ICANN urged to crack down on new gTLD abuse
Registries selling dirt-cheap new gTLD domains should be rewarded with lower ICANN fees when they get proactive about abuse, while registrars that turn a blind eye to spammers should be suspended, an ICANN working group will recommend.
In its second batch of findings, the Competition, Consumer Trust, and Consumer Choice Review Team (CCT) said that financial incentives and a new complaints procedure should be used to persuade registries and registrars to fight DNS abuse.
The CCT said it “proposes the development of incentives to reward best practices preventing technical DNS abuse and strengthening the consequences for culpable or complacent conduits of technical DNS abuse” in a paper published today.
The review, which drew on multiple sources of market and abuse data, original research, and analysis of third-party research, is probably the most comprehensive study into the impact of the new gTLD program to date.
It concluded that overall rates of DNS abuse did not increase as a result of the program, but that bad actors are increasingly migrating away from legacy gTLDs such as .com to 2012-round TLDs such as .top, .gdn and Famous Four Media’s stable.
Indeed, much of the paper appears to be a veiled critique of FFM’s practices.
The registrar AlpNames, known to be affiliated with FFM and responsible for most of its retail sales, is singled out as the currently accredited registrar particularly favored by abusers.
The CCT report notes that AlpNames regularly sells domains for under $1, or gives them away for free, and offered a tool allowing registrants to randomly generate up to 2,000 available domains in 27 different gTLDs, pretty much inviting abuse.
“Certain registries and registrars appear to either positively encourage or at the very least willfully ignore DNS abuse. Such behavior needs to be identified rapidly and action
must be taken by ICANN compliance as deemed necessary,” the paper says.
The review found that gTLDs with no registration restrictions and the lowest prices had the most abuse. Duh.
“Generally, the DNS Abuse Study indicates that the introduction of new gTLDs did not increase the total amount of abuse for all gTLDs,” its report says. “[F]actors such as registration restrictions, price, and registrar-specific practices seem more likely to affect abuse rates.”
Drawing on data provided by 11 domain block-lists (SURBL, SpamHaus, etc), the paper states that at least one TLD (FFM’s .science) had an abuse rate excess of 50%.
Using SpamHaus data, the paper identities FFM’s .science, .stream, .trade, .review, .download and .accountant as having over 10% abuse during the period of its study. Also on that list: Uniregistry’s low-price .click and the China-based .top and .gdn.
One thing they all have in common is that AlpNames is a leading registrar, usually accounting for at least a quarter of domains under management.
There’s no way AlpNames/FFM is not aware of the amount of bad actors in its customer base, the question is what can ICANN do about it?
The CCT team recommends that registries and registrars with over 10% of their names used for abusive purposes should be tasked by ICANN with proactively cleaning up their zones. Those that fail to do so should be subject to a new Domain Abuse Dispute Resolution Process, it said.
These companies should have their contracts suspended when they’re “associated with unabated, abnormal and extremely high rates of technical abuse”, the report recommends.
There’s a big boilerplate specifying, tellingly, that registry operators that control registrars are affected by this recommendation too.
It should be noted that there was not a full consensus of support for the idea of a DADRP. Half a dozen working group members filed minority statements opposing it.
It’s not all stick in the report, however. There’s some carrot, too.
The CCT report recommends financial incentives such as fee reductions for registries that have “proactive anti-abuse measures” in place.
It noted that there is precedent for ICANN doing this kind of thing when it implemented an anti-tasting policy that seriously restricted registrars’ ability to get registry refunds.
The CCT Review Team was formed to figure out what impacts the 2012 new gTLD round had on the domain name market.
The completion of its work is one of several gating factors to the next new gTLD application round under ICANN’s new bylaws and the old Affirmation of Commitments with the US government.
It published initial recommendations earlier this year. This new set of recommendations is now open for public comment until January 8.
Aussie gov refuses to spill the beans on ICANN vice chair’s firing
The Australian government has refused to release documents concerning alleged “financial irregularities” at local ccTLD manager auDA that have been linked to the firing of former CEO Chris Disspain.
A request under the Freedom of Information Act sought documents detailing Disspain’s March 2016 termination, as well as high levels of travel expenses and apparent under-reporting of “fringe benefit tax” under his watch.
The request was filed in September by by industry consultant Ron Andruff, who is known to have beef with Disspain after having been passed over for an important ICANN leadership role.
