Full $185,000 refunds offered to risky new gTLD applicants

ICANN is to offer applicants for three new gTLDs identified as too risky to go live full refunds of their application fees.
Its board of directors acknowledged at its weekend retreat that it has no intention of delegating .corp, .home and .mail, and that each applicant should be able to get their entire $185,000 application fee back.
The applicants will have to withdraw their applications in order to get the refund.
Ordinarily, withdrawing an application would only qualify the applicants for a partial refund.
The ICANN board said in its resolution that it “does not intend to delegate the strings .CORP, .HOME, and .MAIL in the 2012 round of the New gTLD Program”.
It added that “the applicants were not aware before the application window that the strings .CORP, .HOME, and .MAIL would be identified as high-risk, and that the delegations of such high-risk strings would be deferred indefinitely.”
The three strings are considered risky because they already receive vast amounts of “name collision” traffic, largely from DNS queries that leak out from private networks.
There’s a concern that delegating any of them would create a big security risk in terms of confidential data leakage and stuff just generally breaking.
It’s been six years since the last new gTLD application window was open, and some applicants for the strings abandoned their bids years ago.
There are five remaining .corp applicants (and one withdrawal), five for .mail (two withdrawals) and ten for .home (one withdrawal).
The refunds will be taken from ICANN’s separate new gTLD program budget so presumably will not have an impact on its current operating budget woes.
The board noted that technically it did not have to give full refunds, under the terms of the Applicant Guidebook, but that it was doing so in the interest of “fairness”.
This may come as little comfort to applicants whose money has been tied up in limbo for the last six years.

dotgay lawyer insists it is gay enough for .gay gTLD

What do Airbnb, the Stonewall riots and the 2016 Orlando nightclub shooting have in common?
They’re all cited in a lengthy, somewhat compelling memo from a Yale law professor in support of dotgay LLC’s argument that it should be allowed to proceed with its .gay gTLD application unopposed by rival applicants.
The document (pdf), written by William Eskridge, who has decades of publications on gay rights under his belt, argues that dotgay’s Community Priority Evaluation and the subsequent review of that evaluation were both flawed.
At the crux of the dispute is whether the word “gay” can also be used to describe people who are transgender, intersex, and “allied” straight — dotgay says it can, but the Economist Intelligence Unit, which carried out the CPE, disagreed.
dotgay scored 10 out of 16 points on its CPE, four shy of a passing grade. An acceptance of dotgay’s definition of the “gay” community could have added 1 to 4 extra points to its score.
The company also lost a point due to an objection from a gay community center, despite otherwise broad support from gay-oriented organizations.
Eskridge spends quite a lot of time on the history of the word “gay”, from Gertrude Stein and Cary Grant using it as a wink-wink code-word in less-tolerant times, via the 1969 Stonewall riots, to today’s use in the media.
The argument gets a bit grisly when it is pointed out that some of the 49 people killed in the 2016 mass shooting at the Pulse nightclub in Orlando, Florida — routinely described as a “gay” club in the media — were either transgender or straight.

My research associates and I read dozens of press and Internet accounts of this then-unprecedented mass assault by a single person on American soil. Almost all of them described Pulse as a “gay bar,” the situs for the gay community. But, like the Stonewall thirty-seven years earlier, Pulse was a “gay bar” and a “gay community” that included lesbians, bisexual men and women, transgender persons, queer persons, and allies, as well as many gay men.

