The end of the beginning? ICANN releases policies for next round of new gTLDs

Over eight years after ICANN last accepted applications for new gTLDs and more than four years after hundreds of policy wonks first sat around the table to discuss how the program could be improved, the working group has published its draft final, novel-length set of policy recommendations.

Assuming the recommendations are approved, in broad terms the next round will be roughly similar to the 2012 round.

But almost every phase of the application process, from the initial communications program to objections and appeals, is going to get tweaked to a greater or lesser extent.

The recommendations came from the GNSO’s New gTLD Subsequent Procedures working group, known as SubPro. It had over 200 volunteer members and observers and worked for thousands of hours since January 2016 to come up with its Final Draft Report.

Some of the proposed changes mean the cost of an application will likely go down, while others will keep the cost artificially high.

Some changes will streamline the application process, others may complicate it.

Many of the “changes” to policy are in fact mere codifications of practices ICANN brought in unilaterally under the controversial banner of “implementation” in the 2012 round.

Essentially, the GNSO will be giving the nod retroactively to things like Public Interest Commitments, lottery-based queuing, and name collisions mitigation, which had no basis in the original new gTLDs policy.

But other contentious aspects of the last round are still up in the air — SubPro failed to find consensus on highly controversial items such as closed generics.

The report will not tell you when the next round will open or how much it will cost applicants, but the scope of the work ahead should make it possible to make some broad assumptions.

What it will tell you is that the application process will be structurally much the same as it was eight years ago, with a short application window, queued processing, objections, and contention resolution.

SubPro thankfully rejected the idea replacing round-based applications with a first-come, first-served model (which I thought would have been a gaming disaster).

The main beneficiaries of the policy changes appear to be registry service providers and dot-brand applicants, both of which are going to get substantially lowered barriers to entry and likely lower costs.

There are far too many recommendations for me to summarize them eloquently in one blog post, so I’m going to break up my analysis over several articles to be published over the next week or so.

In the meantime, ICANN has opened up the final draft report for public comment. You have until September 30.

The report notes that previously rejected comments will not be considered, so if your line is “New gTLDs suck! .com is King!” you’re likely to find your input falling on deaf ears.

After the comment period ends, and SubPro considers the comments, the report will be submitted to the GNSO Council for approval. Subsequently, it will need to be approved by the ICANN board of directors.

It’s not impossible that this could all happen this year, but there’s a hell of a lot of implementation work to be done before ICANN starts accepting applications once more. We could be looking at 2023 before the next window opens and 2024 before the next batch of new gTLDs start to launch.

UPDATE: This post was updated August 27, 2020 to clarify procedural and timing issues.

It’s a CONSPIRACY! Canadian registrant “sues” pretty much everybody

Canadian domain registrant and noted industry troll Graham Schreiber has sued, or at least claims to have sued, just about every notable figure in the ICANN community.

A document purporting to be a lawsuit is being circulated today among some of the dozens of named defendants, which include several people who’ve not been involved with ICANN for many years.

It names 27 volunteers from ICANN’s Intellectual Property Constituency, 21 current and former senior executives of registries and registrars, several members of the US and UK governments, an FBI agent, an unnamed “White House Conspirator”, as well as lawyers for LinkedIn, Facebook, Twitter, ICANN, Google and the UK Intellectual Property Office.

It’s my job to tell you in simple terms what the alleged lawsuit alleges, but I’m afraid I’m at an utter loss with this one. It reads like the fever dream of a conspiracy theorist that would make the average Qanon believer appear the model of reason and clarity.

Schreiber variously refers to his defendants as “Kingpins” involved in a “Cartel” or “Conspiracy”, the factual details of which he never quite gets to.

Here’s a representative sample paragraph, unedited:

If and when, the “Defensive Registrations” obliged by ICANN’s R[r]egistry & R[r]egistrar “Stakeholders” = “Kingpins” and specifically CentralNic [ weren’t purchased ] assailants would strike; and Infringe, Dilute, Blur and Pass-Off as our online business, individually with identical and confusingly similar domain name, faking to be appointed or an authorized agent of the primary Registrant, in a country’s entrepreneurs Intellectual Property may or may not have been protectable at Common Law Trademark, under Madrid Protocol Rules, as it / they fulfilled the obligations of local National laws, to become a Registered Trademark, as I secured in the USA with USPTO, after the CIPO did their work.

