ICANN attendance soars but “females” stay away

ICANN attendees identifying themselves as female plummeted to 20% of the total at ICANN 63, even as overall attendance rocketed.
According to just-published stats from ICANN, 2,639 people checked in at the Barcelona venue for the late-October meeting.
That compares favorably to the Abu Dhabi meeting a year earlier, which saw 1,929 participants show up, to the last European meeting, Copenhagen in March last year, where there were 2,089 attendees, and to the last European AGM, 2015’s Dublin meeting with its 2,395 people.
Oddly, the number of people self-declaring their femaleness was down hugely. It reliably hovers around the 33% mark usually, but in Barcelona it was down to one in five.
The number of “males” was also down, from 59% in Abu Dhabi to 53% in at 63.
It seems very likely that the gender balance has not substantially changed, but that fewer people are ticking the gender box when they sign up.
The number of participants who chose not to disclose their gender was 27%, up from 10% in Abu Dhabi, 11% at ICANN 61 and 14% at ICANN 62.
There were wide regional differences in gender balance.
There were 1,440 attendees from Europe in Barcelona, more than half the total, and 28% of them did not disclose their gender. That number was just 8% among North Americans and 9% for Africans.
I’m at a loss to explain why the number of undeclareds would see such a sharp increase — did ICANN change how it gathers gender data this time around, or are people, women in particular, becoming more reticent to disclose their gender?
Perhaps Europeans registering on-site, where perhaps the gender option was easier to ignore on the terminals, tilted the balance? I’m speculating.
In other stats, it seems the number of sessions and session-hours is (thankfully) on the decline.
There were 338 session at 63, down from 407 a year ago, and the number of hours was down by 100, from 696 to 596.
The numbers also show a strong bias towards sessions involving the Governmental Advisory Committee when it comes to attendance, but that’s probably due to the GAC being so bloody big compared to other groups.
All this, and more additional statistics than anyone could possibly ever find useful, can be found here.

Kirikos lawyers up after ICANN etiquette fight

Domain investor George Kirikos has hired lawyers to send nastygrams to ICANN after a fight over the rules of etiquette on a working group mailing list.
Kirikos claims there’s a “campaign of intimidation” against him by fellow volunteers who do not agree with his opinions and forthright tone, but that he “has not done anything wrong”.
In response, ICANN CEO Goran Marby this evening revealed that he has assigned his general counsel and new deputy, John Jeffrey, to the case.
Even by ICANN standards, it’s a textbook case of a) manufacturing mountains out of molehills, and b) how it can become almost impossible to communicate like sensible human beings when everyone’s tangled in red tape.
The dispute started back in May, when Kirikos got into a fight with IP lawyer Greg Shatan on the mailing list of the Rights Protection Mechanisms working group.
Both men are volunteers on the group, which seeks to refine ICANN policy protecting trademark owners in gTLDs.
The argument was about the content of a World Intellectual Property Organization web page listing instances of UDRP cases being challenged in court.
Kirikos took a strident tone, to which Shatan took exception.
Shatan then reported Kirikos to the working group’s co-chairs, claiming a breach of the Expected Standards of Behavior — the informal code of conduct designed to prevent every ICANN discussion turning into a flame war and/or bare-knuckle alley fight.
Under GNSO PDP rules, working group volunteers have to agree to abide by the ESB. Group chairs have the ability to kick participants who repeatedly offend.
At this point, the sensible thing to do would have been for Shatan and Kirikos to hug it out and move on.
But this is ICANN.
What actually happened was a pointless procedural back-and-forth between Kirikos, Shatan, and working group chairs Phil Corwin of Verisign and Brian Beckham of WIPO, which resulted in Kirikos hiring two lawyers — Andrew Bernstein of Torys and regular ICANN participant Robin Gross of IP Justice.
It’s believed to be the first time a WG participant has hired counsel over a mailing list argument.
Far too boring to recount here, Corwin’s timeline of events can be found from page 24 of this transcript (pdf) of remarks delivered here in Barcelona during ICANN 63, while the Bernstein/Kirikos timeline can be found here (pdf).
The rub of it is that Kirikos reckons both Corwin and Beckham are biased against him — Beckham because Kirikos voted against his chairship, Corwin because of a similar dispute in a related working group earlier this year — and that the ESB is unenforceable anyway.
According to Bernstein: “Mr. Kirikos has strong concerns that whatever process ICANN purports to operate with respect to Mr. Shatan’s complaint, it will not be fairly or neutrally adjudicated.”
He added that Kirikos had said that “due to the precise language of Section 3.4 of the Working Group Guidelines, Mr. Shatan lacked a basis to initiate any complaint”.
That language allows complaints to be filed if the ESB is “abused”. According to Corwin’s account, Kirikos — well-known as a detail-oriented ICANN critic — reckons the correct term should be “violated”, which rendered the ESB “null and void and unenforceable” in this instance.
Bernstein has since added that the ICANN board of directors never intended the ESB to be anything but voluntary.
The sum of this appears to be that the dispute has had a chilling effect on the RPM working group’s ability to get anything done, consuming much of its co-chairs’ time.
Kirikos lawyering up seems to have compounded this effect.
Now, as ICANN 63 drew to a close this evening, CEO Marby said in a brief prepared statement that the WG’s work has “more or less stalled for the last several months” and that he’s assigned general counsel John Jeffrey to “look into the issues surrounding this matter”.
ICANN “takes the issue very seriously”, he said.
As well it might. The Kirikos/Shatan incident may have been blown waaaaay out of proportion, but at its core is a serious question about civil discourse in ICANN policy-making.
Personally, I hold out hope it’s not too late for everyone to hug it out and move on.
But this is ICANN.

