Mutually assured destruction? Now Afilias faces .web disqualification probe

Afilias’ ongoing quest to have Verisign’s winning bid for the .web gTLD thrown out may have backfired, with ICANN now launching a probe into whether Afilias’ own bid should be disqualified.

Afilias and Verisign could now BOTH be kicked out of the .web fight, delivering the coveted gTLD into the hands of the third-placed bidder for a knock-down price.

There’s even the possibility that Verisign’s winning $135 million bid could be more than cut in half, taking tens of millions out of ICANN’s coffers.

ICANN’s board of directors on Thursday said it will investigate not only whether Verisign broke new gTLD program rules by using a Nu Dot Co as proxy to bid, but also whether Afilias broke the rules when an executive texted NDC during a pre-auction comms blackout period.

It’s the first time board has resolved to take a look at the allegations against Afilias, which so far have only come up in letters and arbitration filings from Verisign and NDC.

The .web auction in 2016 resulted in a winning bid of $135 million from NDC. It quickly emerged that its bid was bankrolled by Verisign, which had not directly applied for .web.

Afilias’ applicant subsidiary (now called Altanovo Domains, but we’re sticking with “Afilias” for this story) has been trying to use Verisign’s sleight-of-hand to get the auction overturned for years, on the basis that ICANN should have forced NDC to show its cards before the auction took place.

An Independent Review Process panel last year ruled that ICANN broke its own bylaws by failing to rule on Afilias’ allegations when they were first made, and told ICANN to put .web on hold while it finally formally decides whether Verisign broke the rules or not.

What the IRP panel did NOT do was ask ICANN to rule on Verisign’s counter-allegations about Afilias violating the auction blackout period. ICANN’s decided to do that all by itself, which must piss off Afilias no end.

The board resolved last week, with my emphasis:

Resolved (2022.03.10.06), the Board hereby: (a) asks the [Board Accountability Mechanisms Committee] to review, consider and evaluate the allegations relating to the Domain Acquisition Agreement (DAA) between NDC and Verisign and the allegations relating to Afilias’ conduct during the Auction Blackout Period; (b) asks the BAMC to provide the Board with its findings and recommendations as to whether the alleged actions of NDC and/or Afilias warrant disqualification or other consequences, if any, related to any relevant .WEB application; and (c) directs ICANN org to continue refraining from contracting for or delegation of the .WEB gTLD until ICANN has made its determination regarding the .WEB application(s).

I see four possible outcomes here.

• Nobody gets disqualified. Verisign wins .web and ICANN gets to keep its $135 million. Afilias will probably file another IRP or lawsuit.
• Verisign gets disqualified. Afilias gets .web and ICANN probably gets paid no more than $79.1 million, which was its maximum bid before the auction became a two-horse race. Verisign will probably file an IRP or lawsuit.
• Afilias gets disqualified. Verisign wins .web and then it has to be figured out how much it pays. I believe the high bid before the third-place bidder pulled out was around $54 million, so it could be in that ball-park. Afilias will probably file another IRP or lawsuit.
• Both Afilias and Verisign get disqualified. The third-placed bidder — and I don’t thinks its identity has ever been made public — wins .web and pays whatever their high bid was, possibly around $54 million. Everyone sues everyone else and all the lawyers get to buy themselves a new summer home.

The other remaining applicants are Donuts, Google, Radix and Schlund. Web.com has withdrawn its application.

The people who will decide whether to disqualify anyone are the six members of the Board Accountability Mechanisms Committee who are not recusing themselves due to conflicts of interest (Edmon Chung has a relationship with Afilias).

Given that the board has already ruled that it has a fiduciary duty to dip into the new gTLD auction proceeds pretty much whenever it pleases, can’t we also assume that it has a fiduciary duty to make sure that auction proceeds pool is as large as possible?

Closed generic gTLDs likely to be allowed, as governments clash with ICANN

So-called “closed generics” seem to be on a path to being permitted in the next new gTLD application round.

The issue reconfirmed itself at ICANN 73 last week as a major point of disagreement between governments and ICANN, and a major barrier to the next round of new gTLDs going ahead.

But a way forward was proposed that seems likely to to permit closed generics in some form in the next round, resolving an argument that has lasted the better part of a decade.

It seems ICANN now expects that closed generics WILL be permitted, but restricted in some yet-to-be-decided way.