At one point, he admits to trolling the defendants on social media since 2012, and points to their failure to sue him as evidence of a conspiracy:

I’ve made statements via those Social Media resources which would, if they were untrue, subject me to a singular lawsuit or multiple lawsuits from the Defendants listed, for: Defamation, Slander and Libel.

As yet, these well taunted Defendants have all conspired together, in collective silence, anticipating that their grandeur and my insignificance would, maintain safe passage, for them to continue.

As the vast majority of the Defendants are well schooled, powerful U.S. Attorneys, it’s my expectation that the Court oblige them to address the charges here stated, or collectively for their defence, they must File a lawsuit with this Court, charging me for what could be [ but aren’t ] remarks constituting Defamation, Slander & Libel against them, which again, I’ve posted on some of the Defendants own clients, Social Media Platforms

Schreiber was once a regular fixture in DI’s comments section too. Thankfully, we’ve not heard from him in years.

The root cause of the “lawsuit” appears to be an old beef Schreiber has with CentralNic.

He says he owns what he calls a “common law trademark” on the term “Landcruise” and he once used the matching .com domain to operate a motor-home rental business.

At some point in 2011, he became aware that a British registrant had registered landcruise.co.uk and landcruise.uk.com.

At the time, CentralNic was primarily in the business of selling domains at the third level in pseudo-gTLDs such as uk.com, gb.com and us.com.

Schreiber tried and failed (twice) to get the .uk domain transferred under Nominet’s Dispute Resolution Service, and then he took his beef to the courts.

In 2012, he sued CentralNic, ICANN, Verisign, eNom, and Network Solutions in a complaint that barely made much more sense than the “lawsuit” being circulated today.

That case was thrown out of court in 2013.

I expect the same fate to befall the current lawsuit, if indeed it has even been filed in a court.

Schreiber wants $5 million from every defendant.

If you want to check whether you’re one of them, read the PDF “complaint” here.

“Arms dealer” registrar probed by ICANN

ICANN’s top security thinkers are looking into hotly denied claims that an Israeli registrar collaborated with malware distributors.

Luckily for the registrar, GalComm, so far they’ve come up empty-handed and ICANN has told the company it does not consider it “malicious”.

ICANN told GalComm this week that its Security, Stability and Resiliency team is looking into a report published by security consultancy Awake Security in June entitled “The Internet’s New Arms Dealers: Malicious Domain Registrars”.

The report connected GalComm to over 100 malicious browser extensions, used to steal data, that have been installed 33 million times. GalComm was apparently the attackers’ registrar of choice.

While Awake did not report the registrar to ICANN, GalComm took it upon itself to write to ICANN to deny the allegations, saying that it merely acted as a neutral registrar and had no involvement in hosting or distributing the malware.

It also demanded that Awake retract its report and apologize or face legal consequences. The report is still available.

Now, ICANN has written back (pdf) to assure the registrar that its investigations to date has been “unable to corroborate the findings Awake Security presented and it does appear that Awake Security had an inaccurate picture of the total domains under management by GalComm”.

It added that the investigation is ongoing, however:

Based on the information we have been able to obtain to date, we have no reason to believe it appropriate for GalComm to be considered a “malicious domain registrar” as asserted by Awake Security. However, as noted in Awake Security’s report, the malicious actors behind the domains in question may be utilizing detection evasion techniques. As such, our investigations continue, and we appreciate GalComm’s cooperation and support of those investigations.

ICANN has previously told news outlets that it receives very few complaints about GalComm, none related to malware.

ICANN names Egypt-based head of Istanbul office

ICANN has appointed veteran staffer Baher Esmat as the new head of its regional office in Istanbul, Turkey.