This is how AppDetex works

A small brand-protection registrar with a big friend caused quite a stir at ICANN 63 here in Barcelona this week, after accusing registrars for the second time of shirking their duties to disclose private Whois data to trademark owners.
AppDetex, which has close ties to Facebook, has sent something like 9,000 Whois requests to registrars over the last several months, then complained to ICANN last week that it only got a 3% response rate.
Registrars cried foul, saying that the company’s requests are too vague to action and sometimes seem farcical, suggesting an indiscriminate, automated system almost designed to be overly burdensome to them.
In chats with DI this week, AppDetex CEO Faisal Shah, general counsel Ben Milam and consultant Susan Kawaguchi claimed that the system is nowhere near as spammy as registrars think, then showed me a demo of their Whois Requester product that certainly seemed to support that claim.
First off, Whois Requester appears to be only partially automated.
Tucows had noted in a letter to ICANN that it had received requests related to domains including lincolnstainedglass.com and grifflnstafford.com, which contain strings that look a bit like the “Insta” trademark but are clearly not cybersquatting.
“That no human reviewed these domains was obvious, as the above examples are not isolated,” Tucows CEO Elliot Noss wrote.
“It is abundantly clear to us that the requests we received were generated by an automated system,” Blacknight CEO Michele Neylon, who said he had received similarly odd requests, wrote in his own letter.
But, according to AppDetex, these assumptions are not correct.
Only part of its service is automated, they said. Humans — either customers or AppDetex in-house “brand analysts” — were involved in sending out all the Whois requests generated via its system.
AppDetex itself does not generate the lists of domains of concern for its clients, they said. That’s done separately, using unrelated tools, by the clients themselves.
It’s possible these could be generated from zone files, watch services, abuse reports or something else. The usage of the domain, not just its similarity to the trademark in question, would also play a role.
Facebook, for example, could generate its own list of domains that contain strings matching, partially matching, or homographically similar to its trademarks, then manually input those domains into the AppDetex tool.
The product features the ability to upload lists of domains in bulk in a CSV file, but Kawaguchi told me this feature has never been used.
Once a domain has been input to main Whois Requester web form, a port 43 Whois lookup is automatically carried out in the background and the form is populated with data such as registrar name, Whois server, IANA number and abuse email address.
At this point, human intervention appears to be required to visually confirm whether the Whois result has been redacted or not. This might require also going to the registrar’s web-based Whois, as some registrars return different results over port 43 compared to their web sites.
If a redacted record is returned, users can then select the trademark at issue from a drop-down (Whois Requestor stores its’ customers trademark information) and select a “purpose” from a different drop-down.
The “purposes” could include things like “trademark investigation” or “phishing investigation”. Each generates a different piece of pre-written text to be used in the template Whois request.
Users can then choose to generate, manually approve, and send off the Whois request to the relevant registrar abuse address. The request may have a “form of authorization” attached — a legal statement that AppDetex is authorized to ask for the data on behalf of its client.
Replies from registrars are sent to an AppDetex email address and fed into a workflow tool that looks a bit like an email inbox.
As the demo I saw was on the live Whois Requester site with a dummy account, I did not get a view into what happens after the initial request has been sent.
Registrars have complained that AppDetex does not reply to their responses to these initial requests, which is a key reason they believe them frivolous.
Shah and Milam told me that over the last several months, if a registrar reply has included a request for additional information, the Whois Requester system has been updated with a new template for that registrar, and the request resent.
This, they said, may account for duplicate requests registrars have been experiencing, though two registrars I put this to dispute whether it fits with what they’ve been seeing.
The fact that human review is required before requests are sent out “just makes it worse”, they also said.

