Latest news of the domain name industry


SSAD: Whois privacy-busting white elephant to be shelved

Kevin Murphy, May 6, 2022, Domain Policy

ICANN is likely to put SSAD, the proposed system for handling requests for private Whois data, on the back-burner in favor of a simplified, and far less expensive, temporary fix.

But now ICANN is warning that even the temporary fix might be problematic, potentially delaying unrelated work on the next new gTLD round for months.

The GNSO Council has asked the ICANN board of directors that “consideration of the SSAD recommendations be paused” in favor of what it calls “SSAD Light”.

SSAD, for Standardized System for Access and Disclosure, is a sprawling, multifaceted proposal that would create a system whereby trademark owners, for example, can request Whois data from registrars.

After months of studying the proposal, ICANN decided it could cost as much as $27 million to build and might not go live before 2028.

There’s apparently substantial resistance within ICANN Org to committing to such a project, so the GNSO put together a small team of experts to figure out whether something simpler might be a better idea.

They came up with SSAD Light, which would be basically a stripped-down ticketing system for data requests designed in part to gauge potential uptake and get a better idea of what a full SSAD might cost.

But there’s some strong resistance to SSAD Light, notably from former ICANN chair Steve Crocker, who recently called it “nonsense” with a design that does not match its goals.

Nevertheless, the GNSO Council submitted the bare-bones proposal to the ICANN board in an April 27 letter (pdf).

Since then, it’s emerged that simply fleshing out the design for SSAD Light would add at least six weeks to the separate Operational Design Phase of the next new gTLD application round (known as SubPro). I assume this is due to ICANN staff workload issues as the two projects are not massively interdependent.

This delay to SubPro could extend to “months” if ICANN is then asked to build SSAD Light, according to Jeff Neuman, who’s acting as liaison between the GNSO and ICANN on the SubPro ODP.

In a nutshell, the GNSO Council is being asked what it wants more — Whois reform, or more new gTLDs. It’s a recipe for fireworks, and no mistake.

It will meet May 19 to discuss the matter.

ICANN reports shocking increase in pandemic scams

Kevin Murphy, May 6, 2022, Domain Tech

The number of gTLD domains being used for malware and phishing related to the Covid-19 pandemic has increased markedly in the last eight months, according to data released by ICANN this week.

The Org revealed that since it started tracking this kind of thing in May 2020 it has flagged 23,452 domains as “potentially active and malicious”.

The data is collected by checking zone files against a list of 579 keywords and running the results through third-party abuse blocklists. Blocked domains are referred to the corresponding registrars for action.
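The two-stage check described above, sketched as an added example (not ICANN's code): the zone fragment, keyword list, blocklists and registrar map are all constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): a gTLD zone fragment, a short keyword
# list, two third-party blocklists and a domain-to-registrar map.
ZONE = """\
$ORIGIN example.
@                        172800 IN NS a.nic.example.
covid19-relief-fund      172800 IN NS ns1.parked.test.
covid19-relief-fund      172800 IN NS ns2.parked.test.
coronado-hotel           172800 IN NS ns1.host.test.
vaccine-booking.example. 172800 IN NS ns1.clinic.test.
free-pandemic-masks      172800 IN NS ns1.cheap.test.
bakery                   172800 IN NS ns1.host.test.
ns1.bakery               172800 IN A  192.0.2.10 ; glue, not a delegation
"""
KEYWORDS = ["covid", "corona", "vaccine", "pandemic"]
BLOCKLISTS = {
    "list-a": {"covid19-relief-fund.example", "bakery.example"},
    "list-b": {"covid19-relief-fund.example", "free-pandemic-masks.example"},
}
REGISTRAR_OF = {
    "covid19-relief-fund.example": "Registrar One",
    "free-pandemic-masks.example": "Registrar Two",
}

def delegated_domains(zone_text):
    """Return every name in the zone that carries an NS record, minus the apex."""
    origin, found = "", set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments, tokenise
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        if fields[0].startswith("$") or "NS" not in [f.upper() for f in fields[1:-1]]:
            continue                                # other directives, non-NS records
        owner = fields[0].lower()
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")                # already fully qualified
        else:
            fqdn = f"{owner}.{origin}" if origin else owner
        if fqdn != origin:                          # the TLD's own NS set is not a registration
            found.add(fqdn)
    return found

def keyword_hits(domains, keywords):
    """Stage 1: substring match on the registered label. Over-matches by design."""
    hits = {}
    for domain in sorted(domains):
        matched = [k for k in keywords if k in domain.split(".")[0]]
        if matched:
            hits[domain] = matched
    return hits

def flag(hits, blocklists):
    """Stage 2: keep only keyword hits that at least one blocklist also lists."""
    flagged = {}
    for domain in hits:
        sources = sorted(name for name, entries in blocklists.items() if domain in entries)
        if sources:
            flagged[domain] = sources
    return flagged

def referrals(flagged, registrar_of):
    """Group flagged domains by sponsoring registrar for reporting."""
    grouped = defaultdict(list)
    for domain in sorted(flagged):
        grouped[registrar_of.get(domain, "unknown registrar")].append(domain)
    return dict(grouped)
```

In this sample, `coronado-hotel.example` matches a keyword but is on no blocklist, and `bakery.example` is blocklisted but matches no keyword, so neither is referred.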

I’m not sure you could technically call these “takedown requests”, but there’s a pretty strong implication that registrars should do the right thing when they receive such a report.

The 23,452 notices is a sharp rise from both the 12,860 potentially abusive flagged names and 3,791 “high confidence” reports ICANN has previously said it found from the start of the project until August 2021.

It’s not clear whether the rise is primarily due to an increase in abusive practices or ICANN’s improved ability to detect scams as it adds additional keywords to its watch-list.

ICANN said in March that it is now also tracking keywords related to the Russian invasion of Ukraine.

It’s also asking organizations in frequently targeted sectors to supply keyword suggestions for languages or scripts that might be under-represented.

The data was processed by ICANN’s Domain Name Security Threat Information Collection and Reporting (DNSTICR or “DNS Ticker”), which Org management previously discussed at ICANN 73.

Washington DC picked for ICANN 77

Kevin Murphy, May 4, 2022, Domain Policy

ICANN is set for a rare visit to the mainland USA for one of its public meetings next year.

Capital Washington DC has been picked for ICANN 77, set to run 12-15 June, 2023, according to a vote of the board of directors published today.

It will be the first time ICANN has summoned its hordes to its native shores since 2014, when it held a meeting in Los Angeles.

Seattle had been picked for last October’s ICANN 73, but it was cancelled due to pandemic travel restrictions.

ICANN rotates its meetings through five geographic regions, and recent North American meetings have meant Canadian and Puerto Rican venues.

It will be the first time ICANN has picked DC for a public meeting. It has an office there.

ICANN salary porn: 2021 edition

Kevin Murphy, May 3, 2022, Domain Policy

It’s that time of year again when ICANN publishes its tax returns and we all get to ogle the phat paychecks its top brass are cutting themselves with domain registrants’ money.

Headlining, CEO Göran Marby actually got paid a bit less in fiscal 2021, which ended last June, than he did the previous year — $908,674, plus another $68,866 from “other” sources.

That total of $977,540 is lower than the total of $1,059,222 he received in fiscal 2020, largely due to receiving about $94,000 less in bonus payments.

Marby was given a 5% pay raise in February 2021, though not without some director dissent.

The Form 990 goes on to disclose the salaries of 35 ICANN management and directors, showing that 19 of them make over $300,000 a year. Five, including Marby, receive over half a million dollars.

Directors, if they choose to draw a salary, take home a flat $45,000, which is sometimes paid to their companies instead. Chair Maarten Botterman had $75,000 paid to his consulting company.

The filing reveals that VP Cyrus Namazi, who left the Org during the period after attracting sexual harassment complaints from at least two female colleagues, was given a $375,000 golden parachute.

And former COO Susanna Bennett was given $380,380 in severance payments, despite the fact that her departure was originally described by Marby as her own voluntary decision.

Law firm Jones Day was the best-paid contractor, billing $8,769,608 in the year. That was up from $5,513,028 in the previous year.

Software developers Architect, Zensar and OSTechnical received $2,769,856, $1,396,232 and $1,093,070 respectively, presumably for work on the ICANN web site.

ICANN’s revenue for the year was $163,942,482, of which $97.5 million came from registrars and registries.

The Org had $555,804,201 in assets at the end of the year.

You can download the forms here.

UDRP comments reveal shocking lack of trust in ICANN process

Kevin Murphy, April 26, 2022, Domain Policy

Is trust in the ICANN community policy-making process on the decline? Submissions to a recent public comment period on UDRP reform certainly seem to suggest so.

Reading through the 41 comments filed, it’s clear that while many community members and constituencies have pet peeves about UDRP as it stands today, there’s a disturbing lack of trust in ICANN’s ability to reform the policy without breaking it, and very little appetite for a full-blown Policy Development Process.

It’s one area where constituencies not traditionally allied or aligned — such as domain investors and intellectual property interests — seem to be on the same page.

Both the Intellectual Property Constituency and the Internet Commerce Association are among those calling for any changes to UDRP to be drafted rapidly by subject-matter experts, rather than being opened to full community discussion.

The IPC called the UDRP “a vital and fundamental tool that has a long and proven track record”, saying it has “generally been consistently and predictably applied over the course of its more than 20-year history”. Its comment added:

it is critically important that future policy work regarding the UDRP not diminish, dilute, or otherwise undermine its effectiveness. Such policy work should be extremely deferential to and reliant on the input of experts who have actual experience working with and within the UDRP system, and resistant to efforts that would weaken the UDRP system; any such work should be based on facts and evidence of problems in need of a systematic policy-level solution, and not merely to address specific edge cases, differences of opinion, or pet issues.

That’s pretty much in line with the ICA’s comments, which state that participants in future UDRP reform talks “should be experts… individuals who have extensive personal and practical knowledge of the UDRP through direct personal involvement”.

That language — in fact several paragraphs of endorsement for an expert-driven effort — appears almost verbatim in the separately filed comments of the Business Constituency, of which the ICA is a member.

The ICA’s reluctance to endorse a full-blown PDP appears to come from the experience of the Review of all Rights Protection Mechanisms in all gTLDs PDP, or “Phase 1”, which ran from 2016 to 2020.

That working group struggled to reach consensus on even basic stuff, and at one point frictions reached a point where allegations of civility rules breaches caused warring parties to lawyer up.

“Phase 1 was lengthy, unproductive, inefficient, and an unpleasant experience for all concerned,” the ICA wrote in its comments.

“Perhaps the biggest problem with Phase 1 was that structurally it was inadvertently set up to encourage disagreements between interest groups rather than to facilitate collaboration, negotiation, and problem solving,” it said.

The BC arguably goes further in its deference to experts, calling on ICANN to invoke section 13.1 of its bylaws and drag in the World Intellectual Property Organization — leading UDRP provider and drafter of the original 1999 policy — as an expert consultant.

The BC also wrote:

It is imperative that stakeholders do not unnecessarily open up a can of worms with the UDRP through destabilizing changes; rather, they should take a focused and targeted approach, only entertaining improvements and enhancements which stand a reasonable chance of gaining consensus amongst stakeholders

WIPO itself is thinking along the same lines:

If the choice is made to review the UDRP, the process should be expert-driven and scoped

To avoid undoing the UDRP’s success, ICANN needs to give serious consideration to the weight to be accorded to the various opinions expressed. So-called “community feedback” referred to, for example, in section 4 of the PSR seems to lack specific depth and can seem more ideological or anecdotal

Comments from ICANN’s contracted parties also expressed concerns about a PDP doing more harm than good.

The Registries Stakeholder Group has almost nothing to say about ICANN’s report, but the Registrars Stakeholder Group expressed concerns that “any updates could have unintended consequences resulting in a less effective UDRP”.

It uniquely brought up the issue of volunteer fatigue and ICANN’s cumbersome backlog of work, writing:

Although the RrSG recognizes that there are some minor areas for improvement in the UDRP, it is the position of the RrSG that a full policy development process (PDP) is not necessary. The UDRP was adopted in 1999, and has been utilized for over 60,000 UDRP cases. The RrSG is not aware of any major issues with the UDRP, and is concerned that any updates could have unintended consequences resulting in a less effective UDRP. Additionally, not only is there a backlog of policy recommendations waiting for ICANN Board approval or implementation, but the RrSG is also aware of substantial community volunteer fatigue even for high-priority issues.

These comments were filed in response to a public comment period on an ICANN-prepared policy status report.

Not every comment expressed skepticism about the efficacy of a PDP. Notably, the Non-Commercial Stakeholders Group — the constituency arguably most likely to upset the apple cart if a Phase 2 PDP goes ahead — appears to fully expect that such work will take place.

There were also many comments from individuals, mostly domainers, recounting their own experiences of, and reform wish-lists for, UDRP.

ICANN’s report will be revised in light of these comments and submitted to the GNSO, which will decide what to do with it.

Covid surge scuppers ICANN LA meetings

Kevin Murphy, April 25, 2022, Domain Policy

ICANN has lost out on a chance to test a return to in-person meetings ahead of ICANN 74, due to a surge in Covid-19 cases in its home town of Los Angeles.

The US Centers for Disease Control has increased its risk rating for LA to “High”, compelling ICANN to scrap plans for a face-to-face board meeting next week.

Chair Maarten Botterman wrote:

The Board discussed the rising cases, the change in the CDC risk level, the trajectory, and the collective responsibility we have to ensure the health and safety of all of the participants, including ICANN Org staff who would support the events – and we recognized the additional risk of bringing all of ICANN leadership together in one place, under these circumstances – only six weeks before ICANN74.

The meeting will instead be held virtually by Zoom.

It’s not yet clear whether this will have any impact on ICANN’s next public meeting, which is due to take place in The Hague, the Netherlands, this June.

Botterman wrote that the Org is monitoring the situation on the ground and will provide updates as necessary.

ICANN has already announced a stringent set of restrictions, including mask wearing and social distancing, for ICANN 74.

Vox Pop defends its favorite cybersquatter

Kevin Murphy, April 22, 2022, Domain Registries

The .sucks registry, Vox Populi, has complained to ICANN about the fact that its biggest customer keeps losing cybersquatting cases.

In its submission to ICANN’s recently closed public comment period on UDRP reform, Vox Pop bemoans the fact that panels keep finding that Honey Salt, a shell company based in a tax haven, isn’t really engaging in non-commercial free speech.

Honey Salt was the registrant of thousands of .sucks domains, all matching famous trademarks, that redirected visitors to a wiki-style gripe site, populated with content scraped from third-parties, at Everything.sucks.

After a long series of lost UDRP cases, Honey Salt started allowing its domains to expire and zone files suggest only a couple hundred or so remain today.

Neither Honey Salt nor Everything.sucks responded to ICANN’s public comment period, which was seeking input on possible changes to UDRP.

But Vox Pop did on their behalf, complaining bitterly that “forum shopping and bias obstruct free speech” and citing mostly Honey Salt’s lost UDRP cases to evidence its arguments:

Despite 4(c)(iii) of the UDRP stating “noncommercial or fair use” is legitimate use of a domain name – numerous UDRP decisions contradict the Policy’s express recognition of fair use and free speech rights in favor of trademark owners. Several recent UDRP decisions have jeopardized free speech rights for all domain name registrants because of the lack of guidance from ICANN and/or a misapplication of free speech rights and/or bias as it relates to criticism sites.

Honey Salt had consistently argued, UDRP decisions show, that Everything.sucks was non-commercial free speech and as such was not cybersquatting under UDRP precedent and WIPO guidance.

But panels repeatedly pointed out that Everything.sucks was in fact commercial.

At first, the site hosted banners linking directly to sales landers for the domains in question — basically asking the brand owners or others to fork out hundreds or thousands of dollars to claim their matching domains.

When panelists got wise to that, the site started instead publishing the transfer authorization codes for the domains in question, so literally anyone could initiate a transfer and take ownership of the name without even asking Honey Salt’s permission — if they were willing to pay the transfer fee.

Everything.sucks and Honey Salt would not have benefited financially from these transfer fees, which often were thousands of dollars, but Vox Pop, and sometimes its registrar sister company Rebel, which sells .sucks names at cost, would.

Everything.sucks has removed the AuthCodes, but in the most-recent .sucks UDRP case Eutelsat v Honey Salt, the panel called the AuthCode scheme “little more than a ruse to generate registration fees in the thousands of dollars range”.

Vox Pop is now complaining to ICANN, I’m guessing with a straight face, that transfer fees are ICANN-mandated and therefore registrants cannot be blamed if registrars charge for transfers:

The panelist, in an unfounded grasp, used the ICANN-mandated transfer fee, charged by the registrar as rationale to find commercial use by the registrant and hence bad faith by the registrant. Other UDRP panels have similarly disingenuously blamed registrants for ICANN-mandated transfer and renewal fees imposed by registrars; panelists argue that the ICANN-mandated transfer is bad faith even though the registrant has no say or participation.

It’s an incredibly ballsy complaint by Vox Pop, given that it is Vox Pop, as the registry, that sets the price for transfers and renewals in .sucks, and that it is Vox Pop, as the Eutelsat panel noted, that has flagged many trademarks as “premium”-tier names that cost thousands of dollars to transfer and renew.

Vox also argues that it is possible for trademark-owners to “forum shop” between the various UDRP providers, in the hope of finding a panel more favorable to intellectual property interests over free speech rights.

It’s certainly not the only ICANN commenter to make this point, but it’s a pretty thin argument in the case of Honey Salt and .sucks.

Vox argues that WIPO repeatedly favors IP rights over free speech rights, and the outcome of Honey Salt’s UDRP cases may indicate why it holds that view.

Of the 20-odd UDRP cases Honey Salt has defended, most were filed with WIPO and all those filed with WIPO resulted in a complainant win. Three were filed with the National Arbitration Forum and three were filed with the Czech Arbitration Court.

The only case Honey Salt won on the merits was Miraplex v Honey Salt, one of the first cases, filed with the Czech Arbitration Court. That panel bought the defense that Everything.sucks was non-commercial free speech.

But one of the panelists in that case later sat on another Czech Arbitration Court case, Cargotec v Honey Salt, which decided in favor of the complaint. The same guy ruling two different ways on almost identical facts does not suggest panelist bias.

While at least one UDRP panel has suggested Honey Salt is just a front for the .sucks registry, Vox Populi has previously denied any connection exists.

ICANN picks recipient of $1 million Ukraine aid

Kevin Murphy, April 21, 2022, Domain Policy

ICANN has decided to donate $1 million to the Emergency Telecommunications Cluster, an international organization that helps people stay connected during times of crisis.

The donation was announced at ICANN 73 in early March, not long after Russia’s invasion of Ukraine, and ICANN has spent the last six weeks picking a recipient and doing its due diligence. For ICANN, that’s basically warp speed.

The ETC is one of 11 “clusters”, overseen by the UN’s Inter-Agency Standing Committee, which provide relief during humanitarian crises. Other clusters help with food, medicine, and so on.

Its partners include UN agencies, other governmental bodies, charities, and private companies such as Cisco and Iridium.

The ETC has been on the ground in Ukraine since March 3, preparing to provide emergency communications and strengthen infrastructure against cyber-attacks, though its latest report notes that Ukraine’s infrastructure is holding up pretty well so far.

ICANN CEO Göran Marby said in a statement:

This is an initiative for which we have no precedent; it is a first for ICANN. I am proud of the org for the drive and commitment to quickly identify the best path and organization to efficiently deliver meaningful support. The ETC’s vision of “a world where safe and local access to reliable communications is always available” is well aligned with our mission to ensure the stable and secure operation of the Internet’s unique identifier systems.

ICANN’s board has approved an ongoing program of similar donations, not just for Ukraine.

More friction over closed generics

Kevin Murphy, April 20, 2022, Domain Policy

ICANN’s Generic Names Supporting Organization and Governmental Advisory Committee seem to be headed to bilateral talks on the thorny issue of whether “closed generic” gTLDs should be allowed, but not without discontent.

The GNSO’s Non-Commercial Stakeholder Group last week opposed these talks, suggesting that the GAC is trying to acquire more policy-making power and take a second bite at the apple on an issue it has already advised on.

The NCSG wrote (pdf) to the GNSO Council last Thursday to oppose GAC talks, which are being encouraged by ICANN management and board.

Closed generics are dictionary-word gTLDs that do not match the registry’s trademarks but which nevertheless act as though they are a dot-brand, where only the registry may register domains.

There aren’t any right now, because ICANN, acting in 2014 in response to 2013 GAC advice, retroactively banned them from the 2012 application round, even though they were initially permitted.

It’s such a divisive issue that the GNSO working group (known as SubPro) that made the policy recommendations for the next round was, I believe uniquely, unable to come up with even a fudged recommendation.

The GAC is sticking to its view that closed generics are potentially harmful, and since the GNSO couldn’t make its mind up, ICANN has suggested an informal dialogue between the two parties, to encourage a solution both deem acceptable that could then be thrown back at the GNSO for formal ratification.

The NCSG objected to this idea because it appears, NCSG said, that a new policy process is being created that increases the GAC’s powers to intervene in policy-making when it sees something it doesn’t like.

But the constituency appeared to stand alone during a GNSO Council meeting last Thursday, where the prevailing opinion seemed to be that dialogue is always a good thing and it would be bad optics to refuse to talk.

The Council has formed a small team of four to decide whether to talk to the GAC, which is in favor of the move.

ICANN’s Covid-19 waiver formally appealed

Kevin Murphy, April 19, 2022, Domain Policy

Two reliably regular ICANN meeting attendees have formally asked the Org to change the legal waiver it’s asking everyone to sign if they want to show up in The Hague for ICANN 74 this June.

Michele Neylon of registrar Blacknight Solutions and Eberhard Lisse of .na ccTLD registry Namibian Network Information Center filed an emergency Request for Reconsideration with ICANN last week.

They call the waiver, which absolves ICANN from liability if participants catch Covid-19 even through ICANN’s own gross negligence, “unduly broad” and “unreasonable” and “unduly wide and harsh”.

They can’t ask their staff to sign such an all-encompassing waiver, they say.

ICANN’s Board Accountability Mechanisms Committee has already rejected the RfR, saying it doesn’t meet the timing requirements for an emergency request. It will consider it as a regular request in due course, it said.

As expected, ICANN also seems to have fixed the bug I spotted last week that allowed hybrid attendees to register without signing the waiver.