Whois policy published without life-saving disclosure rule

ICANN has updated its Registration Data Policy, the rules that govern what data registries and registrars need to collect from registrants and when to publish or supply it through Whois lookups or disclosure requests.

When it becomes enforceable in August next year, the new RDP will make full-fat ICANN Whois policy compliant with EU privacy law for the first time since the General Data Protection Regulation came into effect in May 2018.

But the new policy, which replaces a functionally very similar temporary policy, is notable not only for the extraordinary amount of time it took to produce, but also for not containing a disputed requirement for registrars and registries to quickly turn over private Whois data when human life is at risk.

The policy dictates what contact information registrars must collect from their customers, what they must share with their registries, escrow agents and others, and what they must redact in the public Whois (or Registration Data Directory Services, as it will become known when Whois is retired next January).

It also says that registries and registrars must acknowledge private data disclosure requests no more than two business days after receipt and respond to the requests in full less than 30 calendar days after that, barring delays caused by “exceptional circumstances”.

But, due purely to ICANN community politicking, the policy for now omits previously considered language on “urgent” disclosure requests for use in “circumstances that pose an imminent threat to life, of serious bodily injury, to critical infrastructure, or of child exploitation”.

I’d like to think such circumstances are incredibly rare, but if there’s a situation where a Whois disclosure could help prevent a bomb going off at a major internet exchange, a trans rights activist being hounded into suicide, or a little kid getting raped on a livestream, the new ICANN policy does not account for that.

The version of the policy published in July last year (pdf) did include an urgent requests provision, requiring contracted parties to either turn over the data or tell the requester to get lost within 24 hours of receipt.

But it also contained a bunch of exceptions that could allow registrars to extend that deadline by up to three business days. When weekends and public holidays are taken into account, this could mean as much as a full calendar week to process an “urgent”, potentially life-saving request.

For that reason, the Governmental Advisory Committee wrote to ICANN (pdf) last August to ask it to revisit the policy language, chuck out the reference to “business” days, and stick to a 24-hour response window

The original Expedited Policy Development Process Working Group that came up with the policy recommendations had not specified how long registrars and registries should have to respond to urgent disclosure requests, punting that decision to the Implementation Review Team that drafted the final language.

An August 2022 draft (pdf) put out for public comment made the response window two business days, with a possible one-day extension, but this was reduced to 24 hours last year in what registrars describe as a “significant compromise” given the operational reality of responding to disclosure requests.

In August last year, the Registrars Stakeholder Group told ICANN (pdf) that its members “are committed to responding to Urgent requests in the most swift and expeditious manner possible” but said it objected to the GAC’s last-minute demands for the urgent disclosures policy to be rewritten.

From the registrars’ perspective, handling disclosure requests for personal data is not a simple ask. It’s a legal decision, balancing the privacy rights of the registrant with the rights of others to access that information.

Get it wrong, and you’re open to litigation and fines substantial enough to be expressed as a percentage of your revenue. And, money aside, who wants to be the guy who, for example, accidentally helps the Iranian morality police murder a bunch of schoolgirls for wearing the wrong type of hat?

But the argument between the registrars and the governments comes down to issues of ICANN process. Both the GAC and the RrSG claimed the urgent disclosures bunfight highlights deficiencies in ICANN multistakeholderism, but for different reasons.

ICANN’s response to this disagreement was to remove the urgent requests clauses from the policy altogether, in the hope that further talks can find a solution. Chair Tripti Sinha wrote to the RrSG and GAC a couple weeks ago to tell them:

the Board concluded that it is necessary to revisit Policy Recommendation 18 concerning urgent requests in the context of situations that pose an imminent threat to life, serious bodily harm, infrastructure, or child exploitation, and the manner in which such emergencies are currently handled. For this, we believe that consultation with the GNSO Council is required.

ICANN has essentially kicked the can, which was what the GAC had asked for. The RrSG wanted the July 2023 language (one-plus-three days) or August 2022 language (two-plus-one days) published in the final policy.