One of the specific documents sought by Andruff was an unpublished audit by PPB Advisory known to have uncovered slack historical expenses management practices and high levels of travel expenditure.
While rumors have circulated, there have been no substantiated allegations of wrongdoing by Disspain.
The Australian Department of Communications and the Arts told Andruff this weekend that 13 relevant documents had been identified and reviewed, but that all were exempt from disclosure under the FOI Act.
Reasons given include the right to privacy of the individual concerned and the fact that the information could fuel “unsubstantiated allegations of misconduct”.
The Department also thought that disclosing the documents could make it harder to it to obtain information from auDA in future, particularly relevant given that it recently kicked off a review of the organization.
While acknowledging there were some public interest reasons to publish the documents, on balance it said that the public interest reasons not to publish were more numerous.
auDA has been plagued by problems such as high turnover of staff and board, unpopular policies, and the member-instigated ouster of its chair, since Disspain left.
Separately, Disspain became ICANN’s vice chair earlier this month, having sat on the board for the last seven years as a representative of the ccTLD community.
He’s one of four community-nominated ICANN directors who have agreed to undergo the same background checks as their Nominating Committee-appointed counterparts, in part due to pressure applied by Andruff.
The FOI response can be viewed here (pdf).
Hurricane victims get a renewal pass under ICANN rules
ICANN has given registries and registrars the ability to delay the cancellation of domain names owned by victims of Hurricane Maria and other similar natural disasters.
In a note to contracted parties, published by Blacknight boss Michele Neylon this weekend, Global Domains Division president Akram Atallah said:
registrars will be permitted to temporarily forebear from canceling domain registrations that were unable to be renewed as a result of the natural disaster.
Maria and other hurricanes caused widespread damage to infrastructure in the Caribbean earlier this year — not to mention the loss of life — making it difficult for many people to get online to renew their registrations.
ICANN’s Registrar Accreditation Agreement ties registrars to a fairly strict domain name renewal and expiration life-cycle, but there’s a carve out for certain specified “extenuating circumstances” such as bankruptcy or litigation.
Atallah’s note makes it clear that ICANN considers hurricane damage such a circumstance, so its contractual compliance department will not pursue registrars who fail to expire domains on time when the registrant has been affected by the disaster.
He added that perhaps it’s time for the ICANN community to come up with a standardized policy for handling such domains. There’s already been mailing list chatter of such an initiative.
ICANN is heading to Puerto Rico, which was quite badly hit by Maria, for its March 2018 public meeting.
While attendees have been assured that the infrastructure is in place for the meeting to go ahead, large parts of the island are reportedly still without power.
Even post-Weinstein, no sexual harassment complaints at ICANN
There have been no formal complaints of sexual harassment in the ICANN community since the organization introduced a zero tolerance policy back in March, according to the Ombudsman.
That’s even after the current media storm about such behavior, precipitated by the revelations about movie producer Harvey Weinstein, which has given men and women in many industries the confidence to level accusations against others.
“There have been no complaints of sexual harassment since the implementation of the Community Anti-Harassment Policy nor the uptake of [post-Weinstein] media coverage,” ICANN Ombudsman Herb Weye told DI in response to an inquiry today.
The anti-harassment policy was adopted in March, and there have been three full, in-person ICANN meetings since then.
Face-to-face meetings are of course where one would expect to see such incidents, if any were to occur.
The policy bans everything from groping to wolf-whistling to dirty jokes to repeated, unwanted requests for dates.
At the time the policy was approved, ICANN general counsel John Jeffrey noted that there had been more than one such complaint since the infamous Cheesesandwichgate incident in March 2016.
No complaints since March does not necessarily mean no incidents, of course.
One recent recommendation to reform the office of the Ombudsman (or Ombudsperson, or simply Ombuds, in recent ICANN documentation) is to ensure a gender-mixed staff to perhaps make it more likely for issues related to gender to be reported.
A recent, non-scientific survey of ICANN participants found that about a third of women had knowledge or experience of sexism in the community.
Weye said that most complaints about non-sexual “harassment” occur at social events where alcohol is involved. He said that ICANN participants should be discreet when discussing “sensitive” cultural issues in such contexts, lest they inadvertently offend those within earshot.
There is “no place for disrespect in ICANN’s multi-cultural diverse environment” he said.
Amazon and Google to fight over .kids at auction
Amazon, Google and a third applicant are scheduled to fight for control of the new gTLDs .kid or .kids at auction.