Eskridge argues that EIU erred by applying an overly strict definition of the applied-for string with dotgay, but not with successful community applicants for other strings.
For example, he argues, a manufacturer of facial scrubs would qualify for a “.spa” domain, and Airbnb and the Orient Express train line would qualify for “.hotel” domains under that applicant’s definition of its community, even though it could be argued that they do not fit into the narrow categories of “spas” and “hotels”.
Similarly, a transgender person may not consider themselves “gay” and a straight person certainly would not, but both might feel a part of the broader “gay community” when they get shot at a gay nightclub.
It’s an unpleasant way to frame the argument, but in my view it’s compelling nevertheless.
Eskridge also thinks that dotgay should have picked up an extra point or two in the part of the CPE dealing with community support.
It dropped one point there because the Q Center, a community center for LGBTQ people in Portland, Oregon, sent a letter objecting to the dotgay application (an objection apparently later revoked, then reinstated).
Eskridge spend some time questioning the Q Center’s bona fides as a big-enough organization to warrant costing dotgay a point, noting that it was the only member of a 200-strong umbrella organization, CenterLink, to object. CenterLink itself backed the bid.
He then goes on to cite articles seemingly showing that Q Center was in the midst of some kind of liberal paranoia meltdown — accused of racial insensibility and “transphobia” — and allegations of mismanagement at about the same time as it was objecting to dotgay’s application.
He also insinuates that Q’s base in Portland is suspicious because it’s also where rival applicant Top Level Design is based.
In summary, Eskridge reckons the EIU CPE and FTI Consulting’s subsequent investigation were both flimsy in their research, unfairly applying criteria to .gay that they did not apply to other strings, and that dotgay should have picked up enough points to pass the CPE.
It’s important to remember that this is not a case of ICANN getting decide whether the gTLD .gay gets to exist — it’s going to exist one way or the other — but rather whether the winning registry is selected by auction or not.
If dotgay wins either by getting another CPE or winning the auction then .gay will be restricted to only vetted members of the “gay” community. This could mean less homophobic abuse in .gay domains but probably also less opportunity for self expression.
If it goes to Top Level Design, MMX or Donuts, it will be open to all comers. That could increase cyber-bulling with .gay domains, but would remove barriers to entry to those who would otherwise be excluded from registering a domain.
ICANN has had .gay on hold for years while the dispute over the CPE has worked itself out, and it now has a piece of paper from FTI declaring the result hunky-dory. I doubt there’s any appetite to reopen old wounds.
My feeling is that we’re looking at an auction here.

Root crypto rollover now slated for October

ICANN has penciled in October 11 as the new date for rolling the DNS root’s cryptographic keys, a delay of a year from its original plan.
The so-called KSK rollover will see ICANN remove the deprecated 2010 Key Signing Key, leaving only the 2017 KSK active.
The KSK acts as the “trust anchor” for DNSSEC across the whole internet.
After the rollover, any network not configured to use the latest KSK would see a service interruption.
This could mean many millions of internet users being affected, but ICANN doesn’t know the extent of the possible impact for sure.
ICANN told us in November that it knows of 176 organizations in 41 countries, fairly evenly spread across the globe, that are currently not prepared to handle the new KSK.
But its data is patchy because only a tiny number of DNS resolvers are actually configured to automatically report which KSKs they’re set up to use.
Key rollovers are recommended by DNSSEC experts to reduce the risk of brute force attacks against old keys. At the root, the original plan was to roll the keys every five years.
ICANN had named October 11 2017 as the date for the first such rollover, but this was pushed back to some time in the first quarter after ICANN became aware of the lack of support for the 2017 KSK.
This was pushed back again in December to Q3 at the earliest, after ICANN admitted it still didn’t have good enough data to measure the impact of a premature roll.
Since then, ICANN has been engaged in (not always successful) outreach to networks it knows are affected and has kicked off discussions among network operators (there’s a fairly lively mailing list on the topic) to try to gauge how cautious it needs to be.
It’s now published an updated plan that’s the same as the original plan but with a date exactly one year late — October 11, 2018.
Between now and then, it will continue to try to get hold of network operators not ready to use the new keys, but it’s not expecting to completely eliminate damage. The plan reads:

Implicit in the outreach plan is the same assumption that the community had for the earlier (postponed) plan: there will likely be some systems that will fail to resolve names starting on the day of the rollover. The outreach will attempt to minimize the number of affected users while acknowledging that the operators of some resolvers will be unreachable.

The plan is open for public comment and will require the assent of the ICANN board of directors before being implemented. You have until April 2 to respond.

CPE probe: “whitewash” or “fig leaf”?