A closed generic is a gTLD representing a dictionary word that is not also a brand, operated by a registry that declines to sell domains to anyone other than itself and its close affiliates.

Imagine McDonald’s operating .burgers, but no other fast food chain, cow-masher, or burger afficionado is allowed to register a .burgers domain.

ICANN’s 2012 application round implicitly allowed applications for such gTLDs — at least, it did not disallow them — which prompted outrage from the governments.

The GAC’s Beijing communique (pdf), from April 2013, urged ICANN to retroactively ban these applications unless they “serve a public interest goal”.

The GAC identified 186 applications from the 2012 round that appeared to be for closed generics.

ICANN, taking the GAC’s lead, gave these applicants a choice to either convert their application to an open generic, withdraw for a refund, or maintain their closed generic status and defer their applications to the next round.

Most opted to switch to an open model. Some of those hacked their way around the problem by making registrations prohibitively restrictive or expensive, or simply sitting on their unlaunched gTLDs indefinitely.

The GNSO policy for the next round is inconclusive on whether closed generics should be permitted. The working group contained two or three competing camps, and nobody conceded enough ground for a consensus recommendation to be made.

It’s one of those wedge issues that highlights the limitations of the multistakeholder model.

The working group couldn’t even fall back on the status quo since they couldn’t agree, in light of ICANN’s specific request for a clear policy, what the status quo even was.

Policy-makers are often also those who stand to financially benefit from selling shovels to new gTLD applicants in the next round. The fewer restrictions, the wider the pool of potential clients and the more attractive the sales pitch.

The working group ended up recommending (big pdf) further policy work by disinterested economics and competition law experts, which hasn’t happened, and the GNSO Council asked the ICANN board for guidance, which it refused to provide.

The GAC has continued to press ICANN on the issue, reinforcing its Beijing advice, for the last year or so. It seems to see the disagreement on closed generics as a problem that highlights the ambiguity of its role within the multistakeholder process.

So ICANN, refusing to create policy in a top-down fashion, is forcing the GAC and the GNSO to the table in bilateral talks in an attempt to create community consensus, but the way the Org is framing the issue may prove instructive.

A framework for these discussions (pdf) prepared by ICANN last week suggests that, when it comes to closed generics, an outright-ban policy and an open-door policy would both be ruled out from the outset.

The paper says:

It is evident from the PDP deliberations and the community’s discussions and feedback that either of the two “edge outcomes” are unlikely to achieve consensus; i.e.:

• 1. allowing closed generics without restrictions or limitations OR
• 2. prohibiting closed generics under any circumstance.

As such, the goal could be to focus the dialogue on how to achieve a balanced outcome that does not represent either of these two scenarios. The space to be explored in this dialogue is identifying circumstances where closed generics could be allowed (e.g., when they serve the public interest, as noted by the GAC Advice). This will likely require discussions as to the types of possible safeguards that could apply to closed generics, identifiable public interest goals for that gTLD and how that goal is to be served, with potential consequences if this turns out not to be the case.

It sounds quite prescriptive, but does it amount to top-down policy making? Insert shrugging emoji here. It seems there’s still scope for the GAC and GNSO to set their own ground rules, even if that does mean relitigating entrenched positions.

The GAC, in its ICANN 73 communique (pdf) said yesterday that it welcomes these talks, and the GNSO Council has already started to put together a small team of councillors (so far also former PDP WG members) to review ICANN’s proposal.

ICANN expects the GNSO-GAC group to begin its work, under an ICANN-supplied facilitator, on one or more Zoom calls before ICANN 74 in June.

ICANN bigwigs support sanctions on Russian domains

Current and former ICANN directors are among 36 high-profile tech policy veterans to support the creation of a new domain block-list that could be deployed in humanitarian crises such as the current war in Ukraine.

An open letter (pdf), published last night, calls to effectively create a list of sanctioned domain names and IP addresses that could be blocked in much the same way as current lists help network operators block spam and malware.

The letter says:

We call upon our colleagues to participate in a multistakeholder deliberation… to decide whether the IP addresses and domain names of the Russian military and its propaganda organs should be sanctioned, and to lay the groundwork for timely decisions of similar gravity and urgency in the future.

Signatories include current ICANN director Ihab Osman, former chair Steve Crocker, founding CEO Mike Roberts, former CSO Jeff Moss and former director Alejandro Pisanty.

