Latest news of the domain name industry

Recent Posts

No SSAD before 2028? ICANN publishes its brutal review of Whois policy

Kevin Murphy, January 25, 2022, Domain Policy

Emergency measures introduced by ICANN to reform Whois in light of new privacy laws could wind up taking a full decade, or even longer, to bear dead-on-the-vine fruit.

That’s arguably the humiliating key takeaway from ICANN’s review of community-created policy recommendations to create a Standardized System for Access and Disclosure (SSAD), published this evening.

The Org has released its Operational Design Assessment (pdf) of SSAD, the first-ever ODA, almost nine months after the Operational Design Phase was launched last April.

It’s a 122-page document, about half of which is appendices, that goes into some detail about how SSAD and its myriad components would be built and by whom, how long it would take and how much it would cost.

It’s going to take a while for the community (and me) to digest, and while it generally veers away from editorializing it does gift opponents of SSAD (which may include ICANN itself) with plenty of ammunition, in the form of enumerated risk factors and generally impenetrable descriptions of complex systems, to strangle the project in the crib.

Today I’m just going to look at the timing.

Regular DI readers will find little to surprise them among the headline cost and timeline predictions — they’ve been heavily teased by ICANN in webinars for over a month — but the ODA goes into a much more detailed breakdown.

SSAD, ICANN predicts, could cost as much as $27 million to build and over $100 million a year to operate, depending on adoption, the ODA says. We knew this already.

But the ODA contains a more detailed breakdown of the timeline to launch, and it reveals that SSAD, at the most-optimistic projections, would be unlikely to see the light of day until 2028.

That’s a decade after the European Union introduced the GDPR privacy law in May 2018.

Simply stated, the GDPR told registries and registrars that the days of unfettered access to Whois records was over — the records contain personal information that should be treated with respect. Abusers could be fined big.

ICANN had been taken off-guard by the law. GDPR wasn’t really designed for Whois and ICANN had not been consulted during its drafting. The Org started to plan for its impact on Whois barely a year before it became effective.

It used the unprecedented top-down emergency measure of the Temporary Specification to force contracted parties to start to redact Whois data, and the GNSO Council approved an equally unprecedented Expedited Policy Development Process, so the community could create some bottom-up policy.

The EPDP was essentially tasked with creating a way for the people who found Old Whois made their jobs easier, such as intellectual property lawyers and the police, to request access to the now-private personal data.

It came up with SSAD, which would be a system where approved, accredited users could funnel their data requests through a centralized gateway and have some measure of assurance that they would at least be looked at in a standardized way.

But, considering the fact that they would not be guaranteed to have their requests approved, the system would be wildly complex, potentially very expensive, and easily circumvented, the ODP found.

It’s so complex that ICANN reckons it will take between 31.5 and 42 months for an outsourced vendor to build, and that’s after the Org has spent two years on its Implementation Review Team activities.

SSAD timeline

That’s up to almost six years from the moment ICANN’s board of directors approves the GNSO’s SSAD recommendations. That could come as early as next month (but as I reported earlier today, that seems increasingly unlikely).

The ODA points out that this timetable could be extended due to factors such as new legislation being introduced around the world that would affect the underlying privacy assumptions with which SSAD was conceived.

And this is an “expedited” process, remember?

Ten years ago, under different management and a different set of bylaws, ICANN published some research into the average duration of a Policy Development Process.

The average PDP took 620 days back then, from the GNSO Council kicking off the process to the ICANN board voting to approve or reject the policy. I compared it to an elephant pregnancy, the longest gestation period of all the mammals, to emphasize how slow ICANN had become.

Slow-forward to today, when the “expedited” PDP leading to SSAD has so far lasted 1,059 days, if we’re counting from when Phase 2 began in March 2019. It’s taken 1,287 days if we’re being less generous and counting from the original EPDP kicking off.

Nelly could have squeezed out two ankle-nibblers in that time. Two little elephants, one of which would most assuredly be white.

ICANN splits $9 million new gTLD ODP into nine tracks

Kevin Murphy, January 20, 2022, Domain Policy

ICANN has added a little more detail to its plans for the Operational Design Phase for the next round of the new gTLD program.

VP and ODP manager Karen Lentz last night blogged that the project is being split into nine work tracks, each addressing a different aspect of the work.

She also clarified that the ODP officially kicked off January 3, meaning the deadline for completion, barring unforeseen issues, is November 3. The specific dates hadn’t been clear in previous communications.