A few weeks ago, when I was reporting the conclusions of a probe into ICANN’s new gTLD program, I wrote a prediction on a piece of paper and placed it into a sealed envelope.*
I wrote: “They’re gonna call this a whitewash.”
And I was correct! Ta-dah! I’m here all week.
The lawyer for applicants for .music and .gay gTLDs has written to ICANN to complain that a purportedly independent review of the Community Evaluation Process was riddled with errors and oversights and should not be trusted.
In a letter on behalf of dotgay LLC, Arif Ali calls the report a “whitewash”. In a letter on behalf of DotMusic, he calls it a “fig leaf”.
Both companies think that the CPE probe was designed to give ICANN cover to proceed with auctions for five outstanding gTLD contention sets, rather than to get to the bottom of perceived inconsistencies in the process.
Both of Ali’s clients applied for their respective gTLDs as “community” applicants, trying to avoid auctions by using the Community Priority Evaluation process.
During their CPEs, both carried out by the Economist Intelligence Unit, neither applicant scored highly enough to win the exclusive right to .gay or .music, meaning the next stage was to auction the strings off to the highest bidder.
After repeated complaints from applicants and an Independent Review Process finding that ICANN lacked transparency and that staff may have had inappropriate influence over the EIU, ICANN hired FTI Consulting to look into the whole CPE process.
FTI’s report was finally delivered late last year, clearing ICANN on all counts of impropriety and finding that the EIU’s evaluations had been consistent across each of the applications it looked at.
The remaining gTLDs affected by this are .music, .gay, .hotel, .cpa, and .merck.
ICANN’s board of directors is due to meet to discuss next steps this weekend, but Ali says that it should “critically evaluate the [FTI] Report and not accept its wholesale conclusions”. He wrote, on behalf of DotMusic:

The report reveals that FTI’s investigation was cursory at best; its narrow mandate and evaluation methodology were designed to do little more than vindicate ICANN’s administration of the CPE process.
…
It is evident that FTI engaged in a seemingly advocacy-driven investigation to reach conclusions that would absolve ICANN of the demonstrated and demonstrable problems that afflicted the CPE process.

Among the applicants’ list of complaints: their claim that FTI did not interview affected applicants or take their submissions seriously, and the fact that ICANN was less than transparent about who was conducting the probe and what its remit was.
The same letter quotes ICANN chair Cherine Chalaby, then vice-chair, saying in a January 2017 webinar that he had observed inconsistencies in how the CPEs were carried out; inconsistencies FTI has since found did not occur.
That should be enough to provoke discussion when the board meets to discuss this and other issues in Los Angeles on Saturday.
* I didn’t actually do this of course, I just thought about it, but you get my point.

US and EU call for Whois to stay alive

Government officials from both sides of the Atlantic have this week called on ICANN to preserve Whois as it currently is, in the face of incoming EU privacy law, at least for a select few users.
The European Commission wrote to ICANN to ask for a “pragmatic and workable solution” to the apparent conflict between the General Data Protection Regulation and the desire of some folks to continue to access Whois as usual.
Three commissioners said in a letter (pdf) that special consideration should be given to “public interests” including “ensuring cybersecurity and the stability of the internet, preventing and fighting crime, protecting intellectual property and copyright, or enforcing consumer protection measures”.
David Redl, the new head of the US National Telecommunications and Information Administration, echoed these concerns in a speech at the State of the Net conference in Washington DC on Monday.
Redl said that the “preservation of the Whois service” is one of NTIA’s top two priorities at the moment. The other priority is pressing for US interests in the International Telecommunications Union, he said.
Calling Whois “a cornerstone of trust and accountability for the Internet”, Redl said the service “can, and should, retain its essential character while complying with national privacy laws, including the GDPR.”
“It is in the interests of all Internet stakeholders that it does,” he said. “And for anyone here in the US who may be persuaded by arguments calling for drastic change, please know that the US government expects this information to continue to be made easily available through the Whois service.”
He directly referred to the ability of regular internet users to access Whois for consumer protection purposes in his speech.
The European Commission appears to be looking at a more restrictive approach, but it did offer some concrete suggestions as to how GDPR compliance might be achieved.
For example, the commissioners’ letter appears to give tacit approval to the idea of “gated” access to Whois, but called for access by law enforcement to be streamlined and centralized.
It also suggests throttling as a mechanism to reduce abuse of Whois data, and makes it clear that registrants should always be clearly informed how their personal data will be used.
The deadline for GDPR compliance is May this year. That’s when the ability of EU countries to start to levy fines against non-compliant companies, which could run into millions of euros, kicks in.
While ICANN has been criticized by registries and registrars for moving too slowly to give them clarity on how to be GDPR-compliant while also sticking to the Whois provisions of their contracts, its pace has been picking up recently.
Two weeks ago it called for comments on three possible Whois models that could be used from May.
That comment period ended on Monday, and ICANN is expected to publish the model upon which further discussions will be based today.