Other signatories include three members of the European Parliament, various academics and security researchers, the bosses of networking coordination groups, and the CEOs of several ccTLD registries.

Dmitry Kohmanyuk, founder of Ukrainian ccTLD registry Hostmaster, also signed the letter.

The letter deconstructs Ukraine’s recent requests for internet sanctions against Russian, including its request for ICANN to turn off Russia’s .ru domain, and concludes “the revocation, whether temporary or permanent, of a ccTLD is not an effective sanction because it disproportionately harms civilians”.

Such a sanction would be trivially circumvented and would lead to the proliferation of alt-roots, harming international interoperability, they say.

Having ruled out sledgehammers, the letter goes on to suggest a nutcracker approach, whereby the domain names and IP addresses of sanctioned entities are blocked by consensus of network operators like they’re no more than filthy spammers. The letter reads:

Blocklisting of domain names allows full precision and specificity, which is the problem that precludes action by ICANN. The system is opt-in, voluntary, consensual, and bottom-up, all values the Internet governance community holds dear. Yet, at the same time, it has achieved broad adoption.

We conclude that the well-established methods of blocklisting provide the best mechanism for sanctioning both IP routes and traffic and domain names, and that this mechanism, if implemented normally by subscribing entities, has no significant costs or risks.

The billion-dollar question is of course: Who would decide what goes on the list?

The letter, which says it’s designed to be a conversation-starter, is a bit vague on the policy-making aspect of the proposal.

It calls for the formation of “a new, minimal, multistakeholder mechanism” that would publish a block-list data feed after “due process and consensus”, adding:

This process should use clearly documented procedures to assess violations of international norms in an open, multistakeholder, and consensus-driven process, taking into account the principles of non-overreach and effectiveness in making its determinations. This system mirrors existing systems used by network operators to block spam, malware, and DDoS attacks, so it requires no new technology and minimal work to implement.

While such a system might well help protect gullible (to pick a nationality at random) Americans from the Kremlin’s misinformation campaigns, it’s not immediately clear to me how such a system would help shield blameless everyday Russians from their own government’s propaganda.

If rt.com, for example, were on the block-list, and Russia wanted RT available to its citizens, presumably Russian ISPs would just be told, at the barrel of a metaphorical gun, to stop using the block-list.

It will be interesting to see where this conversation leads.

Soviet Union “no longer considered eligible for a ccTLD”, ICANN chair confirms

The former Soviet Union’s .su domain could soon embark along the years-long path to getting kicked off the internet, ICANN’s chair has indicated.

The .su ccTLD, which survived the death of the USSR thirty years ago “is no longer considered eligible for a ccTLD”, Martin Botterman said in response to a question by yours truly at the ICANN 73 Public Forum yesterday.

It seems ICANN will no longer turn a blind eye to .su’s continued existence, and that the policy enabling ccTLDs to be “retired” could be invoked in this case, after it is finalized.

The question I asked, per the transcript, was:

While it is generally accepted that ICANN is not in the business of deciding what is or is not a country, do you agree that the Soviet Union does not meet the objective criteria for ccTLD eligibility? And would you support dot SU entering the ccTLD retirement process as and when that process is approved?

I went into a lot of the background of .su in a post a couple weeks ago, and I’m not going to rehash it all here.

I wasn’t expecting much of a response from ICANN yesterday. Arguments over contested ccTLDs, which usually involve governments, are one of the things ICANN is almost always pretty secretive about.

So I was pleasantly surprised that Botterman, while he may have dodged a direct answer to the second part of the question, answered the first part with pretty much no equivocation. He said, per the recording:

It is correct that the Soviet Union is no longer assigned in the ISO 3166-1 standard and therefore is no longer considered eligible for a ccTLD.

ICANN Org has actually held discussions with the managers of the .su domain in the past to arrange an orderly retirement of the domain, and the ccNSO asked ICANN Org starting in 2010 and reiterated in 2017 to pause its efforts to retire the domain so that the Policy Development Process could be conducted. And that is a request we have honored.

So we’re glad to report that the ccNSO recently concluded that Policy Development Process and sent its policy recommendations to the ICANN board.

We will soon evaluate the ccNSO policy recommendations, and we will do so in line with the bylaws process.

