ICANN’s new conferencing software has a webcam security bug

ICANN can’t catch a break when it comes to remote participation security, it seems.
Having just recently made the community-wide switch away from Adobe Connect to Zoom, partly for security reasons, now Zoom has been hit by what many consider to be a critical zero-day vulnerability.
Zoom (which, irrelevantly, uses a .us domain) pushed out an emergency patch for the vulnerability yesterday, which would have allowed malicious web sites to automatically turn on visitors’ webcams without their consent.
Only users of the installable Mac client were affected.
According to security researcher Jonathan Leitschuh, who discovered the problem, Zoom’s Mac client was installing a web server on users’ machines in order to bypass an Apple security feature that requires a confirmatory click before the webcam turns on.
This meant a web site owner could trick a user into a Zoom session, with their camera turned on by default, without their knowledge or consent.
If you’re in the habit of keeping your webcam lens uncovered, that’s potentially a big privacy problem, especially if you do most of your remote coverage of ICANN meetings from the toilet.
It appears that Leitschuh, who reported the problem to Zoom three months ago, took issue with what he saw as the company’s ambivalent attitude to fixing it in a timely fashion.
When he finally blogged about it on Monday, after giving Zoom a 90-day “responsible disclosure” period to issue a patch, the problem still hadn’t been fully resolved, he wrote.
But, following media coverage, Zoom’s new patch apparently removes the covert web server completely. This removes the vulnerability but means Apple users will have to click a confirmation button before joining Zoom meetings in future.
Zoom is used now for all of ICANN’s remote participation, from sessions of its public meetings to discussions of its policy-making working groups.
I really like it. It feels a lot less clunky than Adobe, and it’s got some nifty extra features such as the ability to skip around in recordings based on an often-hilarious machine-transcription sidebar, which makes my life much easier.
One of the reasons ICANN made the switch was due to a bug found in Adobe Connect last year that could have been used to steal confidential information from closed meetings.
ICANN actually turned off Adobe Rooms for remote participants halfway through its public meeting in Puerto Rico due to the bug.
The switch to Zoom was hoped to save ICANN $100,000 a year.

ICANN explains how .org pricing decision was made

ICANN has responded to questions about how its decision to lift price caps on .org, along with .biz and .info, was made.
The buck stops with CEO Göran Marby, it seems, according to an ICANN statement, sent to DI last night.
ICANN confirmed that was no formal vote of the board of directors, though there were two “consultations” between staff and board and the board did not object to the staff’s plans.
The removal of price caps on .org — which had been limited to a 10% increase per year — proved controversial.
ICANN approved the changes to Public Interest Registry’s contract despite receiving over opposing messages from 3,200 people and organizations during its open public comment period.
Given that the board of directors had not voted, it was not at all clear how the decision to disregard these comments had been made and by whom.
The Internet Commerce Association, which coordinated much of the response to the comment period, has since written to ICANN to ask for clarity on this and other points.
ICANN’s response to DI may shed a little light.
ICANN staff first briefed the board about the RA changes at its retreat in Los Angeles from January 25 to 28 this year, according to the statement.
That briefing covered the reasons ICANN thinks it is desirable to migrate legacy gTLD Registry Agreements to the 2012-round’s base RA, which has no pricing controls.
The base RA “provides additional safeguards and security and stability requirements compared to legacy agreements” and “creates efficiencies for ICANN org in administration and compliance enforcement”, ICANN said.
Migrating old gTLDs to the standardized new contract complies with ICANN’s bylaws commitment “to introduce and promote competition in the registration of domain names and, where feasible and appropriate, depend upon market mechanisms to promote and sustain a competitive environment in the DNS market”, ICANN said.
They also contain provisions forcing the registry to give advance notice of price changes and to give registrants the chance to lock-in prices for 10 years by renewing during the notice period, the board was told.
After the January briefing, Marby made the call to continue negotiations. The statement says:

After consultation with the Board at the Los Angeles workshop, and with the Board’s support, the CEO decided to continue the plan to complete the renewal negotiations utilizing the Base RA. The Board has delegated the authority to sign contracts to the CEO or his designee.

A second board briefing took place after the public comment periods, at the board’s workshop in Marrakech last month.
The board was presented with ICANN’s staff summary of the public comments (pdf), along with other briefing documents, then Marby made the call to move forward with signing.

Following the discussion with the Board in Marrakech, and consistent with the Board’s support, the CEO made the decision for ICANN org to continue with renewal agreements as proposed, using the Base gTLD Registry Agreement.

