Latest news of the domain name industry

ICANN turns 20 today (or maybe not)

Kevin Murphy, September 18, 2018, Domain Policy

ICANN is expected to celebrate its 20th anniversary at its Barcelona meeting next month, but by some measures it has already had its birthday.
If you ask Wikipedia, it asserts that ICANN was “created” on September 18, 1998, 20 years ago today.
But that claim, which has been on Wikipedia since 2003, is unsourced and probably incorrect.
While it’s been repeated elsewhere online for the last 15 years, I’ve been unable to figure out why September 18 has any significance to ICANN’s formation.
I think it’s probably the wrong date.
It seems that September 16, 1998 was the day that IANA’s Jon Postel and Network Solutions jointly published the organization’s original bylaws and articles of incorporation, and first unveiled the name “ICANN”.
That’s according to my former colleague and spiritual predecessor Nick Patience (probably the most obsessive journalist following DNS politics in the pre-ICANN days), writing in now-defunct Computergram International on September 17, 1998.
The Computergram headline, helpfully for the purposes of the post you are reading, is “IANA & NSI PUBLISH PLAN FOR DNS ENTITY: ICANN IS BORN”.
Back then, before the invention of the paragraph and when ALL CAPS HEADLINES were considered acceptable, Computergram was published daily, so Patience undoubtedly wrote the story September 16, the same day the ICANN proposal was published.
A joint Postel/NetSol statement on the proposal was also published September 17.
The organization was not formally incorporated until September 30, which is probably a better candidate date for ICANN’s official birthday, archived records show.
Birthday merriments are expected to commence during ICANN 63, which runs from October 20 to 25. There’s probably free booze in it, for those on-site in Barcelona.
As an aside that amused me, the Computergram article notes that Jones Day lawyer Joe Sims very kindly provided Postel with his services during ICANN’s creation on a “pro bono basis”.
Jones Day has arguably been the biggest beneficiary of ICANN cash over the intervening two decades, billing over $8.7 million in fees in ICANN’s most recently reported tax year alone.

Van der Laan to leave ICANN board

Kevin Murphy, September 17, 2018, Domain Policy

Former Dutch politician Lousewies van der Laan is to leave the ICANN board of directors next month and be replaced with the former CEO of the Serbian ccTLD.
ICANN said yesterday that Danko Jevtovic, who headed RNIDS from 2013 until July last year, has been selected to occupy van der Laan’s seat following the Annual General Meeting in Barcelona.
Van der Laan, who had been selected by the Nominating Committee for a second term, has had to decline the offer “due to unforeseen family obligations”, ICANN said.
Jevtovic will take his seat at the same time as fellow NomCom appointee, Tripti Sinha of the University of Maryland, who oversees management of the DNS D-root server and replaces term-limited George Sadowsky.
El Salvadorean ccTLD founder Rafael “Lito” Ibarra is the third NomCom appointee this year, starting his second term next month.

Set buttocks to clench! ICANN approves risky KSK rollover

Kevin Murphy, September 17, 2018, Domain Policy

ICANN has approved the first rollover of the domain name system’s master security key, setting the clock ticking on a change that could cause internet access issues for millions.
The so-called KSK rollover, when ICANN deletes the key-signing key that has been used as the trust anchor for the DNSSEC ecosystem since 2011 and replaces it with the new one, will now go ahead as planned on October 11.
The decision was made yesterday at the ICANN board of directors’ retreat in Brussels.
ICANN chief technology officer David Conrad posted this to an ICANN mailing list this morning:

The Board voted to approve the resolution for ICANN org to move forward with the revised KSK rollover plan. So barring unforeseen circumstances, the KSK-2017-signed ZSK will be used to sign the root zone on 11 October 2018.

The rollover was due to happen October 11 last year, but ICANN delayed it when it emerged that many DNS resolvers weren’t yet configured to use the new key.
That’s still a problem, and nobody knows for sure how many endpoints will stop functioning properly when the new KSK goes solo.
While most experts weighing in on the rollover, including Conrad, agreed that the risk of more delay outweighed the risk of rolling now, that feeling was not unanimous.
Five members of the 22-member Security and Stability Advisory Committee — including top guys from Google and Verisign — last month dissented from the majority view and said ICANN should delay again.
The question now is not whether internet users will see a disruption in the days following October 11, but how many users will be affected and how serious their disruptions will be.
Based on current information, as many as two million internet users could be affected.
ICANN is likely to take flak for even relatively minor disruptions, but the alternative was to continue with the delays and risk an even bigger impact, and even more flak, in future.
The text of ICANN’s resolution and the rationale behind it will be published in the next day or so.