Is the Trump administration really trying to reverse the IANA transition?

Questions have been raised about the US government’s commitment to an independent ICANN, following the release of letters sent by two top Trump appointees.
In the letters, new NTIA head David Redl and Secretary of Commerce Wilbur Ross expressed an interest in looking at ways to “unwind” the IANA transition, which in 2016 severed the formal ties between ICANN and the US in DNS root zone management.
Responding to questions from senators during his lengthy confirmation process, now National Telecommunications and Information Administration assistant secretary Redl wrote:

I am not aware of any specific proposals to reverse the IANA transition, but I am interested in exploring ways to achieve this goal. To that end, if I am confirmed I will recommend to Secretary Ross that we begin the process by convening a panel of experts to investigate options for unwinding the transition.

The letters were first obtained by Politico under the Freedom of Information Act. We’re publishing them here (pdf).
They were sent last August, when Redl’s confirmation to the NTIA role was being held up by Senator Ted Cruz, who vehemently opposed the transition because he said he thought it would give more power over online speech to the likes of Russia and China.
He was confirmed in November.
The question is whether Redl was serious about unwinding the transition, or whether he was just bullshitting Cruz in order to remove a roadblock to his confirmation.
Technically, he only promised to “recommend” convening a panel of experts to his boss, Ross.
NTIA declined to comment last week when DI asked whether the department still supports the IANA transition, whether any efforts are underway to unwind it, and whether the panel of experts has already been convened.
Redl’s statements on ICANN since his confirmation have been more or less consistent with his Obama-era predecessor, Larry Strickling, in terms of expressing support for multi-stakeholder models, but with perhaps some causes for concern.
During his first public speech, delivered at the CES show in Las Vegas earlier this month, Redl expressed support for multi-stakeholder internet governance amid pushes for more multi-lateral control within venues such as the International Telecommunications Union.
However, he added:

I’ll also focus on being a strong advocate for U.S. interests within ICANN. We need to ensure transparency and accountability in ICANN’s work. And in light of the implementation of the European General Data Privacy Regulation, or GDPR, we need to preserve lawful access to WHOIS data, which is a vital tool for the public.
In the coming weeks, I’ll be seeking out the views of stakeholders to understand how else NTIA can best serve American interests in these global Internet fora.

Could this be an allusion to the “panel of experts”? It’s unclear at this stage.
One of Redl’s first moves as NTIA chief was to slam ICANN for its lack of accountability concerning the shutdown of a review working group, but that was hardly a controversial point of view.
And in a letter to Senator Brian Schatz, the Democrat ranking member of the Senate Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, sent earlier this month, Redl expressed support for the multi-stakeholder model and wrote:

NTIA will be a strong advocate for US interests with the Governmental Advisory Committee of the Internet Cooperation [sic] for Assigned Names and Numbers (ICANN) in the existing post-transition IANA phase. NTIA will also monitor the [IANA operator] Public Technical Identifiers (PTI) and take action as necessary to ensure the security and stability of the DNS root.

That certainly suggests NTIA is happy to work in the new paradigm, while the promise to “take action as necessary” against PTI may raise eyebrows.
While a lot of this may seem ambiguous, my hunch is that there’s not really much appetite to reverse the IANA transition. Apart from appeasing Cruz’s demons, what could possibly be gained?
Ross, quizzed by Cruz at his own confirmation hearing a year ago, seemed reluctant to commit to such a move.

