that will certainly play into the hands of those who applaud the European Commission for coming up with ideas in NIS2, because obviously they see that the legislative process at the European and then at the national state level is still faster than ICANN coming up with policies.

NIS2 is a formative EU Directive that is likely to shake up the privacy-related legal landscape yet again, almost certainly before ICANN’s contractors even type the first line of SSAD code.

While agreeing with Rickert’s concerns, director Becky Burr put forward the opposing view:

The flip side of that is that we build it, we don’t have the volume to support it at a reasonable cost basis and it does not change the outcome of a request for access to the Whois data… We build it, with all its complexity and glory, no one uses it, no one’s happy with it and that puts pressure on the multi-stakeholder model. I’m not saying where I come out on this, but I feel very torn about both of those problems.

The ODA estimates the cost of building SSAD at up to $27 million, with the system not going live until 2027 or 2028. Ongoing annual operating costs, funded by fees collected from the people requesting private Whois data, could range from $14 million to $107 million, depending on how many people use it and how frequently.

These calculations are based on an estimated user base of 25,000 and three million, with annual queries of 100,000 and 12 million. The less use the system gets, the higher the per-query cost.

But some think the low end of these assumptions may still be too high, and that ultimately usage would be low enough to make the query fees so high that users will abandon the system.

Councillor Kurt Pritz said:

I think there’s a material risk that the costs are going to be substantially greater than what’s forecast and the payback and uptake is going to be substantially lower… I think there’s reputational risk to ICANN. We could build this very expensive tool and have little or no uptake, or we could build a tool that becomes obsolete before it becomes operational.

The low-end estimates of 25,000 users asking for 100,000 records may be “overly optimistic”, Pritz said, given that only 1,500 people are currently asking registrars for unredacted Whois records. Similarly, there are only 25,000 requests per year right now, some way off the 100,000 low-end ODA assumption, he said.

If SSAD doesn’t even hit its low-end usage targets, the fee for a single Whois query could be even larger than the $40 high-end ODA prediction, creating a vicious cycle in which usage drops further, further increasing fees.

SSAD doesn’t guarantee people requesting Whois data actually get it, and bypassing SSAD entirely and requesting private data directly from a registrar would still be an option.

There seems to be a consensus now that GDPR always requires registries and registrars to ultimately make the decision as to whether to release private data, and there’s nothing ICANN can do about it, whether with SSAD or anything else.

CEO Göran Marby jokingly said he’s thinking about getting a T-shirt printed that says “GDPR was not my fault”.

“The consequences of GDPR on the whole system is not something that ICANN can fix, that’s something for the legislative, European Commission and other ones to fix,” he said. “We can’t fix the law.”

One idea to rescue SSAD, which has been floated before and was raised again last night, is to cut away the accreditation component of the system, which Marby reckons accounts for about two thirds of the costs, and basically turn SSAD into a simplified, centralized “ticketing system” (ironically, that’s the term already used derisively to describe it) for handling data requests.

But the opposing view — that the accreditation component is actually the most important part of bringing Whois into GDPR compliance — was also put forward.

Last night’s Zoom call barely moved the conversation forward, perhaps not surprisingly given the limited amount of time both sides had to digest the ODA, but it seems there may be future conversations along the same lines.

ICANN’s board, which was in “listening mode” and therefore pretty quiet last night, is due to consider the SSAD recommendations, in light of the ODA, at some point in February.

I would be absolutely flabberghasted if they were approved in full. I think it’s far more likely that the policy will be thrown back to the GNSO for additional work to make it more palatable.

No SSAD before 2028? ICANN publishes its brutal review of Whois policy

Kevin Murphy, January 25, 2022, Domain Policy

Emergency measures introduced by ICANN to reform Whois in light of new privacy laws could wind up taking a full decade, or even longer, to bear dead-on-the-vine fruit.

That’s arguably the humiliating key takeaway from ICANN’s review of community-created policy recommendations to create a Standardized System for Access and Disclosure (SSAD), published this evening.

The Org has released its Operational Design Assessment (pdf) of SSAD, the first-ever ODA, almost nine months after the Operational Design Phase was launched last April.

It’s a 122-page document, about half of which is appendices, that goes into some detail about how SSAD and its myriad components would be built and by whom, how long it would take and how much it would cost.