Mediators hired as Whois reformers butt heads

Kevin Murphy, September 17, 2018, Domain Policy

ICANN has hired professional mediators to help resolve strong disagreements in the working group tasked with reforming Whois for the post-GDPR world.
Kurt Pritz, chair of the Expedited Policy Development Process for Whois, last week told the group that ICANN has drafted in the Consensus Building Institute, with which it has worked before, to help “narrow issues and reach consensus”.
Three CBI mediators will brief the EPDP group today, and join them when the WG meets face-to-face for the first time at a three-day session in Los Angeles later this month.
Their goal is not to secure any particular outcome, but to help the disparate viewpoints find common ground, Pritz told the group.
It’s been Pritz’s intention to get the mediators in since day one — he knew in advance how divisive Whois policy is — but it’s taken until now to get the contracts signed.
The EPDP WG’s job is to create a new, privacy-conscious, consensus Whois policy that will apply to all gTLD registries and registrars. Its output will replace ICANN’s post-GDPR Temporary Specification for Registration Data, which in turn replaced the longstanding Whois policy attached to all ICANN registry and registrar contracts.
Since the working group first convened in early August — about 500 emails and 24 hours of painful teleconferences ago — common ground has been hard to find, and in fact the EPDP group did not even attempt to find consensus for the first several weeks of discussions.
Instead, it worked on its first deliverable, which was finalized last week, a “triage report” that sought to compile each faction’s opinion of each section of ICANN’s Temp Spec.
The idea seemed sensible at the time, but with hindsight it’s arguable whether this was the best use of the group’s time.
The expectation, I believe, was that opposing factions would at least agree on some sections of text, which could then be safely removed from future debate.
But what emerged instead was this, a matrix of disagreement in which no part of the Temp Spec did not have at least one group in opposition:
[Figure: Triage Table]
The table is potentially misleading, however. Because groups were presented with a binary yes/no option for each part of the spec, “no” votes were sometimes recorded over minor language quibbles where in fact there was agreement in principle.
By restricting the first few weeks of conversation to the language of the Temp Spec, the debate was arguably prematurely hamstrung, causing precious minutes to trickle away.
And time is important — the EPDP is supposed to deliver its consensus-based Initial Report to the ICANN 63 meeting in Barcelona about five weeks from now.
That’s going to be tough.
What’s becoming increasingly clear to me from the post-triage talks is that the WG’s task could be seen as not much less than a wholesale, ground-up, reinvention of the Whois wheel, recreated with GDPR as the legal framework.
Who is Whois for?
Discussions so far have been quite mind-expanding, forcing some fundamental rethinking of long-held, easy assumptions, at least for this lurker. Here’s an example.
One of the fundamental pillars of GDPR is the notion of “purposes”. Companies that collect private data on individuals have to do so only with specific, enumerated purposes in mind.
The WG has started by discussing registrars. What purpose does a registrar have when it collects Whois data from its registrants?
None whatsoever, it was claimed.
“To execute the contract between the registrant and the registrar, it’s really not necessary for registrars to collect any of this information,” GoDaddy head of policy James Bladel, representing registrars, told the group on its latest call Thursday.
Registrars collect data on their customers (not just contact data, but also stuff like credit card details) for billing and support purposes, but this is not the same as Whois data. It’s stored separately and never published anywhere. While covered by GDPR, it’s not covered by Whois policy.
Whois data is only collected by registrars for third parties’ purposes, whether that third party be a registry, ICANN, a data escrow agent, a cop, or an intellectual property enforcer.
“Other than a few elements such as domain name servers, there is nothing that is collected in Whois that is needed for the registrar to do their business,” At-Large Advisory Committee chair Alan Greenberg told the WG. “All of them are being collected for their availability to third parties, should they need it.”
While this may seem like a trivial distinction, drawing a hard line between the purposes of registries, registrars and ICANN itself on the one hand and law enforcement, cybersecurity and IP lawyers on the other is one of the few pieces of concrete advice ICANN has received from European data protection regulators.
There’s by no means unanimous agreement that the registrars’ position is correct, but it’s this kind of back-to-basics discussion that makes me feel it’s very unlikely that the EPDP is going to be able to produce an Initial Report with anything more than middling consensus by the October deadline.
I may be overly pessimistic, but (mediators or no mediators) I expect its output will be weighted more towards outlining and soliciting public comment on areas of disagreement than consent.
And the WG has not yet even looked in depth at the far thornier issue of “access” — the policy governing when third parties such as IP lawyers will be able to see redacted Whois data.
Parties on the pro-access side of the WG have been champing at the bit to bring access into the debate at every opportunity, but have been
Hey, look, a squirrel!
The WG has also been beset by its fair share of distractions, petty squabbles and internal power struggles.
The issue of “alternates” — people appointed by the various constituencies to sit in on the WG sessions when the principals are unavailable — caused some gnashing of teeth, first over their mailing list and teleconference privileges and then over how much access they should get to the upcoming LA meeting.
Debates about GDPR training — which some say should have been a prerequisite to WG participation — have also emerged, after claims that not every participant appeared clued-in as to what the law actually requires. After ICANN offered a brief third-party course, there were complaints that it was inadequate.
Most recently, prickly Iranian GAC rep Kavouss Arasteh last week filed a formal Ombudsman complaint over a throwaway god-themed pun made by Non-Com Milton Mueller, and subsequently defended by fellow non-resident Iranian Farzaneh Badii, in the Adobe Connect chat room at the September 6 meeting.
Mueller has been asked to apologize.

