“We own your name” government tells Amazon in explosive slapdown

Amazon suffered a blistering attack from South American governments over its controversial .amazon gTLD applications this weekend.
A Peruvian official today excoriated Amazon’s latest peace offering, telling the tech giant in no uncertain terms that the word “Amazon” is not its property and demanding an apology for the company’s alleged behavior during recent legal proceedings.
“We will be giving you permission to use a certain word, not the other way around,” she said. “We are the owners of the Amazonian region.”
Speaking for almost 10 minutes during a session at the ICANN 60 meeting in Abu Dhabi this afternoon, Peru’s representative to the Governmental Advisory Committee pulled rank and scolded Amazon like a naughty schoolchild.
She claimed that Amazon had been bad-mouthing Peru by saying former GAC reps had “lied to and manipulated” the rest of the GAC in order to get support for its objection. She then demanded an apology from the company for this.
She was speaking in support of the idea that the string “Amazon” belongs to the people of the Amazonas region, which covers as many as eight South American countries, rather than the American company, despite the fact that none of those countries use the English word to describe the region.
Her remarks drew applause from parts of the audience.
Amazon had showed up at the session — described by two GAC reps later as a “lion’s den” — to offer a “strong, agreed-upon compromise that addresses the needs of the governments”.
The proposed deal would see the GAC drop its objections to .amazon in exchange for certain safeguards.
Amazon is promising to reserve geographically and culturally sensitive words at the second level in .amazon.
The domain rainforest.amazon, its associate general counsel Dana Northcott said by way of example, would be never be used by anyone.
Affected governments would get to negotiate a list of such terms before .amazon went live and there’d be an ongoing consultation process for more such terms to be protected in future.
The company has also promised not to object to — and in fact to actively support with hard resources — any future applications for .amazonas or other local-language variants by the people of the region.
But Peru was not impressed, telling the company that not only is the English version of the name of the region not its property but also that it must show more respect to governments.
“No government is going to accept any impositions from you,” she said, before appealing to fellow GAC members that the issue represents a kind of existential threat.
“The core issue here… is our survival as governments in this pseudo-multi-stakeholder space that has been invented,” she said.
“They want us to believe this is a place where we have dignity but that is increasingly obvious that this is not the case,” she said. “We don’t have it. And that is because of companies like yours… Companies that persist in not respecting the governments and the people they represent.”
The Peruvian GAC rep, listed on the GAC web site as María Milagros Castañon Seoane but addressed only as “Peru” during the session, spoke in Spanish; I’ve been quoting the live interpretation provided by ICANN.
Her remarks, in my opinion, were at least partially an attempt to strengthen her side’s negotiating hand after an Independent Review Process panel this July spanked ICANN for giving too much deference to GAC advice.
The IRP panel decided that ICANN had killed the .amazon applications — in breach of its bylaws — due to a GAC objection that appeared on the face of the public record to be based on little more than governmental whim.
The panel essentially highlighted a clash between ICANN’s bylaws commitments to fairness and transparency and the fact that its New gTLD Applicant Guidebook rules gave the GAC a veto over any application for any reason with no obligation to explain itself.
It told ICANN to reopen the applications for consideration and “make an objective and independent judgment regarding whether there are, in fact, well-founded, merits-based public policy reasons for denying Amazon’s applications”.
That was back in July. Earlier today, the ICANN board of directors in response to the IRP passed a resolution calling for the GAC to explain itself before ICANN 61 in March next year, resolving in part:

Resolved (2017.10.29.02), the Board asks the GAC if it has: (i) any information to provide to the Board as it relates to the “merits-based public policy reasons,” regarding the GAC’s advice that the Amazon applications should not proceed; or (ii) any other new or additional information to provide to the Board regarding the GAC’s advice that the Amazon applications should not proceed.

