Tech giants gunning for AlpNames over new gTLD “abuse”

A small group of large technology companies including Microsoft and Facebook have demanded that ICANN Compliance take a closer look at AlpNames, the budget registrar regularly singled out as a spammers’ favorite.
The ad hoc coalition, calling itself the Independent Compliance Working Party, wrote to ICANN last week to ask why the organization is not making better use of statistical data to bring compliance actions against the small number of companies that see the most abuse.
AlpNames, the Gibraltar-based registrar under common ownership with new gTLD portfolio registry Famous Four Media, is specifically singled out in the group’s letter.
The letter, sourcing the August 2017 Statistical Analysis of DNS Abuse in gTLDs (pdf), says there “is a clear problem with one particular contracted party”.
AlpNames was the registrar behind over half of the new gTLD domains blacklisted by SpamHaus over the study period, for example, the letter states.
The tiny territory of Gibraltar also frequently ranks unusually highly on abuse lists due to AlpNames presence there, the letter and report say.
The ICWP letter also says that the four gTLDs .win, .loan, .top, and .link were used by over three quarters of abusive domains over the SADAG study period.
The letter calls the abuse rates “troublesome” and says:

We are alarmed at the levels of DNS abuse among a few contracted parties, and would appreciate further information about how ICANN Compliance is using available data to proactively address the abusive activity amongst this subset of contracted parties in order to improve the situation before it further deteriorates.

It goes on to wonder whether high levels of unaddressed abuse could amount to violations of new gTLD Registry Agreements and Registrar Accreditation Agreements, and to ask whether there any barriers to ICANN Compliance pursuing breach claims against such potential violations.
The ICWP comprises Adobe, DomainTools, eBay, Facebook, Microsoft and Time Warner. It’s represented by Fabricio Vayra of Perkins Coie.
Other than the letter (pdf), the Independent Compliance Working Party does not appear to have any web presence, and a spokesperson has not yet responded to DI’s request for more information.
The SADAG report also singled out Chinese registrar Nanjing Imperiosus Technology Co, aka DomainersChoice.com, as having particularly egregious levels of abuse, but noted that this abuse disappeared after ICANN terminated its RAA last year.
AlpNames has not to date had any public breach notices issued against it, but this is certainly not the first time it’s been singled out for public censure.
In November last year, ICANN’s Competition, Consumer Trust, and Consumer Choice Review Team (CCT) named it in a report that claimed: “Certain registries and registrars appear to either positively encourage or at the very least willfully ignore DNS abuse.”
AlpNames seems to have been used often by abusers due to its bargain-basement, often sub-$1 prices — making disposable domains more cost effective — and its tool that allowed up to 2,000 domains to be registered simultaneously.
If not actively soliciting abusive behavior, these factors certainly don’t make abuse any more difficult.
But will ICANN Compliance take action in response to the criticism leveled by CCT and now ICWP?
The main problem with the ICWP letter, and the SADAG report it is based upon, is that the data it uses is now rather old.
The SADAG report sourced abuse databases only up to January 2017, a time when AlpNames’ total gTLD domains under management was at its peak of around three million names.
Since then, the company has been hemorrhaging DUM, losing hundreds of thousands of domains every month. At the end of November 2017, the most recent data compiled by DI shows that it was down to around 838,000 domains.
It’s quite possible that AlpNames’ customer base is no longer the den of abuse it once was, whether due to natural attrition or a proactive purge of bad actors.
A month ago, in a press release connected with a $5.4 million buy-out of an co-founder, AlpNames chairman Iain Roache said he has a “10-year strategic plan” to turn AlpNames into a “Tier-1” registrar and “bring the competition to the incumbents”.