His new job title will be managing director for Middle East and Africa, having previously headed ICANN’s partnership programs for the region. He’s basically become ICANN’s point man in the region.

He’s replacing Nick Tomasso, who’s sticking around at ICANN in his main role as VP of meetings but appears to be leaving Istanbul.

Esmat currently lives in Egypt, which isn’t even in the same time zone, and there does not appear to be a short-term plan to move him to Istanbul

The ICANN board noted in its resolution promoting Esmat:

There will be a fiscal impact on ICANN in FY21 only to the extent of travel and related costs for Mr. Esmat as he will continue to reside in Egypt for the time being, but ICANN will save on the costs associated with Mr. Tomasso’s having resided in Istanbul during his tenure as the representative of the liaison office in Turkey, Istanbul.

It’s not clear whether the decision to stay in Egypt is coronavirus-related, but I imagine working from home in Egypt isn’t much different from working from home in Turkey.

Esmat has been at ICANN for 14 years. Tomasso ran the Istanbul office from 2017. The handover is effective at the end of the month.

Countries ask Amazon for thousands more domain blocks

The eight South American nations of the Amazon region are demanding Amazon block more domain names in the recently delegated .amazon gTLD.

Amazon Cooperation Treaty Organization secretary general Alexandra Moreira has written to Amazon VP of public policy Brian Huseman to complain that Amazon’s current set of “cultural” safeguards do not go far enough.

The August 14 letter, which was forwarded to DI, seems to mark a new phase of bilateral talks, after ICANN washed its hands of its reluctant role of third-party facilitator last month.

Currently, .amazon is governed by a set of Public Interest Commitments in its registry contract designed to protect the “Culture and Heritage specific to the Amazonia region”.

ACTO, as well as disagreeing with the use of the term “Amazonia”, has a narrow interpretation of the PICs that Moreira says is “insufficient to ensure respect for the historic and cultural heritage of the Amazon region”.

Under ACTO’s reading, Amazon is only obliged to block a handful of domains from use, namely the words “OTCA”, “culture”, “heritage”, “forest”, “river”, “rainforest”, the names of indigenous peoples and national symbols.

Moreira writes:

That would leave out a vast number of terms that can still cause confusion or mislead the public about matters specific to the Amazon region, such as the names of cities, villages, mountains, rivers, animals, plants, food and other expressions of the Amazon biome, biodiversity, folklore and culture.

ACTO wants the list of protected domains to be expanded to include these additional categories, and for Amazon and ACTO to sign a binding agreement to that effect.

Given that the Amazon forest is home to literally tens of thousands of distinct species and Brazil alone has over 5,500 municipalities, this could translate to a hell of a long list.

I should probably note that the .amazon PICs also offer ACTO the chance to block 1,500 strings of its own choosing, so ACTO’s narrow interpretation may not tell the whole story.

Dot-brand fizzles out after acquisition

Another dot-brand gTLD has decided to terminate its ICANN contract, but this time it’s because the brand itself has been discontinued.

.ceb was applied for by the Corporate Executive Board Company, a consulting company, in 2012.

But the company was acquired by Gartner in 2017, and the CEB brand was discontinued the following year.

For some reason it’s taken Gartner a couple of years to remember it has a gTLD it doesn’t need, and it’s told ICANN it no longer wishes to operate it.

The .ceb dot-brand was never used.

It’s the 81st dot-brand to self-terminate, the 12th this year.

The pricey, complex, clusterfuck plan to reopen Whois

After a little more than two years, an ICANN working group has finalized the policy that could allow people to start accessing unredacted Whois records again.

Despite the turnaround time being relatively fast by ICANN standards, the Expedited Policy Development Process group has delivered what could be the most lengthy and complex set of policy recommendations I’ve seen since the policy work on new gTLDs over a decade ago.

Don’t get too excited if you’re itching to get your hands on Whois data once more. It’s a 171-page document containing over a hundred recommendations that’s bound to take ages to implement in full, if it even gets approved in the coming weeks.

I’d be surprised if it’s up and running fully before 2022 at the earliest. If and when the system does eventually come online, don’t expect to get it for free.