Both LA and Marrakech briefings “were closed sessions and are not minuted”, ICANN said.
But it appears that the board of directors, while not voting, had at least two opportunities to object to the new contracts but chose not to stand in staff’s way.
At the root of the decision appears to be ICANN Org’s unswerving, doctrinal mission to make its life easier and stay out of price regulation to the greatest extent possible.
Reasonable people can disagree, I think, on whether this is a worthy goal. I’m on the fence.
But it does beg the question: what’s going to happen to .com?

Net 4 India gets brief reprieve from ICANN suspension

India registrar Net 4 India has been given a bit of breathing space by ICANN, following its suspension last month.
ICANN suspended the registrar’s accreditation a month ago, effective June 21, after discovering the company had been in insolvency proceedings for some time.
But on June 20 ICANN updated its suspension notice to give Net4 more time to comply. It now has until September 4, the same day its insolvency case is expected to end, to provide ICANN with documentation showing it is still a going concern.
The registrar was sued by a debt collector that had acquired some Rs 1.94 billion ($28 million) of unpaid debts from an Indian bank.
ICANN’s updated suspension notice adds that Net4 is to provide monthly status updates, starting July 18, if it wants to keep its accreditation.
The upshot of all this is that the registrar can carry on selling gTLD domains and accepting inbound transfers for at least another couple months.

Charities “could move to .ngo” if .org prices rise

File this one under “wrong-headed argument of the day”.
The head of policy at the Charities Aid Foundation reportedly has said that the recent removal of price increase caps at .org could lead to charities moving to other TLDs, “like .ngo”, which would cause confusion among charitable givers.
Rhodri Davies told The Telegraph (registration required) newspaper:

One of the benefits at the moment is you have at least at least one very well known and globally recognised domain name, that indicates to people that what they’re looking at is likely to be a charity or a social purpose organisation. If in the future, the pricing changes, and suddenly organisations have all sorts of different domain names, it’s going to be much harder for the public to know what it is they’re looking at. And that will get confusing and will probably have a negative impact on on people’s trust

The Telegraph gave .ngo (for non-governmental organization) as an example of a TLD they could move to. It’s not clear whether that was the example Davies gave or something the reporter came up with.
While Davies’ argument is of course sound — if charities were forced en masse to leave .org due to oppressive pricing, it would almost certainly lead to new opportunities for fraud — the choice of .ngo as an alternative destination is a weird one.
.ngo, like .org, is run by Public Interest Registry. It also runs .ong, which means the same thing in other languages.
But as 2012-round new gTLDs, neither .ngo or .ong have ever been subject to any pricing controls whatsoever.
At $30 a year, PIR’s wholesale price for .ngo is already a little more than three times higher than what it charges for .org domains. I find it difficult to imagine that .org will be the more expensive option any time soon.
.org domains currently cost $9.93 per year, and PIR has said it has no current plans to increase prices.
PIR does not have a monopoly on charity-related TLDs. Donuts runs .charity itself, which is believed to wholesale for $20 a year. It’s quite a new TLD, on the market for about a year, and has around 1,500 domains under management compared to .org’s 10 million.
Of course, .charity doesn’t have price caps either.
In the gTLD world, the only major TLDs left with ICANN-imposed price restrictions are Verisign’s .com and .net.

.org now has no price caps, but “no specific plans” to raise prices

ICANN has rubber-stamped Public Interest Registry’s new .org contract, removing the price caps that have been in effect for the best part of two decades.
That’s despite a huge outcry against the changes, which saw the vast majority of respondents to ICANN’s public comment period condemn the removal of caps.
The new contract, signed yesterday, completely removes the section that limited PIR to a 10% annual price increase.
It also makes PIR pay the $25,000 annual ICANN fee that all the other registries have to pay. Its ICANN transaction tax remains at $0.25.
PIR, a non-profit which funnels money to the Internet Society, is now allowed to raise its wholesale registry fee by however much it likes, pretty much whenever it likes.
But PIR again insisted that it does not plan to screw over the registrants of its almost 11 million .org domains.
The company said in a statement:

Regarding the removal of price caps, we would like to underscore that Public Interest Registry is a mission driven non-profit registry and currently has no specific plans for any price changes for .ORG. Should there be a need for a sensible price increase at some point in the future, we will provide advanced notice to the public. The .ORG community is considered in every decision we make, and we are incredibly proud of the more than 15 years we have spent as a responsible steward of .ORG. PIR remains committed to acting in the best interest of the .ORG community for years to come.

