153 registrars fingered for ICANN security probe

Registrars will be asked to account for abusive domain names found on their services, under a new ICANN security audit.

ICANN says it will soon send requests for information to 153 registrars, asking them to provide documentation showing how they dealt with domains used for distribution of malware or spam.

Registrars will get audited if more than five domains under their sponsorship showed up on a number of block-lists ICANN uses (SpamHaus and the like) during November 2020.

ICANN is spinning the number of affected registrars as a very small percentage of the accredited base, but it really isn’t.

It said that “only” 153 out of 2,380 accredited registrars are affected, apparently willfully ignoring the fact that well over 1,700 of these registrars are shell accreditations used for drop-catching and belonging to just two companies: Web.com and NameBright.

Domains never stick around at drop-catch shells for long, and abusive registrants typically aren’t buying expensive names on the aftermarket, they’re prowling the budget registrars for sub-dollar bargains and bulk-reg tools.

Up to a couple hundred or other accredited registrars have no or negligible domains under management. Several more are corporate registrars with no retail front-end.

So we’re really looking at “only” 153 out of 500 to 600 active retail registrars that saw the required level of abuse, a much higher percentage than would be ideal.

The audit is part of ICANN’s regular Contractual Compliance Audit Program, which seeks to determine whether any registrars or registries are in breach of their contractual obligations.

Under the 2013 Registrar Accreditation Agreement, registrars are obliged to document their responses to abuse reports, keep the data for two years, and hand it over to ICANN on demand.

ICANN hopes to finish the audit by the third quarter this year.

ICANN axes Cancun again. Apparently there’s a pandemic

ICANN has formally confirmed that its seventieth public meeting will be online-only, disappointing restaurateurs and sex workers in Cancun, Mexico for the second year running.

The meeting will also be mercifully shorter, with two days cut from its running time. The new dates are March 22 to March 25. Thankfully, ICANN actually announced the date change this time around.

ICANN top brass had indicated as far back as October that Cancun was very unlikely to go ahead as an in-person meeting.

It will be the fourth consecutive meeting to be held via Zoom since the coronavirus pandemic began a year ago. My guess is it won’t be the last.

The next meeting this year is slated to take place in The Hague in late June, but I think only an strident optimist or denialist could imagine that actually happening.

It’s pandemic continuity versus gender diversity in ICANN’s board wish-list

ICANN’s Nominating Committee will be asked to pit two fundamentally opposed principles against each other when they pick three members of the organization’s board of directors this year.

Board chair Maarten Botterman has asked NomCom to prioritize continuity — keeping experienced directors in place — while also increasing gender diversity in the male-heavy current line-up.

Botterman this week sent a letter (pdf) to NomCom chair Ole Jacobsen, offering guidance virtually identical to that found in a December 2019 letter (pdf) to his predecessor.

The two most significant changes concern the impact on the board’s work of the coronavirus pandemic.

Noting that it typically takes a year or two for new directors to learn the ropes, and that it’s useful to have a staggered mix of tenures among the board, Botterman goes on to say:

Continuity is particularly important this year given the recent departure of the Board’s longest-serving, term- limited member and the ongoing challenges arising from the pandemic, including uncertainties about when the full Board may be next able to move from its current remote schedule to in-person meetings.

The long-serving member who left was presumably Chris Disspain, certainly one of the most active directors in recent years.

Later, Botterman’s letter contains an entirely new paragraph explaining what a time vampire ICANN directorship can be:

We underscore the significant time commitment required of Board members. Applicants must be able to devote weeks and long hours throughout the year to Board service, and even more because of the challenges caused by the pandemic. Among many other key initiatives, one focus in the upcoming year will be understanding and evaluating the expected recommendations from the policy development process on Subsequent Procedures regarding the next round of new gTLDs (as well as implementation of several Board-approved recommendations from community groups).

That, at least, should provide some comfort to those champing at the bit to get the next round of new gTLDs up and running — ICANN clearly expects it to happen at some point in the next four years.

So there’s a definite, newly emphasized focus on continuity at ICANN.

That’s good news for Lito Ibarra, Danko Jevtović and Tripti Sinha, the three NomCom appointees whose current terms end this coming October. Ibarra is on his second three-year term, the other two on their first. All are eligible for reselection.

The Botterman letter is less encouraging for Ibarra and Jevtović, who are men. ICANN is still seeking to increase gender diversity on its board, which only currently has five female voting members of 16 total directors.

While the wording is slightly different to the 2020 guidance, the essence is the same:

The ICANN community has also expressed strong support for efforts to increase diversity along several axes, especially including gender diversity, across the ICANN eco-system. Without compromising the fundamental requirement to have Board members with the necessary integrity, skills, experience, the Board would find it helpful to have greater gender diversity on the Board.

