ICANN gets hacked, again

ICANN has been hacked again and your user names and passwords may have been compromised.
The organization said tonight that it thinks “usernames/email addresses and encrypted passwords for profile accounts created on the ICANN.org public website were obtained by an unauthorized person.”
The stolen information includes “user preferences for the website, public bios, interests, newsletter subscriptions, etc”, ICANN said.
No critical systems seem to have been affected, ICANN said.
ICANN said that an “external service provider” was responsible for the hashed passwords that were nabbed.
It recommends an abundance of caution: changing passwords, or simply (and unrealistically) not using the same password across multiple sites.
ICANN gets hacked constantly. It’s barely even news any more. Many of the stories can be found with this search.

Dozens of dot-brands finally sign ICANN contracts

Dot-brand gTLD applicants that were playing wait-and-see with ICANN’s contracting process signed Registry Agreements in droves last week.
At least 67 new RAs were signed in the last three days of July, on or around the ICANN’s July 29 deadline, ICANN’s web site shows.
This means that there are still about 50 applicants that have not pulled the trigger and may have to apply for an 60-day last-chance extension.
A week before the deadline, roughly 170 brands had still not signed contracts.
The July 29 deadline was put in place for dot-brands last year due to delays creating Specification 13 of the RA, which gives brands special opt-out clauses dealing with things like sunrise periods.
Those that have still not obtained RAs are expected to be flagged as “Will Not Proceed” and will have to apply to ICANN for the extension under its Application Eligibility Reinstatement process.

African Union slams “dysfunctional” IRP as ICANN tries to fend off cover-up claims

The African Union Commission has criticized ICANN’s “dysfunctional accountability process” that has kept the proposed .africa gTLD in limbo for the last few years.
In a communique yesterday (pdf), the AUC also reiterated that .africa applicant ZA Central Registry has the support of both the AUC and its member states, and that governments used almost every avenue available to them to object to the rival DotConnectAfrica bid.
The letter reads:

The Africa region, African Internet stakeholders, the ZACR and AUC are the unfortunate victims of a dysfunctional accountability process and an independent review panel that did not delve more deeply to understand the new gTLD process, the role of governments in that process, and how the ICANN multistakeholder model functions in general.

A few weeks ago, an Independent Review Process panel controversially ruled that ICANN had treated DCA’s application unfairly, in violation of its bylaws, when it accepted Governmental Advisory Committee advice to reject it.
The panel said that ICANN should have at least asked the GAC for the rationale behind its advice, something that the new gTLD program’s rules did not require it to do.
One of the issues at the heart of the subsequent debate is whether ICANN inappropriately helped out ZACR’s bid by drafting an AUC letter of support and then tried to cover its actions up by inappropriately redacting information from the IRP ruling before publication.
On Friday, ICANN published a new version of the ruling that had these references restored, while retaining redactions related to the actions of Kenyan government officials.
We know what the still-redacted text says because Kieren McCarthy, writing for The Register, obtained a clean copy and published it a couple of weeks ago.
ICANN also promised to publish its reasoning if it makes redactions to any documents in future.
In a blog post on Friday, general counsel John Jeffrey said that ICANN helping the AUC draft its letter of support was not a unique case, nor was it inappropriate:

ICANN staff has helped many applicants and their supporters understand how to properly document support. Not only did we make a template support letter publicly available to all as part of the New gTLD Program Applicant Guidebook (see Appendix to Module 2), we have answered questions, received through our customer service channel, as to how interested parties can document support for a given gTLD application. In the case of ZA Central Registry, ICANN appropriately assisted the applicant in documenting support from the AUC.
Our actions surrounding the .AFRICA applications were not unique, since we assist any applicant who requests assistance, or who needs clarification in learning how best to document support or other matters. We have provided assistance to all applicants regarding their applications to the maximum extent possible.