Get drunk on Neustar’s tab and it will donate money to hurricane relief

Neustar has promised to donate thousands of dollars to a Puerto Rican hurricane relief charity, providng enough people show up to its open bar event in San Juan next week.
It’s fairly standard for domain companies of Neustar’s size to host free after-hours social events during ICANN meetings, but this time the company said it will donate $25 for each attendee to charity.
The beneficiary is the Puerto Rico Resistance Fund, operated by Americas for Conservation and the Arts, which is helping rebuild the island after Hurricane Maria hit it for six last September.
“We want to bring together the community, help spread awareness of the hardship and devastation in Puerto Rico, and make our community proud they are contributing in a small way financially,” Neustar VP Lori Anne Wardi told DI.
With the company telling me it expects 500 guests or more to the invitation-only event, expect a total donation topping $12,500.
The venue is the Antiguo Casino, which appears to be about a 10-minute taxi ride from the Puerto Rico Convention Center, at which the ICANN 61 public meeting is being held.
The event runs from 1900 to 2330 local time.
The official death toll in Puerto Rico from Maria was 64, but a New York Times analysis puts the number at closer to 1,000. Parts of the island, a US territory, are still suffering from infrastructure problems such as power outages.

Whois privacy will soon be free for most domains

Enormous changes are coming to Whois that could mark the end of Whois privacy services this year.
ICANN has proposed a new Whois model that would anonymize the majority of domain name registrants’ personal data by default, only giving access to the data to certain certified entities such as the police.
The model, published on Friday and now open for comment, could change in some of the finer details but is likely being implemented already at many registries and registrars.
Gone will be the days when a Whois lookup reveals the name, email address, physical address and phone number of the domain’s owner.
After the model is implemented, Whois users will instead merely see the registrant’s state/province and country, organization (if they have one) and an anonymized, forwarding email address or web form for contact purposes.
Essentially, most Whois records will look very much like those currently hiding behind paid-for proxy/privacy services.
Technical data such as the registrar (and their abuse contact), registration and expiry dates, status code, name servers and DNSSEC information would still be displayed.
Registrants would have the right to opt in to having their full record displayed in the public Whois.
Anyone wanting to view the full record would have to be certified in advance and have their credentials stored in a centralized clearinghouse operated by or for ICANN.
The Governmental Advisory Committee would have a big hand in deciding who gets to be certified, but it would at first include law enforcement and other governmental agencies.
This would likely be expanded in future to include the likes of security professionals and intellectual property lawyers (still no word from ICANN how the legitimate interests of the media or domain investors will be addressed) but there could be a window in which these groups are hamstrung by a lack of access to thick records.
The proposed model is ICANN’s attempt to bring Whois policy, which is enforced in its contracts with registries and registrars, into line with GDPR, the European Union’s General Data Protection Regulation, which kicks in fully in May.
The model would apply to all gTLD domains where there is some connection to the European Economic Area.
If the registrar, registry, registrant or a third party processor such as an escrow agent is based in the EEA, they will have to comply with the new Whois model.
Depending on how registrars implement the model in practice (they have the option to apply it to all domains everywhere) this means that the majority of the world’s 188 million gTLD domains will probably be affected.
While GDPR applies to only personal data about actual people (as opposed to legal persons such as companies), the ICANN model makes no such distinction. Even domains owned by legal entities would have their records anonymized.
The rationale for this lack of nuance is that even domains owned by companies may contain personal information — about employees, presumably — in their Whois records.
Domains in ccTLDs with EEA connections will not be bound to the ICANN model, but will rather have to adopt it voluntarily or come up with their own ways to become GDPR compliant.
The two largest European ccTLDs — .uk and Germany’s .de, which between them account for something like 28 million domains — last week separately outlined their plans.
Nominet said that from May 25 it will no longer publish the name or contact information of .uk registrants in public Whois without their explicit consent. DENIC said something similar too.
Here’s a table of what would be shown in public Whois, should the proposed ICANN model be implemented.
[table id=50 /]
The proposal is open for comment, with ICANN CEO Goran Marby requesting emailed input before the ICANN 61 public meeting kicks off in Puerto Rico this weekend.
With just a couple of months left before the law, with its huge fines, kicks in, expect GDPR to be THE hot topic at this meeting.