That basically restates the comments it made before the contract was signed.
The current price of a .org is not public information, but PIR has told me previously that it’s under $10 a year and “at cost” registrar Cloudflare sells for $9.93 per year.
The last price increase was three years ago, reported variously as either $0.88 or $0.87.
ICANN received over 3,200 comments about the contract when it was first proposed, almost all of them opposed to the lifting of caps.
Opposition initially came from domainers alerted by an Internet Commerce Association awareness campaign, but later expanded to include general .org registrants and major non-profit organizations, as the word spread.
Notable support for the changes came from ICANN’s Business Constituency, which argued from its established position that ICANN should not be a price regulator, and from the Non-Commercial Stakeholders Group, which caps should remain but should be raised from the 10%-a-year limit.
There’s a bit of a meme doing the rounds that ICANN has been hit by “regulatory capture” in this case, following a blog post from ReviewSignal.com blogger Kevin Ohashi last week, which sought to demonstrate how those filing comments in favor of the new contract had a vested interest in the outcome (as if the thousands of .org registrants filing opposing comments did not).
But I find the argument a bit flimsy. Nobody fingered by Ohashi had any decision-making power here.
In fact, the decision appears to have been made almost entirely by ICANN employees (its lawyers and Global Domains Division staff) “in consultation with the ICANN board of directors”.
There does not appear to have been a formal vote of the board. If there was such a vote, ICANN has broke the habit of a lifetime and not published any details of the meeting at which it took place.
After the public comment period closed, ICANN senior director for gTLD accounts and services Russ Weinstein prepared and published this comment summary (pdf), which rounds up the arguments for and against the proposed changes to the contract, then attempts to provide justification for the fait accompli.
On the price caps, Weinstein argues that standardizing .org along the lines of most of the other 1,200 gTLDs in existence fits with ICANN’s mission to enable competition in the domain name industry and “depend upon market mechanisms to promote and sustain a competitive environment”.
He also states:

Aligning with the Base gTLD Registry Agreement would also afford protections to existing registrants. The registry operator must provide six months’ notice to registrars for price changes and enable registrants to renew for up to 10 years prior to the change taking effect, thus enabling a registrant to lock in current prices for up to 10 years in advance of a pricing change.

This appears to be misleading. While it’s true that the new contract has the six-month notice period for price increases, so did the old one.
The new contract language takes several sentences to say what the old version did in one, and may remove some ambiguity, but both describe the notice period and lock-in opportunity.
If there’s a problem with how the new .org contract was signed off, it appears to be the lack of transparency.
It’s signed by GDD senior VP Cyrus Namazi, but who made the ultimate decision to sign it despite the outrage? Namazi? CEO Göran Marby? It certainly doesn’t seem to have been put before the board for a formal vote.
What kind of “consultation” between GDD and the board occurred? Is it recorded or noted anywhere? Was the board briefed about the vast number of negative comments the price cap proposal elicited?
Are public comment periods, which almost never have any impact on the end result, just a sham?
In my view, .org (along with .com and .net) are special cases among gTLDs that deserve a more thorough, broad and thoughtful consideration than the new .org contract received.
UPDATE: This article was updated at 1600 UTC to correct information related to .org’s current wholesale price.

ICANN gives .bj to Jeny

The ccTLD for Benin has been redelegated to the country’s government.
ICANN’s board of directors yesterday voted to hand over .bj to Autorité de Régulation des Communications Electroniques et de la Poste du Bénin, ARCEP, the nation’s telecoms regulator.
It had been in the hands of Benin Telecoms, the incumbent national telco, for the last 15 years, but authority over domain names was granted to ARCEP in legislation in 2017 and 2018.
A local ISP, Jeny, has been awarded the contract to run the registry.
According to IANA, Jeny was already running the registry before the redelegation request was even processed, so there’s no risk of the change of control affecting operations.
As usual with ccTLD redelegations, you’ll learn almost nothing from the ICANN board resolution. You’ll get a better precis of the situation from the IANA redelegation report.
Benin is a Francophone nation in West Africa with about 11 million inhabitants.