It looked and sounded very much like he was reading these words from his screen, rather than riffing off-the-cuff, suggesting the answer had been prepared in advance.

I wasn’t able to attend the forum live, and I’d submitted the question via email to the ICANN session moderator a few hours in advance, giving plenty of time for Botterman or somebody else at ICANN to prepare a response.

The ccNSO policy referred to (pdf), which has yet to be approved by the ICANN board, creates a process for the removal of a ccTLD from the DNS root in scenarios such as the associated country ceasing to exist.

It’s creatively ambiguous — deliberately so, in my view — when it comes to .su’s unique circumstances, presenting at least two hurdles to its retirement.

First, the Soviet Union stopped being an officially recognized country in the early 1990s, long before this policy, and even ICANN itself, existed.

Second, the .su manager, ROSNIIROS, is not a member of the ccNSO and its debatable whether ICANN policies even apply to it.

In both of these policy stress tests, the ccNSO deferred to ICANN, arguably giving it substantial leeway on whether and how to apply the policy to .su.

I think it would be a damn shame if the Org didn’t at least try.

While it’s widely accepted that ICANN made the correct call by declining to remove Russia’s .ru from the root, allowing .su to continue to exist when it is acknowledged to no longer be eligible for ccTLD status, and the policy tools exist to remove it, could increasingly look like an embarrassing endorsement in light of Russian hostilities in former Soviet states.

DNSSEC claims another victim as entire TLD disappears

A country’s top-level domain disappeared from the internet for many people yesterday, apparently due to a DNSSEC key rollover gone wrong.

All domains in Fiji’s ccTLD, .fj, stopped resolving for anyone behind a strict DNSSEC resolver in the early hours of the morning UTC, afternoon local time, and stayed down for over 12 hours.

Some domains may still be affected due to caching, according to the registry and others.

The University of the South Pacific, which runs the domain, said that it had to contact ICANN’s IANA people to get the problem fixed, which took a while because it had to wait for IANA’s US-based support desk to wake up.

IANA head Kim Davies said that in fact its support runs 24/7 and in this case IANA took Fiji’s call at 2.47am local time.

Analyses on mailing lists and by Cloudflare immediately pointed to a misconfiguration in the country’s DNSSEC.

It seems Fiji rolled one of its keys for the first time and messed it up, meaning its zone was signed with a non-existent key.

Resolvers that implement DNSSEC strictly view such misconfigurations as a potential attack and nix the entire affected zone.

It happens surprisingly often, though not usually at the TLD level. That said, a similar problem hit thousands of Sweden’s .se domains, despite the registry having a decade’s more DNSSEC experience than Fiji, last month.

Domain Incite had a similar problem recently when its registrar carried on publishing DNSSEC information for the domain long after I’d stopped paying for it.

UPDATE: This post was updated with comment from IANA.

Ukraine’s emotional plea to ICANN 73

A Ukrainian government representative has delivered a powerful speech at ICANN 73, calling on ICANN, the community, and the domain name industry to do more to help the war-ravaged country.

Speaking at the opening plenary session of ICANN’s Governmental Advisory Committee, Ukraine representative Andrii Nabok gave his personal account of coming under Russian fire at his home near Kyiv, and praised the “heroic” efforts of ISPs and local ccTLD registry Hostmaster in keeping the internet functional for many Ukrainians.

He went on to condemn the invasion in the strongest terms, calling the Russian Federation “the empire of evil, the terrorist state number one, the fascist of the 21st century”.

Nabok welcomed ICANN’s offer of $1 million to aid with connectivity, saying that Ukraine is in need of satellite terminals, but questioned ICANN’s decision to refuse the country’s request to disconnect .ru from the DNS root.

He went on to call for the domain industry to contribute to anti-Russian sanctions, and questioned whether it is still appropriate for ICANN to have a Russian as one of its DNSSEC “trusted community representative” key-holders.

His speech was followed by prepared expressions of solidarity from the UK, France, the European Union, Switzerland, Australia, the US, Canada, Burkina Faso, Argentina, and Burundi.

Russia took the floor briefly to say that it does not believe ICANN is a suitable forum to discuss “political issues”.

No government echoed Ukraine’s call for ICANN to use its DNS root management powers to sanction Russia, with most expressing support for the Org’s neutrality and the multi-stakeholder model.