Donuts gets bought by former ICANN CEO’s firm

Kevin Murphy, September 5, 2018, Domain Registries

Donuts is to be bought by a private equity firm that has a former ICANN CEO as a partner.
The company, which holds the largest portfolio of new gTLDs, has agreed to be acquired by Boston-based private equity firm Abry Partners for an undisclosed sum.
Not much info about the deal has been released, but one senses an ICANN alum’s hand at the wheel.
Former ICANN chief Fadi Chehade is a partner at Abry, having been initially employed as senior advisor on digital strategy back in 2016 after he left ICANN.
Abry, on its web site, says it focuses its investments on profitable companies, adding:

Depending on the type of fund, we target investments from $20 million to $200 million.
Since Abry’s inception, we’ve developed deep industry expertise in Broadband, Business Services, Communications, Cybersecurity, Healthcare IT, Information Services, Insurance Services, Internet-of-Things, Logistics, Media, and Software as a Service.

Since its formation in 1989, Abry has “completed more than $77 billion of transactions, representing investments in more than 650 properties.”
Donuts was founded by domain veterans Paul Stahura, Jon Nevett, Richard Tindal and Daniel Schindler in order to take advantage of ICANN’s new gTLD program.
It was initially funded by $100 million from Austin Ventures, Adams Street Partners, Emergence Capital Partners, TL Ventures, Generation Partners and Stahurricane.
It currently runs over 200 TLDs, the most populous of which I believe is .ltd, with over 400,000 names.
Donuts is the latest of a series of domain companies to exit via the private equity route, notably following Neustar and Web.com.
Chehade was ICANN’s CEO between 2012 and 2015. While he was not involved in the industry during the new gTLD program’s inception, he did oversee its early years.

.tel’s second-biggest registrar gets canned

Kevin Murphy, August 31, 2018, Domain Registrars

A Chinese registrar that focused exclusively on selling .tel domain names has been shut down by ICANN.
Tong Ji Ming Lian (Beijing) Technology Corporation Ltd, which did business as Trename, had its registrar contract terminated last week.
ICANN claims the company had failed to pay its accreditation fees and failed to escrow its registration data.
The organization had been sending breach notices since June, but got no responses. Trename’s web site domain currently resolves to a web server error, for me at least.
Trename is a rare example of a single-TLD registrar, accredited only to sell .tel domains. It didn’t even sell .com.
It is Telnames’ second-largest registrar after Name.com, accounting for about 6,000 names at the last count. At its peak, it had about 55,000.
Its share seems to be primarily as a result of a deal the registry made with a Chinese e-commerce company way back in 2011.
I’m a bit fuzzy on the details of that deal, but it saw Trename add 50,000 .tel names pretty much all at once.
Back then, .tel still had its original business model of hosting all the domains it sold and publishing web sites containing the registrant’s contact information.
Since June 2017, .tel has been available as a general, anything-goes gTLD, after ICANN agreed to liberalize its contract.
That liberalization doesn’t seem to have done much to stave off .tel’s general decline in numbers, however. It currently stands at about 75,000 names, from an early 2011 peak of over 305,000.
ICANN told Trename that its contract will end September 19, and that it’s looking for another registrar to take over its domains.
With escrow apparently an issue, it may not be a smooth transition.