It’s going to take a while for the community (and me) to digest, and while it generally veers away from editorializing it does gift opponents of SSAD (which may include ICANN itself) with plenty of ammunition, in the form of enumerated risk factors and generally impenetrable descriptions of complex systems, to strangle the project in the crib.

Today I’m just going to look at the timing.

Regular DI readers will find little to surprise them among the headline cost and timeline predictions — they’ve been heavily teased by ICANN in webinars for over a month — but the ODA goes into a much more detailed breakdown.

SSAD, ICANN predicts, could cost as much as $27 million to build and over $100 million a year to operate, depending on adoption, the ODA says. We knew this already.

But the ODA contains a more detailed breakdown of the timeline to launch, and it reveals that SSAD, at the most-optimistic projections, would be unlikely to see the light of day until 2028.

That’s a decade after the European Union introduced the GDPR privacy law in May 2018.

Simply stated, the GDPR told registries and registrars that the days of unfettered access to Whois records was over — the records contain personal information that should be treated with respect. Abusers could be fined big.

ICANN had been taken off-guard by the law. GDPR wasn’t really designed for Whois and ICANN had not been consulted during its drafting. The Org started to plan for its impact on Whois barely a year before it became effective.

It used the unprecedented top-down emergency measure of the Temporary Specification to force contracted parties to start to redact Whois data, and the GNSO Council approved an equally unprecedented Expedited Policy Development Process, so the community could create some bottom-up policy.

The EPDP was essentially tasked with creating a way for the people who found Old Whois made their jobs easier, such as intellectual property lawyers and the police, to request access to the now-private personal data.

It came up with SSAD, which would be a system where approved, accredited users could funnel their data requests through a centralized gateway and have some measure of assurance that they would at least be looked at in a standardized way.

But, considering the fact that they would not be guaranteed to have their requests approved, the system would be wildly complex, potentially very expensive, and easily circumvented, the ODP found.

It’s so complex that ICANN reckons it will take between 31.5 and 42 months for an outsourced vendor to build, and that’s after the Org has spent two years on its Implementation Review Team activities.

SSAD timeline

That’s up to almost six years from the moment ICANN’s board of directors approves the GNSO’s SSAD recommendations. That could come as early as next month (but as I reported earlier today, that seems increasingly unlikely).

The ODA points out that this timetable could be extended due to factors such as new legislation being introduced around the world that would affect the underlying privacy assumptions with which SSAD was conceived.

And this is an “expedited” process, remember?

Ten years ago, under different management and a different set of bylaws, ICANN published some research into the average duration of a Policy Development Process.

The average PDP took 620 days back then, from the GNSO Council kicking off the process to the ICANN board voting to approve or reject the policy. I compared it to an elephant pregnancy, the longest gestation period of all the mammals, to emphasize how slow ICANN had become.

Slow-forward to today, when the “expedited” PDP leading to SSAD has so far lasted 1,059 days, if we’re counting from when Phase 2 began in March 2019. It’s taken 1,287 days if we’re being less generous and counting from the original EPDP kicking off.

Nelly could have squeezed out two ankle-nibblers in that time. Two little elephants, one of which would most assuredly be white.

ICANN board not happy with $100 million Whois reform proposals

Kevin Murphy, January 25, 2022, Domain Policy

ICANN’s board of directors has given its clearest indication yet that it’s likely to shoot down community proposals for a new system for handling requests for private Whois data.

Referring to the proposed System for Standardized Access and Disclosure, ICANN chair Maarten Botterman said “the Board has indicated it may not be able to support the SSAD recommendations as a whole”.

In a letter (pdf) to the GNSO Council last night, Botterman wrote:

the complexity and resources required to implement all or some of the recommendations may outweigh the benefits of an SSAD, and thus may not be in the best interests of ICANN nor the ICANN community.

The SSAD would be a centralized way for accredited users such as trademark lawyers, security researchers and law enforcement officers to request access to Whois data that is currently redacted due to privacy laws such as GDRP.

The system was the key recommendation of a GNSO Expedited Policy Development Process working group, but an ICANN staff analysis last year, the Operational Design Phase, concluded that it could be incredibly expensive to build and operate while not providing the functionality the trademark lawyers et al require of it.