It’s the first ICANN gTLD auction to be scheduled since a Verisign puppet paid $135 million for .web in July 2016.
According to ICANN documentation, .kid and .kids will go to auction January 25, 2018.
The winning bid will be added to ICANN’s quarter-billion-dollar stash of auction proceeds, rather than shared out between the applicants.
Even though two different strings are at stake, it will be a so-called “direct contention” auction, meaning only .kids or .kid will ultimately go live.
Google, the sole applicant for .kid, had filed String Confusion Objections against .kids applications from Amazon and DotKids Foundation and won both, meaning the three applications were lumped into the same contention set.
Unless DotKids has a secret sugar daddy, it seems probable that the internet will next year either get a .kid gTLD operated by Google or a .kids gTLD operated by Amazon.
DotKids had applied as a “community” application and attempted to shut out both rivals and avoid an auction by requesting a Community Priority Evaluation.
However, it comprehensively lost the CPE.
Child-friendly domain spaces have a poor track record, partly due to the extra restrictions registrants must agree to, and are unlikely to be high-volume gTLDS no matter who wins.
Neustar operated .kids.us for 10 years, following US legislation, but turned it off in 2012 after fewer than 100 web sites used the domain. It made the decision not to reintroduce it in 2015.
The Russian-language equivalent, .дети, has been live for over three years but has only around 1,000 domains in its zone file.
The .kids/.kid auction may not go ahead if the three applicants privately negotiate a deal soon, but they’ve had over a year to do so already and have apparently failed to come to an agreement.
ICANN chief tells industry to lawyer up as privacy law looms
The domain name industry should not rely on ICANN to protect it from incoming EU privacy law.
That’s the strong message that came out of ICANN 60 in Abu Dhabi last week, with the organization’s CEO repeatedly advising companies to seek their own legal advice on compliance with the General Data Protection Regulation.
The organization also said that it will “defer taking action” against any registrar or registry that does not live up its contractual Whois commitments, within certain limits.
“GDPR is a law. I didn’t come up with it, it didn’t come from ICANN policy, it’s the law,” Marby said during ICANN 60 in Abu Dhabi last week.
“This is the first time we’ve seen any legislation that has a direct impact on our ability to make policies,” he said.
GDPR is the EU law governing how companies treat the private information of individuals. While in force now, from May next year companies in any industry found in breach of GDPR could face millions of euros in fines.
For the domain industry, it is expected to force potentially big changes on the current Whois system. The days of all Whois contact information published freely for all to see may well be numbered.
But nobody — not even ICANN — yet knows precisely how registries and registrars are going to be able to comply with the law whilst still publishing Whois data as required by their ICANN contracts.
The latest official line from ICANN is:
At this point, we know that the GDPR will have an impact on open, publicly available WHOIS. We have no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but we don’t know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available.
Marby told ICANNers last week that it might not be definitively known how the law applies until some EU case law has been established in the highest European courts, which could take years.
A GNSO working group and ICANN org have both commissioned legal studies by European law experts. The ICANN one, by Swedish law firm Hamilton, is rather more comprehensive and can be read here (pdf).
Even after this report, Marby said ICANN is still in “discovery” mode.
Marby encouraged the industry to not only submit their questions to ICANN, to be referred on to Hamilton for follow-up studies, but also to share whatever legal advice they have been given and are able to share.
He and others pointed out that Whois is not the only point of friction with GDPR — it’s a privacy law, not a Whois law — so registries and registrars should be studying all of their personal data collection processes for potential conflicts.
Because there is very likely going to be a clash between GDPR compliance and ICANN contract compliance, ICANN has suspended all enforcement actions against Whois violations, within certain parameters.
It said last week that: “ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.”
This is not ICANN saying that registries and registrars can abandon Whois altogether, the statement stresses, but they might be able to adjust their data-handling models.
Domain firms will have to show “a reasonable accommodation of existing contractual obligations and the GDPR” and will have to submit their models to ICANN for review by Hamilton.
ICANN also stressed that registries may have to undergo a Registry Services Evaluation Process review before they can deploy their new model.
The organization has already told two Dutch new gTLD registries that they must submit to an RSEP, after .amsterdam and .frl abruptly stopped publishing Whois data for private registrants recently.
General counsel John Jeffrey wrote to the registries’ lawyer (pdf) to state that an RSEP is required regardless of whether the “new registry service” was introduced to comply with local law.