It’s stuff like this that makes one scratch one’s head, stroke one’s chin, and wonder whether ICANN really is fit for purpose.

There were 2,312 days between the day the European Commission first proposed the GDPR to the day it became effective in all EU member states.

But 2,590 days will have passed between the day the GNSO Council initiated the EPDP and the day the new Registration Data Policy will become effective on all contracted parties, next August.

The lumbering, then-28-state European Union was faster at passing policy than ICANN, even when ICANN was using an “expedited” process.

And what ICANN eventually came up with couldn’t even agree on ways to help tackle murder, economic catastrophes, and the rape of kids.

UK gov takes its lead from ICANN on DNS abuse

The UK government has set out how it intends to regulate UK-related top-level domain registries, and it’s taken its lead mostly from existing ICANN policies.

The Department for Science, Innovation and Technology said last year that it was to activate the parts of the Digital Economy Act of 2010 that allow it to seize control of TLDs such as .uk, .london, .scot, .wales and .cymru, should those registries fail to tackle abuse in future.

It ran a public consultation that attracted a few dozen responses, but has seemingly decided to stick to its original definitions of abuse and cybersquatting, which were cooked up with .uk registry Nominet and others and closely align to industry norms.

DSIT plans to define abuse in the same five categories as ICANN does — phishing, pharming, botnets, malware and vector spam (spam that is used to serve up the first four types of attack) — in its response to the consultation, published yesterday (pdf).

But it’s stronger on child sexual abuse material than ICANN. While registries and registrars have developed a “Framework to Address Abuse” that says they “should” take down domains publishing CSAM, ICANN itself has no contractual prohibitions on such content.

DSIT said it will require UK-related registries to have “adequate policies and procedures” to combat CSAM in their zones. The definition of CSAM follows existing UK law in being broader than elsewhere in the world, including artworks such as cartoons and manga where no real children are harmed.

DSIT said it will define cybersquatting as “the pre-emptive, bad faith registration of trade marks as domain names by third parties who do not possess rights in such names”. The definition omits the “and is being used in bad faith” terminology used in ICANN’s UDRP. DSIT’s definition includes typosquatting.

In response to the new document, Nominet tweeted:

The response highlights that Government recognises the work registries already do to support law enforcement agencies prevent the registration of domains to carry out illegal activity and "expect the existing voluntary arrangements to be used as the first port of call".

— Nominet (@Nominet) February 23, 2024

DSIT said it will draft its regulations “over the coming months”.

Twitter “completely unresponsive” on clickable domains

Elon Musk’s Twitter is “completely unresponsive” to outreach about Universal Acceptance of domain names, including problems such as the lack of linkification of new gTLD domains, according to an ICANN technologist.

Speaking at an ICANN 79 Prep Week session yesterday, senior UA technology manager Arnt Gulbrandsen said the Org has been attempting to work with major platforms such as Google’s Gmail and WordPress to encourage support for newer, longer gTLDs and internationalized domain names, but with mixed results.

“What we are doing is identifying the most important, the biggest actors… testing, reaching out or contributing changes,” he said. “We don’t work equally with all. If someone’s unresponsive, then we more or less stop talking to them and hope that they grow less important as time passes.”

“This means Twitter,” he said. “Twitter is completely unresponsive.”

Twitter and other platforms such as WhatsApp have been criticized recently by the people behind gTLDs including .music and .tube for failing to “linkify” their domains. When you tweet a .music domain without the http:// prefix it will not automatically become clickable, for example.

Twitter’s cut-off point for recognizing TLDs appears to be mid-2020. The three gTLDs delegated after that — .spa, .music and .kids — do not currently linkify.

Gulbrandsen said ICANN has been getting a more encouraging response from developers within the WordPress ecosystem, where ICANN discovered that UA support relies a great deal on just three software components maintained by volunteer developers — linkify-it, phpautolink and phpmailer.