I’m going to publish Nabok’s entire speech here, taken from the official transcript with only minor formatting edits. Recordings of the session can be found on its web page (registration required).

“One world, one Internet.” This slogan in our opinion is wonderful. Multistakeholder model, a community-based, consensus-driven approach to policymaking, this model is great. Ukraine admires both the slogan and this model. Ukraine believes both in this slogan and this model. The Ukrainian government showed its support for them in its numerous actions and statements before.

On February 24th at 5:00 am, my family woke up from explosions. We saw a little fire and smoke in the window. Our city near Kyiv was shelled by rockets. I cannot put into words the feeling when you have to explain to your seven-year-old daughter that we urgently need to leave home to save our lives. In a few minutes, my friends from all parts of Ukraine confirmed that there had been missile strikes in the whole country. At once, all the values you lived with yesterday cease to exist, and now the main task is to save our families, relatives, and friends.

So Russian missiles attacked Ukraine. Putin said it is a special military operation in the territory of independent country. Putin said the goal is demilitarization and denazification to ensure the security of Russia. Security of the largest country in the world with the most enormous nuclear potential seems to be defending itself against [inaudible] without nuclear weapons.

Logic has left our chat. Today is the 12th day of the war. Not some operation, but a war. A war in Europe, undeclared Russian war on Ukraine. It is the 12th day of Russian bombing in our peaceful Ukrainian cities and even villages, schools, kindergartens, maternity clinics, even nuclear stations. But Putin’s blitzkrieg became blitz failure. The whole world admires the courage of Ukrainian soldiers and civilians, on social media, in private messages, on TV. Unfortunately, thousand Ukrainians have been killed, including 38 children.

Millions of Ukrainians have been forced to leave their homes. Many of you sent us many words of support, sheltered us, and helped our army. Many thanks to you. Many of you understood that the real goal of Kremlin and Russian dictatorship is to destroy freedom, peace and human rights, right to life, right to dignity, right to freedom, and right to Internet.

Last year our team carried out a large state infrastructure project for deploying fiber optics networks in the most remote villages of our country. According to our last data, we had the highest level of coverage of high-capacity networks among all the European countries. About 97% of the Ukrainian population had the opportunity to connect to Internet based on fiber optic technologies.

Those settlements where the Russian army enters are cut off from the Internet. For example, in one of the villages where my relatives live, there are currently several thousand Russians. As soon as they captured the village, they immediately cut the optical cable and shot at the mobile operator’s base station with a machine gun. People are now cut off from the world.

Today is the 12th day of destroying Ukrainian Internet infrastructure by Russian bombs. Our heroic ISPs rebuild it under fire, risking their lives to save communications for people. Thanks to our heroic ISPs and Elon Musk’s support, people in bomb shelters still have a chance to know whether their relatives are safe or not, whether they are alive, or unfortunately, no more.

Our cybersecurity is also under threat. Thanks to heroic efforts, the .UA domain is stable. All services have been moved to backup positions and function independently from the Ukrainian infrastructure. Hostmaster LLC strengthened Anycast secondaries to prevent possible attacks on domain service.

“ICANN has been built to ensure that the Internet works, not for its coordination role to be used to stop it from working.”

I fully support these words of Göran Marby, ICANN CEO. But I would like to ask you, will it be okay for you if Internet is working for all except Ukrainians? Just because Russian assassins will kill Ukrainians. Of course, this is an apocalyptic scenario that will not be implemented. Ukrainians will not allow this. Ukraine has already received invaluable support from nearly all ICANN constituencies and at individual level. We are grateful for your help in strengthening the cybersecurity of .UA as well as other items of our critical infrastructure. We welcome the decision of ICANN Board to allocate an initial sum of 1 million US dollars to be used to provide financial assistance to support access to Internet infrastructure in emergency situations.

It will be great to spend a part of this sum to buy more Starlinks for Ukrainian Internet users. Of course, ICANN cannot close the sky over Ukraine, but I would like to ask all of you to appeal to your governments to protect Ukraine, and the infrastructure of the Internet for that matter, from the barbaric actions of Putin’s Russia. We fully support ICANN’s commitment to ensure a single and global Internet. Moreover, we have already asked to limit the Kremlin’s influence on our common free digital space since the national Russian peculiarities of Internet governance are known worldwide. Kremlin wants and will be happy to get the sovereign Internet, and they will get it by destroying “one world, one Internet” if we do not unite against such threats.