It’s already being slammed in multiple quarters, with one constituency saying it could result in a “multi-year-implementation resulting in a system which would effectively be a glorified, overly complex and very expensive ticketing system”.

Trademark owners are livid, saying the proposed policy completely fails to address their needs, and merely entrenches the current system of registrar discretion into formal ICANN policy.

The recommendations describe a proposed system called SSAD, for System for Standardized Access/Disclosure, which would be overseen by ICANN and enforced through its contracts with registries and registrars.

It’s a multi-tiered system involving a few primary functions, wrapped in about a thousand miles of red tape.

First and foremost, you’ve got the Central Gateway Manager. This would either be ICANN, or a company to which ICANN outsources. Either way, ICANN would be responsible for overseeing the function.

The gateway manager’s job is to act as a middleman, accepting Whois data requests from accredited users and forwarding them to registries and registrars for processing.

In order to access the gateway, you’d need to be accredited by an Accreditation Authority. Again, this might be ICANN itself or (more likely) a contractor.

The policy recommendations only envisage one such authority, but it could rely on a multitude of Identity Providers, entities that would be responsible for storing the credentials of users.

It’s possible all of these roles and functions could be bundled up in-house at ICANN, but it appears the far more likely scenario is that there will be a bunch of RFPs coming down the pike for hungry contractors later this year.

But who gets to get accredited?

Anyone with a “legitimate interest or other lawful basis”, it seems. The document is far from prescriptive or proscriptive when it comes to describing possible users.

But the recommendations do give special privileges to governments and government-affiliated entities such as law enforcement, consumer protection bodies and data privacy watchdogs.

For law enforcement agencies, the proposed policy would mandate fully automated processing at the gateway and at the registry/registrar. It sounds like cops would get pretty much instant access to all the Whois data they need.

Requests just the for city field of the record would also be fully automated, for any accredited requestor.

There would be at least three priorities of Whois request under the proposed system.

The first, “Urgent”, would be limited to situations that “pose an imminent threat to life, serious bodily injury, critical infrastructure (online and offline) or child exploitation”. Non-cops could use this method too. Contracted parties would have one business day or three calendar days to respond.

The second would be limited to ICANN-related procedures like UDRP and URS, and registrars would have a maximum of two business days to respond.

The third would encapsulate all other requests, with some priority given to fraud or malware-related requests. Response times here could be a long as 10 days.

I’m trying to keep it simple here, but a lot of the recommendations describe the aforementioned red tape surrounding each stage of the process.

Registrars and registries would be bound to service level agreements, there’d be appeals processes for rejected requests, there’d be logging, audits, reporting, methods to de-accredit users and methods for them to appeal their de-accreditation… basically a shedload of checks and balances.

And who’s going to pay for it all?

ICANN’s latest guesstimate is that SSAD will cost $9 million to build and another $8.9 million annually to operate.

It seems the main burden will be placed on the shoulders of the end-user requestors, which will certainly have to pay for accreditation (which would have to be renewed periodically) and may have to pay per-query too.

Trademark lawyers within the ICANN community are furious about this — not because they have to pay, but because SSAD functionality does “not come close to justifying the costs”.

They’d envisaged a system that would be increasingly automated as time went by, eventually enabling something pretty much like the old way of doing Whois lookups, but say the current proposals preclude that.

It’s also not impossible that the system could lead to higher fees for registrants.

The EPDP group is adamant that domain registrants should not have to pay directly when somebody queries their Whois data, and says the SSAD should be cheaper to run for registrars than the current largely manual system, but acknowledges there’s nothing ICANN can do to stop registrars raising their prices as a result of the proposed policy.

The recommendations say that ICANN should not take a profit from SSAD, but do not discount its contractors from making a fair return from their work.

Prices are, like much else described in this Final Report, still very much TBD. The EPDP working group was given a lot to accomplish in very little time, and there’s a lot of buck-passing going on.

And there’s no guarantee that the policy will even be approved in the short term, given the level of dissent from working group participants.