ICANN was unable to predict with any accuracy how many people would likely use SSAD. It will this week present its final ODP findings, estimating running costs of between $14 million and $107 million per year and a user base of 25,000 to three million.

At the same time, ICANN has pointed out that its own policies cannot overrule GDPR. Registries and registrars still would bear the legal responsibility to decide whether to supply private data to requestors, and requestors could go to them directly to bypass the cost of SSAD altogether. Botterman wrote:

This significant investment in time and resources would not fundamentally change what many in the community see as the underlying problem with the current process for requesting non-public gTLD registration data: There is no guarantee that SSAD users would receive the registration data they request via this system.

ICANN management and board seem to be teasing the GNSO towards revising and scaling back its recommendations to make SSAD simpler and less costly, perhaps by eliminating some of its more expensive elements.

This moves ICANN into the perennially tricky territory of opening itself up to allegations of top-down policy-making.

Botterman wrote:

Previously, the Board highlighted its perspective on the importance of a single, unified model to ensure a common framework for requesting non-public gTLD registration data. However, in light of what we’ve learned to date from the ODP, the Board has indicated it may not be able to support the SSAD recommendations as a whole as envisioned by the EPDP. The Board is eager to discuss next steps with the Council, as well as possible alternatives to design a system that meets the benefits envisioned by the EPDP

The board wants to know whether the GNSO Council shares its concerns. The two parties will meet via teleconference on Thursday to discuss the matter. The ODP’s final report may be published before then.

ICANN splits $9 million new gTLD ODP into nine tracks

Kevin Murphy, January 20, 2022, Domain Policy

ICANN has added a little more detail to its plans for the Operational Design Phase for the next round of the new gTLD program.

VP and ODP manager Karen Lentz last night blogged that the project is being split into nine work tracks, each addressing a different aspect of the work.

She also clarified that the ODP officially kicked off January 3, meaning the deadline for completion, barring unforeseen issues, is November 3. The specific dates hadn’t been clear in previous communications.

The nine work tracks are “Project Governance”, “Policy Development and Implementation Materials”, “Operational Readiness”, “Systems and Tools”, “Vendors”, “Communications and Outreach”, “Resources, Staffing, and Logistics”, “Finance”, and “Overarching”.

Thankfully, ICANN has not created nine new acronyms to keep track of. Yet.

Pro-new-gTLD community members observing how ICANN’s first ODP, which addressed Whois reform, seemed to result in ICANN attempting to kill off community recommendations may be worried by how Lenzt described the new ODP:

The purpose of this ODP, which began on 3 January, is to inform the ICANN Board’s determination on whether the recommendations are in the best interests of ICANN and the community.

I’d be hesitant to read too much into this, but it’s one of the clearest public indications yet that subsequent application rounds are not necessarily a fait accompli — the ICANN board could still decide force the community to go back to the drawing board if it decides the current recommendations are harmful or too expensive.

I don’t think that’s a likely outcome, but the thought that it was a possibility hadn’t seriously crossed my mind until quite recently.

Lentz also refers to “the work required to prepare for the next round and subsequent rounds”, which implies ICANN is still working on the assumption that the new gTLD program will go ahead.

The ICANN board has give Org 10 months and a $9 million budget, paid out of 2012-round application fee leftovers, to complete the ODP. The output will be an Operational Design Assessment, likely to be an enormous document, that the board will consider, probably in the first half of next year, before implementation begins.

Crain named ICANN CTO

Kevin Murphy, January 19, 2022, Domain Policy

ICANN veteran John Crain has been named the Org’s new chief technology officer.

He’s replacing David Conrad, who he’s been subbing in for since Conrad left at the end of September.

Crain has been with ICANN for 20 years and was most recently chief security, stability, and resiliency officer.

Battle for .web “far from over”, says Afilias lawyer

Kevin Murphy, January 19, 2022, Domain Registries

Altanovo Domains’ fight with Verisign and ICANN for the .web gTLD is not over, despite an adverse ruling late last month, according to a top lawyer for the company.

Altanovo, the company previously known as Afilias Domains No 3, has not thrown in the towel and left the path clear for Verisign to launch .web, Arif Ali of the law firm Dechert told DI last night.

“Bottom line: this matter is far from over and no, Verisign doesn’t ‘get to run .web after all;’ certainly if the Board does its job objectively and fairly,” he said in an email.