The nine work tracks are “Project Governance”, “Policy Development and Implementation Materials”, “Operational Readiness”, “Systems and Tools”, “Vendors”, “Communications and Outreach”, “Resources, Staffing, and Logistics”, “Finance”, and “Overarching”.

Thankfully, ICANN has not created nine new acronyms to keep track of. Yet.

Pro-new-gTLD community members observing how ICANN’s first ODP, which addressed Whois reform, seemed to result in ICANN attempting to kill off community recommendations may be worried by how Lenzt described the new ODP:

The purpose of this ODP, which began on 3 January, is to inform the ICANN Board’s determination on whether the recommendations are in the best interests of ICANN and the community.

I’d be hesitant to read too much into this, but it’s one of the clearest public indications yet that subsequent application rounds are not necessarily a fait accompli — the ICANN board could still decide force the community to go back to the drawing board if it decides the current recommendations are harmful or too expensive.

I don’t think that’s a likely outcome, but the thought that it was a possibility hadn’t seriously crossed my mind until quite recently.

Lentz also refers to “the work required to prepare for the next round and subsequent rounds”, which implies ICANN is still working on the assumption that the new gTLD program will go ahead.

The ICANN board has give Org 10 months and a $9 million budget, paid out of 2012-round application fee leftovers, to complete the ODP. The output will be an Operational Design Assessment, likely to be an enormous document, that the board will consider, probably in the first half of next year, before implementation begins.

A decade after the last new gTLD round, Marby starts the clock on the next one

Kevin Murphy, January 12, 2022, Domain Policy

The next new gTLD application is moving a step closer this month, with ICANN chief Göran Marby promising the launch of its Operational Design Phase.

But it’s still unclear whether the ODP has officially started, and many community members are angry and frustrated that the process is taking too long, some 10 years after the last application window opened.

Marby published a blog post December 20 stating “the org has advised the Board that it is beginning the ODP”, but he linked to a December 17 letter (pdf) that told the board “the org is now transitioning to launch the ODP formally as of January”.

We’re well into January now, so does that mean the ODP has officially started? It’s not clear from what ICANN has published.

It seems either ICANN doesn’t yet want to pin down an exact date for the ODP being initiated, which starts the clock on its deadline for completion, or it’s just really bad at communications.

In September, the board gave Marby $9 million and 10 months for the ODP to come up with its final output, an Operational Design Assessment.

The project is being funded from the remaining application fees from the 2012 application round, rather than ICANN’s regular operations budget.

The text of the resolution gives the deadline as “within ten months from the date of initiation, provided that there are no unforeseen matters that could affect the timeline”.

Assuming the “date of initiation” is some point this month, the ODA would be therefore due to be delivered before the end of November this year, barring “unforeseen matters”.

The document would then be considered by the ICANN board, a process likely to be measured in a handful of months, rather than weeks or days, pushing a final decision on the next round out into the first quarter of 2023.

For avoidance of doubt, that’s the decision about whether or not to even have another new gTLD round.

As a reminder, the 2012 round Applicant Guidebook envisaged a second application round beginning about a year after the first.

Naturally, many would-be applicants are incredibly frustrated that this stuff is taking so long, none more so than the Brand Registry Group, which represents companies that want to apply for dot-brand gTLDs and the consultants that want to help them do so.

Overlapping with ICANN’s December 17 letter to the board, BRG president Karen Day wrote to ICANN (pdf) to complain about the lack of progress and the constant extensions of the runway, saying:

The constant delay and lack of commitment to commencing the next round of new gTLDs is unreasonable and disrespectful to the community that has worked diligently… these delays and lack of commitments to deliver the community’s work is an increasing pattern which risks disincentivizing the volunteer community and threatens the multistakeholder model

Day asked the board to provide more clarity about the ODP’s internal milestones and possible delaying factors, and called for future work to begin in parallel with the ODP in order to shorten the overall roadmap.

It’s worth noting that the ODP may wind up raising more questions than it answers, delaying the next round still further.

It’s only the second ODP ICANN has conducted. The first, related to Whois privacy reform, ended in December (after delays) with a report that essentially shat all over the community’s policy work, predicting that it would take several years and cost tens of millions of dollars to implement for potentially very little benefit.

The board is expected to receive that first ODP’s report in February and there’s no telling what conclusions it will reach.

While Marby has publicly indicated that he’s working on the assumption that there will be another new gTLD round, the ODP gives ICANN a deal of power to frustrate and delay that eventuality, if Org is so inclined.