Governments erect bulk-reg barrier to new gTLD next round
No new gTLDs should be added to the internet until ICANN develops policies addressing the abuse of bulk domain name registrations, according to the Governmental Advisory Committee.
The GAC this afternoon drafted formal Advice for the ICANN board stating that policy work on bulk regs should get underway before ICANN 84, which takes place in Muscat, Oman in late October.
While the wording still may change before it is sent to ICANN, the current draft advice reads:
The GAC advises the board: To urge the GNSO Council to undertake all necessary preparation prior to ICANN84 towards enabling targeted and narrowly scoped Policy Development Processes (PDPs) on DNS Abuse issues, prioritizing the following: to address bulk registration of malicious domain names; and the responsibility of registrars to investigate domains associated with registrar accounts that are the subject of actionable reports of DNS Abuse.
The advice on bulk regs is fairly self-explanatory: the GAC has become aware that spammers typically shop around for the cheapest TLDs then register huge amounts of domains on the assumption that some will start getting blocked quite quickly.
The second part of the advice probably needs some explanation: under the current ICANN contracts, registrars have to deal with abuse reports concerning domains they sponsor, but they’re under no obligation to investigate other domains belonging to the registrants of those domains.
So, if a scumbag registers 100 domains for a spam campaign and only one of them is reported as abusive, the registrar can comply with its contract by simply suspending that one domain. The GAC thinks it should be obliged to proactively investigate the other 99 names too.
The advice seems to have been inspired by two sources: NetBeacon’s recent Proposal for PDPs on DNS Abuse (pdf) and data from Interisle Consulting.
Both pieces of advice obviously could have an impact on registrars’ top and bottom lines. They could lose revenue if they currently make a lot of money from bulk regs, and their costs could be increased with new obligations to investigate abuse.
An added wrinkle comes in the GAC’s rationale for its advice, which suggests that dealing with bulk regs and abuse probes should be a gating factor for the next round of new gTLDs going ahead. It reads:
Before new strings are added to the DNS as a result of the next round, further work on DNS Abuse is needed to stem the increasing cost to the public of phishing, malware, botnets, and other forms of DNS Abuse.
The core text of the advice was compiled in furtive huddles on the edges of sessions at ICANN 83, and I believe Switzerland held the pen, but it seems the US government was the driving force behind the push to make abuse a barrier to the next round.
As I reported on Monday, the US GAC rep said that “in light of the global phishing problem… and similar concerns the United States is of the view that we should not expand the DNS too broadly”.
Little interest in cheapo gTLD program
ICANN’s program to offer heavily discounted new gTLD application fees to certain organizations has so far seen little uptake, and some governments are not happy about it.
The Applicant Support Program offers up to 45 qualified applicants a discount of up to 85% on their application fees. That’s worth almost $200,000 each. ICANN will also hook applicants up with pro-bono application consultants and help out with auctions if necessary.
While 40 applications are in the process of being drafted, according to ICANN’s latest monthly stats, only four finalized applications have been submitted and there’s no way of telling whether the other 40 will convert to full applications.
The low number has members of ICANN’s Governmental Advisory Committee concerned, partly because of a deal it struck with ICANN last year that would encourage a change of strategy if it turned out some regions were more represented than others.
The arrangement saw ICANN promise to refocus its outreach efforts on under-served regions after tallying up the home nations of the first 20 submitted applications. With the 12-month program application window now well past the half-way mark, the GAC is worried that by the time the 20th bid is logged, it will be too late to course-correct.
It now seems likely that the GAC’s formal Advice from the ongoing ICANN 83 meeting in Prague will see language included saying ICANN should conduct its review of the applications now, while there’s still time to adjust the strategy.
Currently, the stats show a strange and surprising mix of geographies.
North America has the most applications in draft at 15. This is weird because entities based in the US and Canada don’t qualify for the discount, ICANN doesn’t count Mexico as North American, and the only other economies in the region are US island territories like Puerto Rico and Guam.
Meanwhile, the whole of Latin America and the Caribbean region, with all its half a billion citizens, has just two applications in draft. That’s the just one more than Europe, which has just a handful of qualifying nations.
Africa and Asia-Pacific both have seven applications in draft, and Asia-Pac also has three fully submitted bids.
