Latest news of the domain name industry

Former NTIA chief Redl now working for Amazon

Kevin Murphy, November 6, 2019, Domain Policy

David Redl, the former head of the US National Telecommunications and Information Administration, has joined Amazon as an internet governance advisor, I’ve learned.
I don’t know whether he’s taken a full-time job or is a contractor, but he’s been spotted palling around with Amazon folk at ICANN 66 in Montreal and knowledgeable sources tell me he’s definitely on the payroll.
Redl was assistant secretary at the NTIA until May, when, after just 18 months on the job, he was reportedly asked to resign over a wireless spectrum issue unrelated to domain names.
His private sector career prior to NTIA was in the wireless space. I don’t believe he’s ever been employed in the domain industry before.
NTIA is of course the US agency responsible for participating in all matters ICANN, including the ongoing fight over Amazon’s application for the .amazon brand gTLD.
The proposed dot-brand has been in limbo for many years due to the objections of the eight nations of the Amazon Cooperation Treaty Organization, which claims cultural rights to the string.
ACTO nations on ICANN’s Governmental Advisory Committee want ICANN to force Amazon back to the negotiating table, to give them more power over the TLD after it launches.
But the NTIA rep on the GAC indicated at the weekend that the US would block any GAC calls for .amazon to be delayed any longer.
As I type these words, the GAC is debating precisely what it should say to ICANN regarding .amazon in its Montreal communique, using competing draft texts submitted by the US and European Commission, and it’s not looking great for ACTO.
As I blogged earlier in the week, another NTIA official, former GAC rep Ashley Heineman, has accepted a job at GoDaddy.
UPDATE: As a commenter points out, Redl last year criticized the revolving door between ICANN and the domain name industry, shortly after Akram Atallah joined Donuts.

Neustar’s .co contract up for grabs

Kevin Murphy, November 6, 2019, Domain Registries

Colombia is looking for a registry operator for its .co ccTLD.
If you’re interested, and you’re reading this before noon on Wednesday November 6 and you’re at ICANN 66 in Montreal, hightail it to room 514A for a presentation from the Colombian government that will be more informative than this blog post.
Hurry! Come on! Move it!
The Ministry of Information Technology and Communications (MinTIC) has published a set of documents describing some of the plan to find a potentially new home for .co.
There doesn’t appear to be a formal RFP yet, but I gather one is imminent.
What the documents do tell us is that Neustar’s contract to run .co expires in February, and that MinTIC is looking into the possibility of a successor registry.
Currently, .co is delegated to .CO Internet, a Colombian entity that relaunched the TLD in 2010 and was acquired by Neustar for $109 million in 2014.
But under a law passed earlier this year, it appears as if MinTIC is taking over policy management for .co and may therefore seek IANA redelegation.
There’s no indication I could see that there’s a plan to reverse the policy of allowing anyone anywhere in the world to register a .co; indeed, MinTIC seems quite proud of its international success.
The documents also give us the first glimpse for years into .co’s growth.
It had 2,374,430 names under management in September, after a couple of years of slowing growth. The documents state that .co had an average of 323,590 new regs per year for the first seven years, which has since declined to an average of 32,396.
.co is not the cheapest TLD out there, renewing at around $25 at the low end.

US official Heineman joins GoDaddy

Kevin Murphy, November 5, 2019, Domain Policy

Former US government official Ashley Heineman has joined the staff of GoDaddy.
Heineman was until quite recently a policy specialist at the US National Telecommunications and Information Administration and the US representative on ICANN’s Governmental Advisory Committee.
But GoDaddy confirmed to DI today that she’s now left NTIA and joined the market-leading registrar.
I don’t know what her job title is yet. One assumes it’s related to policy or legal issues.
Heineman spent 15 years at NTIA and has been the ICANN GAC rep for the US for the last few years.
She’s had a respectably hands-on role, for a GACer, including being a member of the ongoing “EPDP” cross-community working group conducting a post-GDPR review of Whois policy.
Judging by my embarrassing error at the weekend, the US is currently being represented on the GAC by the NTIA’s Vernita Harris.
I’ve also heard rumors from ICANN 66 that another former NTIA official has also recently moved into the domain name industry. I’ll blog it up just as soon as I get confirmation.