He said this just hours before ICANN published its latest, but by no means final, board resolution on the .web case.

Ali represented Afilias in its Independent Review Process complaint against ICANN’s decision to award .web to Verisign following a 2016 auction, which was won by a company called Nu Dot Co, secretly backed by $135 million of Verisign’s money.

Afilias technically won its IRP, with the panel ruling last May that ICANN broke its bylaws by shirking its duty to address Afilias’ claim that NDC broke new gTLD program rules. Afilias said ICANN should have forced NDC to disclose itself a Verisign pawn before the auction went ahead.

ICANN got close to signing a registry agreement for .web with NDC, despite it being an open question as to whether the auction was legit, the panel ruled. It ordered ICANN to pay Afilias its $450,000 in legal fees and $479,458 of IRP costs.

What the IRP did not do was void the Verisign/NDC bid, nor give Afilias rights to .web.

Instead, it instructed ICANN to stay the .web contract-signing until its board has formally “considered and pronounced upon the question of whether the [Verisign-NDC Domain Acquisition Agreement] complied with the New gTLD Program Rules”.

The board had held a secret, undocumented discussion about the case in November 2016 and decided to keep its mouth shut and just let the IRP play out, according to the IRP ruling, which essentially told the board to stop avoiding difficult questions and to actually make a call on the legitimacy of the Verisign play.

Before the board could do so, Afilias/Altanovo filed an unprecedented appeal with the IRP panel. Technically an “application for an additional decision and interpretation”, Afilias asked the IRP panel to definitively answer the question of whether Verisign broke the rules rather than merely passing the hot potato back to ICANN’s board.

But in a December 21 decision (pdf), the IRP panel denied Afilias’ request as “frivolous” in its entirely, writing:

The Panel has dismissed the [Afilias] Application in its entirety. In the opinion of the Panel, under the guise of seeking an additional decision, the Application is seeking reconsideration of core elements of the Final Decision. Likewise, under the guise of seeking interpretation, the Application is requesting additional declarations and advisory opinions on a number of questions, some of which had not been discussed in the proceedings leading to the Final Decision.

In such circumstances, the Panel cannot escape the conclusion that the Application is “frivolous” in the sense of it “having no sound basis (as in fact or law)”. This finding suffices to entitle the Respondent [ICANN] to the cost shifting decision it is seeking and obviates the necessity of determining whether the Application is also “abusive”.

The panel told Afilias to pay ICANN’s $236,884 legal fees and the panel’s costs of $140,335, leaving Afilias out of pocket and back to square one in terms of getting clarity on whether Verisign’s actions were kosher.

Afilias had basically accused the panel of shirking its duties and punting its decision on Verisign’s auction bid in much the same way as the panel decided that ICANN had shirked its duties and punted its decision on Verisign’s auction bid.

Nobody seems to want to make a call on whether the successful Verisign-NDC ploy to win the .web auction with a secretly bankrolled bid was legit.

On Sunday, the full ICANN board met to discuss the outcome of the IRP and — surprise surprise — it punted again, instructing a subcommittee to look more closely at the matter:

the Board asks the Board Accountability Mechanisms Committee (BAMC) to review, consider, and evaluate the IRP Panel’s Final Declaration and recommendation, and to provide the Board with its findings to consider and act upon before the organization takes any further action toward the processing of the .WEB application(s).

There’s not yet a publicly announced date for the next BAMC meeting. It tends to meet as and when needed, so we might not have too long to wait.

Once the committee has made a decision, it would be referred back to the full board for a final rubber stamp, and it seems that only after that would Afilias make its next move.

Ali, in an email sent to DI just a few hours before ICANN published its Sunday board resolution last night, said:

The [IRP] Panel also made it clear that the Board can’t just punt on the matter as it did previously, but must decide it, and that its decision is subject to review by a future IRP panel.

There’s nothing preventing Afilias filing another IRP to challenge the board’s ultimate decision, should it favor Verisign. Likewise, if it favors Afilias, Verisign could use IRP to appeal.

Verisign has been pursuing a counter-claim against Afilias, albeit so far only in the court of public opinion, accusing the company of breaking ICANN’s rules by trying to secretly “rig” the .web auction during a communications blackout period.

Ali calls this a “red herring”, among other things.