Based on the current stats, you’d have to assume ICANN would need beef up its outreach in Latin America if it wanted to rebalance the numbers. Europe probably doesn’t need as much love because so few countries there qualify.
As well as encouraging ICANN to analyse its number immediately, the GAC is also considering text that would connect applicants in drafting with their local governments, to see if they need any assistance getting over the final hurdle.
US government opposes most new gTLDs
The US government has come out against most of the new gTLDs likely to be applied for in next year’s application round, saying they will contribute to the “global phishing problem”.
The eyebrow-raising revelation came during an intervention from Susan Chalmers, the country’s senior representative on the Governmental Advisory Committee, at the ICANN 83 meeting in Prague this afternoon.
Chalmers said the US is not opposed to the next round in general, but “has some reservations” that the expansion could make DNS abuse worse and that ICANN should “consider how to limit the expansion appropriately”.
Here are her remarks in full:
The United States has some reservations about the next round of new gTLDs. Specifically we have concerns that expanding the DNS too broadly can lead to more spam and DNS abuse for everyone on the internet. Our concerns are not for a next round in general to be clear. We see value in certain categories of applications such as for geo-TLDs and for internationalized domain names. In some cases it makes sense to add new strings to the DNS, but in light of the global phishing problem (which we will learn more about tomorrow) and similar concerns the United States is of the view that we should not expand the DNS too broadly. As the GAC did in 2013 we must consider how to limit the expansion appropriately to take into account public interest impacts.
The US, which has at least five civil servants attending the GAC meetings in Prague, was the only government to openly oppose new gTLDs during this afternoon’s session.
The position puts the US at odds with likely the majority of next-round new gTLD applicants, which could be a cause for concern.
While there will no doubt be some worthy geographic TLDs and IDNs applied for, if 2026 is anything like the 2012 round most applications will be commercial in nature, with as broad an appeal as possible.
Sadly, no doubt some applicants will be the kind of chancers who want to make their millions selling disposable domains for a buck apiece to spammers.
While Chalmers’ remarks may be somewhat surprising, the US position under Trump isn’t a million miles away from the Obama administration’s position in the run-up to the 2012 round.
Back then, the US tried successfully to strong-arm ICANN into giving the GAC more powers over which gTLDs could and could not enter the root. Those powers have been grandfathered in to the rules for next year’s round.
But the political landscape was different back then. ICANN was still a US government contractor, which irked other governments. Some nations wanted ICANN’s powers to be expatriated and given to a body like the International Telecommunications Union. The US was keen to keep the Org under its jurisdiction, and thought a beefed-up GAC was the way to do it.
It seems unlikely that the US could derail the next round entirely. Technically, it would have to win over the full GAC to produce a consensus against the expansion, but one of the hallmarks of the Trump administration so far has been its refusal to play nicely or respect multilateralism, so who knows what might happen.
The US could also use ICANN’s own rules to object to individual new gTLD applications it deems risky or unworthy.
A GAC consensus advice objection against an applications has historically been enough to kill it dead, but any nation can also choose to go it alone by issuing a so-called GAC Early Warning.
An Early Warning is a unilateral notice to an applicant that a government doesn’t like their application and may try to get it rejected or changed in some way. Applicants are free to ignore such warnings, but are encouraged to engage with the government in question to resolve their concerns.
Could Chalmers’ remarks today be the first early warning?
.TOP promises to play nice on DNS abuse
.TOP Registry is off the ICANN naughty step, almost a year after it became the first registry to be hit by a public contract-breach notice over ICANN’s latest rules on DNS abuse.
The Org took the highly unusual step yesterday of publishing a blog post drawing attention to what it clearly sees as a big Compliance win, ahead of its public meeting in Prague later this month, at which abuse will no doubt, as usual, be a key discussion topic.
ICANN said that it has been working with .TOP for months to put in systems aimed at reducing the abuse of .top domains. It posted:
.TOP Registry expressed its commitment to maintaining compliance with the DNS Abuse obligations and continuously strengthening its abuse detection and mitigation processes through newly established collaboration channels and a structured approach designed to drive ongoing enhancement. ICANN Compliance acknowledged that the remedial measures were sufficient to cure the Notice of Breach. We noted that future violations of these requirements will result in expedited compliance action, up to and including the issuance of additional Notices of Breach.