US not happy with Donuts hiring Atallah

The US government appears to have reservations about Donuts’ recent hiring of ICANN bigwig Akram Atallah as its new CEO.
Speaking at a session of ICANN 63 here in Barcelona today, National Telecommunications and Information Administration head David Redl alluded to the recent hire.
Atallah was president of the Global Domains Division and twice interim CEO.
While most of Redl’s brief remarks today concerned internet security and Whois, he concluded by saying:

While the community has greatly improved ICANN’s accountability through the IANA stewardship transition process, there are still improvements to be made.
As one example, we need safeguards to ensure that ICANN staff and leadership are not only grounded ethically in their professional actions at ICANN, but also in their actions when they seek career opportunities outside of ICANN.
One potential fix could be “cooling off periods” for ICANN employees that accept employment with companies involved in ICANN activities and programs. This is an ethical way to ensure that conflicts of interest or appearances of unethical behavior are minimized.

ICANN faced similar scrutiny back in the 2011, when ICANN chair Peter Dengate Thrush pushed through the new gTLD program and almost immediately began working for a new gTLD applicant.
That was the same year Redl moved from being head of regulatory affairs at CTIA — lobbying for wireless industry legislation — to counsel to the House of Representatives Energy and Commerce Committee — helping to craft wireless industry legislation.
Here are his remarks. Redl starts speaking at around the 38-minute mark.

ICANN denies it’s in bed with trademark lawyers

ICANN chair Cherine Chalaby has strongly denied claims from non-commercial stakeholders that its attitude to Whois reform is “biased” in favour of “special interests” such as trademark lawyers.
In a remarkably fast reply (pdf) to a scathing October 17 letter (pdf) from the current and incoming chairs of the Non-Commercial Stakeholders Group, Chalaby dismissed several of the NCSG’s claims of bias as “not true”.
The NCSG letter paints ICANN’s efforts to bring Whois policy into line with the General Data Protection Regulation as rather an effort to allow IP owners to avoid GDPR altogether.
It even suggests that ICANN may be veering into content regulation — something it has repeatedly and specifically disavowed — by referring to how Whois may be used to combat “fake news”.
The “demonstrated intention of ICANN org has been to ensure the unrestrained and unlawful access to personal data demanded by special interest groups”, the NCSG claimed.
It believes this primarily due to ICANN’s efforts to support the idea of a “unified access model” — a way for third parties with “legitimate interests” to get access to private Whois data.
ICANN has produced a couple of high-level framework documents for such a model, and CEO Goran Marby has posted articles playing up the negative effects of an inaccessible Whois.
But Marby has since insisted that a unified access model is still very much an “if”, entirely dependent on whether the community, in the form of the Whois EPDP working group, decides there should be one.
That message was reiterated in Chalaby’s new letter to the NCSG.

The conversation on whether to adopt such a model must continue, but the outcomes of those discussions are for the community to decide. We expect that the community, using the bottom-up multistakeholder model, will take into account all stakeholders’ views and concerns.