On the claims that ICANN tried to “cover up” this assistance by redacting the IRP’s ruling and previous IRP filings, Jeffrey said that the information was covered by a confidentiality agreement agreed to by itself and DCA and endorsed by the IRP panel.
He said that ICANN was “motivated by our obligation to the community to post the document quickly and the competing, yet mandatory obligation, to respect confidential information while being as transparent as possible.”
He said ICANN attempted to reach out to those affected by the “confidential” parts of the ruling to seek permission to remove the redactions.
But McCarthy also seems to have seen emails exchanged between DCA and ICANN, and he says that ICANN redacted it over DCA’s objections.
McCarthy further says that ICANN only became interested in removing the redactions after he had already published the clean version of the ruling at The Reg — five days after the initial publication by ICANN.
Jeffrey’s post, which refers to “erroneous reporting” in an apparent allusion to McCarthy’s articles, nevertheless fails to address this claim, lending credibility to the cover-up allegations.
The .africa gTLD has been contracted to ZACR, but DCA’s rejected application has been returned to evaluation per the IRP’s ruling, where it is broadly expected to fail for want of governmental support.
Disclosure #1: I recently filed a Documentary Information Disclosure Policy request seeking the release of all the unredacted exhibits in DCA v ICANN. Given ICANN’s wont to usually respond to such requests only at the end of the full 30 days permitted by the policy, I should not expect to see an answer one way or the other until the last week of August.
Disclosure #2: As regular readers may already be aware, due to my long-held and never-disguised view that DCA was mad to apply for .africa without government support, I was once accused of being a part of a “racial conspiracy” against DCA on a blog I believe to be controlled by DCA. Naturally, after I stopped laughing, this libelous allegation pissed me off no end and enhanced my belief that DCA is nuts. Around the same time DCA also, under its own name, filed an “official complaint” (pdf) with ICANN, omitting the race card, alleging that I was part of a conspiracy against it.

New gTLDs not an illegal conspiracy, court rules

ICANN has beaten off a lawsuit from alternate root provider name.space for a second time, with a US appeals court ruling that the new gTLD program was not an illegal conspiracy.
name.space sued ICANN in 2012, claiming that the program broke competition laws and that “conflicted” ICANN directors conspired with the industry in an “attack” on its business model.
The company runs an alternate DNS root containing hundreds of TLDs that hardly anyone knows about, cares about, or has access to.
Almost 200 of the strings in its system had matching applications in the 2012 new gTLD round; many have since been delegated.
The company’s complaint asked for an injunction against all 189 matching TLDs.
But a court ruled against it in 2013, saying that name.space had failed to make a case for breaches of antitrust law.
Last week, an appeals court upheld that ruling, saying that the company had basically failed to cross the legal threshold from simply making wild allegations to showing evidence of an illegal conspiracy.
“We cannot… infer an anticompetitive agreement when factual allegations ‘just as easily suggest rational, legal business behavior.’,” the court ruled, citing precedent.
“Here, ICANN’s decision-making was fully consistent with its agreement with the DOC [US Department of Commerce] to operate the DNS and the Root,” it wrote. “In transferring control to ICANN, the DOC specifically required it to coordinate the introduction of new TLDs onto the Root. This is exactly what ICANN did in the 2012 Application Round”.
“The 2012 rules and procedures were facially neutral, and there are no allegations that the selection process was rigged,” the panel ruled.
The court further ruled that ICANN is not a competitor in the markets for domain names as registry, registrar or defensive registration services, therefore it could not be subject to antitrust claims for those markets.
A few other claims against ICANN were also dismissed.
In short, it’s a pretty decisive victory for ICANN. General counsel John Jeffrey said in a statement that ICANN is “pleased” to have won.
All the major documents in the case, including the latest opinion, can be downloaded here.
While the lawsuit has been making its way through the courts, the .space gTLD has actually been delegated and the domain name.space is owned by its new registry, Radix.
There’s some salt in the wounds.

Most governments keep restrictions on country names in new gTLDs

Just one out of every 10 governments in the ICANN Governmental Advisory Committee is happy for people to register its country name in new gTLDs.
That’s according to a new GAC database detailing which countries want to keep tabs on how their names are being used.
Out of 80 GAC members contributing to the database, just eight have said registries can sell their country names with no restrictions.
The eight countries and territories are the UK, the USA, Denmark, Finland, Netherlands, Sweden, Guernsey and Pitcairn.
New gTLD registries will therefore be able to auction off, for example, finland.guru or pitcairn.news, to whoever wants them.
Another 10 governments — Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Montenegro, New Zealand, Romania, Spain and Switzerland — have relinquished oversight in the case of dot-brand registries that have signed Specification 13 of the ICANN Registry Agreement.
So if Sony wants to register brazil.sony to itself, it can without restrictions.
Under the new gTLD Registry Agreement, all country and territory names in the six official UN languages have to be reserved by all registries unless they can reach agreement with the applicable government.
The 18 governments mentioned above have basically waived this right to be notified in whole or in part.
The remaining 62 governments say they still wish to be notified when a registry wants to release its name.
GAC chair Thomas Schneider told ICANN (pdf) that countries not yet listed in the database should be treated as if they’re still restricted, so the actual number is closer to 200.
In short, this database is not a lot of help to dot-brands and other registries that want to start using or selling country names.
Critics have pointed out that many governments wanting to regulate their names in new gTLDs have not done so in their own ccTLDs.
Of the 62, ownership of country names is mixed. Italy owns italy.it and italia.it, for example, while germany.de and deutschland.de appear to be in private hands.