“One of the underlying purposes of this policy is to ensure that a new registry service does not create and security, stability or competition concerns,” he wrote.
Jeffrey said that while Whois privacy was offered at the registry level, registrars were still publishing full contact details for the same registrants.
ICANN said last week that it will publish more detailed guidance advising registries and registrars how to avoid breach notices will be published “shortly”.
Up to 20 million people could get broken internet in domain security rollover
Twenty million people losing access to parts of the internet is considered an acceptable level of collateral damage for ICANN’s forthcoming DNS root security update.
That’s one of a number of facts and figures to emerge from recent updates from the organization, explaining its decision to delay the so-called “KSK rollover” from October 11 to some time in the first quarter next year.
The rollover will see a new Key Signing Key, used as the trust anchor for all DNSSEC-signed domains, replace the seven-year-old original.
DNSSEC protects internet users and registrants from domain-based man-in-the-middle attacks. It’s considered good practice to roll keys at each level of the DNS hierarchy periodically, to reduce the risk of successful brute-force attacks.
The root KSK update will affect hundreds of millions of people who currently use DNSSEC-compatible resolvers, such as Google DNS.
ICANN delayed the rollover after it, rather fortuitously, spotted that not all of these resolvers are configured to correctly handle the change.
The number of known incompatible servers is quite small — only about 500 of the 11,982 DNSSEC-using recursive servers initially surveyed (pdf). That represents only a very small minority of the world’s internet users, as most are not currently using DNSSEC.
Subsequent ICANN research, presented by principal researcher Roy Arends at ICANN 60 last week, showed that:
- There are currently about 4.2 million DNS resolvers in the world.
- Of those, 27,084 are configured to tell the root servers which KSKs they support (currently either the KSK-2011 or KSK-2017).
- Of those, 1,631 or 6.02% do not support KSK-2017
It was only possible to survey servers that have turned on a recent update to DNS software such as BIND and Unbound, so the true number of misconfigured servers could be much higher.
Matt Larson, ICANN’s VP of research, told DI that ICANN has identified 176 organizations in 41 countries that are currently not prepared to handle the new KSK. These organizations are fairly evenly spread geographically, he said.
Since making the decision to delay the rollover, ICANN has hired a contractor to reach out to these network operators to alert them to potential problems.
ICANN’s CEO Goran Marby has also been writing to telecommunications regulators in all countries to ask for assistance.
After the rollover, people using an incompatible resolver would be unable to access DNSSEC-signed domains. Again, that’s still quite a small minority of domains — there are only about 750,000 in .com by some accounts and apparently none of the top 25 site support it.
ICANN could roll back the change if it detects that a sufficiently large number of people are negatively affected, but that number turns out to be around 20 million.
According to its published rollover plan:
Rollback of any step in the key roll process should be initiated if the measurement program indicated that a minimum of 0.5% of the estimated Internet end-user population has been negatively impacted by the change 72 hours after each change has been deployed into the root zone.
According to InternetWorldStats, there were around 3,885,567,619 internet users in the world this June. It’s very likely more people now.
So a 0.5% threshold works out to about 19 million to 20 million people worldwide.
Larson agreed that in absolute terms, it’s a big number.
“The overall message to take away from that number, I suggest, is that a problem would have to be pretty serious for us to consider rolling back,” Larson, who was not on the team that came up with the threshold, said.
“I think that’s a reasonable position considering that, in the immediate aftermath of the rollover, there are two near-immediate fixes available to any operator experiencing problems: update their systems’ trust anchors with the new key or (less desirable from my perspective but still effective) simply disable DNSSEC validation,” he said.
He added that the 0.5% level is not a hard and fast rule, and that ICANN could be flexible in the moment.
“For example, if when we roll the key, we find out there’s some critical system with a literal life or death impact that is negatively affected by the KSK roll, I think I can pretty confidently state that we wouldn’t require the 0.5% of Internet user threshold to be met before rolling back if it looked like there would be a significant health and safety risk not easily mitigated,” he said.
The chances of such an impact are very slim, but not impossible, he suggested.
It’s not ICANN’s intention to put anyone’s internet access at risk, of course, which is why there’s a delay.
ICANN’s plan calls for any rollover to happen on the eleventh day of a given calendar quarter, so the soonest it could happen would be January 11.