Surprise! ICANN throws out complaints about .org price caps

Kevin Murphy, November 4, 2019, Domain Policy

ICANN has rejected two appeals against its decision to lift price caps and introduce new anti-cybersquatting measures in the .org space.
In other news, gambling is going on in Rick’s Cafe.
NameCheap and the Electronic Frontier Foundation both filed Requests for Reconsideration with ICANN back in July and August concerning the .org contract renewal.
NameCheap argued that ICANN should have listened to the deluge of public comments complaining about the removal of price caps in Public Interest Registry’s .org contract, while EFF complained about the inclusion of the Uniform Rapid Suspension rights protection mechanism.
Reconsideration requests are usually handled by the Board Accountability Mechanisms Committee but this time around three of its four members (Sarah Deutsch, Nigel Roberts, and Becky Burr) decided to recuse themselves due to the possibility of perception of conflicts of interest.
That meant the committee couldn’t reach a quorum and the RfRs went to ICANN’s outside lawyers for review instead, before heading to the full ICANN board.
This hasn’t happened before, to my recollection.
Also unprecedented, the board’s full discussion of both requests was webcast live (and archived here), which negates the need for NameCheap or the EFF to demand recordings, which is their right under the bylaws.
But the upshot is basically the same as if the BAMC had considered the requests in private — both were denied in a unanimous (with the three recusals) vote.
Briefing the board yesterday, ICANN associate general counsel Elizabeth Le said:

There was no evidence to support that ICANN Org ignored public consultation. Indeed both renewals went out for public comments and there were over 3,700 comments received, all of which ICANN reviewed and evaluated and it was discussed in not only the report of public comments, but it was discussed through extensive briefings with the ICANN board…
Ultimately, the fact that the removal of the price caps was part of the Registry Agreements does not render the public comment process a sham or that ICANN failed to act in the public benefit or that ICANN Org ignored material information.

General counsel John Jeffrey and director Avri Doria both noted that the board may not have looked at each individual comment, but rather grouped them together based on similarity. Doria said:

Whether one listens to the content once or listens to it 3,000 times, they have understood the same content. And so I really just wanted to emphasize the point that it’s not the number of comments, it’s the content of the comments.

This seems to prove the point I made back in April, when this controversy first emerged, that letter-writing campaigns don’t work on ICANN.
As if to add insult to injury, the board at the same meeting yesterday approved paying an annual bonus to the ICANN Ombudsman, who attracted criticism from NameCheap and the Internet Commerce Association after dismissing many of the public comments as “more akin to spam”.

Somber mood as ICANN 66 opens in Montreal

Kevin Murphy, November 4, 2019, Domain Policy

The opening ceremony of ICANN’s 66th public meeting set a somber tone, as leaders bade farewell to recently departed and departing colleagues.
Outgoing chair Cherine Chalaby and CEO Göran Marby delivered eulogies respectively to senior vice president Tarek Kamel, and long-time industry/community participant, Don Blumenthal, both of whom died over the last several weeks.
Apparently choking up at one point, Chalaby described Kamel as a “good friend” and “great man” who “always made time for me, always encouraged me, and always advised me with great sincerity”.
Marby later announced that ICANN will create a new annual award, named after Kamel, which will honor “individuals significantly contributing to capacity building and creating diversity within our community”.
He also said that the dinner held by the CEO with the technical community at the end of every ICANN meeting will in future be named after Blumenthal, a long-serving member of the security community.
“His expertise, hard work and humor will be sorely missed,” Marby said.
Chalaby himself is leaving ICANN under less sad circumstances on Thursday, when the third and final of his terms comes to an end and he leaves the board of directors for good. He’s been on the board for nine years and chair for two.
Marby presented him with ICANN’s Leadership Award in recognition of his time served.
Chalaby will be replaced by Maarten Botterman.
ICANN 66 runs through Thursday in Montreal, Canada.