New gTLD revenue cut by HALF in ICANN budget

The new gTLD industry is performing terribly when compared to ICANN’s predictions just six months ago.
ICANN budget documents published over the weekend show that by one measure new gTLDs are doing just 51% of the business ICANN thought they would.
The new budget (pdf) shows that for the fiscal year 2018, which ends June 30, ICANN currently expects to receive $4.6 million in registry transaction fees.
These are the fees registries must pay for each new registration, renewal or transfer, when the TLD has more than 50,000 domains under management.
In a draft budget (pdf) published March 2017, its “best estimate” for these fees in FY18 was $8.9 million, almost double its newest prediction.
That prediction lasted until the approved budget (pdf) published last August.
The budget published at the weekend expects this transaction revenue to increase 31.1% to $6 million by June 30, 2019, still a long way off last year’s estimate.
At the registrar level, where registrars pay a transaction fee regardless of the size of the customer’s chosen gTLD, ICANN expects new gTLD revenue to be $3.9 million in FY18.
That’s just 52% of its March/August 2017 estimate of $7.5 million.
Looking at all reportable transactions — including the non-billable ones — ICANN’s projection for FY18 is now 21.9 million, compared to its earlier estimate of 41.7 million.
ICANN even reckons the number of new, 2012-round gTLDs actually live on the internet is going to shrink.
Its latest budget assumes 1,228 delegated TLDs by the end of June this year, which appears to be a couple light on current levels (at least according to me) and down from the 1,240 it expected a year ago.
It expects there to be 1,231 by the end of June 2019, which is even lower than it expected have in June 2017.
I suspect this is related to dot-brands cancelling their contracts, rather than retail gTLDs going dark.
Revenue from fixed registry fees for FY18 is expected to be $30.6 million, $200,00 less than previous expectations. Those numbers are for all gTLDs, old and new.
Overall, the view of new gTLDs is not pretty, when judged by what ICANN expected.
It shows that ICANN is to an extent captive to the whims of a fickle market that has in recent years been driven by penny deals and Chinese speculation.
By contrast, legacy gTLDs (.com, .info, etc) are running slightly ahead of earlier projections.
ICANN now expects legacy registry transaction fees of $48.6 million for FY18, which is $200,000 more than predicted last year.
It expects registrar transaction fees of $29.5 million, compared to its earlier forecast of $29.4 million.
This is not enough to recoup the missing new gTLD money, of course, which is why ICANN is slashing $5 million from its budget.

ICANN slashes millions from its budget

ICANN has cut $5 million from its annual budget, warning the community that difficult decisions have to be made amid a slowing domain name market.
Staff and community members will all be affected by the cuts, whether in the form of less generous pay raises or fewer travel opportunities.
Cuts have also been proposed to international outreach, tech support, contractual compliance and translation services.
The organization at the weekend published for comment its proposed budget for fiscal 2019. That’s the year that begins July 1, 2018.
It would see ICANN spend $138 million, $5 million less than it expects to spend in fiscal 2018.
Four of the five top-line areas ICANN reports expenses will be cut for a total of $12 million in savings, while one of them — personnel — is going up by $7.3 million.
This rounds out to a $5 million cut to the total FY19 ICANN budget. Here’s the breakdown:

• Personnel costs going up from $69.5 million to $76.8 million, up $7.3 million.
• Travel and meetings costs are to go down from $17.8 million to $15.6 million, a $2.2 million saving.
• Professional services costs will go down from $27.7 million to $23.4 million, a $4.3 million saving.
• Administration and capital costs will go down from $22.5 million to $17.8 million, a $4.7 million saving.
• The contingency budget is going down from $5.3 million to $4.5 million, a $800,000 saving.