He denied that coordinating Whois data is equivalent to content regulation, saying it falls squarely within ICANN’s mandate.
“ICANN’s mission related to ‘access to’ this data has always encompassed lawful third-party access and use, including for purposes that may not fall within ICANN’s mission,” he wrote.
The exchange of letters comes as parties on the other side of the Whois debate also lobby ICANN and its governmental advisors over the need for Whois access.

ICANN 63, Day 0 — registrars bollock DI as Whois debate kicks off

Blameless, cherubic domain industry news blogger Kevin Murphy received a bollocking from registrars over recent coverage of Whois reform yesterday, as he attended the first day of ICANN 63, here in Barcelona.
Meanwhile, the community working group tasked with designing this reform put in a 10-hour shift of face-to-face talks, attempting to craft the language that will, they hope, bring ICANN’s Whois policy into line with European privacy law.
Talks within this Expedited Policy Development Process working group have not progressed a massive amount since I last reported on the state of affairs.
They’re still talking about “purposes”. Basically, trying to write succinct statements that summarize why entities in the domain name ecosystem collect personally identifiable information from registrants.
Knowing why you’re collecting data, and explaining why to your customers, is one of the things you have to do under the General Data Protection Regulation.
Yesterday, the EPDP spent pretty much the entire day arguing over what the “purposes” of ICANN — as opposed to registries, registrars, or anyone else — are.
The group spent the first half of the day trying to agree on language explaining ICANN’s role in coordinating DNS security, and how setting policies concerning third-party access to private Whois data might play a role in that.
The main sticking point was the extent to which these third parties get a mention in the language.
Too little, and the Intellectual Property Constituency complains that their “legitimate interests” are being overlooked; too much, and the Non-Commercial Stakeholders Group cries that ICANN is overstepping its mission by turning itself into a vehicle for trademark enforcement.
The second half of the day was spent dealing with language explaining why collecting personal data helps to establish ownership of domains, which is apparently more complicated than it sounds.
Part of this debate was over whether registrants have “rights” — such as the right to use a domain name they paid for.
GoDaddy policy VP James Bladel spent a while arguing against this legally charged word, again favoring “benefits”, but appeared to eventually back down.
It was also debated whether relatively straightforward stuff such as activating a domain in the DNS by publishing name servers can be classed as the disclosure of personal data.
The group made progress reaching consensus on both sets of purposes, but damn if it wasn’t slow, painful progress.
The EPDP group will present its current state of play at a “High Interest Topic” session on Monday afternoon, but don’t expect to see its Initial Report this week as originally planned. That’s been delayed until next month.
While the EPDP slogs away, there’s a fair bit of back-channel lobbying of ICANN board and management going on.
All the players with a significant vested interest in the outcome are writing letters, conducting surveys, and so on, in order to persuade ICANN that it either does or does not need to create a “unified access model” that would allow some parties to carry on accessing private Whois data more or less the same way as they always have.
One such effort is the one I blogged about on Thursday, shortly before heading off to Barcelona, AppDetex’s claims that registrars have ignored or not sufficiently responded to some 9,000 automated requests for Whois data that its clients (notably Facebook) has spammed them with recently.
Registrars online and in-person gave me a bollocking over the post, which they said was one-sided and not in keeping with DI’s world-renowned record of fairness, impartiality and all-round awesomeness (I’m paraphrasing).
But, yeah, they may have a point.
It turns out the registrars still have serious beef with AppDetex’s bulk Whois requests, even with recent changes that attempt to scale back the volume of data demanded and provide more clarity about the nature of the request.
They suspect that AppDetex is simply trawling through zone files for strings that partially match a handful of Facebook’s trademarks, then spamming out thousands of data requests that fail to specify which trademarks are being infringed and how they are being infringed.
They further claim that AppDetex and its clients do not respond to registrars’ replies, suggesting that perhaps the aim of the game here is to gather data not about the owner of domains but about registrars’ alleged non-compliance with policy, thereby propping up the urgent case for a unified access mechanism.
AppDetex, in its defence, has been telling registrars on their private mailing list that it wants to carry on working with them to refine its notices.
The IP crowd and registrars are not the only ones fighting in the corridors, though.
The NCSG also last week shot off a strongly worded missive to ICANN, alleging that the organization has thrown in with the IP lobby, making a unified Whois access service look like a fait accompli, regardless of the outcome of the EPDP. ICANN has denied this.
Meanwhile, cybersecurity interests have also shot ICANN the results of a survey, saying they believe internet security is suffering in the wake of ICANN’s response to GDPR.
I’m going to get to both of these sets of correspondence in later posts, so please don’t give me a corridor bollocking for giving them short shrift here.
UPDATE: Minutes after posting this article, I obtained a letter Tucows has sent to ICANN, ripping into AppDetex’s “outrageous” campaign.
Tucows complains that it is being asked, in effect, to act as quality control for AppDetex’s work-in-progress software, and says the volume of spurious requests being generated would be enough for it ban AppDetex as a “vexatious reporter”.
AppDetex’s system apparently thinks “grifflnstafford.com” infringes on Facebook’s “Insta” trademark.
UPDATE 2: Fellow registrar Blacknight has also written to ICANN today to denounce AppDetex’s strategy, saying the “automated” requests it has been sending out are “not sincere”.