In my view, whichever way ICANN’s board goes, it’s going to wind up back in an IRP.

With IRP proceedings typically measured in years, and no indication that Afilias or Verisign are ready to back down, it seems the .web saga may still have some considerable time left on the clock.

If you’re desperate to register a .web domain, don’t hold your breath.

Note: most of Afilias was acquired by Donuts a year ago, but the .web application was not part of the deal. The IRP proceedings have continued to refer to “Afilias” interchangeably with “Altanovo”, and I’m doing the same in my coverage.

BMW porn site leads to registrar getting suspended

Kevin Murphy, January 18, 2022, Domain Registrars

A Hong Kong registrar has had its ICANN contract suspended after failing to transfer a cybersquatted domain to car maker BMW.

ThreadAgent.com, which has about 32,000 .com and .net domains under management, attracted the attention of ICANN compliance after a customer lost a UDRP case concerning the domain bmwgroup-identity.net.

The domain led to a site filled with porn and gambling content, and the UDRP was a slam-dunk win for BMW.

But ThreadAgent failed to transfer the domain to BMW within the 10 days required by ICANN policy, leading to Compliance reviewing the registrar for other areas of non-compliance.

A December 22 breach notice led to the registrar transferring the domain to BMW last week, but it had failed to resolve the other issues ICANN had identified, leading to a suspension notice the very next day.

ICANN wants ThreadAgent to explain why the UDRP was not processed according to the policy, and how it will be compliant in futre. It also says the company is not operating a web Whois service as required.

ICANN has told the company it will not be able to sell gTLD domains or accept inbound transfers between January 28 and April 28, and must display a notice to that effect prominently on its web site.

That second requirement may prove complicated, as ThreadAgent appears to be one of about 20 registrar accreditations belonging to XZ.com, a Chinese group based in Xiamen. It has not used the domain threadagent.com in several years, and its other accreditations, which use the same storefront, are all still unsuspended.

ICANN trying to strangle SSAD in the crib?

Kevin Murphy, January 14, 2022, Domain Policy

ICANN is trying to kill off or severely cripple Whois reform because it thinks the project stands to be too expensive, too time-consuming, and not fit for purpose.

That’s what many long-time community members are inferring from recent discussions with ICANN management about the Standardized System for Access and Disclosure (SSAD), a proposed method of normalizing how people request access to private, redacted Whois data.

The community has been left trying to read the tea leaves following a December 20 briefing in which ICANN staff admitted they have failed to even approximately estimate how well-used SSAD, which has been criticized by potential users as pointless, might be.

During the briefing, staff gave a broad range of implementation times and cost estimates, saying SSAD could take up to four years and $27 million to build and over $100 million a year to operate, depending on adoption.

The SSAD idea was thrown together in, by ICANN standards, super-fast time with a super-tenuous degree of eventual consensus by a cross-community Expedited Policy Development Process working group.

One of the EPDP’s three former chairs, Kurt Pritz, a former senior ICANN staffer who’s been heavily involved in community work since his departure from the Org in 2012, provided his read of the December webinar on a GNSO Council discussion this week.

“I’ve sat through a number of cost justification or cost benefit analyses in my life and got a lot of reports, and I’ve never sat through one that more clearly said ‘Don’t do this’,” Pritz said.

GNSO liaison to the Governmental Advisory Committee Jeff Neuman concurred moments later: “It seemed that we could imply from the presentation that that staff was saying ‘Don’t do it’… we should require them to put that in writing.”

“It was pretty clear from the meeting that ICANN Org does not want to build the SSAD. Many people in the community think its estimates are absurdly inflated in order to justify that conclusion,” Milton Mueller of the Internet Governance Project recently wrote of the same webinar.

These assessments seem fair, to the extent that ICANN appears seriously averse to implementing SSAD as the recommendations are currently written.

ICANN repeated the December 20 cost-benefit analysis in a meeting with the GAC this week, during which CEO Göran Marby described the limitations of SSAD, and how it cannot override privacy laws such as the GDPR:

It’s not a bug, it’s a feature of GDPR to limit access to data…

The SSAD is a recommended system to streamline the process of requesting data access. It cannot itself increase access to the data, as this is actually determined by the law. And so, in practice, the SSAD is expected to have little to no impact on the contracted parties’ ultimate disclosure or nondisclosure response to requests… it’s a ticketing system with added functionality.

