Latest news of the domain name industry

Recent Posts

Three ICANN directors wanted to go to Puerto Rico

Kevin Murphy, November 17, 2021, Domain Policy

The ICANN board of directors’ decision to scrap the in-person component of its next public meeting was not unanimous, it has emerged.

Three directors voted against the November 4 resolution, which said ICANN 73 would be ICANN’s seventh consecutive online-only gathering, according the a preliminary board report.

The plan for months was to have a “hybrid” meeting, with some face-to-face component at the convention center in San Juan, Puerto Rico, as an intermediate step towards post-pandemic normality.

But at the time of the vote travel restrictions in the US were such that getting to Puerto Rico was tough even for fellow Americans, so ICANN’s meetings team had not been able to do on-site preparation.

Nine directors voted to make 73 virtual, with four absent during the vote, the preliminary report states.

Five directors have taken their seats since the coronavirus pandemic began, and have therefore never officially met with their board colleagues in person.

It’s not the first time the board has been split on this matter. Last year, directors Ron Da Silva and Ihab Osman voted to return to face-to-face for the October 2020 Hamburg meeting.

Da Silva is no longer on the board, but there are at least two other directors among the current line-up on the same page.

The voting breakdown will not be revealed until the board approves the November 4 minutes, which could be months if history is any guide.

ICANN abandons face-to-face plan for Puerto Rico

Kevin Murphy, November 5, 2021, Domain Policy

ICANN has canceled its plans for a “hybrid” ICANN 73, saying this morning that the meeting will go ahead as an online-only virtual meeting.

Its board of directors yesterday voted to abandon efforts to have a face-to-face component in Puerto Rico as originally planned, as I predicted a few days ago.

ICANN of course said it’s because of the coronavirus pandemic, and more particularly the associated travel restrictions and the lack of access to vaccines in some parts of the world from which its community members hail.

The US Centers for Disease Control currently rates Puerto Rico as its second-highest risk level, meaning ICANN’s meetings staff have been unable to travel there to do on-site planning. ICANN said:

While there has been progress that might make it feasible to plan for and convene a meeting in San Juan, Puerto Rico in March 2022, the current risks and uncertainties remain too high to proceed with an in-person meeting or with an in-person component.

Its board resolution stated:

Between the global inequity in vaccine availability across the world, continuing restrictions on persons from many countries or territories being allowed to enter the U.S., and backlogs in visa processing for those who are able to enter the U.S., ICANN org cannot estimate with any confidence the ability for attendees outside of the U.S. to attend ICANN73.

So 73 will be Zoom again. The time zone will remain UTC-4, Puerto Rico local time, which should make it less problematic for Europeans to attend.

The dates are still slated for March 5 to March 10 next year, but it seems likely that we’ll be looking at a March 7 kick-off, as March 5 is a Saturday and people don’t like working weekends if not somewhere they can also work on their tans.

ICANN said it “affirmed its intent” to attempt the hybrid model again for the mid-year ICANN 74 meeting, which is due to take place in The Hague, Netherlands, next June.

It’s bad news for ICANN participation, which has been declining in the new era of virtual meetings, but good news for its bank account. Virtual meetings cost a few million dollars less than in-person ones.

ICANN going back to Puerto Rico for a third time

Kevin Murphy, November 11, 2019, Domain Policy

ICANN has selected Puerto Rico for its ICANN 73 public meeting.
The meeting is slated to be held at the Puerto Rico Convention Center in San Juan from March 5 to March 10, 2022.
That’s the same venue ICANN visited in March last year, in the wake of Hurricane Maria, which caused extensive damage and loss of life on the island. Indeed, the convention center had just months earlier been used as a command and control center for the recovery effort.
San Juan will become just the third city that ICANN has visited three times. It’s been to Singapore four times and its home city of Los Angeles (if you include Marina Del Rey) six times.
Puerto Rico had also been scheduled as the venue for ICANN 57 in 2016, but the meeting was moved to India instead, because of the Zika virus that was causing international concern at the time.
In 2020, meetings are to be held in Cancún, Kuala Lumpur and Hamburg, in that order. In 2021, ICANN’s going to Cancún (again), The Hague and Seattle.

ICANN flips off governments over Whois privacy

Kevin Murphy, May 8, 2018, Domain Policy

ICANN has formally extended its middle finger to its Governmental Advisory Committee for only the third time, telling the GAC that it cannot comply with its advice on Whois privacy.
It’s triggered a clause in its bylaws used to force both parties to the table for urgent talks, first used when ICANN clashed with the GAC on approving .xxx back in 2010.
The ICANN board of directors has decided that it cannot accept nine of the 10 bulleted items of formal advice on compliance with the General Data Protection Regulation that the GAC provided after its meetings in Puerto Rico in March.
Among that advice is a direction that public Whois records should continue to contain the email address of the registrant after GDPR goes into effect May 25, and that parties with a “legitimate purpose” in Whois data should continue to get access.
Of the 10 pieces of advice, ICANN proposes kicking eight of them down the road to be dealt with at a later date.
It’s given the GAC a face-saving way to back away from these items by clarifying that they refer not to the “interim” Whois model likely to come into effect at the GDPR deadline, but to the “ultimate” model that could come into effect a year later after the ICANN community’s got its shit together.
Attempting to retcon GAC advice is not unusual when ICANN disagrees with its governments, but this time at least it’s being up-front about it.
ICANN chair Cherine Chalaby told GAC chair Manal Ismail:

Reaching a common understanding of the GAC’s advice in relation to the Interim Model (May 25) versus the Ultimate Model would greatly assist the Board’s deliberations on the GAC’s advice.