Personnel costs are going up due to a combination of new hires and pay rises, but the average annual pay rise will be halved from 4% to 2%, saving $1.3 million, ICANN documentation states.
Headcount is expected to level out at about 425, up from the current 400, by the end of FY19.
The travel budget is going down due to a combination of cuts to services provided at the three annual meetings and the number of people ICANN reimburses for going to them.
The Fellows program — sometimes criticized for giving people what look like free vacations for little measurable return — is seeing the biggest headcount cut here. ICANN will only pay for 30 Fellows to go its meetings in FY19, half the level of FY18. The Next Gen program, a similar outreach program for yoof participants, goes down to 15 people from 20.
The Governmental Advisory Committee will get its number of funded seats reduced by 10 to 40. The ALAC and the ccNSO also each lose a few seats. Other constituencies are unaffected.
At the meetings themselves, translation is to be scaled back to be provided on an as-requested basis, rather than automatically translating everything into all six UN languages. Key sessions will continue to have live interpretation.
Outside of the three main meetings, ICANN is pulling back on plans to expand its irregular “capacity building” workshops in “under-served” areas of the world.
It’s also slashing the “additional budget request” budget by 50%.
In terms of compliance, a proposed Technical Compliance Monitoring system that was going to be built this year — a way to make sure gTLD registries and registrars are stable and secure — appears to be at risk of being deprioritized.
ICANN said it “will develop an implementation plan in due time, depending on the RFP results and, if needed, work with the Board to identify necessary resources and funds to support implementation of the project.”
The documents published today are now open for public comment until March 8.
The cuts I’ve reported here can be found from page 19 of this document (pdf).
The reason for the cutbacks is that ICANN’s revenue isn’t growing as fast as it once did, due to the slower than expected growth of the domain name industry in general. I’ll get to that a later article.

A new gTLD kills itself off for the second time

British pharmacy chain Boots has applied to ICANN to terminate its dot-brand contract for the second time.
The company asked for its .boots Registry Agreement, signed in 2015, to be ended in December and ICANN opened the request for public comment this week.
What’s weird about the request is that Boots had already asked for self-termination last April, but that request was subsequently withdrawn by the company.
Boots seems to have changed its mind, twice, in a year.
As I noted first time around, .boots was the first example of a dot-brand that also matches a generic class of goods to chose the easy way out.
It’s quite likely the two-year freeze on re-applying for the string, should anyone want to, will be over by the time the next new gTLD application window opens.
.boots only had the contractually mandated placeholder domain nic.boots live.

ICANN blocks 1.5 million domains, including some three-letter names

A million and a half domain names, including many potential valuable three and four-letter strings, have been been given special protection across all gTLDs under a new ICANN policy.
The long-discussed, highly controversial reservation of the names and acronyms of various intergovernmental and non-governmental organizations has become official ICANN Consensus Policy and will be binding on all gTLD registries and registrars from August this year.
The policy gives special protection to (by my count) 1,282 strings in each of the (again, by my count) 1,243 existing gTLDs, as well as future gTLDs. That comes to over 1.5 million domains.
The strings match the names, and sometimes the acronyms and abbreviations, of recognized Intergovernmental Organizations (IGOs) and International Non-Governmental Organizations (INGOs) as well as the International Olympic Committee, Red Cross, Red Crescent and related movements.
These are all organizations whose names are protected by international law but not necessarily by trademarks.
Protected strings run from obscurities such as “europeanbankforreconstructionanddevelopment” and “internationalunionfortheprotectionofnewvarietiesofplants” to “can”, “eco” and “fao”.
All gTLDs, including legacy TLDs such as .com, are affected by the policy.
The full list of protected strings can be found here.
Any of the Red Cross, IOC and IGO strings already registered will remain registered, and registries are obliged to honor renewal and transfer requests. Nobody’s losing their domains, in other words. But if any are deleted, they must be clawed back and reserved by the registry.
The protected organizations must be given the ability to register their reserved matching names should they wish to, the policy states.
Registries will be able to sell the acronyms of protected INGOs, but will have to offer an “INGO Claims Service”, which mirrors the existing Trademark Claims service, in gTLDs that go live in future.
The policy was developed by ICANN’s Generic Names Supporting Organization and approved by the ICANN board of directors all the way back in April 2014 and has been in implementation talks ever since.
It’s the 14th Consensus Policy to be added to ICANN’s statute book since the organization was formed 20 year ago.
Registries and registrars have until August 1 to make sure they’re compliant. Consensus Policies are basically incorporated into their contracts by reference.
Work on IGO/INGO protections is actually still ongoing. There’s a GNSO Policy Development Process on “curative” rights for IGOs and INGOs (think: UDRP) that is fairly close to finishing its work but is currently mired in a mind-numbing process debate.
UPDATE: This post was updated January 17, 2018 to correct the number of reserved strings and to clarify how INGO names are treated by the policy.