NomCom may find this pressure is relieved slightly by the fact that current ccNSO representative to the board, Nigel Roberts, is being replaced by Katrina Sataki of the Latvian ccTLD registry this October, following an election last month.

The Address Supporting Organization’s rep, Ron Da Silva, is also ending his current term this year. He’s up for reselection against nine other candidates, three of whom are female.

Here’s why two ICANN directors opposed extending Marby’s CEO contract

ICANN CEO Göran Marby’s personality came into question when the organization’s board of directors voted to prematurely extend his contract last year, it emerged this evening.

Back in October, the board voted to add two years to Marby’s current contract, which had been due to expire May 23, 2022, saying it would help with continuity and provide a “sense of calm” at the org.

But one director voted against the extension, and another abstained. Today, with the publications of the October 7 meeting’s minutes, we found out the whos and and whys.

Ihab Osman was the director who voted against the deal, telling the rest of the board that there should have been a formal review and plan to address Marby’s “communications style”, which has apparently come in for criticism.

He added that there should have been a global search for a CEO after Marby’s first six years (that is, in 2022). The minutes read:

Ihab stated that the decision to extend the President and CEO’s contract was taken without, in his view, a formalized professional performance review process reflecting on the past four years of the CEO’s service. He stated that he believed that not doing so was inconsistent with best practices for an organization of the size and importance as ICANN. Ihab noted that comments had been expressed about the CEO’s communication style and did not believe there was a formal plan to work on this issue. Ihab stated his belief that extending a contract that has two years before it is completed is premature, noting that organizations generally benefit from a global search for a CEO after a six-year tenure.

Osman is a Sudanese businessman who currently lists his employers as Saudi agricultural company NADEC and the US-Sudan Business Council.

The director who abstained from the vote was Mandla Msimang. She had procedural concerns, saying that the decision should have been subject to more input from other stakeholders. The minutes read:

Mandla explained that her abstention is not a reflection on the President and CEO. Mandla indicated that she abstained from voting because she did not agree with the process that has been followed to arrive at the decision. Mandla noted that she believes the process lacked a performance-based approach and lacked a more extensive input from key stakeholders, namely the org staff and the community.

South African Msimang is CEO of Nozala Investments, an investment vehicle focused on female-owned businesses.

Both she and Osman are Nominating Committee appointees whose first three-year terms on the ICANN board end in 2022.

While the minutes do not elaborate on the apparent criticisms of Marby’s “communications style”, it’s probably fair to say he’s a bit more confrontational and abrasive when compared to his predecessors.

Fadi Chehadé sometimes came across like a used-car salesman hiding behind a dubious veil of servile humility; Rod Beckstrom had baffling New Age hippy tendencies and often appeared out of his depth when it came to the minutiae of ICANN’s function.

As for Marby’s style… what do you think? Answers in the comments or privately to the usual address.

Rules for the next new gTLD round near the final straight

The ICANN working group tasked with creating policies for the next round of new gTLDs is wrapping up its work this week, setting up the battle lines for the next phase of the program’s development.

Members of the cross-constituency Subsequent Procedures for new gTLDs group, known as SubPro, have until a minute before midnight UTC Friday night to declare whether they’re not happy with any parts of the 373-page document (pdf).

It’s expected that some groups and individuals will have beef with some of the SubPro recommendations, which will be included in the Final Report as dissenting minority statements before it is sent off to the GNSO Council later this month.

The report, the product of five years of discussions, will largely affirm that the next new gTLD round will proceed along roughly the same lines as the 2012 round, with some of ICANN staff’s historical ad-libs being codified and a few new big concepts introduced.

New additions include the idea of a pre-evaluation process for registry service providers, enabling applicants to pick from a menu of pre-approved back-ends and avoid the cost of having their technical prowess evaluated for every string they apply for.

The price of applying could be kept artificially high, however, to discourage gTLD stockpiling, and the report will also recommend banning the coexistence of single/plural variants of the same word.

One area where there was definitely no consensus was the issue of “closed generics” — a non-brand string reserved for the sole use of the registry — it’s going to be up to the GNSO Council and ICANN to muddle through this one.

While the consensus call marks the end of the working group phase of new gTLD policy development, there are still many substantial hurdles to leap before the next application round opens.

In the last round, the policy was approved by the GNSO Council in 2007, and ICANN didn’t start accepting applications until the start of 2012.

it may not take five years between policy and launch this time, if only because many of the new recommendations are merely affirmations of the status quo, but there are new mechanisms ICANN will have to implement before the next round opens, and we should probably expect more than one comment period on iterations of the next Applicant Guidebook.

The road between now and the next round is still likely measured in years.

Net 4 India gets unwelcome Christmas gift from ICANN

Struggling Indian registrar Net 4 India has been hit by its third notice of contract breach by ICANN, in a letter delivered Christmas Eve.