ICANN turns 20 today (or maybe not)

ICANN is expected to celebrate its 20th anniversary at its Barcelona meeting next month, but by some measures it has already had its birthday.
If you ask Wikipedia, it asserts that ICANN was “created” on September 18, 1998, 20 years ago today.
But that claim, which has been on Wikipedia since 2003, is unsourced and probably incorrect.
While it’s been repeated elsewhere online for the last 15 years, I’ve been unable to figure out why September 18 has any significance to ICANN’s formation.
I think it’s probably the wrong date.
It seems that September 16, 1998 was the day that IANA’s Jon Postel and Network Solutions jointly published the organization’s original bylaws and articles of incorporation, and first unveiled the name “ICANN”.
That’s according to my former colleague and spiritual predecessor Nick Patience (probably the most obsessive journalist following DNS politics in the pre-ICANN days), writing in now-defunct Computergram International on September 17, 1998.
The Computergram headline, helpfully for the purposes of the post you are reading, is “IANA & NSI PUBLISH PLAN FOR DNS ENTITY: ICANN IS BORN”.
Back then, before the invention of the paragraph and when ALL CAPS HEADLINES were considered acceptable, Computergram was published daily, so Patience undoubtedly wrote the story September 16, the same day the ICANN proposal was published.
A joint Postel/NetSol statement on the proposal was also published September 17.
The organization was not formally incorporated until September 30, which is probably a better candidate date for ICANN’s official birthday, archived records show.
Birthday meriments are expected to commence during ICANN 63, which runs from October 20 to 25. There’s probably free booze in it, for those on-site in Barcelona.
As an aside that amused me, the Computergram article notes that Jones Day lawyer Joe Sims very kindly provided Postel with his services during ICANN’s creation on a “pro bono basis”.
Jones Day has arguably been the biggest beneficiary of ICANN cash over the intervening two decades, billing over $8.7 million in fees in ICANN’s most recently reported tax year alone.