Compliance had hit .TOP with the breach notice last year over allegations that it repeatedly ignored abuse reports submitted by security researchers, and that it was ignoring Uniform Rapid Suspension notices.
Security outfit URLAbuse later revealed it was the party that had reported .TOP to ICANN.
.TOP is a Chinese registry that sells mainly via Chinese registrars, typically at under a couple bucks retail. A non-scientific perusal of its zone files reveals that the majority of the many thousands of domains it sells every day are nothing but disposable junk — random strings of characters with no meaning in any language.
While .top is far from alone in that regard, it is the most successful at the abuse-attractive low-price-high-volume business model. Its zone grew by almost 1.2 million domains in the last 12 months — the biggest growth spurt of any TLD — and it has just shy of four million domains today.
Despite this implausibly rapid growth, ICANN says that abuse reports for .top domains started falling in April and there has been a “noticeable decrease in reported abuse”.
The Org says it will “actively monitor the effectiveness of these new [.TOP] systems and processes, the Registry Operator’s abuse rankings and their compliance with the requirements.”
The registry has told ICANN it has already “mitigated” over 100,000 abusive domain names with its new systems and processes.
Court denies ICANN’s #MeToo “cover up” attempt
A Los Angeles court has ruled against ICANN’s attempt to have a former employee’s sexual harassment lawsuit against it thrown out, which the plaintiff claims was an attempt to “silence” her.
Tanzanica King, one of ICANN’s longest-serving employees, sued ICANN last August, claiming that had been repeatedly sexually harassed by her superior and others, as well as being paid less than male counterparts and passed over for promotions.
She was ultimately let go in ICANN’s round of layoffs last year. King, who has given her consent to be named in this reporting, claims that she was fired for becoming a whistleblower.
ICANN’s response to the suit was to point out that King’s employment contract, signed in 2002, requires her to take all disagreements to arbitration, rather than the courts, so the case should be dismissed.
But a US Federal law signed onto the statute books in 2023 in the wake of the #MeToo movement — the Ending Forced Arbitration of Sexual Assault and Sexual Harassment Act (EFAA) — says that employees cannot be forced into arbitration.
ICANN argued, according to the court’s ruling (pdf) that the EFAA did not apply and local California state arbitration law should apply instead, but the judge disagreed.
The Superior Court in LA last week ruled, following precedent from Casey v. Superior Court last year:
The EFAA prohibits enforcing arbitration agreements against persons who allege sexual harassment… The EFAA applies to any dispute arising or accruing on or after the enactment of the act, May 2022
King’s lawyer, Jonathan Delshad, said in a statement:
ICANN tried to silence Ms. King and suppress the truth behind the secret walls of arbitration. This ruling affirms her right to tell her story in a public forum so that all can see what ICANN did to her. The Court’s decision makes clear that companies cannot use California law to escape accountability for sexual harassment and retaliation and make an end around the EFAA.
A trial date in July 2027 (not a typo) has been set.
An end to “Club Med for geeks” ICANN?
ICANN has dragged its community to 60 cities around the world over the 26 years and 75 in-person meetings since its foundation, but that degree of globe-trotting could soon come to an end.
A recently closed public comment period saw mixed responses to ICANN’s plan to reform its meetings strategy, but there was little dissent on one proposal; the community seems to be cool with ICANN narrowing the diversity of its venues.
The community was asked whether ICANN should prioritize affordability when it picks its host cities, even if that means it has to sign up to discounted long-term commitments on venues and hotels and return to the same locations over and over again.
They all said “Yes”. There was no division along the usual party lines.
ICANN is obligated by its bylaws to rotate its meetings around five geographic regions, but there’s no requirement to visit a diversity of nations. Hub cities such as Los Angeles, Singapore and Buenos Aires have played host multiple times.
Many commenters said that ICANN should stick to its geographic rotation commitments even if it means visiting fewer locations. Tucows suggested that one meeting per year should be in a “unique” location.
Perhaps the most on-point comment came from Blacknight Solutions boss Michele Neylon. He wrote: “ICANN meetings are work, so returning to well equipped facilities in accessible locations shouldn’t be a problem.”