Net4 is on ICANN’s naughty list this time due to its alleged violations of ICANN’s transfer and expired domains policies. The breach notice is very similar to that delivered just two weeks earlier, concerning different domains.

ICANN reckons Net4, once India’s largest independent registrar, has in some cases been transferring domains to a partner registrar, OpenProvider, without the consent or knowledge of the registrant.

It’s been asking the company for records proving compliance, which Net4 has apparently not been providing. Therein lies the alleged breach.

Net4 has been persona non grata among many of its customers for several months, with complaints about billing and renewal failures, expirations, and a general lack of customer service availability compounded by the coronavirus pandemic.

The company has also been fighting an insolvency proceeding over millions of dollars in allegedly unpaid debts for years, which has been the subject of an ICANN breach notice for about 18 months.

The Christmas Eve breach notice gives Net4 until January 14 to turn over the relevant records or possibly face termination.

But that might prove moot — the December 10 notice had a deadline of December 31, so the wheels may already be in motion.

Fuji Xerox kills off gTLD after rebrand

Fuji Xerox has become the latest multi-billion-dollar company to ditch its dot-brand gTLD.

The Japanese-American company, a joint venture of Xerox and Fuji, has told ICANN it wants to terminate its registry contract for .fujixerox, and ICANN has indicated its intention to let the string die.

The gTLD was not in use, beyond the mandatory nic.fujixerox placeholder site.

That said, the termination appears to be primarily due to a rebranding as the joint venture fizzles out.

Fuji Xerox is, according to Wikipedia, the world’s oldest Japanese-American joint-venture company, at 59 years old. It’s in the document processing space and had $11 billion in annual revenue.

But the companies said last year they would end the relationship, with Xerox no longer providing its tech, leading to rebranding the company Fujifilm Business Innovation. The dot-brand is clearly no longer needed.

Xerox also owns .xerox, and it’s not using that either. There is no .fuji or .fujifilm.

.fujixerox the first dot-brand to jump off the cliff this year, and the 86th in total.

Donuts acquisition of Afilias closes, integration work begins

Donuts’ acquisition of Afilias closed without incident on December 29, the companies announced last week.

The registries said that registrants and registrar partners should not see any immediate disruption, but added that it’s now working on an integration plan that should see some changes over the longer term.

“Our combined teams can now begin developing an integration plan, with a goal of minimizing disruption to those we serve,” Akram Atallah, Donuts’ CEO, said in a press release. “We expect no changes in the short term, and ample notice on any changes that are decided.”

Atallah has previously told DI that it’s likely that Afilias’ owned and operated TLDs will likely be transferred to Donuts’ registry back-end, which is hosted on the Amazon cloud.

He also said that services such as the Domain Protected Marks List, currently available in 240+ Donuts gTLDs, should soon become available in Afilias’ 20-odd.

The deal, for an undisclosed sum, was subject to scrutiny by ICANN, which could have blocked it, but its board of directors considered the merger last month with no resolution passed.

US sneaks public Whois demands into pandemic relief bill

Outgoing US president Donald Trump has signed into law a coronavirus relief bill and spending package that contains a surprise instruction for the government to pursue open access to Whois records.

The Consolidated Appropriations Act of 2021 is focused on federal spending for fiscal 2021, with billions set aside for pandemic-related economic stimulus. It’s the bill you may recall Trump refused to sign for several days on the purported basis that it only provided Americans with a piddling $600 check.

An accompanying document contains encouragement for the National Telecommunications and Information Administration to “to require registrars and registries based in the United States to collect and make public accurate domain name registration information”.

It also asks the NTIA to continue to work within ICANN’s Governmental Advisory Committee to help create “a global access model that provides law enforcement, intellectual property rights holders, and third parties with timely access to accurate domain name registration information”.

The text can be found in a joint explanatory statement (pdf) accompanying the act. It’s not on the statute books as such, but it does tell NTIA how to spend the money it’s been allocated.

The full text relevant to the domain name industry reads:

NTIA is directed, through its position within the Governmental Advisory Committee o work with I CANN to expedite the establishment of a global access model that provides law enforcement, intellectual property rights holders, and third parties with timely access to accurate domain name registration information for legitimate purposes. NTIA is encouraged, as appropriate, to require registrars and registries based in the United States to collect and make public accurate domain name registration information.

As ICANN notes in its analysis, the first sentence is not telling NTIA to do anything it hasn’t been doing since the European Union’s General Data Protection Regulation came into effect two and a half years ago.

The NTIA and GAC have been involved in efforts to create a privacy workaround for rights holders and law enforcement, which in September came up with the widely panned SSAD proposals. ICANN is currently pleading with the EU for clarity on whether it would even be legal.

The second sentence is perhaps a bit more worrying, dangling as it does the possibility of American registries and registrars having to either break EU law or implement a much more complex Whois infrastructure.