Other governments speaking today expressed doubt about whether the IRP ruling should have any jurisdiction over such GAC advice.
“It is not for any panelist to decided what is public policy, it is for the governments to decide,” Iran’s Kavouss Arasteh said.
During a later session today the GAC, talking among itself, made little progress in deciding how to formally respond to the ICANN board’s resolution.
A session between the GAC and the ICANN board on Tuesday is expected to be the next time the issue raises its increasingly ugly head.

Verisign and Afilias testing Whois killer

Verisign and Afilias have become the first two gTLD registries to start publicly testing a replacement for Whois.
Both companies have this week started piloting implementations of RDAP, the Registration Data Access Protocol, which is expected to usurp the decades-old Whois protocol before long.
Both pilots are in their very early stages and designed for a technical audience, so don’t expect your socks to be blown off.
The Verisign pilot offers a web-based, URL-based or command-line interface for querying registration records.
The output, by design, is in JSON format. This makes it easier for software to parse but it’s not currently very easy on the human eye.
To make it slightly more legible, you can install a JSON formatter browser extension, which are freely available for Chrome.
Afilias’ pilot is similar but does not currently have a friendly web interface.
Both pilots have rudimentary support for searching using wildcards, albeit with truncated result sets.
The two new pilots only currently cover Verisign’s .com and .net registries and Afilias’ .info.
While two other companies have notified ICANN that they intend to run RDAP pilots, these are the first two to go live.
It’s pretty much inevitable at this point that RDAP is going to replace Whois relatively soon.
Not only has ICANN has been practically champing at the bit to get RDAP compliance into its registry/registrar contracts, but it seems like the protocol could simplify the process of complying with incoming European Union privacy legislation.
RDAP helps standardize access control, meaning certain data fields might be restricted to certain classes of user. Cops and IP enforcers could get access to more Whois data than the average blogger or domainer, in other words.
As it happens, it’s highly possible that this kind of stratified Whois is something that will be legally mandated by the EU General Data Protection Regulation, which comes into effect next May.

ICANN shifts dates on five public meetings to avoid holidays

ICANN has changed the proposed dates of five out of nine forthcoming public meetings in order to avoid clashes with religious festivals and national holidays.
The meetings affected — ICANNs 70 through 78 — are all scheduled for 2021, 2022 and 2023 and naturally don’t have any venue selected yet, so nobody is going to have to change any travel plans.
The biggest shift will see the usual October meeting in 2022 moved a full month earlier to September due to a clash with the Jewish holiday Sukkot and its subsequent holy days.
Ramadan in 2023 will see the March meeting moved a week earlier.
Midsummer, something celebrated mainly in Sweden and neighboring countries, will see the June meetings in all three years moved back a week.
Interestingly, a clash with Midsummer was highlighted as a selling point of the Helsinki meeting a couple of years ago. ICANN’s latest CEO, a Swede, is no doubt more sensitive to the cultural significance of the holiday.
The changes were all made in response to comments from the At-Large Advisory Committee and the Non-Commercial Stakeholders Group.
The list of changes and rationale can be found here (pdf).
ICANN’s latest meeting, ICANN 60, kicks off in Abu Dhabi this weekend.