ICANN loses comms chief to Fannie Mae

ICANN’s top PR guy has quit for a job at Fannie Mae.
Duncan Burns, senior vice president of global communications and managing director of the Washington DC office, will leave the organization next month after the ICANN 61 meeting in Puerto Rico.
Burns has been leading comms at ICANN for five years. Last year, he also took over as ICANN’s lead DC lobbyist, a reduced role in the post-IANA-transition world.
He told DI that he’s going to be VP of external communications at Fannie Mae, the mortgage finance company.
ICANN said that while a permanent replacement is found his deputy Gwen Carlson will take over the comms role while Chris Mondini, VP of stakeholder engagement, will cover US government relations.
If anyone’s wondering how this affects ICANN’s current budget discussions, Burns received total compensation in excess of $415,000 in 2016, ICANN’s last-reported tax year.

Should ICANN cut free travel, or its own staff?

Is ICANN’s suddenly limited budget best spent on its staff wages or on flights and hotels for certain volunteers?
That’s the debate that’s been emerging in the ICANN community in the last few weeks since ICANN revealed it would have to make some “tough choices” in the face of lower than expected revenue from a stagnant domain industry.
Members of the ICANN Fellowship program have started a petition calling for the organization to look at its own staffing needs before cutting the number of Fellows it supports in half.
The petition is not signed (though I have a pretty good idea who started it) and at time of publication, it has 194 signatures.
The Fellowship program sees ICANN pay for the travel and lodging, along with a per diem allowance, of up to 60 community members at each of its three annual major meetings.
They’re usually ICANN newbies and generally from less-developed regions of the world.
But because ICANN is trying to cut $5 million from its fiscal 2019 budget it wants to reduce the number of supported Fellows down to 30 per meeting.
ICANN says (pdf) that the average cost to send a Fellow to a meeting is $3,348, which would work out at or $200,880 per meeting or $602,640 per year.
Cutting the program in half would presumably therefore save a tad over $300,000 a year.
It’s not nothing, but it’s chickenfeed in a budget penciled in at $138 million for FY19.
While Fellows are not the only people seeing budget cutbacks, the only one of five broad areas that will actually see growth in ICANN’s FY19 budget is staffing costs.
The organization said personnel spend will go up from $69.5 million to $76.8 million in its next fiscal year.
That’s based on the staff growing by 34 people in the fiscal year to June 30. Those people will then earn a full year’s wages in FY19, rather than the partial year they earned in FY18.
It also plans to increase headcount by four people in FY19, and to give employees an average of 2% pay rises (cut from 4%).
The end-of-year headcount would be 425. That means headcount will have doubled since about September 2013. It was at under 150 when the new gTLD program kicked off in 2012.
Does ICANN really need so many staff? It’s a question people have been asking since before headcount even broke into three digits (over 10 years ago).
The petition organizers wrote that ICANN could not only maintain but increase funding for Fellows by just lowering staffing levels by one or two people, adding:

Given that most of the fellows are from developing countries, the Fellowship Program is not only a learning platform for capacity building to empower volunteers with the skills needed to create a positive impact both within ICANN and in their home countries, but also it is practically the only way to overcome the insurmountable financial burden faced by individuals coming from world regions where even access to drinking water is problematic, not to mention access to computers and quality IT infrastructure that is taken for granted in developed countries.

There’s no denying that attending ICANN meetings can be a pricey undertaking. I come from the developed world and I’ve skipped a few for cost reasons.
But there’s no point ICANN splashing out its cash (which is after all a quasi-tax gathered ultimately from domain registrants) on a Fellowship program unless it knows what the ROI is.
Are the Fellows worth the money?
There’s a kind of running joke — that, disclosure alert, I participate in regularly — that Fellows are mainly good for being strong-armed into singing ICANN’s praises at the open-mic Public Forum sessions held at two of the three meetings each year.
But that’s probably not entirely fair. The program has supported some committed community members who are certainly not slackers.
There are two former Fellows — Léon Felipe Sanchez Ambia and Rafael Lito Ibarra — currently sitting on the ICANN board of directors, and at least one I know of on the GNSO Council.
There are also about 10 members of ICANN staff who were former fellows and ICANN has documented several more participants who are still active in formal roles in ICANN.
Would these people have gotten so involved with ICANN if that financial support had not been there for them originally? I don’t know.
ICANN has attempted in the past to put some hard numbers on the value of the program, and the results are perhaps not as encouraging as when one cherry-picks the success stories.
It conducted a survey last year (pdf) of all 602 former Fellows and managed to get a hold of 597 of them. It wanted to know whether they were still engaged in the ICANN community.
But only 53%, 317 people, even bothered to respond to the survey. Of those who did respond, 198 said they were still involved in the ICANN community.
Basically, of the 600 Fellows ICANN has subsidized to attend ICANN meetings over the last 10 years, just one third say they are still participating.
Is that a good hit rate?
Would it be worth firing a couple of ICANN staffers — or at least allowing a position or two to fall to attrition — in order to keep the Fellowship program funded at current levels?
I honestly have no strong opinion either way on this one, but I’d be interested to hear what you have to say.
No doubt ICANN is too. Its public comment period on the FY19 budget is still open.