Mediators hired as Whois reformers butt heads

ICANN has hired professional mediators to help resolve strong disagreements in the working group tasked with reforming Whois for the post-GDPR world.
Kurt Pritz, chair of the Expedited Policy Development Process for Whois, last week told the group that ICANN has drafted in the Consensus Building Institute, with which it has worked before, to help “narrow issues and reach consensus”.
Three CBI mediators will brief the EPDP group today, and join them when the WG meets face-to-face for the first time at a three-day session in Los Angeles later this month.
Their goal is not to secure any particular outcome, but to help the disparate viewpoints find common ground, Pritz told the group.
It’s been Pritz’s intention to get the mediators in since day one — he knew in advance how divisive Whois policy is — but it’s taken until now to get the contracts signed.
The EPDP WG’s job is to create a new, privacy-conscious, consensus Whois policy that will apply to all gTLD registries and registrars. Its output will replace ICANN’s post-GDPR Temporary Specification for Registration Data, which in turn replaced the longstanding Whois policy attached to all ICANN registry and registrar contracts.
Since the working group first convened in early August — about 500 emails and 24 hours of painful teleconferences ago — common ground has been hard to find, and in fact the EPDP group did not even attempt to find consensus for the first several weeks of discussions.
Instead, they worked on its first deliverable, which was finalized last week, a “triage report” that sought to compile each faction‘s opinion of each section of ICANN’s Temp Spec.
The idea seemed sensible at the time, but with hindsight it’s arguable whether this was the best use of the group’s time.
The expectation, I believe, was that opposing factions would at least agree on some sections of text, which could then be safely removed from future debate.
But what emerged instead was this, a matrix of disagreement in which no part of the Temp Spec did not have have at least one group in opposition:
The table is potentially misleading, however. Because groups were presented with a binary yes/no option for each part of the spec, “no” votes were sometimes recorded over minor language quibbles where in fact there was agreement in principle.
By restricting the first few weeks of conversation to the language of the Temp Spec, the debate was arguably prematurely hamstrung, causing precious minutes to trickle away.
And time is important — the EPDP is supposed to deliver its consensus-based Initial Report to the ICANN 63 meeting in Barcelona about five weeks from now.
That’s going to be tough.
What’s becoming increasingly clear to me from the post-triage talks is that the WG’s task could be seen as not much less than a wholesale, ground-up, reinvention of the Whois wheel, recreated with GDPR as the legal framework.
Who is Whois for?
Discussions so far have been quite mind-expanding, forcing some fundamental rethinking of long-held, easy assumptions, at least for this lurker. Here’s an example.
One of the fundamental pillars of GDPR is the notion of “purposes”. Companies that collect private data on individuals have to do so only with specific, enumerated purposes in mind.
The WG has started by discussing registrars. What purpose does a registrar have when it collects Whois data from its registrants?
None whatsoever, it was claimed.
“To execute the contract between the registrant and the registrar, it’s really not necessary for registrars to collect any of this information,” GoDaddy head of policy James Bladel, representing registrars, told the group on its latest call Thursday.
Registrars collect data on their customers (not just contact data, but also stuff like credit card details) for billing and support purposes, but this is not the same as Whois data. It’s stored separately and never published anywhere. While covered by GDPR, it’s not covered by Whois policy.
Whois data is only collected by registrars for third parties’ purposes, whether that third party be a registry, ICANN, a data escrow agent, a cop, or an intellectual property enforcer.
“Other than a few elements such as domain name servers, there is nothing that is collected in Whois that is needed for the registrar to do their business,” At-Large Advisory Committee chair Alan Greenberg told the WG. “All of them are being collected for their availability to third parties, should they need it.”
While this may seem like a trivial distinction, drawing a hard line between the purposes of registries, registrars and ICANN itself on the one hand and law enforcement, cybersecurity and IP lawyers on the other is one of the few pieces of concrete advice ICANN has received from European data protection regulators.
There’s by no means unanimous agreement that the registrars’ position is correct, but it’s this kind of back-to-basics discussion that makes me feel it’s very unlikely that the EPDP is going to be able to produce an Initial Report with anything more than middling consensus by the October deadline.
I may be overly pessimistic, but (mediators or no mediators) I expect its output will be weighted more towards outlining and soliciting public comment on areas of disagreement than consent.
And the WG has not yet even looked in depth at the far thornier issue of “access” — the policy governing when third parties such as IP lawyers will be able to see redacted Whois data.
Parties on the pro-access side of the WG have been champing at the bit to bring access into the debate at every opportunity, but have been
Hey, look, a squirrel!
The WG has also been beset by its fair share of distractions, petty squabbles and internal power struggles.
The issues of “alternates” — people appointed by the various constituencies to sit in on the WG sessions when the principles are unavailable — caused some gnashing of teeth, first over their mailing list and teleconference privileges and then over how much access they should get to the upcoming LA meeting.
Debates about GDPR training — which some say should have been a prerequisite to WG participation — have also emerged, after claims that not every participant appeared clued-in as to what the law actually requires. After ICANN offered a brief third-party course, there were complaints that it was inadequate.
Most recently, prickly Iranian GAC rep Kavouss Arasteh last week filed a formal Ombudsman complaint over a throwaway god-themed pun made by Non-Com Milton Mueller, and subsequently defended by fellow non-resident Iranian Farzaneh Badii, in the Adobe Connect chat room at the September 6 meeting.
Mueller has been asked to apologize.