Amsterdam refuses to publish Whois records as GDPR row escalates

Two Dutch geo-gTLDs are refusing to provide public access to Whois records in what could be a sign of things to come for the whole industry under new European privacy law.
Both .amsterdam and .frl appear to be automatically applying privacy to registrant data and say they will only provide full Whois access to vetted individuals such as law enforcement officials.
ICANN has evidently slapped a breach notice on both registries, which are now complaining that the Whois provisions in their Registry Agreements are “null and void” under Dutch and European Union law.
FRLregistry and dotAmsterdam, based in the Netherlands, are the registries concerned. They’re basically under the same management and affiliated with the local registrar Mijndomein.
dotAmsterdam operates under the authority of the city government. .frl is an abbreviation of Friesland, a Dutch province.
Both companies’ official registry sites, which are virtually identical, do not offer links to Whois search. Instead, they offer a statement about their Whois privacy policy.
That policy states that Dutch and EU law “forbids that names, addresses, telephone numbers or e-mail addresses of Dutch private persons can be accessed and used freely over the internet by any person or organization”.
It goes on to state that any “private person” that registers a domain will have their private contact information replaced with a “privacy protected” message in Whois.
Legal entities such as companies do not count as “private persons”.
Under the standard ICANN Registry Agreement, all new gTLDs are obliged to provide public Whois access under section 2.5. According to correspondence from the lawyer for both .frl and .amsterdam, published by ICANN, the two registries have been told they are in breach.
It seems the breach notices have not yet escalated to the point at which ICANN publishes them on its web site. At least, they have not been published yet for some reason.
But the registries have lawyered up already, regardless.
A letter from Jetse Sprey of Versteeg Wigman Sprey to ICANN says that the registries are free to ignore section 2.5 of their RAs because it’s not compliant with the Dutch Data Protection Act and, perhaps more significantly, the EU General Data Protection Regulation.
The GDPR is perhaps the most pressing issue for ICANN at the moment.
It’s an EU law due to come into effect in May next year. It has the potential to completely rewrite the rules of Whois access for the entire industry, sidestepping the almost two decades of largely fruitless ICANN community discussions on the topic.
It covers any company that processes private data on EU citizens; breaching it can incur fines of up to €20 million or 4% of revenue, whichever is higher.
One of its key controversies is the idea that citizens should have the right to “consent” to their personal data being processed and that this consent cannot be “bundled” with access to the product or service on offer.
According to Sprey, because the Registry Agreement does not give registrants a way to register a domain without giving their consent to their Whois details being published, it violates the GDPR. Therefore, his clients are allowed to ignore that part of the RA.
These two gTLDs are the first I’m aware of to openly challenge ICANN so directly, but GDPR is a fiercely hot topic in the industry right now.
During a recent webinar, ICANN CEO Goran Marby expressed frustration that GDPR seems to have come about — under the watch of previous CEOs — without any input from the ICANN community, consideration in the EU legislative process of how it would affect Whois, or even any discussion within ICANN’s own Governmental Advisory Committee.
“We are seeing an increasing potential risk that the incoming GDPR regulation will mean a limited WHOIS system,” he said October 4. “We appreciate that for registers and registers, this regulation would impact how you will do your business going forward.”
ICANN has engaged EU legal experts and has reached out to data commissioners in the 28 EU member states for guidance, but Marby pointed out that full clarity on how GDPR affects the domain industry could be years away.
It seems possible there would have to be test cases, which could take five years or more, in affected EU states, he suggested.
ICANN is also engaging with the community in its attempt to figure out what to do about GDPR. One project has seen it attempt to gather Whois use cases from interested parties. Long-running community working groups are also looking at the issue.
But the domain industry has accused ICANN the organization of not doing enough fast enough.
Paul Diaz and Graeme Bunton, chairs of the Registries Stakeholder Group and Registrars Stakeholder Group respectively, have recently escalated the complaints over ICANN’s perceived inaction.
They told Marby in a letter that they need to have a solution in place in the next 60 days in order to give them time to implement it before the May 2018 GDPR deadline.
Complaining that ICANN is moving too slowly, the October 13 letter states:

The simple fact is that the requirements under GDPR and the requirements in our contracts with ICANN to collect, retain, display, and transfer personal data stand in conflict with each other.
…
GDPR presents a clear and present contractual compliance problem that must be resolved, regardless of whether new policy should be developed or existing policy adjusted. We simply cannot afford to wait any longer to start tackling this problem head-on.

For registries and registrars, the lack of clarity and the risk of breach notices are not the only problem. Many registrars make a bunch of cash out of privacy services; that may no longer be as viable a business if privacy for individuals is baked into the rules.
Other interests, such as the Intellectual Property Constituency (in favor of its own members’ continued access to Whois) and non-commercial users (in favor of a fundamental right to privacy) are also complaining that their voices are not being heard clearly enough.
The GDPR issue is likely to be one of the liveliest sources of discussion at ICANN 60, the public meeting that kicks off in Abu Dhabi this weekend.
UPDATE: This post was updated October 25 to add a sentence clarifying that companies are not “private persons”.