Before the recommendations become formal Consensus Policy — and therefore binding on all registries and registrars — they first have to be approved by the GNSO Council and then the ICANN board of directors.

The first opportunity for the GNSO Council to vote is at its meeting September 24, but it could be a very tight vote.

For an EPDP to pass, it needs a supermajority vote of the Council, which means a two-thirds majority of both “houses” — the Contracted Parties House (ie, registries and registrars) and the Non-Contracted Parties house — or a 75% approval in one house and a simple majority in the other.

The way things stand, it looks to me like the CPH will very likely vote 100% in favor of the proposal, which means that only seven out of the 13 NCPH members will have to vote in favor of the report in order for it to pass.

The NCPH is made up of six people from the Non-Commercial Stakeholders Group, which generally hold pro-privacy views and have already criticized the report as not going far enough to protect registrants’ data.

Six more NCPH members comprise two members each from the Intellectual Property Constituency, Business Constituency and Internet Service Providers Constituency.

The IPC and BC put their names to a joint minority statement in the Final Report saying that its recommendations:

amount to little more than affirmation of the [pre-EPDP] status quo: the elements of WHOIS data necessary to identify the owners and users of domain names are largely inaccessible to individuals and entities that serve legitimate public and private interests.

I’m chalking those four Council members down as reliable “no” votes, but they’ll need the support of the two ISP guys and the wildcard Nominating Committee appointee in order to bury this policy proposal.

If it does pass the Council, the next and final stage of approval for SSAD would be the ICANN board, probably at ICANN 69 in October.

But then ICANN would actually have to build the damn thing.

This would take many months of implementation and review, then there’d have to be multiple RFP processes to select the companies to write the software and build the infrastructure to run it, who’d then actually have to build and test it.

In the same guesstimate that put a $9 million price tag on the system, ICANN reckoned that it would take a full year for a third party to build and test SSAD. That’s not even taking registrar integration into account.

So, if you’re looking for streamlined Whois access again, you’d best think 2022 at the very earliest, if ever.

If you wish to read the EPDP working group’s Final Report, you can do so here (pdf).

UPDATE: This article originally misstated the date of the next GNSO Council meeting at which this proposal could be considered. It’s not August 20. It’s September 24, which means initial ICANN board consideration is out in October. Add another month to whatever timeline you were hoping for.

After Chapter 11 filing, JCPenney dumps its dot-brand

American retailer JCPenney has told ICANN it no longer wishes to own its dot-brand gTLD, .jcp.

The notice was filed just a month after the company entered Chapter 11 bankruptcy protection and announced the permanent closure of hundreds of stores.

Like many retailers of non-essential goods, the company’s fortunes have been badly affected by the coronavirus pandemic.

I suspect the gTLD would have been scrapped eventually regardless — JCPenney never used it, and even the obligatory nic.jcp site merely redirects to the company’s primary .com.

It’s the 80th dot-brand to be dumped by its registry. the 11th this year.

ICANN close to becoming $200 million gift-giver

Remember how ICANN raised hundreds of millions of dollars auctioning off new gTLD contracts, with only the vaguest of ideas how to spend the cash? Well, it’s coming pretty close to figuring out where the money goes.

The GNSO Council approved a plan last Thursday that will turn ICANN into a giver of grants, with some $211 million at its initial disposal.

And the plan so far does not exclude ICANN itself for applying to use the funds.

The plan calls for the creation of a new Independent Project Applications Evaluation Panel, which would be charged with deciding whether to approve applications for this auction cash.

Each project would have to fit these criteria:

• Benefit the development, distribution, evolution and structures/projects that support the Internet’s unique identifier systems;
• Benefit capacity building and underserved populations, or;
• Benefit the open and interoperable Internet

Examples given include improving language services, providing PhD scholarships, and supporting TLD registries and registrars in the developing world.

The evaluation panel would be selected “based on their grant-making expertise, ability to demonstrate independence over time, and relevant knowledge.” Diversity would also be considered.