While Marby stressed he was not criticizing the EPDP working group, that’s still a pretty damning assessment of its output.

Marby went on to reiterate that even if SSAD came into existence, people wanting private Whois data could still request it directly from registries and registrars, entirely bypassing SSAD and its potentially expensive (estimated at up to $45) per-query fees.

It seems pretty clear that ICANN staff is not enthused about SSAD in its current form and there’s a strong possibility the board of directors will concur.

So what does the policy-making community do?

There seems to be an emerging general acceptance among members of the GNSO Council that the SSAD proposals are going to have to be modified in some way in order for them to be approved by the board.

The question is whether these modifications are made preemptively, or whether the GNSO waits for more concrete feedback from Org and board before breaking out the blue pen.

Today, all the GNSO has seen is a few PowerPoint pages outlining the top-line findings of ICANN’s Operational Design Assessment, which is not due to be published in full until the board sees it next month.

Some Council members believe they should at least wait until the full report is out, and for the board to put something on the record detailing its reservations about SSAD, before any changes are made.

The next update on SSAD is an open community session, likely to cover much of the same ground as the GAC and GNSO meetings, scheduled for 1500 UTC on January 18. Details here.

The GNSO Council is then scheduled to meet January 20 for its regular monthly meeting, during which next steps will be discussed. It will also meet with the ICANN board later in the month to discuss its concerns.

ICANN trying to water down its transparency obligations

Kevin Murphy, January 13, 2022, Domain Policy

ICANN? Trying to be less transparent? Surely not!

The Org has been accused by some of its community members of trying to shirk its transparency obligations with proposed changes to its Documentary Information Disclosure Policy.

The changes would give ICANN “superpowers” to deny DIDP requests, and to deny them without explanation, according to inputs to a recently closed public comment period.

The DIDP is ICANN’s equivalent of a Freedom of Information Act, allowing community members to request documentation that would not be published during the normal course of business.

It’s often used, though certainly not exclusively so, by lawyers as a form of discovery before they escalate their beefs to ICANN accountability mechanisms or litigation.

It already contains broad carve-outs that enable ICANN to refuse disclosure if it considers the requested info too sensitive for the public’s eyes. These are the Defined Conditions for Nondisclosure, and they are used frequently enough that most DIDPs don’t reveal any new information.

The proposed new DIDP broadens these nondisclosure conditions further, to the extent that some commentators believe it would allow ICANN to deny basically any request for information. New text allows ICANN to refuse a request for:

Materials, including but not limited to, trade secrets, commercial and financial information, confidential business information, and internal policies and procedures, the disclosure of which could materially harm ICANN’s financial or business interests or the commercial interests of its stakeholders who have those interests.

The Registries Stakeholder Group noted that this is “broader” than the current DIDP, while the At-Large Advisory Committee said (pdf) it “essentially grants ICANN the right to refuse any and all requests”.

ALAC wrote that “rejecting a request because it includes commercial or financial information or documents an internal policy makes a mockery of this DIDP policy”.

Jeff Reberry of drop-catch registrar TurnCommerce concurred (pdf), accusing ICANN of trying to grant itself “superpowers” and stating:

Extremely generic terms such as “confidential business information” and “commercial information” were added. Frankly, this could mean anything and everything! Thus, ICANN has now inserted a catch-all provision allowing it to disclose nothing.

Other comments noted that the proposed changes dilute ICANN’s responsibility to explain itself when it refuses to release information.

Text requiring ICANN to “provide a written statement to the requestor identifying the reasons for the denial” has been deleted from the proposed new policy.

A collection of six lawyers, all prolific DIDP users, put their names to a comment (pdf) stating that “the change results in less transparency than the current DIDP”.

The lawyers point out that requests that are denied without explanation would likely lead to confusion and consequently increased use of ICANN’s accountability mechanisms, such as Requests for Reconsideration. They wrote:

Simply stated, the Revised Policy allows ICANN to obscure its decision-making and will ultimately cause disputes between ICANN and the Internet community — the complete opposite of the “accountable and transparent” and “open and transparent processes” required by ICANN’s Bylaws.

One change that didn’t get much attention in the public comments, but which certainly leapt out to me, concerns the turnaround time for DIDP responses.