This is who won the .inc, .llc and .llp gTLD auctions

The winners of the auctions to run the gTLD registries for company identifiers .inc, .llc and .llp have emerged due to ICANN application withdrawals.
All three contested gTLDs had been held up for years by appeals to ICANN by Dot Registry — an applicant with the support of US states attorneys general — but went to private auction in September after the company gave up its protests for reasons its CEO doesn’t so far want to talk about.
The only auction won by Dot Registry was .llp. That stands for Limited Liability Partnership, a legal construct most often used by law firms in the US and probably the least frequently used company identifier of the three.
Google was the applicant with the most cash in all three auctions, but it declined to win any of them.
.inc seems to have been won by a Hong Kong company called GTLD Limited, run by DotAsia CEO Edmon Chong. DotAsia runs .asia, the gTLD granted by ICANN in the 2003 application round.
My understanding is that the winning bid for .inc was over $15 million.
If that’s correct, my guess is that the quickest, easiest way to make that kind of money back would be to build a business model around defensive registrations at high prices, along the lines of .sucks or .feedback.
My feedback would be that that business model would suck, so I hope I’m wrong.
There were 11 original applicants for .inc, but two companies withdrew their applications years ago.
Dot Registry, Uniregisty, Afilias, GMO, MMX, Nu Dot Co, Google and Donuts stuck around for the auction but have all now withdrawn their applications, meaning they all likely shared in the lovely big prize fund.
MMX gained $2.4 million by losing the .inc and .llc auctions, according to a recent disclosure.
.llc, a US company nomenclature with more potential customers of lower net worth, went to Afilias.
Dot Registry, MMX, Donuts, LLC Registry, Top Level Design, myLLC and Google were also in the .llc auction and have since withdrawn their applications.

One in three women say they have seen sexism at ICANN

Almost a third of female members of the ICANN community say they have witnessed sexism in the community, according to the results of a recent survey.
Asked “Have you ever experienced or witnessed what you perceive to be sexism or gender bias within the ICANN community?”, 30% of women respondents said “Yes”.
Only 17% of men answered in the affirmative. Overall, 75% of respondents said they had not seen such biases in action.
The broad survey into gender balance at ICANN was carried out over a month in June and July with a web-based tool and got 584 responses.
Participants were self-selecting, and there were slightly more female respondents than male (going against the grain of usual participation data), so the results should probably not be considered completely scientific.
The survey did not offer its own definition of sexism, so respondents were able to use their own judgement.
Of those who said they’d seen sexism in the community, most said they’d seen it at ICANN’s regular public meetings. Over a third said they’d witnessed it on mailing lists.
The older the participant, the more likely it was that they had seen behavior they considered sexist.
ICANN suggests that this could be because behaviors have changed as ICANN has matured, or that younger people have different definitions of sexism than their older peers.
Of those who said they had witnessed sexism, only four people chose to report it through ICANN channels such as the Ombudsman. Three of those people were men.
Almost half said they “chose” not to report the behavior, while 41% said they were unsure how to go about reporting it.
Some people who chose to add additional color to their responses said that they had only heard about the reportable incident second-hand.
The survey also found that almost 60% of respondents believe that there are barriers to participating in the ICANN community.
Those people were given the opportunity to rank factors that could act as barriers. Cost came out in a strong lead, but gender was found to be just as much a barrier as language.
That may be not so much a critique of the community itself, but rather of the backwards attitudes to women in some of the countries in which ICANN hosts its meetings.
Only 9% of women respondents said they have personally experienced a gender-related barrier to participation. Cost, lack of time, knowledge and geography all came out ahead.
When it came to solutions, the survey found that almost three quarters of respondents supported voluntary targets to promote gender balance in the community.
However, fewer than half of respondents — still a rather high 41% — said there should be “mandatory” quotas of women.
Unsurprisingly, support for affirmative action along mandatory lines was much higher among women than men, and much higher among the younger crowd than the old-timers.
The full report and a rather pretty infographic can be downloaded in the UN language of your choosing from here.