.amazon frozen AGAIN as endless government games continue

Amazon’s application for the .amazon gTLD has yet again been frozen, after a South American government invoked ICANN’s appeals process.
The bid, as well as applications for the Chinese and Japanese versions, were returned to “on-hold” status at the weekend, after Colombia filed a formal Request for Reconsideration, an ICANN spokesperson confirmed to DI.
“The processing toward contracting of the .AMAZON applications has been halted pending the resolution of Request 19-1, per ICANN organization’s normal processes,” the spokesperson said.
This means the applications could remain frozen for 135 days, until late October, while ICANN processes the request. It’s something that has happened several times with other contested gTLDs.
Colombia filed RfR 19-1 (pdf) on June 15. It demands that ICANN reverses its board’s decision of May 15, which handed Amazon a seemingly decisive victory in its long-running battle with the eight governments of the Amazon Cooperation Treaty Organization.
ACTO’s members believe they should have policy control over .amazon, to protect the interests of their citizens who live in the region they share.
To win an RfR — something that hardly ever happens — a complainant has to show that the ICANN board failed to consider pertinent information before it passed a resolution.
In Colombia’s case, it argues that the board ignored an April 7 letter (since published in PDF format here) its Governmental Advisory Committee representative sent that raises some interesting questions about how Amazon proposes to operate its TLDs.
Because .amazon is meant to be a highly restricted “dot-brand” gTLD, it would presumably have to incorporate Specification 13 into its ICANN registry agreements.
Spec 13 releases dot-brands from commitments to registrar competition and trademark protection in exchange for a commitment that only the brand itself will be able to own domains in the TLD.
But Colombia points out that Amazon’s proposal (pdf) to protect ACTO governments’ interests would give the eight countries and ACTO itself “beneficial ownership” over a single domain each (believed to be names such as co.amazon, .br.amazon, etc).
If this means that Amazon would not qualify for Spec 13, it could follow that ICANN’s board made its decision to continue processing .amazon on faulty assumptions, Colombia argues.
Colombia points to the case of .sas, a dot-brand that is apparently shared by two companies that have the same brand, as a possible model for shared management of .amazon.
RfRs are handled by ICANN’s Board Accountability Mechanisms Committee.
BAMC took just a couple of days to rule out (pdf) Colombia’s request for “urgent reconsideration”, which would reduce its regular response time from 90 days to 7 days.
The committee said that because the .amazon applications were being placed back on-hold as part of normal procedure during consideration of an RfR, no harm could come to Colombia that would warrant “urgent” reconsideration.
According to ICANN’s spokesperson, under its bylaws the latest the board can respond to Colombia’s request is October 28.
At a GAC session at the ICANN 65 meeting in Marrakech, taking place right now, several ACTO governments have just spent over an hour firmly and publicly protesting ICANN’s actions surrounding .amazon.
They’re still talking as I hit “publish” on this post.
In a nutshell, they believe that ICANN has ignored GAC advice and reneged on its commitment to help Amazon and ACTO reach a “mutually acceptable solution”.

What time is it? For ICANN, even that can be a controversial question

ICANN has found itself involved in a debate about whether Russia’s 2014 annexation of Crimea should be recognized.
It’s not unusual for ICANN to find itself in geopolitical controversies — see .amazon for the most recent example — but this time, it’s not about domain names.
It’s about time zones.
One of the little-known functions ICANN provides via its IANA division is the hosting of the so-called TZ Database, which keeps track of all international time zones, daylight savings time practices, and so on.
The database is referenced by scores of operating systems, web sites, libraries and software development kits. It’s used by MacOS, many major Unix/Linux distributions, Java and PHP.
IANA took over the database in 2011, after the original administrator, David Olson, was hit with a bogus lawsuit from an astrology company.
It’s currently managed by University of California computer scientist Paul Eggert. He’s not an ICANN employee. He’s responsible for making changes to the database, which IANA hosts.
There are no complex layers of policy-making and bureaucracy, just an ICANN-hosted mailing list. it very much harks back to the pre-ICANN/Jon Postel/Just A Guy model of international database administration.
But because time zones are set by the governments of territories, and the ownership of territories is sometimes in dispute, the TZ Database often finds itself involved in political debates.
The latest of these relates to Crimea.
As you will recall, back in 2014 the Russian Federation annexed Crimea — part of Ukraine and formerly part of the Soviet Union.
The United Nations condemned the move as illegal and still refuses to recognize the region as part of Russia. The de facto capital city of Crimea is now Simferopol.
As part of the takeover, Russia switched its new territories over to Moscow Time (MSK), a time zone three hours ahead of UTC that does not observe daylight savings.
The rest of Ukraine continues to use Eastern European Time, which is UTC+2, and Eastern European Summer Time (UTC+3).
This means that in the winter months, Crimea is an hour out of whack with the rest of Ukraine.
Currently, the TZ Database’s entry for Simferpol contains the country code “RU”, instead of “UA”.
This means that if you go to Crimea and try to configure your Unix-based system to the local time, you’ll see an indication in the interface that you’re in Russia, which understandably pisses off Ukrainians and is not in line with what most governments think.
You can check this out on some time zone web sites. The services at time.is and timeanddate.com both refer to Europe/Simferopol as being in Ukraine, while WorldTimeServer says it’s in Russia.
The TZ Database mailing list has recently received a couple of complaints from Ukrainians, including the head of the local cyber police, about this issue.
Serhii Demediuk, head of the Cyberpolice Department of the National Police of Ukraine, wrote in December:

by referring Crimea with the country code “RU”, your organization actually accepts and supports the aggressive actions of the Russian Federation who’s armed forces annexed this part of Ukraine. Such recognition may be considered as a criminal offense by the Ukrainian criminal law and we will be obliged to start formal criminal proceedings