Sharp wants dot-brand Whois requirement relaxed

Electronics firm Sharp wants to remove part of its new gTLD registry contract relating to Whois.
The company has filed a Registry Services Evaluation Process request to get its requirement to offer “searchable Whois” dropped. RSEP is the mechanism registries use to amend their contracts.
ICANN’s initial review has not found any security, stability or competition problems and has now opened the request up for public comment.
Because .sharp will be a dot-brand, all the domains would belong to Sharp and its affiliates, reducing the value of searchable Whois.
Searchable Whois is an enhanced Whois service that allows users to search on all fields (such as registrant, email address, etc) rather than just the domain name.
Such services are not mandatory under ICANN’s new gTLD rules, but applicants that said they would offer them could score an extra point in their Initial Evaluation.
In Sharp’s case, a one-point difference would not have affected the outcome of its IE. In any event, it did not score the extra point.
Sharp said it was requesting the change because it’s switching back-ends from GMO Internet to JPRS, which apparently does not or does not want to support searchable Whois.

As deadline looms, over 100 dot-brands still in contract limbo

With the minutes ticking down to the deadline for scores of dot-brands to sign registry agreements with ICANN, over 100 have not, according to ICANN’s web site.
New gTLD applicants had until July 29 to sign their contracts or risk losing their deposits.
I reported a week ago that roughly 170 would-be dot-brands had yet to sign on the dotted line, and my records show that only 35 have done so in the meantime.
Another four applications have been withdrawn.
One of the newly contracted parties is Go Daddy, which signed an RA for .godaddy last week. Others include .nike, .comcast and .mitsubishi.
Unless we see a flood of new contracts published over the next day or two, it seems likely well over 100 strings will soon be flagged as “Will Not Proceed” — the end of the road for new gTLD applications.
That may not be the final nail in their coffins, however.
Last week, ICANN VP Cyrus Namazi said that applicants that miss today’s deadline will receive a “final notice” in about a week. They’ll then have 60 days to come back to the process using the recently announced Application Eligibility Reinstatement process.

IDN .com hits the root

Eleven variants of .com and .net in non-Latin scripts joined the internet today.
Verisign’s whole portfolio of internationalized domain name new gTLDs were added to the DNS root at some point in the last 24 hours, and the company is planning to start launching them before the end of the year.
But the company has been forced to backtrack on its plans to guarantee grandfathering to thousands of existing [idn].com domains in the new domains, thereby guaranteeing a backlash from IDN domainers.
The eleven gTLDs are: .कॉम, .ком, .点看, .คอม, .नेट, .닷컴, .大拿, .닷넷, .コム, .كوم and .קוֹם. Scripts include Arabic, Cyrillic and Hebrew.
Verisign signed registry agreements with ICANN back in January, but has been trying to negotiate a way to allow it to give the owners of [idn].com domains first rights to the matching domain in the “.com” in the appropriate script.
The company laid out its plans in 2013. The idea was to reduce the risk of confusion and minimize the need for defensive registrations.
So what happened? Trademark lawyers.
Verisign CEO Jim Bidzos told financial analysts last week that due to conversations with the “community” (read: the intellectual property lobby) and ICANN, it won’t be able grandfather all existing [idn].com registrants.
All of the new IDN gTLDs will be subject to a standard ICANN Sunrise period, which means trademarks owners will have first dibs on every string.
If you own водка.com, and somebody else owns a trademark on “водка”, the trademark owner will get the first chance to buy водка.ком.
According to SeekingAlpha’s transcript, Bidzos said:

Based primarily on feedback from domain name community stakeholders, we have revised our IDN launch strategy. We will offer these new IDN top-level domains as standalone domain names, subject to normal introductory availability and rights protection mechanisms, available to all new gTLDs. This revised approach will not require ICANN approval and is designed to provide end users and businesses with the greatest flexibility and, for registrars, a simple and straightforward framework to serve the market.
Finally, we believe this approach should provide the best opportunity for increased universal acceptance of IDNs. We expect to begin a phased rollout of the IDNs towards the end of this year, and we’ll provide more information on our launch plans when appropriate.