“I’m really happy about the responses from some of these obscure, open-source maintainers,” he said. “They really want to do the best for the world, and they are volunteers mostly.”

Two of the identified components currently support UA and ICANN is working with phpmailer, he said. ICANN has also been contributing UA code even further down the stack, to programming languages such as Java, Python and Ruby, he said.

Gulbrandsen’s presentation came during the ICANN 79 Prep Week session on UA, which included contributions from members of various UA working groups and focused largely on IDN and email problems. You can listen to the session in full here.

ICANN spends $5 million more than planned in first fiscal half

ICANN published its second fiscal quarter financials yesterday, revealing a roughly $5 million overspend in the second half of 2023.

The Org spent $72 million of its $74 million revenue in the six months to December 31, more than the $67 million spend it had budgeted for.

ICANN said the overspend came mainly in its Community and Engagement reporting segment, with the $4 million excess “driven by higher than planned costs for ICANN78, community programs, and meetings support”.

The same report shows that ICANN 78, which took place in Hamburg last October, cost about $900,000 more than expected largely because it spent more on air fares and had to put on more sessions than it originally expected.

It also spent about $100,000 on its 25th anniversary celebration, a line item that had not appeared in its budget. Because who can predict an anniversary, right?

Hamburg was the most-expensive meeting since the pandemic ended, costing about $5.4 million and attracting over 2,500 attendees. The Kuala Lumpur meeting a year earlier had cost $4.7 million.

ICANN’s revenue was described as “flat”, but a breakdown shows a roughly $1 million (rounded) shortfall in both registry and registrar transaction fees compared to the budget. This is likely linked to shrinkages in Verisign’s .com sales over the period.

New gTLD lottery to return in 2026

Remember The Draw? It was the mechanism ICANN used to figure out which new gTLDs from the 2012 application round would get a first-mover advantage, and it’s coming back in 2026.

The Org is currently considering draft Applicant Guidebook language setting out the rules for how to pick which order to process applications in the next round.

There’s no mention of Digital Archery this time. ICANN is sticking to the tried-and-tested Prioritization Draw, a lottery method in which applicants buy a paper ticket for a nominal sum ($100 last time) and ICANN pulls them out of a big bucket to see who goes first.

Applicants for internationalized domain names will have an advantage again, but it’s arguably not as strong as in the 2012 round, when all the IDN applicants that had bought tickets were processed first.

This time, the draw will take place in batches of 500 applications, according to the latest version of the draft AGB language.

The first batch will contain at least 125 IDN applications — assuming there are 125 — and they will be drawn first, before any Latin-script strings get a look. In subsequent batches, the first 10% of tickets drawn will belong exclusively to IDN applicants.

In the 2012 round, the first 108 applications selected were IDNs. The Vatican won the lucky #1 spot with .天主教, the Chinese term for the Catholic Church, while Amazon was the first Latin-script application with .play (which Google eventually won but still hasn’t launched, over 11 years later).

Due to California’s gambling laws, applicants will have to show up to buy a ticket in person. If they can’t make it, they can select an Angeleno proxy from a list provided by ICANN to pick it up on their behalf.

Last time around, The Draw took over nine hours to sort all 1,930 applications and was the social highlight of the community’s calendar. Santa Claus even showed up.

D3 signs up crypto gTLD client number five

New gTLD consultancy D3 Global has signed up its fifth blockchain gTLD client since launching last September.

The company today announced a deal with Core Chain to apply for .core when ICANN next opens a new gTLD application window, currently expected mid-2026.

Core Chain makes a software platform for developers that want to building decentralized applications on blockchains. It says it has over five million connected cryptocurrency wallets.

D3 has recently announced similar partnerships with NEAR Foundation (.near), Gate.io (.gate), Viction (.vic) and Shiba Inu (.shib).

The company says its mission is to help blockchain companies operate on the traditional DNS as well as the blockchain-based alternate naming systems.