It’s the longstanding principle of the TZ Database administrators that they’re not taking political positions when they assign country-codes to time zones, they’re just trying to be practical.
If somebody shows up for a business meeting in Crimea in December, they don’t want their clock to be an hour behind their local host’s for the sake of political correctness.
But Eggert nevertheless has proposed a patch that he believes may address Ukrainian concerns. It appears to have Simferopol listed as both RU and UA.

ICANN launches cash-for-kids scheme

ICANN will hand over cash to help community members cover their childcare commitments, the organization announced yesterday.
If you show up to an ICANN public meeting with an ankle-biter under 12 years of age, ICANN will give you up to $750 to cover the cost of babysitting.
You’ll have to show receipts, and ICANN will not cover stuff like travel, lodging, tourism or other costs that parents would have during the normal course of owning a kid.
Only volunteer community members will qualify, not staffers. The full list of rules can be found here.
While the announcement may seem unusual, it does not come out of the blue. There have been a number of public calls, from a handful of single parents, for ICANN to lay on some kind of on-site childcare services over the last several years.
It isn’t doing that, however. Good grief, imagine the optics if ICANN accidentally killed a kid…
Instead, it will only give parents a list of nearby childcare providers, which it will not formally vet or recommend, and let them make their own minds up.
The program is a pilot, and will run at the next three meetings in Montreal, Cancun and Kuala Lumpur.

After $30 million deal, is a .voice gTLD now inevitable?

Do big second-level domain sales translate into new gTLD success, and does the record-breaking $30 million sale of voice.com this week make a .voice gTLD inevitable?
The answers, I believe, are no and maybe.
Before the 2012 new gTLD application round, one way applicants picked their strings was by combing through the .com zone file to find frequently-occurring words that terminated the second level string.
This is where we get the likes of .site and .online from Radix and much of Donuts’ portfolio.
But applicants also looked at lists of high-priced secondary market sales for inspiration.
This is where we get the likes of .vodka, from MMX.
The latter strategy has seen mixed-to-poor results.
Five of the top domain sales, as compiled by Domain Name Journal, were not eligible for gTLD status are they are too short.
Of the remaining 15 strings, “sex” (which occurs twice), “fund”, “porn”, “toys” and “vodka” were all applied for in 2012 and are currently on sale.
The strings “clothes” and “diamond” do not appear as gTLDs, but Donuts runs both .clothing and .diamonds.
Not delegated in any fashion are “porno” (unless you count it as a derivative of “porn”), “slots”, “tesla”, “whisky” and “california”. A company called IntercontinentalExchange runs .ice as a dot-brand.
As well as .clothing and .diamonds, .fund and .toys are both also Donuts TLDs. None of them are doing spectacularly well.
At the lower end, .diamonds currently has fewer than 3,000 domain under management, but has a relatively high price compared to the the higher-volume TLDs in Donuts’ stable.
At the high-volume end, .fund has just shy of 16,000 names and .clothing has about 12,000.
Judging by their retail prices, and the fact that Donuts benefits from the economies of scale of a 240-strong TLD portfolio, I’m going to guess these domains are profitable, but not hugely so.
If we turn our attention to .vodka, with its roughly 1,500 domains, it seems clear that MMX is barely covering the cost of its annual ICANN fees. Yet vodka.com sold for $3 million.
So will anyone be tempted to apply for .voice in the next gTLD application round? I’d say it’s very possible.
First, “voice” is a nice enough string. It could apply to telephony services, but also to general publishing platforms that give their customers a “voice”. I’d say it could gather up enough registrations to fit profitably into a large portfolio, but would not break any records in terms of volume.
But perhaps the existence of voice.com buyer Block.one as a possible applicant will raise some other applicants out of the woodwork.
Block.one, which uses a new gTLD and an alt-ccTLD (.io) for its primary web sites, is certainly not out-of-touch when it come to alternative domain names.
Could it apply for .voice, and if it does how much would it be willing to spend to pay off rival applicants? It still apparently has billions of dollars from its internet coin offering in the bank.
How much of that would it be prepared to pay for .voice at private auction?
That prospect alone might be enough to stir the interest of some would-be applicants, but it has to be said that it’s by no means certain that the highly gameable application process ICANN deployed in 2012 is going to look the same next time around.