Given the complexity of the outreach task in hand, the relative lack of data, and the holiday periods approaching in many countries, and ICANN’s generally cautious nature, I’d hazard a guess we might be looking at April 11 at the earliest instead.
Corwin joins Verisign
Phil Corwin, the face of the Internet Commerce Association for over a decade, today quit to join Verisign’s legal team.
He’s now “policy counsel” at the .com giant, he said in a statement emailed to industry bloggers.
He’s also closed down the consulting company Virtualaw, resigned from ICANN’s Business Constituency and from his BC seat on the GNSO Council.
But he said he would continue as co-chair of two ICANN working groups — one looking at rights protection for intergovernmental organizations (which is kinda winding down anyway) and the other on general rights protection measures.
“I have no further statement at this time and shall not respond to questions,” Corwin concluded his email.
He’s been with ICA, which represents the interests of big domain investors, for 11 years.
As well as being an ICANN working group volunteer, he’s produced innumerable public comments and op-eds fighting for the interests of ICA members.
One of his major focuses over the years has been UDRP, which ICA believes should be more balanced towards registrant rights.
He’s also fought a losing battle against ICANN “imposing” the Uniform Rapid Suspension process on pre-2012 gTLDs, due to the fear that it one day may be forced upon Verisign’s .com and .net, where most domain investment is tied up.
ICANN terminates 450 drop-catch registrars
Almost 450 registrars have lost their ICANN accreditations in recent days, fulfilling predictions of a downturn in the domain name drop-catch market.
By my reckoning, 448 registrars have been terminated in the last week, all of them apparently shells operated by Pheenix, one of the big three drop-catching firms.
Basically, Pheenix has dumped about 90% of its portfolio of accreditations, about 300 of which are less than a year old.
It also means ICANN has lost about 15% of its fee-paying registrars.
Pheenix has saved itself at least $1.2 million in ICANN’s fixed accreditation fees, not including the variable and transaction-based fees.
It has about 50 registrars left in its stable.
The terminated registrars are all either numbered LLCs — “Everest [1-100] LLC” for example — or named after random historical or fictional characters or magic swords.
The move is not unexpected. ICANN predicted it would lose 750 registrars when it compiled its fiscal 2018 budget.
VP Cyrus Namazi said back in July that the drop-catching market is not big enough to support the many hundreds of shell registrars that Pheenix, along with rivals SnapNames/Namejet and DropCatch.com, have created over the last few years.
The downturn, Namazi said back then, is material to ICANN’s budget. I estimated at the time that roughly two thirds of ICANN’s accredited registrar base belonged to the three main drop-catch firms.
Another theory doing the rounds, after Domain Name Wire spotted a Verisign patent filing covering a system for detecting and mitigating “registrar collusion” in the space, is that Verisign is due to shake up the .com drop-catch market with some kind of centralized service.
ICANN reckoned it would start losing registrars in October at a rate of about 250 per quarter, which seems to be playing out as predicted, so the purge has likely only just begun.
ICANN heading back to Morocco in 2019
ICANN has picked Morocco for its mid-year meeting in 2019.
The June 24-27 meeting, ICANN 65, will be hosted by the Mediterranean Federation of Internet Associations at the Palmeraie Resort in Marrakech. That’s the same venue as ICANN 55 in March 2016.
It’s a Policy Forum meeting, meaning it has an abridged agenda, an expected lower attendance, and a tighter focus on policy work than the other two annual meetings.
It will be sandwiched between the March meeting in Kobe, Japan and the November meeting in Montreal, Canada.
More pressingly, it now seems all but certain that ICANN is heading to Puerto Rico in March 2018 for ICANN 61, despite the extensive damage caused by Hurricane Maria in September.
During the public forum at ICANN 60 in Abu Dhabi last week, the customary spot where the next meeting’s hosts get five minutes to plug their city or nation was notably different.
Shots of landscapes, sunsets and cultural attractions were instead replaced by a series of government and local tourism officials encouraging ICANNers to visit. The message was basically: everything’s okay, it’s safe for you to come.
The convention center venue for ICANN 61 was so lightly damaged by Maria that it was actually used as the headquarters of the recovery effort immediately after the storm. You may have seen news footage of it when President Trump showed up.
ICANN said October 7 that it was monitoring the situation but that it still intended to have the March meeting in San Juan as planned.
The city would no doubt welcome the modest economic boost that a few thousand tech professionals and lawyers showing up for a week will provide.
I’m planning on attending.
Recent Comments