New (kinda) geo-TLD rules laid out at ICANN 66

Kevin Murphy, November 2, 2019, Domain Policy

The proposed rules for companies thinking about applying for a geographic gTLD in the next application round have been sketched out.
They’re the same as the old rules.
At ICANN 66 in Montreal today, a GNSO Policy Development Process working group team discussed its recently submitted final report (pdf) into geographic strings at the top level.
While the group, which comprised over 160 members, has been working for over two years on potential changes to the rules laid out in the 2012 Applicant Guidebook, it has basically concluded by consensus that no changes are needed.
What it has decided is that the GNSO policy on new gTLDs that was agreed upon in 2007 should be updated to come into line with the current AGB.
It appears to be a case of the GNSO setting a policy, the ICANN staff and board implementing rules inconsistent with that policy, then, seven years later, the GNSO changing its policy to comply with that top-down mandate.
It’s not really how bottom-up ICANN is supposed to work.
But at least nobody’s going to have to learn a whole new set of rules when the next application round opens.
The 2012 AGB bans two-letter gTLDs, for example, to avoid confusion with ccTLDs. It also places strong restrictions on the UN-recognized names of countries, territories, capital cities and regions.
It also gave the Governmental Advisory Committee sweeping powers to object to any gTLD it didn’t like the look of.
What it didn’t do was restrict geographic names such as “Amazon”, which is an undeniably famous geographic feature but which does not appear on any of the International Standards Organization lists that the AGB defers to.
Amazon the retailer has been fighting for its .amazon gTLDs for seven years, and it appears that the new GNSO recommendations will do nothing to provide clarity for edge-case applicants such as this in future rounds.
The group that came up with the report — known as Work Track 5 of the New gTLD Subsequent Procedures PDP Working Group — evidently had members who wanted to reduce geographic-string protections and those who wanted to increase them.
Members ultimately reached “consensus” — indicating that most but not all members agreed with the outcome — to stick with the status quo.
Nevertheless, the Montreal session this afternoon concluded with a great deal of back-slapping and expressions that Work Track 5 had allowed all voices, even those whose requests were ultimately declined, to be heard equally and fairly.
The final report has been submitted to the full WG for adoption, after which it will go to the full GNSO for approval, before heading to public comment and the ICANN board of directors as part of the PDP’s full final report.

Form an orderly queue: New Zealand wants a new back-end

Kevin Murphy, October 23, 2019, Domain Registries

New Zealand is looking to possibly outsource its .nz ccTLD registry back-end for the first time, and has invited interested parties to get in touch.
Registry manager InternetNZ today published a request for expressions of interest in what it’s calling its “registry replacement project”.
It won’t be as straightforward as most registry migrations, as .nz is currently running essentially two different back-ends.
Today, about 65% of its registrations are based on an outdated custom Shared Registration System protocol, with the remainder on the industry standard Extensible Provisioning Protocol.
The proportion of registrars running SRS versus EPP is roughly the same, with about 65% on SRS, according to the REOI.
But the registry wants to get rid of SRS altogether, forcing all SRS-only registrars to adopt the EPP, and the new back-end provider will have to support this transition.
While registrars always have a bit of implementation work to do when a TLD changes back-ends, it’s not usually as complicated as adopting a completely different protocol with which they may be unfamiliar.
So the risk of issues arising during the eventual handover — which will probably take a bit longer than usual — is probably a bit higher than usual.
But .nz is an attractive TLD. At the start of the month, it had 711,945 domains under management, a pretty good penetration on a per-capita basis when compared to the biggest ccTLDs.
It’s in the top 50 of the 1,338 TLDs for which I have data.
The deadline for responses to the REOI is November 29, a little over a month from now, InternetNZ said.
The registry is taking briefings at ICANN 66 in Montreal from November 2, and the following week in New Zealand.
UPDATE: This article originally stated that InternetNZ has decided to outsource its back end. In fact, outsourcing is just one of a number of options.

Spam is not our problem, major domain firms say ahead of ICANN 66

Kevin Murphy, October 21, 2019, Domain Policy

Eleven of the largest domain name registries and registrars have denied that spam is something they should have to deal with, unless it’s used to proliferate other types of abuse such as phishing or malware.
In a newly published “Framework to Address Abuse” (pdf), the companies attempt to define the term “DNS abuse” narrowly to capture only five (arguably only four and a half) specific types of online threat.
That abuse comprises malware, phishing, botnets, pharming and spam.
The companies agree that these are activities which registrars and registries “must” act upon.
But the document notes that not all spam is their responsibility, stating:

While Spam alone is not DNS Abuse, we include it in the five key forms of DNS Abuse when it is used as a delivery mechanism for the other four forms of DNS Abuse. In other words, generic unsolicited e-mail alone does not constitute DNS Abuse, but it would constitute DNS Abuse if that e-mail is part of a phishing scheme.