On March 11th, Russia will completely disconnect from the global Internet but the Russian representative will retain his role as one of the 12 holders of the DNSSEC root key. Are you serious? That is why we call on ICANN community, IANA, registrars and registries and the vendors who make the Internet free and available for everyone on the Earth to join the enforcement to the sanctions of the civilized world recently imposed on Kremlin, Russian companies and individuals. Do not allow them to use the Internet as a cyber battlefield against fundamental human rights and do not allow them to attack critical infrastructure for bloody warfare.

We also call on public and private entities to make steps in technological exodus from the Russian Federation, the empire of evil, the terrorist state number one, the fascist of 21st century. Last person out turns off the lights. I hope it will not be ICANN.

Thank you, dear community, for your support. We believe that you are also on the side of freedom and light.

ICANN extends Covid-19 abuse monitoring to Ukraine war

ICANN has started monitoring domains related to the war in Ukraine for potential abuse, expanding an ongoing project related to the Covid-19 pandemic.

CEO Göran Marby has during multiple sessions at ICANN 73 this week said that the Org will soon announce an extension of its DNSTICR project — pronounced “DNS Ticker” and standing for Domain Name Security Threat Information Collection & Reporting.

The plan is to alert registrars about Ukraine-related domain names being used to scam people or drop malware.

“There will be coming up more information about this very soon, but we have decided to also add names in relationship to the conflict in Ukraine,” Marby said during a session with the Commercial Stakeholders Group.

DNSTICR was launched in March 2020, when the pandemic was in full swing, to find new domains containing keywords such as “covid”, “pandemic” and “coronavirus”, and check them against domain abuse lists.

From May 2020 to August last year, it flagged 210,939 pandemic-related domains, and found that 3,791 of them were malicious with “high confidence”.

CTO John Crain said in a session on Monday: “There’s a lot of stuff in the press and some technical papers out there that show clearly that the bad guys, as always, have, once again, pivoted to whatever is happening in the world. So if we can do a little bit to help, we will.”

ICANN’s Ukraine relief may extend to Russians too

Russian domain name registrants affected by sanctions could benefit from ICANN’s relaxation of its renewal rules.

ICANN on Monday announced that it was classifying the war in Ukraine as an “extenuating circumstance” under the terms of its standard Registrar Accreditation Agreement.

This means that Ukrainians cut off from the internet due to the invasion could be cut some slack, at their registrar’s discretion, when it comes to renewing their gTLD domains.

But ICANN’s executive team was asked, during a session at ICANN 73 later that day, whether the same benefits could be extended to Russian registrants, perhaps unable to pay due to Western sanctions on payment systems.

Visa, Mastercard, American Express and Paypal are among those to restrict Russian accounts in recent days.

ICANN mostly ducked the question.

Co-deputy CEO Theresa Swinehart responded by deferring to the original blog post, and general counsel John Jeffrey followed up by quoting some of the post’s language:

“I think we’re clear in that the events in Ukraine and the surrounding region are now considered by ICANN to be an extending circumstance under the Registrar Accreditation Agreement, under 3.7.5.1,” he said.

The words “surrounding region”, found in the original post alongside “affected region” and “affected area”, seem to be key here.

They could just as easily refer to Russia as they could to places such as Poland and Hungary, which are currently accepting hundreds of thousands of Ukrainian refugees.

It seems the registrars may have the discretion here; ICANN was apparently in no hurry to provide clarity.

The exchange came during a 90-minute session in which ICANN’s executive team were peppered with community questions, many related to the war and how ICANN might be affected by US-imposed sanctions.

Execs said that ICANN would comply with any US laws related to sanctions but that so far it had not seen anything that would affect its ability to contract with Russian companies.

A question apparently related to whether ICANN was reviewing its relationships with law firms and banks that may be involved with Russian oligarchs, much like Tucows is doing, was ducked.

They were also asked how the $1 million ICANN at the weekend earmarked to help keep Ukraine online might be spent, and while CEO Göran Marby alluded to a broad request from Ukraine for satellite terminals, he said it had been less than a day since the resolution was passed and it was too early to say.

“We obviously will focus on what we can do that makes the maximum impact as close to our mission as we possibly can,” added Sally Costerton, senior VP of stakeholder engagement.