ICANN would reject call for “diversity” office

ICANN’s board of directors would reject a call for an “Office of Diversity”, due to its current budget crunch.
The board said as much in remarks filed to a public comment period that got its final report this week.
The report of the CCWG-Accountability Work Stream 2 working group had recommended several potential things ICANN could do to improve diversity in the community, largely focused on collecting and publishing data on diversity.
“Diversity” for the purposes of the recommendations does not have the usual racial connotations of the word. Instead it means: geography, language, gender, age, physical disability, skills and stakeholder group.
Some members of the working group had proposed an independent diversity office, to ensure ICANN sticks to diversity commitments, but this did not gain consensus support and was not a formal recommendation.
Some commenters, including (in a personal capacity) a current vice chair of the Governmental Advisory Committee and a former ICANN director, had echoed the call for an office of diversity.
But ICANN’s board said it would not be able to support such a recommendation:

Given the lack of clarity around this office, lack of consensus support within the subgroup (and presumably within the CCWG-Accountability and the broader community), and noting the previously-mentioned budget and funding constraints and considerations, the Board is not in a position to accept this item if it were to be presented as a formal consensus-based recommendation

In general terms, it encouraged the working group to consider ICANN’s “limited funding” when it makes its final recommendations.
It added that it may be difficult for ICANN to collect personal data on community members, in light of the General Data Protection Regulation, the EU privacy law that kicks in this May.
All the comments on the report can be found here.

Registries reject lower fees for anti-abuse prowess

Registries have largely rejected a proposal for them to be offered financial incentives to lower the amount of abuse in their gTLDs.
That’s despite the idea gaining broad support from governments, intellectual property interests and restricted-registration registries.
The concept of ICANN offering discounted fees to registries that proactively fight abuse was floated by the Competition, Consumer Trust, and Consumer Choice Review Team (CCT) back in November.
It recommended in its draft report, among other things:

Consider directing ICANN org, in its discussions with registries, to negotiate amendments to existing Registry Agreements, or in negotiations of new Registry Agreements associated with subsequent rounds of new gTLDs to include provisions in the agreements providing incentives, including financial incentives for registries, especially open registries, to adopt proactive anti-abuse measures.

“Proactive” in this case would mean measures such as preventing known bad actors from registering domains, rather than just waiting for complaints to be filed.
Given that registries have been calling for lower ICANN fees in other instances, one might expect to see support from that constituency.
However, the Registries Stakeholder Group said in a document filed to ICANN’s public comment period on the CCT’s latest recommendations that, it “opposes” the idea of such financial incentives. It said:

The RySG supports recognizing and supporting the many [registry operators] that take steps to discourage abuse, but opposes amending the RA as recommended, to mandate or incentivize ‘proactive’ anti-abuse measures.

The RySG complained that such a system would require lots of complex work to arrive at a definition of abuse and what kinds of measures would qualify as “proactive”.
Even if such definitions could be found, and amendments to the standard RA successfully negotiated, there’s still no guarantee that bad registries would sign up for the incentives or stick to their promises, “resulting in no net improvement to the current situation”, the RySG said.
The group is also concerned that adding more anti-abuse clauses to the RA could increase registries’ risk of liability should they be sued over abuse carried out by their customers.
Not all registries agreed with the RySG position, however.
The informal Verified Top-Level Domains Consortium, which comprises the two registries behind .bank, .insurance and .pharmacy, filed comments supporting the proposal.
It said that gTLDs with vetted eligibility requirements see no abuse but have lower registration volumes and therefore pay higher ICANN fees on a per-domain basis. It said:

ICANN should help to offset these costs to create a more level playing field with high-volume unrestricted registries, i.e., to enhance competition as well as consumer trust. If ICANN made it more financially advantageous to verify eligibility, other registries may be encouraged to adopt this model. The outcome would be the elimination of abuse in these verified TLDs.