Whois privacy did NOT increase spam volumes

Kevin Murphy, August 31, 2018, Domain Tech

The advent of more-or-less blanket Whois privacy has not immediately led to the feared uptick in spam, according to researchers.
Data from Cisco’s Talos email data service, first highlighted by security company Recorded Future this week, shows spam levels have been basically flat to slightly down since ICANN’s GDPR-inspired new Whois policy came into effect May 25.
Public Talos data shows that on May 1 this year there were 433.9 billion average daily emails and 370.04 billion spams — 85.28% spam.
This was down to 361.83 billion emails and 308.05 billion spams by August 1, an 85.14% spam ratio, according to Recorded Future.
So, basically no change, and certainly not the kind of rocketing skyward of spam levels that some had feared.
Cisco compiles its data from customers of its various security products and services.
Looking at Talos’ 18-month view, it appears that spam volume has been on the decline since February, when the ratio of spam to ham was pretty much identical to post-GDPR levels.
It also shows a similar seasonal decline during the northern hemisphere’s summer 2017.
[Figure: Talos graph]
There had been a fear in some quarters that blanket Whois privacy would embolden spammers to register more domains and launch more ambitious spam campaigns, and that the lack of public data would thwart efforts to root out the spammers themselves.
While that may well transpire in future, the data seems to show that GDPR has not yet had a measurable impact on spam volume at all.

Could a new US law make GDPR irrelevant?

Kevin Murphy, August 29, 2018, Domain Policy

Opponents of Whois privacy are pushing for legislation that would basically reverse the impact of GDPR for the vast majority of domain names.
Privacy advocate Milton Mueller of the Internet Governance Project today scooped the news that draft legislation to this effect is being circulated by “special interests” in Washington DC.
He’s even published the draft (pdf).
Mueller does not call out the authors of the bill by name — though he does heavily hint that DomainTools may be involved — saying instead that they are “the same folks who are always trying to regulate and control the Internet. Copyright maximalists, big pharma, and the like.”
I’d hazard a guess these guys may be involved.
The bill is currently called the Transparent, Open and Secure Internet Act of 2018, or TOSI for short. In my ongoing quest to coin a phrase and have it stick, I’m tempted to refer to its supporters as “tossers”.
TOSI would force registries and registrars to publish Whois records in full, as they were before May this year when ICANN’s “Temp Spec” Whois policy — a GDPR Band-aid — came into effect.
It would capture all domain companies based in US jurisdiction, as well as non-US companies that sell domains to US citizens or sell domains that are used to market goods or services to US citizens.
Essentially every company in the industry, in other words.
Even if only US-based companies fell under TOSI, that still includes Verisign and GoDaddy and therefore the majority of all extant domains.
The bill would also ban privacy services for registrants who collect data on their visitors or monetize the domains in any way (not just transactionally with a storefront — serving up an ad would count too).
Privacy services would have to terminate such services when informed that a registrant is monetizing their domains.
But the bill doesn’t stop there.
Failing to publish Whois records in full would be an “unfair or deceptive act or practice” and the Federal Trade Commission would be allowed to pursue damages against registries and registrars that break the law.
In short, it’s a wish-list for those who oppose the new regime of privacy brought in by ICANN’s response to the General Data Protection Regulation.
While it’s well-documented that the US executive branch, in the form of the National Telecommunications and Information Administration, is no fan of GDPR, whether there’s any interest in the US Congress to adopt such legislation is another matter.
Is this an IP lawyer’s pipe-dream, or the start of a trans-Atlantic war over privacy? Stay tuned!

No more free ride for ICANN Fellows?

Kevin Murphy, August 29, 2018, Domain Policy

Newcomers who get free travel to ICANN meetings will have to show they’re serious about participating in the community, under new rules.
ICANN is revamping its Fellowship program to ensure that it’s actually meeting its goals of increasing the pool of knowledgeable volunteers that the community can draw on.
The program, designed to bring in people unable to afford their own in-person meeting attendance, had come in for criticism for not being sufficiently accountable, and perhaps a poor use of money in a time of budget pressure.
It’s not been easy to measure the ratio of valuable ICANN citizens it was creating versus freeloaders who abuse the system for a free busman’s holiday.
Among the key changes being introduced now are requirements for Fellows to attend a minimum number of session-hours per meeting, casually policed by seven “mentors” — selected from and appointed by each supporting organization and advisory committee.
The number of hours required doesn’t appear to be set in stone as yet, with ICANN saying it will work with mentors to arrive at a figure.
While ICANN admits it obviously can’t force Fellows to participate after their first meeting, it plans to make sure returning Fellows can provide documentary evidence that they have engaged on subsequent applications for the program.
The three-meetings-only rule will remain.
The request for post-meeting reports from Fellows will be piloted at the Barcelona meeting in October.
More information on the program revamp can be found here.