In other words, registrars and registries should not feel responsible for the billions of spams sent every day using their domains, unless the spam furthers malware, phishing, pharming or botnet abuse.
The signatories of the framework are Public Interest Registry, GoDaddy, Donuts, Tucows, Amazon Registry Services, Blacknight, Afilias, Name.com, Amazon Registrar, Neustar, and Nominet UK.
It may seem like they’ve presented a surprisingly narrow definition, but it’s in line with what current ICANN contracts dictate.
Neither the standard Registry Agreement nor the Registrar Accreditation Agreement mentions spam at all. Six years ago, ICANN specifically said that spam is “outside of ICANN’s scope and authority”.
Under the RA, registries have to oblige their registrars to ban registrants from “distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law”.
They also have to maintain statistical reports on the amount of “pharming, phishing, malware, and botnets” in their zones, and provide those reports to ICANN upon demand. A recent audit found that 5% of registries, mainly dot-brands, were not doing this.
However, ICANN’s Domain Abuse Activity Reporting system, an effort to provide some transparency into how gTLDs are being abused, does in fact track spam. It does not track pharming, which is a fairly obscure and little-used form of DNS attack.
The DAAR report for September shows that spam constituted 73% of all tracked abuse.
The ICANN board of directors today identified DAAR as one of a few dozen priorities for the coming year.
Similarly, the cross-community working group known as the CCT Review Team, which was tasked with looking into how the new gTLD program has impacted competition and consumer trust, had harsh words for spam-friendly registries, and provided a definition of “DNS Security Abuse” that specifically included “high volume spam”.
The review recommended that ICANN introduce more measures to force contracted parties to deal with this type of abuse. This could include incentives for registries to clean up their zones and abuse volume thresholds that would automatically trigger compliance actions.
The new framework document comes in the context of an ongoing debate within the ICANN community about what “DNS abuse” is.
Two partners at Interisle, a security consultancy that often works for ICANN, recently guest-posted on DI to say that this term has become meaningless and should be abandoned in favor of “security threat”.
They argued that the definition should include not only spam, but also stuff like IP infringement, election interference, and terrorism.
But the main threat to contracted parties probably comes from the Governmental Advisory Committee, backed by law enforcement, which is pushing for stronger rules covering abusive content.
During a webinar last week, the US Federal Trade Commission, the FBI, and Europol argued that registries and registrars should be obliged to do more to combat abuse, specifically including spam.
“Whether or not you call it phishing or spam or whether it has a malware payload or not, ultimately it’s all email, and email remains the most common tool of cybercriminals to ensnare their victims, and that’s why we in law enforcement care about the domains used to send emails,” said Gabriel Andrews of the FBI’s Cyber Initiative Resource Fusion Unit, on the call.
Registries and registrars countered, using the same language found in the new framework, that generic spam is a content issue, and outside of their remit.
The two sides are set to clash again at ICANN’s annual general meeting in Montreal next month, in a November 6 face-to-face session.
While 11 entities signed the new framework, it’s arguably only nine companies. Name.com is owned by Donuts and both Amazon firms obviously have the same parent.
But it does include the two largest registrars, and registries responsible for running several hundred commercial gTLDs, dot-brands and ccTLDs.
While none of the signatories of the framework have a particular reputation for being spam-friendly, other companies in the industry — particularly some of the newest and cheapest new gTLDs — tend to attract spammers like flies to a turd.
Some of the signatories are perhaps surprising, given their past or ongoing behavior to tackle content-based abuse in their own zones.
Nominet, notably, takes down tens of thousands of domains every year based on little more than police assurances that the domains are being used to sell counterfeit merchandise or infringe copyright.
The .uk registry also preemptively suspends domains based on algorithms that guess whether they’re likely to be seen as encouraging sexual violence or could be used in phishing attacks.
Donuts also has a trusted notifier relationship with the movie and music industries that has seen it take down dozens of names being used for mass copyright infringement.
PIR has previously endorsed, then unendorsed, the principle of a “UDRP for copyright”, a method of giving Big Content a way of going through due process to have domains taken or suspended.
Outside the spam issue, while the new registry-registrar framework says that registries and registrars should not get involved in matters related to web site content, it also says they nevertheless “should” (as opposed, one assumes based on the jargon usually found in internet standards, to “must”) suspend domains when they’re being used to distribute:

(1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence.