Outside of the industry itself, the Governmental Advisory Committee and IP interests such as the Intellectual Property Constituency and INTA, filed comments supporting anti-abuse incentives.
The IPC “strongly” supported the recommendation, but added that the finer details would need to be worked out to ensure that lower ICANN fees did not translate automatically to lower registration fees and therefore more abuse.
Shocking nobody, it added that “abuse” should include intellectual property infringements.
Conversely, the Non-Commercial Stakeholders Group said it “strongly” opposes the recommendation, on the basis that it would push ICANN into a “content policeman” role in violation of its technical mandate:

ICANN is not a US Federal Trade Commission or an anti-fraud unit or regulatory unit of any government. Providing guidance, negotiation and worse yet, financial incentives to ICANN-contracted registries for anti-abuse measures is completely outside of our competence, goals and mandates. Such acts would bring ICANN straight into the very content issues that passionately divide countries — including speech laws, competition laws, content laws of all types. It would invalidate ICANN commitments to ourselves and the global community. It would make ICANN the policemen of the Internet, not the guardians of the infrastructure. It is a role we have sworn not to undertake; a role beyond our technical expertise; and a recommendation we must not accept.

Also opposed to incentivizing anti-abuse measures was the Messaging, Malware and Mobile Anti-Abuse Working Group (an independent entity, not an ICANN working group), which said there’s no data to support such a recommendation.

The reports provide no data that showcase what the implications of altering the economic underpinnings of a highly competitive market may entail, including inadvertent side effects such as registries that already sell low price domains being rewarded with lower ICANN fees. In fact, it may ultimately result in a race to the bottom and higher rates of domain abuse.

Instead, M3AAWG said that ICANN should concentrate is contractual compliance efforts on those registries that the data shows already have large amounts of abuse — presumably meaning the likes of .top, .gdn and the Famous Four Media stable.
ICANN itself filed a comment on the proposal, pointing out that it is not able to unilaterally impose anti-abuse measures into registry agreements.
One imagines that lowering fees at a time when its own budget is under a lot of pressure would probably not be something ICANN would be eager to implement.
These comments and more were summarized in ICANN’s report on the CCT public comment period, published yesterday. The comments themselves can be found here.
The comments feed back into the CCT review team’s work ahead of its final report, which is due to be published some time during Q1.
Under its bylaws, the CCT review is one of the things that ICANN has to complete before it opens the next round of new gTLD applications.

ICANN chief to lead talks over blocked .amazon gTLD

ICANN CEO Goran Marby has been asked to help Amazon come to terms with several South American governments over its controversial bid for the .amazon gTLD.
The organization’s board of directors passed a resolution last week accepting the suggestion, which came from the Governmental Advisory Committee. The board said:

The ICANN Board accepts the GAC advice and has asked the ICANN org President and CEO to facilitate negotiations between the Amazon Cooperation Treaty Organization’s (ACTO) member states and the Amazon corporation

Governments, prominently Peru and Brazil, have strongly objected to .amazon on the grounds that the “Amazon” river and rain-forest region, known locally as “Amazonas” should be a protected geographic term.
Amazon’s applications for .amazon and two Asian-script translations were rejected a few years ago after the GAC sided with its South American members and filed advice objecting to the gTLDs.
A subsequent Independent Review Process panel last year found that ICANN had given far too much deference to the GAC advice, which came with little to no evidence-based justification.
The panel told ICANN to “promptly” take another look at the applications and “make an objective and independent judgment regarding whether there are, in fact, well-founded, merits-based public policy reasons for denying Amazon’s applications”.
Despite this, the .amazon application is still classified as “Will Not Proceed” on ICANN’s web site. That’s basically another way of saying “rejected” or “denied”.
Amazon the company has promised to protect key domains, such as “rainforest.amazon”, if it gets to run the gTLDs. Governments would get to help create a list of reserved, sensitive domains.
It’s also promised to actively support any future bids for .amazonas supported by the governments concerned.
.amazon would be a dot-brand, so only Amazon would be able to register names there.