While existing ICANN community members would not be banned from being on the panel, it’s being strongly discouraged. The plan over and over again stresses how there must be rigorous conflict-of-interest rules in place.

What’s less clear right now is what role ICANN will play in the distribution of funds.

The Cross-Community Working Group that came up with the proposal offers three possible mechanisms, but there was no strong consensus on any of them.

The one being pushed, “Mechanism A”, would see ICANN org create a new department — potentially employing as many as 20 new staff — to oversee applications and the evaluation panel.

Mechanism B would see the same department created, but it would work with an existing independent non-profit third party.

Mechanism C would see the function offloaded to a newly created “ICANN Foundation”, but ICANN’s lawyers are not keen on this idea.

The Intellectual Property Constituency was the lone dissenting voice at Thursday’s GNSO Council vote. The IPC says that support for Mechanism A actually came from a minority of CCWG participants, depending on how you count the votes.

It thinks that ICANN should divorce itself as far as possible from the administration of funds, and that not to do so creates the “unreasonable risk” of ICANN being perceived as “self-dealing”.

But as the plan stands, ICANN is free too plunder the auction funds at will anyway. ICANN’s board of directors said as long ago as 2018:

ICANN maintains legal and fiduciary responsibility over the funds, and the directors and officers have an obligation to protect the organization through the use of available resources. In such a case, while ICANN would not be required to apply for the proceeds, the directors and officers would have a fiduciary obligation to use the funds to meet the organization’s obligations.

It already took $36 million from the auction proceeds to rebuild its reserve fund, which had been diminished by ICANN swelling its ranks and failing to predict the success of the new gTLD market.

The CCWG also failed to come to a consensus on whether ICANN or its constituent parts should be banned from formally applying for funds through the program.

Because the plan is a cross-community effort, it needs to be approved by all of ICANN’s supporting organizations and advisory committees before heading to the ICANN board for final approval.

There also looks to be huge amount of decision-making and implementation work to be done before ICANN puts its hand in its pocket for anyone.

The $135 million battle for .web could be won in weeks

Afilias is to get its day in “court” to decide the fate of the .web gTLD just 10 days from now.

The registry is due to face off with ICANN before an Independent Review Process panel in a series of virtual hearings beginning August 3.

The IRP complaint was filed late 2018 as the endgame of Afilias’ attempt to have the results of the July 2016 .web auction overturned.

You’ll recall that Verisign secretly bankrolled the winning bidder, a new gTLD investment vehicle called Nu Dot Co, to the tune of $135 million, causing rival bidders to cry foul.

If that win was vacated, Afilias could take control of .web with its second-place bid.

Afilias claims that ICANN broke its own rules by refusing to thoroughly analyze whether NDC had a secret sugar daddy, something DI first reported on two weeks before the auction.

It has put forward the entirely plausible argument that Verisign splashed out what amounts to about a month’s .com revenue on .web in order to bury it and fortify its .com mindshare monopoly against what could be its most formidable competitor.

In the IRP case to date, ICANN has been acting as transparently as you’d expect when its legal team is involved.

It first redacted all the juiciest details from the Verisign-NDC “Domain Acquisition Agreement” and the presumably damaging testimony of one of its own directors, and more recently has been fighting Afilias’ demands for document discovery.

In March, the IRP panel ruled against ICANN’s protests on almost every count, ordering the org to hand over a mountain of documentation detailing its communications with Verisign and NDC and its internal deliberations around the time of the auction.

But the ace up ICANN’s sleeve may be an allegation made by Verisign that Afilias itself is the one that broke the auction’s rules.

Verisign has produced evidence that an Afilias exec contacted his NDC counterpart five days before the auction, breaking a “blackout period” rule so serious that violators could lose their applications.

While Afilias denies the allegation, the IRP panel ruled in March that Afilias must hand over copies of all communications between itself and rival bidders over the auction period.

We’re not likely to see any of this stuff until the panel issues its final declaration, of course.

In the past, IRP panels have taken as long as six or seven months after the final hearing to deliver their verdicts, but the most-recently decided case, Amazon v ICANN, was decided in just eight or nine weeks.