Double-charging claims as registries ramp up new gTLD refund demands

Registry operators have stepped up demands for ICANN to dip into its $100 million new gTLD cash pile to temporarily lower their “burdensome” accreditation fees.
A new missive from the Registries Stakeholder Group to ICANN this week also introduces a remarkable claim that ICANN may have “double charged” new gTLD applications to the tune of potentially about $6 million.
The RySG wants ICANN to reduce the quarterly fixed fees new gTLD registries must pay by 75% from the current $6,250, for a year, at a cost to ICANN of $16.87 million.
ICANN still has roughly $96 million in leftover money from the $185,000 per-TLD application fees paid in 2012, roughly a third of which had been earmarked for unexpected expenses.
When Global Domains Division president Akram Atallah refused this request in August, he listed some of the previously unexpected items ICANN has had to pay for related to the program, one of which was “implementation of the Trademark Clearinghouse”.
But in last week’s letter (pdf), the RySG points out that each registry was already billed an additional $5,000 fee specifically to set up the TMCH.

Your letter states that registry operators knew about the fee structure from the start and implies that changes of circumstance should be irrelevant. The TMCH charge, however, was not detailed in the applicant guidebook. ICANN added it on its own after all applications were accepted and without community input. Therefore, ICANN is very much in a position to refund registry operators for this overcharge, and we request that ICANN do so. Essentially, you would be refunding the amounts we paid with our own application fees, which should have been used to set up the TMCH in the first place.

These additional fees could have easily topped $6 million, given that there are over 1,200 live new gTLDs.
Was this a case of double-charging, as the RySG says?
My gut feeling is that Atallah probably just forgot about the extra TMCH fee and misspoke in his August letter. The alternative would be a significant accounting balls-up that would need rectifying.
RySG has asked ICANN for a “detailed accounting” of its new gTLD program expenses to date. If produced, that could clear up any confusion.
Group chair Paul Diaz, who signed the letter, has also asked for a meeting with Atallah at the Abu Dhabi public meeting later this month, to discuss the issue.
The letter also accuses ICANN of costing applicants lost revenue by introducing policies such as the ban on two-letter domains, increased trademark protections, and other government-requested restrictions that were introduced after application fees had already been paid.
The tone of the letter is polite, but seems to mask an underlying resentment among registries that ICANN has not been giving them a fair chance to grow their businesses.
UPDATE: This story was updated October 12 to correct the estimate of the total amount of TMCH setup fees collected.

Election season at ICANN

Two significant votes are coming up soon in the ICANN community, with the GNSO Council looking for a new chair and the ccNSO ready to select a new appointee for the ICANN board of directors.
The ccNSO election will see an actual contest for what is believed to be the first time, with at least two candidates fighting it out.
The GNSO vote is rather less exciting, with only one candidate running unopposed.
It seems Heather Forrest, an intellectual property lawyer, occasional new gTLD consultant, and professor at the University of Tasmania, will replace GoDaddy VP of policy James Bladel as Council chair a month from now.
Forrest, currently a vice-chair, was nominated by the Non-Contracted Parties House.
The Contracted Parties House (registries and registrars), evidently fine with Forrest taking over, decided not to field a candidate, so the November 1 vote will be a formality.
In the ccNSO world, the country-codes are electing somebody to take over from Mike Silber on the ICANN board, a rather more powerful position, when his term ends a year from now.
Nominations don’t close until a week from now, but so far there are two candidates: Nigel Roberts and Pierre Ouedraogo.
Roberts, nominated for the job by Puerto Rico, runs a collection of ccTLDs for the British Channel Islands.
Ouedraogo is from Burkina Faso but does not work for its ccTLD. He is a director of the Francophone Institute for Information and New Technologies. He was nominated by Kenya.
Both men are long-time participants in ICANN and the ccNSO.
Roberts, who currently sits on the ccNSO Council, tells me he believes it’s the first time there’s been a contested election for a ccNSO-appointed ICANN board seat since the current system of elections started in 2003.
Silber has been in the job for eight years and is term-limited so cannot stand again. The other ccNSO appointee, Chris Disspain, will occupy the other seat for another two years.