These are exceptions because they constitute “the physical and often irreversible threat to human life”, the framework says.
Ultimately, this all boils down to a religious debate about where the line is drawn between “DNS” and “content”, it seems to me.
The contracted parties draw the line at threats to human life, whereas others want action on other forms of abuse largely because registries and registrars are in the best position to help.

Crunch time, again, for Whois access policy

Kevin Murphy, October 14, 2019, Domain Policy

Talks seeking to craft a new policy for allowing access to private Whois data have hit another nodal point, with the community now pressuring the ICANN board of directors for action.
The Whois working group has more or less decided that a centralized model for data access, with ICANN perhaps acting as a clearinghouse, is the best way forward, but it needs to know whether ICANN is prepared to take on this role and all the potential liabilities that come with it.
Acronym time! The group is known as the Whois EPDP WG (for Expedited Policy Development Process Working Group) and it’s come up with a rough Whois access framework it’s decided to call the Standardized System for Access and Disclosure (SSAD).
Its goal is to figure out a way to minimize the harms that Europe’s General Data Protection Regulation allegedly caused to law enforcement, IP owners, security researchers and others by hiding basically all gTLD registration data by default.
The SSAD, which is intended to be as automated as possible, is the working group’s proposed way of handling this.
The “hamburger model” the EPDP has come up with sees registries/registrars and data requestors as the top and bottom of the sandwich (or vice versa) with some yet-to-be-decided organizational patty filling acting as an interface between the two.
The patty would handle access control for the data requests and be responsible for credentialing requestors. It could either be ICANN acting alone, or ICANN coordinating several different interface bodies (the likes of WIPO have been suggested).
Should the burger be made only of mashed-up cow eyelids, or should it incorporate the eyelids of other species too? That’s now the question that ICANN’s board is essentially being posed.
Since this “phase two” work kicked off, it’s taken about five months, 24 two-hour teleconferences, and a three-day face-to-face meeting to get to this still pretty raw, uncooked state.
The problem the working group is facing now is that everyone wants ICANN to play a hands-on role in running a centralized SSAD system, but it has little idea just how much ICANN is prepared to get involved.
The cost of running such a system aside, legislation such as GDPR allows for pretty hefty fines in cases of privacy breaches, so there’s potentially a big liability ask of notoriously risk-averse ICANN.
So the WG has written to ICANN’s board of directors in an attempt to get a firm answer one way or the other.
If the board decided ICANN should steer clear, the WG may have to go back more or less to square one and focus on adapting the current Whois model, which is distributed among registrars and registries, for the post-GDPR world.
How much risk and responsibility ICANN is willing to absorb could also dictate which specific SSAD models the WG pursues in future.
There’s also a view that, with no clarity from ICANN, the WG is unlikely to reach consensus.
This will be a hot topic at ICANN 66 in Montreal next month.
Expect the Governmental Advisory Committee, which had asked for “considerable and demonstrable progress, if not completion” of the access model by Montreal, to be disappointed.

ICANN’s babysitting fund goes live

Kevin Murphy, October 1, 2019, Domain Policy

ICANN has started accepting applications for its childcare grants program.
As previously reported, ICANN plans to offer up to $750 per family to community members who have no choice but to show up to its meetings with their offspring in tow.
The money is designed to cover childcare costs while the parent attends sessions at ICANN’s thrice-yearly public meetings.
ICANN will not be providing any on-site childcare itself, nor will it approve any providers.
The program is in a pilot, covering the next three meetings.
The current application period, for ICANN 67 in Cancun, Mexico next March, runs until November 20. The application form wouldn’t open for me.
Full details can be found here.