Currently, the DIDP states that ICANN “will provide a response to the DIDP request within 30 calendar days from receipt of the request.”

In practice, ICANN treats this obligation like one might treat a tax return or a college essay — it almost provides its response exactly 30 days after it receives a request, at the last possible moment.

The revised DIDP gives ICANN the new ability to extend this deadline for another 30 days, and I don’t think it’s unreasonable to assume, given past behavior, that ICANN will try to exploit this power whenever it’s advantageous to do so:

In the event that ICANN org cannot complete its response within that 30-calendar-day time frame, ICANN org will inform the requestor by email as to when a response will be provided, which shall not be longer than an additional 30 calendar days, and explain the reasons necessary for the extension of time to respond.

The predictably Orwellian irony of all of the above proposed changes is that they come in response to a community review called the Cross-Community Working Group on Enhancing ICANN Accountability Work Stream 2 (WS2), which produced recommendations designed to enhance accountability and transparency.

Whether they are adopted as-is or further revised to address community concerns is up to the ICANN board of directors, which is of course advised by the staff lawyers who drafted the proposed revisions.

ICANN staff’s summary of the seven comments submitted during the public comment period is due next week.

A decade after the last new gTLD round, Marby starts the clock on the next one

Kevin Murphy, January 12, 2022, Domain Policy

The next new gTLD application is moving a step closer this month, with ICANN chief Göran Marby promising the launch of its Operational Design Phase.

But it’s still unclear whether the ODP has officially started, and many community members are angry and frustrated that the process is taking too long, some 10 years after the last application window opened.

Marby published a blog post December 20 stating “the org has advised the Board that it is beginning the ODP”, but he linked to a December 17 letter (pdf) that told the board “the org is now transitioning to launch the ODP formally as of January”.

We’re well into January now, so does that mean the ODP has officially started? It’s not clear from what ICANN has published.

It seems either ICANN doesn’t yet want to pin down an exact date for the ODP being initiated, which starts the clock on its deadline for completion, or it’s just really bad at communications.

In September, the board gave Marby $9 million and 10 months for the ODP to come up with its final output, an Operational Design Assessment.

The project is being funded from the remaining application fees from the 2012 application round, rather than ICANN’s regular operations budget.

The text of the resolution gives the deadline as “within ten months from the date of initiation, provided that there are no unforeseen matters that could affect the timeline”.

Assuming the “date of initiation” is some point this month, the ODA would be therefore due to be delivered before the end of November this year, barring “unforeseen matters”.

The document would then be considered by the ICANN board, a process likely to be measured in a handful of months, rather than weeks or days, pushing a final decision on the next round out into the first quarter of 2023.

For avoidance of doubt, that’s the decision about whether or not to even have another new gTLD round.

As a reminder, the 2012 round Applicant Guidebook envisaged a second application round beginning about a year after the first.

Naturally, many would-be applicants are incredibly frustrated that this stuff is taking so long, none more so than the Brand Registry Group, which represents companies that want to apply for dot-brand gTLDs and the consultants that want to help them do so.

Overlapping with ICANN’s December 17 letter to the board, BRG president Karen Day wrote to ICANN (pdf) to complain about the lack of progress and the constant extensions of the runway, saying:

The constant delay and lack of commitment to commencing the next round of new gTLDs is unreasonable and disrespectful to the community that has worked diligently… these delays and lack of commitments to deliver the community’s work is an increasing pattern which risks disincentivizing the volunteer community and threatens the multistakeholder model

Day asked the board to provide more clarity about the ODP’s internal milestones and possible delaying factors, and called for future work to begin in parallel with the ODP in order to shorten the overall roadmap.

It’s worth noting that the ODP may wind up raising more questions than it answers, delaying the next round still further.

It’s only the second ODP ICANN has conducted. The first, related to Whois privacy reform, ended in December (after delays) with a report that essentially shat all over the community’s policy work, predicting that it would take several years and cost tens of millions of dollars to implement for potentially very little benefit.

The board is expected to receive that first ODP’s report in February and there’s no telling what conclusions it will reach.

While Marby has publicly indicated that he’s working on the assumption that there will be another new gTLD round, the ODP gives ICANN a deal of power to frustrate and delay that eventuality, if Org is so inclined.