But, as ICANN notes, the words “encouraged, as appropriate” are doing a lot of heavy lifting in that sentence, saying “encouragement is aspirational; it is not a mandate”.

However, ICANN appears to be treating it as a warning shot, with head of compliance Jamie Hedlund writing:

It appears to hint that if NTIA and the ICANN community can’t develop a robust access model, Congress could entertain more forceful measures that would impose requirements on U.S.-based registries and registrars to collect and publish domain name registration information.

It seems the NTIA has the wink to cause mischief, should ICANN not deliver what intellectual property lobbyists want.

Mixed messages from ICANN on pandemic travel in 2021

ICANN still hasn’t formally cancelled its public meeting in Cancun, Mexico next March, but it appears to be planning for scheduled in-person gatherings to not resume until the fourth quarter of next year.

While nobody in their right mind seems to believe ICANN 70 will go ahead anywhere other than virtually — and ICANN’s top brass acknowledged in October that a face-to-face community forum appeared highly unlikely — the Org has still not announced that it will be the fourth consecutive meeting to be held via Zoom.

But two recently published documents show that ICANN doesn’t see travel getting back to normal any time soon, though its expected timing is ambiguous.

First, the proposed budget for fiscal 2022, which was published on Friday, envisages pandemic-related travel restrictions for only “the first nine months” of its current FY21, which ends June 30 next year.

That means that ICANN, at least in its travel budget, still thinks there’s a chance that international travel may be an option as early as April next year. Its travel budget for this year is $4.7 million, which certainly suggests one normal public meeting.

That would rule out Cancun, but leaves open the possibility that June 14-17 public meeting in The Hague could actually go ahead.

The budget also assumes a normal level of travel spending for the whole of FY22, which would mean ICANN 72 in Seattle — a mere domestic flight for most ICANN staff and a good portion of the domain industry — would also take place in-person next October.

But a resolution passed by the ICANN board of directors last Thursday appears to have a more pessimistic outlook.

The board at that meeting approved the continuation of contingency plans for signing the cryptographic keys at the root of the DNS that would eliminate the need for travel until the fourth quarter of calendar 2021.

Normal, quarterly root Key-Signing Key ceremonies require a small number of trusted “secret key holders” to be flown from around the world into facilities in the US, carrying physical keys, to ensure the integrity of the process.

But those rules were tweaked under coronavirus lockdown last April to allow IANA employees to sub in for these key-holders.

Understanding that the pandemic wasn’t going away any time soon, but perhaps with hindsight on the optimistic side, the KSK ceremony in April generated three quarters’ worth of keys in advance, enabling root DNSSEC until the end of March 2021.

Last Thursday, the ICANN board resolved to again bulk-generate keys during its next ceremony, to be held some time in the first quarter. The plan states:

The coronavirus pandemic is expected to continue to significantly impact operations well into 2021. To limit the impact on the ability to hold quarterly key ceremonies, the plan again provides for generating signatures for an extended nine-month period. This relieves the need to hold a subsequent key signing ceremony until the fourth quarter of 2021.

So, while the proposed budget thinks travel could return to normal by April, the KSK plans are thinking October could be the best-case scenario.

Vaccines appear to be the key, as you might expect:

Staff will continue to monitor the pandemic and prepare for all possible scenarios for this ceremony in accordance with the graduated approach. Should widespread vaccination programs prove to be successful, and international travel limitations be relaxed, it is conceivable a late-2021 ceremony could be conducted in its normal format with international in-person participation.

I’m going to go out on a limb and suggest that the chances of a normal in-person ICANN meeting going ahead before Seattle are pretty slim.

For vaccination programs to be successful, we’re going to need a combination of competent governments capable of handling an unprecedented logistical challenge and a largely sane, rationale populace willing to go under the needle en masse. I’m afraid I don’t have that much faith in humanity.

Even if everything goes smoothly, we’re still looking at the vaccine rollout taking a long time indeed. I live in the UK, the first country to roll out vaccinations at scale, and I don’t anticipate getting the jab for six months or more.

An unofficial calculator tool estimates that a middle-aged Brit with no diagnosed preexisting conditions cannot reasonably expect to get a vaccine until July 2021, assuming the UK manages to quickly ramp up to one million vaccinations per week and 70% of those eligible choose to take the shot.

If that’s true elsewhere in the world, and vaccination becomes a passport to travel, then any hypothetical June face-to-face ICANN meeting could resemble a senior care home or retirement village even more than usual.

Not so much Club Med as a Saga Holiday.

And none of this takes into account the potential impact of the super-spreadable new coronavirus strain discovered to be hugely prevalent in the UK last week.

While it’s early days, it seems there’s a significant possibility that what I’m calling the limeyvirus (because what goes better with Corona than lime?) is going to significantly impact travel worldwide in the coming months.