How to qualify for a $40,000 gTLD

Organizations from most of the countries of the world, including some very wealthy economies, could find themselves eligible for a discount of up to 85% on ICANN new gTLD application fees, according to draft rules published for public comment today.

By my count, small businesses from 177 of the world’s countries and territories could qualify for cheap applications in the next round, expected in 2026, assuming they meet the new Applicant Support Program’s other criteria.

The list of qualifying nations includes the BRIC countries (Brazil, Russia, India, China), oil-rich nations such as Saudi Arabia and the UAE, wealthy Asian territories such as Hong Kong and South Korea, and some European nations, such as Serbia and Montenegro.

The draft ASP rules propose to subsidize applications from non-profits, intergovernmental organizations, indigenous/tribal groups, and small businesses that provide a “social impact or public benefit” from anywhere in the world.

It also promises subsidies to small businesses located in and owned by people based in several UN-designated economic regions: Small Island Developing States, Least Developed Countries, Economies in Transition, and Developing Economies.

Lists of these countries can be found in this UN document. China, Singapore, South Korea and Hong Kong are among dozens on the “developing economies” list. Russia counts as an “economy in transition” along with a handful of other east European and west Asian nations.

There’s no requirement to have a public benefit or charitable mission to qualify as a “Micro or small sized business from a less-developed economy”, you just need to have fewer than 50 employees, less than $5 million in the bank, and less than $5 million of annual sales (or meet two of those three criteria).

According to my tally, there are 177 distinct territories on the applicable UN lists. The same UN document lists just 36 nations that qualify as “developed” economies.

Because the application fees for the next round are not yet fixed, the discount eligible applicants can get isn’t either. The placeholder text in the current draft says the discount will be in the range of 50% to 85%.

ICANN has previously said that the base fee could be as much as $270,000, so an 85% discount would be worth almost $230,000, reducing the fee to about $40,000. Each applicant would be limited to one gTLD.

Support applicants under any category also have to pass various background screening checks — they can’t be affiliated with another registry, for example — and have to show that paying the full base gTLD application fee would be a “financial hardship”.

This is defined as: “Cost of the subsidized base gTLD application fee ([X%] of the [$X] USD fee) is greater than 20 percent of the organization’s annual revenue”. So, if we assume a discounted fee of $40,000, only companies with revenue under $200,000 would qualify.

The 2012 round’s Applicant Support Program worked a little differently. Applicants could be from anywhere in the world, but they could earn points under the score-based rules by being from a developing nation.

There were only three applicants using the ASP in 2012, and only one — DotKids Foundation, based in Hong Kong and founded by the same businessman who founded DotAsia and currently sits on the ICANN board of directors — ended up qualifying for the cheaper application fee.

For the next round, ICANN has penciled in a Q4 2024 date to start accepting applications for the discount. The application window is expected to close a year later, at least six months before the new gTLD application window opens.

Anyone thinking about trying to game the system should note that ICANN promises that anyone “found to have abused the intent of the program” will be banned from the new gTLD program forever.

The proposed ASP rules are open for comment for 50 days here.

Registry service provider evaluation handbook published

ICANN has released the first draft of its RSP Handbook, the guidelines and questionnaire for registry service providers that want to get pre-approved by the Org ahead of the next new gTLD application round.

The Handbook is aimed at the few dozen companies that offer back-end services to gTLD registries — companies such as GoDaddy, Identity Digital and CentralNic — to guide them through the process of getting approved under the new Registry Service Provider Evaluation Program.

The program was called for by the GNSO community in order to minimize the amount of time-consuming, expensive evaluation work required for each new gTLD application. If a gTLD applicant’s selected RSP has been pre-approved by ICANN, it’s an automatic pass on the technical part of the application.

The new Handbook 1.0 envisages four types of RSP. A “Main RSP” is a full-service provider that looks after all technical aspects of a registry back-end. There are also categories for companies that provide DNS resolution only and DNSSEC services.