In harsh tones, ccNSO rejects NomCom appointee

ICANN’s Country Code Names Supporting Organization has rejected the appointment to its Council of a Canadian registry director.
Saying NomCom ignored long-standing guidance to avoid appointing registry employees, the ccNSO Council has said the recent naming of Marita Moll to the role is “unacceptable”.
Moll will have to choose between sitting on the Council and being a director of .ca registry CIRA, the Council said in a letter to NomCom and the ICANN board.
Three of the Council’s 18 voting members are selected by NomCom. The rest are elected from ccTLD registries, three from each of ICANN’s five geographic regions.
To maintain balance, and promote independent views, the Council told NomCom most recently back in 2012 that it should refrain from appointing people connected to ccTLD registries.
The new Council letter (pdf) reads:

Council’s view (none dissenting) is that your Committee’s proposed selection directly contravenes this requirement, notwithstanding the clear and explicit assurance we received in 2012 from the then Chair of Nominating Committee that the Committee would be “avoiding any member already belonging to the ccTLD management participating in the ccNSO”.

The situation is exacerbated by the fact that CIRA already has representation on the Council in the form of CEO Byron Holland.
The letter concludes that the conflict is “irreconcilable” and the appointment “unacceptable”.
As the ccNSO does not appear to have refusal powers on NomCom appointees, it will presumably be up to Moll to decline the appointment.

New gTLDs still a crappy choice for email — study

New gTLDs may not be the best choice of domain for a primary email address, judging by new research.
Over 20% of the most-popular web sites do not fully understand email addresses containing long TLDs, and Arabic email addresses are supported by fewer than one in 10 sites, a study by the Universal Acceptance Steering Group has found.
Twitter, IBM and the Financial Times are among those sites highlighted as having only partial support for today’s wide variety of possible email addresses.
Only 7% of the sites tested were able to support all types of email address.
The study, carried out by Donuts and ICANN staff, looked at 749 websites (in the top 1,000 or so as ranked by Alexa) that have forms for filling in email addresses.
On each site, seven different email addresses were input, to see whether the site would accept them as valid.
The emails used different combinations of ASCII and Unicode before the dot and mixes of internationalized domain name and ASCII at the second and top levels.
These were the results (click to enlarge or download the PDF of the report here):

The problem with these numbers, it seems to me, is the lack of a control. There’s no real baseline to judge the numbers against.
There’s no mention in the paper about testing addresses that use .com or decades-old ccTLDs, which would have highlighted web sites that with broken scripts that reject all emails.
But if we assume, as the paper appears to, that all the tested web sites were 100% compliant for .com domains, the scores for new gTLDs are not great.
There are currently over 800 TLDs over four characters in length, but according to the UASG research 22% of web sites will not recognize them.
There are 150 IDN TLDs, but a maximum of 30% of sites will accept them in email addresses.
When it comes to right-to-left scripts, such as Arabic, the vast majority of sites are totally hopeless.
UASG dug into the code of the tested sites when it could and found that most of them use client-side code — JavaScript processing a regular expression — to verify addresses.
A regular expression is complex bit of code that can look something like this: /^.+@(?:[^.]+\.)+(?:[^.]{2,})$
It’s not every coder’s cup of tea, but it can get the job done with minimal client-side resource overheads. Most coders, the UASG concludes, copy regex they found on a forum and maybe tweak it a bit.
This should not be shocking news to anyone. I’ve known about it since 2009 or earlier when I first started ripping code from StackOverflow.
However, the UASG seems to be have been working on the assumption that more sites are using off-the-shelf software libraries, which would have allowed the problem to be fixed in a more centralized fashion.
It concludes in its paper that much greater “awareness raising” needs to happen before universal acceptance comes closer to reality.