Senior VP Pat Kane added on the call that the grandfathering provisions, which would have required ICANN approval, have been “taken out”.
The question now is whether Verisign will introduce a post-sunrise mechanism to give rights to [idn].com.
That would not be unprecedented. ICM Registry ran into similar problems getting its grandfathering program for .porn approved by ICANN. It wound up offering a limited, secondary sunrise period for existing .xxx registrants instead.

OpenTLD suspension stayed in unprecedented arbitration case

“Cybersquatting” registrar OpenTLD, part of the Freenom group, has had its accreditation un-suspended by ICANN while the two parties slug it out in arbitration.
Filed three weeks ago by OpenTLD, it’s the first complaint to head to arbitration about under the 2013 Registrar Accreditation Agreement.
ICANN suspended the registrar for 90 days in late June, claiming that it “engaged in a pattern and practice of trafficking in or use of domain names identical or confusingly similar to a trademark or service mark of a third party”.
But OpenTLD filed its arbitration claim day before the suspension was due to come in to effect, demanding a stay.
ICANN — voluntarily, it seems — put the suspension on hold pending the outcome of the case.
The suspension came about due to OpenTLD being found guilty of cybersquatting its competitors in two UDRP cases.
In both cases, the UDRP panel found that the company had cybersquatted the trademarks of rival registrars in an attempt to entice their resellers over to its platform.
But OpenTLD claims that ICANN rushed to suspend it without giving it a chance to put forward its side of the story and without informing it of the breach.
It further claims that the suspension is “disproportionate and unprecedented” and that the public interest would not be served for the suspension to be upheld.
This is not an Independent Review Process proceeding, so things are expected to move forward relatively quickly.
The arbitration panel expects to hear arguments by phone August 14 and rule one way or the other by August 24.
Read the OpenTLD complaint here.

Flood of wait-and-see dot-brands expected this week

ICANN expects to sign as many as 170 new gTLD contracts with dot-brand applicants over the coming week.
Dot-brands that have been treading water in the program to date are up against a hard(ish) July 29 deadline to finally sign a Registry Agreement with ICANN.
VP of domain name services Cyrus Namazi told DI today that ICANN expects most of the backlog to be cleared in the next couple of weeks.
“The end of the July is a bit of a milestone for the program as a whole,” Namazi said. “A substantial number of contracts will be signed off and move towards delegation.”
“I think within a short period after the end of July most of these will be signed off,” he said.
There are currently 188 applications listed as “In Contracting” in the program. Namazi and myself estimate that roughly 170 are dot-brands, almost all of which have July 29 deadlines.
Namazi said that ICANN has planned for a last-minute rush of “hundreds” of applicants trying to sign contracts in the last month.
The July 29 deadline for dot-brands was put in place because of delays creating Specification 13 of the RA — that’s the part that allows dot-brands to function as dot-brands, by eschewing sunrise periods for example.
For most dot-brand wannabes, it was already an extension of nine months or more from their original deadline.
But it seems inevitable that some will miss the deadline.
Namazi said that those applicants that do miss the deadline will receive a “final notice” about a week later, which gives the applicant 60 days to come back to the process using the recently announced Application Eligibility Reinstatement process.
That creates a new deadline in early October. Applicants that miss that deadline might be shit outta luck.
“They’ll essentially just sit in a bucket that will not be proceeding,” Namazi said. “We don’t have a process to reactivate beyond that.”
So why are so many dot-brand applicants leaving it so late to sign their contracts?
The answer seems to be, essentially: lots of them are playing wait-and-see, and they still haven’t seen.
They wanted to see how other dot-brands would be used, and there’s not a lot of evidence to draw on yet. The number of dot-brands that have fully shown their cards could be counted on your fingers. Maybe even on just one hand.
“Some of them have a different level of enthusiasm for having their own TLD,” Namazi said. “Some of them don’t have their systems or process in place to accept or absorb a new TLD. Some of them don’t even know what to do with it. There may have been some defensive registrations in there. There were probably expectations in terms of market development for new TLDs that have gone a bit slower than some people’s business plans called for.”
“That has probably made some of the large brands more hesitant in terms of rushing to market with their new TLDs,” he said.