A change of policy on meeting locations could also incidentally go some way to address the perception (not, I think, held by people who actually attend them) that ICANN spaffs cash jetting its community around the world on a series of cocktail-fuelled exotic jollies.
The most famous expression of this belief came perhaps in a 2008 Computerworld article, picked up by the Wall Street Journal, that ICANN was little more than a borderline corrupt “Club Med for geeks”.
But the effort to reform the meetings strategy is purely a financial one. ICANN wants to cut the cost of meetings at a time when its revenues can no longer be relied upon to predictably head north every year.
Perhaps the key idea in the new batch of proposals is whether to cut the length of its early-year Community Forum from six days to five, perhaps by rejiggering some of the scheduling so larger rooms at the venue do not need to be rented for as long.
There was much less agreement here. Supporters of the idea included the Intellectual Property Constituency, which pointed out that IP lawyers have paid work with other clients that they could be getting on with with a day in hand.
Opponents of the idea included the Registrars Stakeholder Group, which said: “This is unlikely to save significant costs as travel needs, the biggest expense to ICANN, does not change, although hotel and venue costs would be reduced — at the expense of getting all the required work done.
Another idea that received mixed opinions was whether the ICANN board’s meetings with the community’s various stakeholder groups would be better consolidated into one community-wide session, to reduce what is often duplicative and navel-gazey work.
The Non-Commercial Stakeholders Group said the move was a good idea and would “significantly enhance transparency, promote collective understanding, and reduce redundancy from separate interactions”.
Opposing, the IPC said: “The perspective of an individual group can easily be diluted or ignored in community-wide engagement sessions. The IPC values its one-on-one time with the Board”.
Commenters addressed a range of other questions related to the ICANN-drafted proposals.
Notably, while ICANN already seems to have ruled out bringing in registration fees for its meetings, which are all currently free on the door, registrars as represented by the RrSG, Tucows and Blacknight all suggested a nominal attendance fee should still be considered.
Comments can be read here, or you can wait for the ICANN staff summary, which is due to be published next week.
Big .gdn registrar at risk
A registrar that exclusively sells .gdn domain names seems to have gone AWOL, and ICANN Compliance is on its case.
Dubai-based Intracom Middle East has been slapped with a breach notice alleging failures to operate a compliant RDAP server, publish the names of its officers, pay its ICANN fees, and escrow its registrant data.
Some of these breaches seem to be due to the fact that the company’s web site is missing in action, today returning NXDOMAIN errors, and has quite possibly been repeatedly hacked.
Archived versions of its site from last year show it was at various times a Polish risotto recipes splog, an Indian burger joint, and a manga cosplay porn site.
It’s Intracom’s second brush with Compliance. Three years ago the case was escalated to a three-month accreditation suspension for pretty much the same infractions.
Unlike most recent Compliance actions, which have been against registrars with essentially no domains under management, this times some domains are actually at risk — over 10,000 of them in fact.
Intracom specializes/d in selling .gdn domains for under a buck apiece. Apart from a few dozen registrations in a few other gTLDs, all of its 10,000 domains were in .gdn. It was once .gdn’s biggest registrar, though that’s no longer the case.
The company has been given to the end of the month to comply or risk termination.
ICANN “reaffirms its commitment to diversity and inclusion”
It’s not exactly a U-turn, but ICANN has issued a statement clarifying that it’s still committed to the values of “diversity and inclusion”, if perhaps not the words themselves.
CEO Kurt Lindqvist posted on the ICANN blog last night:
While some terminology may have changed, the values that guide our work have not. Our actions and commitments remain the same. We have not stepped back from, retreated from, or abandoned ICANN’s core values, or an environment where all voices are welcomed, respected, and valued.
The metadata summary of the post, which shows up in RSS feeds and such if not the visible components of the web page itself, reads: “ICANN reaffirms its commitment to diversity and inclusion amid recent updates to webpage language.”
There have been no changes to policy or ICANN programs like the Fellowship or NextGen, he wrote.
The post follows the revelation last Thursday that ICANN had expunged almost all references to “diversity” and “inclusion” from a page formerly called “Diversity at ICANN” and now called “Representation at ICANN”.
What Lindqvist’s clarification does not clarify, or even address, are the reasons why ICANN felt the need to suddenly and sharply distance itself from language it has been enthusiastically promoting for over a year.