Economist would sue ICANN if it publishes private emails

The Economist Intelligence Unit has threatened to sue ICANN if it publishes emails related to its evaluations of “community” gTLDs.
That’s according to a document published by ICANN this week, in which the organization refused to reveal any more information about a controversial probe into the Community Priority Evaluations the EIU conducted on its behalf.
EIU “threatened litigation” should ICANN publish emails sent between the two parties, the document states.
New gTLD applicant DotMusic, which failed its CPE for .music but years later continues to fight for the decision to be overturned, filed a Documentary Information Disclosure Policy request with ICANN a month ago.
DIDP is ICANN’s equivalent of a Freedom of Information Act.
DotMusic’s request among many other items sought the release of over 100,000 emails, many sent between ICANN and the EIU, that ICANN had provided to FTI Consulting during FTI’s investigation into whether the CPEs were fair, consistent and absent ICANN meddling.
But in its response this week, ICANN pointed out that its contract with EIU, its “CPE Provider”, has confidentiality clauses:

ICANN organization endeavored to obtain consent from the CPE Provider to disclose certain information relating to the CPE Process Review, but the CPE Provider has not agreed to ICANN organization’s request, and has threatened litigation should ICANN organization breach its contractual confidentiality obligations. ICANN organization’s contractual commitments must be weighed against its other commitments, including transparency. The commitment to transparency does not outweigh all other commitments to require ICANN organization to breach its contract with the CPE Provider.

DotMusic’s DIDP sought the release of 19 batches of information, which it hopes would bolster its case that both the EIU’s original reviews and FTI’s subsequent investigation were flawed, but all requests were denied by ICANN on various grounds.
In more than one instance, ICANN claims attorney-client privilege under California law, as it was actually ICANN’s longstanding law firm Jones Day, rather than ICANN itself, that contracted with FTI.
The FTI report cleared ICANN of all impropriety and said the EIU’s CPE process had been consistent across each of the gTLD applications it looked at.
The full DIDP request and response can be found here.
ICANN has yet to make a decision on .music, along with .gay, .hotel, .cpa, and .merck, all of which were affected by the CPE reviews.

Full $185,000 refunds offered to risky new gTLD applicants

ICANN is to offer applicants for three new gTLDs identified as too risky to go live full refunds of their application fees.
Its board of directors acknowledged at its weekend retreat that it has no intention of delegating .corp, .home and .mail, and that each applicant should be able to get their entire $185,000 application fee back.
The applicants will have to withdraw their applications in order to get the refund.
Ordinarily, withdrawing an application would only qualify the applicants for a partial refund.
The ICANN board said in its resolution that it “does not intend to delegate the strings .CORP, .HOME, and .MAIL in the 2012 round of the New gTLD Program”.
It added that “the applicants were not aware before the application window that the strings .CORP, .HOME, and .MAIL would be identified as high-risk, and that the delegations of such high-risk strings would be deferred indefinitely.”
The three strings are considered risky because they already receive vast amounts of “name collision” traffic, largely from DNS queries that leak out from private networks.
There’s a concern that delegating any of them would create a big security risk in terms of confidential data leakage and stuff just generally breaking.
It’s been six years since the last new gTLD application window was open, and some applicants for the strings abandoned their bids years ago.
There are five remaining .corp applicants (and one withdrawal), five for .mail (two withdrawals) and ten for .home (one withdrawal).
The refunds will be taken from ICANN’s separate new gTLD program budget so presumably will not have an impact on its current operating budget woes.
The board noted that technically it did not have to give full refunds, under the terms of the Applicant Guidebook, but that it was doing so in the interest of “fairness”.
This may come as little comfort to applicants whose money has been tied up in limbo for the last six years.