ICANN offers $1 million to Ukraine projects, supports Ukrainian registrants

ICANN has allocated $1 million to help protect internet access in war-torn Ukraine.

Its board of directors at the weekend voted to set aside the “initial sum” of money “to provide financial assistance to support access to Internet infrastructure in emergency situations.”

There’s an expectation that the cash will be spent “on support for maintaining Internet access for users within Ukraine”, where the Russian invasion is described as “tragic and profoundly troubling”, over the next few months, the board said.

It’s not clear yet exactly how the money will be spent, though something related to the keeping the DNS up and running would seem to be the most probable. The resolution calls for the CEO to develop a process to figure it out.

Ukraine’s ccTLD manager, Hostmaster, moved its servers into other European countries shortly after the invasion, and signed up to Cloudlflare’s DDoS protection service. It’s not clear whether it had to spend money on these moves.

ICANN’s million will come from its regular operating budget, not the stash it has set aside from its new gTLD auctions. The auction money will probably be spent on similar things eventually, but the process for allocating that is still being worked out in a committee.

ICANN also said this week that it is, as I and others suggested, exercising section 3.7.5.1 of its Registrar Accreditation Agreement to declare the invasion an “extenuating circumstance”, meaning Ukrainians who are unable to renew their domain name registrations before they expire may not lose them.

Registrars now have the option to keep these domains registered after their usual expiration date and ICANN will not send its Compliance enforcers after them.

“We encourage registrars and registries to support this action and take these circumstances into consideration when reviewing impacted registrants’ renewal delinquencies in affected regions,” ICANN said.

It’s the first time ICANN has exercised this power in connection with a human-made disaster. It previously invoked 3.7.5.1 in response to Hurricane Maria in Puerto Rico and worldwide in response to the Covid-19 pandemic.

Hostmaster itself has extended the redemption period for .ua domains from 30 to 60 days.

ICANN says NO to Ukraine’s Big Ask

“ICANN has been built to ensure that the Internet works, not for its coordination role to be used to stop it from working.”

That’s ICANN’s response to Ukraine, which earlier this week asked for Russia to lose its top-level domains and IP addresses, to help prevent propaganda supporting its invasion of the country.

The request was arguably based on a misunderstanding of the extent of ICANN’s powers, and CEO Göran Marby says as much in his response last night (pdf) to Ukraine’s deputy prime minister Mykhailo Fedorov:

In our role as the technical coordinator of unique identifiers for the Internet, we take actions to ensure that the workings of the Internet are not politicized, and we have no sanction-levying authority

He goes on to warn about the “devastating and permanent effects” of ICANN suddenly deciding to take unilateral action against .ru, .рф and .su:

For country-code top-level domains, our work predominantly involves validating requests that come from authorized parties within the respective country or territory. The globally agreed policies do not provide for ICANN to take unilateral action to disconnect these domains as you request. You can understand why such a system cannot operate based on requests from one territory or country concerning internal operations within another territory or country. Such a change in the process would have devastating and permanent effects on the trust and utility of this global system.

He concludes:

Within our mission, we maintain neutrality and act in support of the global Internet. Our mission does not extend to taking punitive actions, issuing sanctions, or restricting access against segments of the Internet — regardless of the provocations. ICANN applies its policies consistently and in alignment with documented processes. To make unilateral changes would erode trust in the multistakeholder model and the policies designed to sustain global Internet interoperability.

The response is expected, and I believe broadly, if not unanimously, supported in the ICANN community.

In a line I wish I’d written, the Internet Society’s CEO Andrew Sullivan put it pretty succinctly in a blog post yesterday:

The idea of unplugging a country is as wrong when people want to do it to another country as it is when governments want to do it to their own.

And Sébastien Bachollet, chair of ICANN stakeholder group EURALO, insisted (pdf) that “the Internet must remain intact”.

RIPE NCC, which had been asked to revoke IP addresses supplied to Russian organizations, wrote that it “believes that the means to communicate should not be affected by domestic political disputes, international conflicts or war.”

ICANN may take a short-term PR hit in the wider world, which includes people who have a misunderstanding of how powerful ICANN is and how tenuous its grasp on the powers it does have.

While .ru appears to be safe, there’s nothing I read in Marby’s letter that would preclude it from initiating retirement proceedings against .su, when the proper policies have been approved.