But perhaps no explanation is necessary. Anyone paying a modicum of attention to US politics this year can’t have failed to notice that the abbreviation “DEI” — diversity, equity, inclusion — has become politically toxic and the target of attacks from the Trump administration and its loyal MAGA followers.
What we seem to be looking at here is the ICANN equivalent of the Department of Defense panickedly erasing the Enola Gay from its web site.
While ICANN’s structural ties to the US government have been pretty loose and minimal since the IANA transition in 2016, it really doesn’t need to find itself fighting off a Trump attempt to renationalize the root.
ICANN kills off diversity and inclusion
ICANN seems to have become the latest American organization to back away from commitments to “diversity” and “inclusion” in the wake of a universe now controlled by the whims of Donald Trump.
The Org has recently started removing references to the D-word from its web site, sloppily editing its diversity-related web pages, replacing it with the less politically loaded term “representation”.
The “Diversity at ICANN” page is now called the “Representation at ICANN” page, and ICANN’s stated commitments have been changed from:
ICANN is entrusted with ensuring the stability, resiliency, and interoperability of the Internet’s unique identifier systems in an open Internet, and was founded on the belief that it should reflect the diversity of the Internet community.
to:
ICANN is entrusted with ensuring the stability, resiliency, and interoperability of the Internet’s unique identifier systems Internet and was founded on the belief that it should represent the broad Internet community.
The words “inclusive” and “inclusion”, also from the now apparently toxic “DEI” abbreviation, also seem to be deemed inappropriate. ICANN has changed its web site language from:
To live up to this responsibility, ICANN is committed to promoting greater diversity and supporting broad, inclusive participation in its processes.
to the apparently hastily edited (random comma in original):
To live up to this responsibility, ICANN is committed to supporting broad, participation in its processes.
The page no longer contains links to ICANN’s Diversity & Inclusion Toolkit, a set of educational materials designed to tell people that asking other community members where they come from means they’re a racist.
Also gone is the link to an ICANN Learn course on “Unconscious Bias”, which teaches you that not all nurses are female and not all CEOs are white men and apparently ICANN has money to burn.
While ICANN previously said it offers its staff “Diversity & Inclusion Training”, it now says it offers “Culture Training”.
All six references to “inclusion” present in the November 2024 archived page have been removed from today’s live page. All five uses of the word “inclusive” have also been deleted.
The November archive uses the word “diversity” 32 times and “diverse” twice. On the live page, those counts are down to two (where the word was used to refer to a named group or report), and none, respectively.
The link to “Diversity at ICANN” in the web site’s site-wide footer has also been removed.
Some of the edits are incredibly sloppy. The old page had a bullet point that read:
Community-wide surveys on Age Diversity and Participation and Gender Diversity and Participation
The findings offer insights into perceptions of gender and age diversity in the community, potential and perceived barriers to participation, and the community’s support for initiatives to enhance age and gender diversity.
But that now reads:
Community-wide surveys and
The findings offer insights into perceptions of gender and age in the community, potential and perceived barriers to participation, and the community’s support for initiatives to enhance understanding.
ICANN’s backtracking from earlier virtue signalling comes at a point in history when corporate America is steering away from DEI initiatives lest they incur the wrath of US President Donald Trump.
The question is: is this all just cosmetic, or will it affect ICANN policy?
The Org is currently considering changes to its Community Anti-Harassment Policy that would change the boundaries of what is considered acceptable behavior at ICANN meetings.
The proposed changes would either, depending on your point of view, a) make life more comfortable for people with protected characteristics, or b) make it easier to get cancelled for a cultural faux pas.
It’s been a few months since the public comments closed on the policy changes, so ICANN board action shouldn’t be far off. Will the Org’s retreat from DEI have an impact on its decision?
Kaufmann picked for ICANN board
Christian Kaufmann from Akamai has been reselected to represent the Address Supporting Organization on ICANN’s board of directors.
He’s the incumbent in Seat 10, having first been picked by the ASO in 2022, but he faced competition this time from Australian Karl Kloppenborg of Reset Data.
Kaufmann’s current term ends at ICANN 84 in October, but will be immediately extended for another three years.
Recent Comments