ICANN faces critical choice as security experts warn against key rollover

Kevin Murphy, August 23, 2018, Domain Tech

Members of ICANN’s top security body have advised the organization to further delay plans to change the domain name system’s top cryptographic key.
Five dissenting members of the influential, 22-member Security and Stability Advisory Committee said they believe “the risks of rolling in accordance with the current schedule are larger than the risks of postponing”.
Their comments relate to the so-called KSK rollover, which would see ICANN for the first time ever change the key-signing key that acts as the trust anchor for all DNSSEC queries on the internet.
ICANN is fairly certain rolling the key will cause DNS resolution problems for some — possibly as much as 0.05% of the internet or a couple million people — but it currently lacks the data to be absolutely certain of the scale of the impact.
What it does know — explained fairly succinctly in this newly published guide (pdf) — is that within 48 hours of the roll, a certain small percentage of internet users will start to see DNS resolution fail.
But there’s a prevailing school of thought that believes the longer the rollover is postponed, the bigger that number of affected users will become.
The rollover is currently penciled in for October 11, but the ultimate decision on whether to go ahead rests with the ICANN board of directors.
David Conrad, the organization’s CTO, told us last week that his office has already decided to recommend that the roll should proceed as planned. At the time, he noted that SSAC was a few days late in delivering its own verdict.
Now, after some apparently divisive discussions, that verdict is in (pdf).
SSAC’s majority consensus is that it “has not identified any reason within the SSAC’s scope why the rollover should not proceed as currently planned.”
That’s in line with what Conrad and the Root Server System Advisory Committee have said. But SSAC noted:

The assessment of risk in this particular area has some uncertainty and therefore includes a component of subjective judgement. Individuals (including some members of the SSAC) have different assessments of the overall balance of risk of the resumption of this plan.

It added that it’s up to the ICANN board (comprised largely of non-security people) to make the final call on what the acceptable level of risk is.
The minority, dissenting opinion gets into slightly more detail:

The decision to proceed with the keyroll is a complex tradeoff of technical and non-technical risks. While there is risk in proceeding with the currently planned roll, we understand that there is also risk in further delay, including loss of confidence in DNSSEC operational planning, potential for more at-risk users as more DNSSEC validation is deployed, etc.
While evaluating these risks, the consensus within the SSAC is that proceeding is preferable to delay. We personally evaluate the tradeoffs differently, and we believe that the risks of rolling in accordance with the current schedule are larger than the risks of postponing and focusing heavily on additional research and outreach, and in particular leveraging newly developed techniques that provide better signal and fidelity into potentially impacted parties.
We would like to reiterate that we understand our colleagues’ position, but evaluate the risks and associated mitigation prospects differently. We believe that the ultimate decision lies with the ICANN Board, and do not envy them with this decision.

SSAC members are no slouches when it comes to security expertise, and the dissenting members are no exception. They are:

  • Lyman Chapin, co-owner of Interisle Consulting, a regular ICANN contractor perhaps best-known to DI readers for carrying out a study into new gTLD name collisions five years ago.
  • Kimberly “kc claffy” Claffy, head of the Center for Applied Internet Data Analysis at the University of California in San Diego. CAIDA does nothing but map and measure the internet.
  • Jay Daley, a registry executive with a technical background whose career includes senior stints at .uk and .nz. He’s currently keeping the CEO’s chair warm at .org manager Public Interest Registry.
  • Warren Kumari, a senior network security engineer at Google, which is probably the largest early adopter of DNSSEC on the resolution side.
  • Danny McPherson, Verisign’s chief security officer. As well as .com, Verisign runs two of the 13 root servers, including the master A-root. It’s running the boxes that sit at the top of the DNSSEC hierarchy.

It may be the first time SSAC has failed to reach a full-consensus opinion on a security matter. If it has ever published a dissenting opinion before, I certainly cannot recall it.
The big decision about whether to proceed or delay is expected to be made by the ICANN board during its retreat in Brussels, a three-day meeting that starts September 14.
Given that ICANN’s primary mission is “to ensure the stable and secure operation of the Internet’s unique identifier systems”, it could turn out to be one of ICANN’s biggest decisions to date.