A fourth type, the “Proxy RSP”, is aimed primarily at companies that provide secondary registry services in countries that have very restrictive domain licensing rules. That basically means China, and proxies such as ZDNS.

Incumbent gTLD RSPs have a distinct advantage in the Handbook process. If they’re in good standing with ICANN and have complied with their service level agreements for the last six months, they can skip the second, technical part of the evaluation.

Incumbents also get a streamlined process for additional registry services — stuff like name-blocking and registry locks — they wish to offer. If they already offer them in an existing gTLD, they get to skip the full Registry Services Evaluation Process.

The Handbook is a first draft and does not currently include things like fees and dates. It’s not yet open for public comment but you can read the 108-page PDF here.

ICANN expects to launch the pre-evaluation program 18 months before it starts accepting new gTLD applications, so applicants have a list of approved RSPs to choose from. With a Q2 2026 target date for the next application window, that means the RSP program could launch later this year.

WebUnited inks deal to “mirror” country’s TLD in the blockchain

Blockchain domains startup WebUnited says it has signed up its first registry client to a service that allows domain names to be “mirrored” on a blockchain naming service.

The company has inked a deal with Global Domains International, the registry for Samoa’s .ws ccTLD (sometimes marketed as a generic for “web site”), that will let its registrars up-sell matching .ws names on the Polygon blockchain.

WebUnited, a Swiss-based joint venture of domain registry ShortDot and “Web3” naming player Freename, says registrants will be able to use their mirrored .ws names to address cryptocurrency wallets, for example.

The company essentially acts as a registry service provider for its registry clients in much the same way as regular RSPs do now, except instead of putting domains into EPP databases and the consensus DNS, it adds them to a blockchain.

Registrars that choose to sign up to the service will use an “EPP-like” API to access the registry, ShortDot COO Kevin Kopas said. He expects .ws to charge about five bucks a year for the blockchain add-on domains.

Kopas said WebUnited is also mirroring policies found in regular domain names, so if somebody loses their domain in a UDRP case, for example, they also lose their matching blockchain name.

After .ws, ShortDot’s own TLDs — .bond, .sbs, .icu, .cyou and .cfd — are also expected to offer the mirroring service. Because these are gTLDs governed by ICANN contracts, ShortDot first has to go through the Registry Service Evaluation Process for approval.

Kopas said that once ShortDot has completed its RSEP it will be able to supply gTLD clients with template language to get their own RSEPs approved. He said WebUnited has a pipeline of potential ccTLD and gTLD registries that have expressed an interest in the service.

Report: Monster “misappropriated” millions from Epik

Epik former CEO Rob Monster “misappropriated” over $3.5 million from the company before his departure last year, according to a report in Wired yesterday.

In a fairly in-depth piece on the registrar’s turbulent 2023, the tech publication said it has had eyes on a forensic accounting document that made the allegations:

An accounting firm hired by Epik to conduct a forensic investigation alleged that Monster had misappropriated more than $3.5 million, according to an internal preliminary report obtained by WIRED. More than $1.5 million was attributed to Monster personally withdrawing funds from the company. Nearly $2 million of Epik funds was used in Kingdom Ventures, Monsters’ venture capital firm, according to the report.

The article does not make it clear whether any criminality is alleged and Monster did not respond to the magazine’s request for comment.

The article also shed some extra light on the takeover of the former Epik Inc registrar by Epik LLC, a new company confirmed by ICANN to be owned by a company-formation outfit in Wyoming called Registered Agents Inc and not affiliated with Monster.

Registered Agents’ lawyer Bryce Myrvang told Wired that the plan is to offer its clients domains and web hosting when they form their companies, apparently confirming that the company is in it for the synergies rather than to hide Epik’s true owner.

Myrvang also offered his apologies to anyone offended by the recent weirdness coming out of its official Twitter account, which led some to believe that Monster was still pulling the strings at the company despite the new ownership.