Of the remaining two items of advice, ICANN agrees with one and proposes immediate talks on the other.
One item, concerning the deployment of a Temporary Policy to enforce a uniform Whois on an emergency basis, ICANN says it can accept immediately. Indeed, the Temporary Policy route we first reported on a month ago now appears to be a done deal.
ICANN has asked the GAC for a teleconference this week to discuss the remaining item, which is:

Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties;

Basically, the GAC is trying to prevent the juicier bits of Whois from going dark for everyone, including the likes of law enforcement and trademark lawyers, two weeks from now.
The problem here is that while ICANN has tacit agreement from European data protection authorities that a tiered-access, accreditation-based model is probably a good idea, no such system currently exists and until very recently it’s not been something in which ICANN has invested a lot of focus.
A hundred or so members of the ICANN community, led by IP lawyers who won’t take no for an answer, are currently working off-the-books on an interim accreditation model that could feasibly be used, but it is still subject to substantial debate.
In any event, it would be basically impossible for any agreed-upon accreditation solution to be implemented across the industry before May 25.
So ICANN has invoked its bylaws fuck-you powers for only the third time in its history.
The first time was when the GAC opposed .xxx for reasons lost in the mists of time back in 2010. The second was in 2014 when the GAC overstepped its powers and told ICANN to ignore the rest of the community on the issue of Red Cross related domains.
The board resolved at a meeting last Thursday:

the Board has determined that it may take an action that is not consistent or may not be consistent with the GAC’s advice in the San Juan Communiqué concerning the GDPR and ICANN’s proposed Interim GDPR Compliance Model, and hereby initiates the required Board-GAC Bylaws Consultation Process required in such an event. The Board will provide written notice to the GAC to initiate the process as required by the Bylaws Consultation Process.

Chalaby asked Ismail (pdf) for a call this week. I don’t know if that call has yet taken place, but given the short notice I expect it has not.
For the record, here’s the GAC’s GDPR advice from its Puerto Rico communique (pdf).

the GAC advises the ICANN Board to instruct the ICANN Organization to:
i. Ensure that the proposed interim model maintains current WHOIS requirements to the fullest extent possible;
ii. Provide a detailed rationale for the choices made in the interim model, explaining their necessity and proportionality in relation to the legitimate purposes identified;
iii. In particular, reconsider the proposal to hide the registrant email address as this may not be proportionate in view of the significant negative impact on law enforcement, cybersecurity and rights protection;
iv. Distinguish between legal and natural persons, allowing for public access to WHOIS data of legal entities, which are not in the remit of the GDPR;
v. Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties;
vi. Ensure that limitations in terms of query volume envisaged under an accreditation program balance realistic investigatory crossreferencing needs; and
vii. Ensure confidentiality of WHOIS queries by law enforcement agencies.
b. the GAC advises the ICANN Board to instruct the ICANN Organization to:
i. Complete the interim model as swiftly as possible, taking into account the advice above. Once the model is finalized, the GAC will complement ICANN’s outreach to the Article 29 Working Party, inviting them to provide their views;
ii. Consider the use of Temporary Policies and/or Special Amendments to ICANN’s standard Registry and Registrar contracts to mandate implementation of an interim model and a temporary access mechanism; and
iii. Assist in informing other national governments not represented in the GAC of the opportunity for individual governments, if they wish to do so, to provide information to ICANN on governmental users to ensure continued access to WHOIS.

Data leak security glitch screws up ICANN 61 for thousands

Kevin Murphy, March 15, 2018, Domain Policy

A security vulnerability forced ICANN to take down its Adobe Connect conferencing service halfway through its ICANN 61 meeting in Puerto Rico.
The “potentially serious security issue” could “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”, ICANN said in a pair of statements.
Taking down the service for the remainder of the meeting, which ends today, meant that potentially thousands of remote participants were left to cobble together a less streamlined replacement experience from a combination of live streams, transcription and email.
At the last ICANN meeting, over 4,000 unique participants logged into Adobe Connect. With only 1,900 or so people on-site, we’re probably looking at over 2,000 remote participants relying on AC to take part.
At this point, it’s not clear whether ICANN has discovered a previously undisclosed vulnerability in the Adobe service, or whether it simply buggered up its implementation with sloppy configuration settings.
It’s also not clear whether the glitch has been actively exploited to expose private data, though ICANN said it was first reported by a member of the Security and Stability Advisory Committee.
ICANN said in the second of two statements issued yesterday:

The issue is one that could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room. We are still investigating the root cause of the issue. We have formulated different scenarios based on authentication, encryption, and software versions, which we are testing in a controlled fashion in attempt to replicate and understand the root cause of the issue.
We are working directly with Adobe and with our cloud service provider to learn more.

Adobe Connect is a web conferencing tool that, at least when ICANN uses it for public meetings, combines live video and transcription, PowerPoint presentation sharing, and public and private chat rooms.
I also understand that there’s also a whiteboarding feature that allows participants to collaboratively work on documents in closed sessions.
Given that everything shared in the public sessions (outside of the private chat function) is by definition public, it might be reasonable to assume that ICANN’s primary concern here is how the software is used in closed sessions.
I hear ICANN uses Adobe Connect internally among its own staff and board, where one might imagine private data is sometimes shared. Other relatively secretive groups, such as the Governmental Advisory Committee and Nominating Committee, are also believed to sometimes use it behind closed doors.
While Adobe is infamous for producing buggy, insecure software, and ICANN uses a version of it hosted by a third-party cloud services provider, that doesn’t necessarily mean this wasn’t another ICANN screw-up.
In a similar incident uncovered in 2015, it was discovered that new gTLD applicants could read attachments on the confidential portions of their competitors’ applications, after ICANN accidentally had a single privacy configuration toggle set to “On” instead of “Off” in the hosted Salesforce.com software it was using to manage the program.
Ashwin Rangan, ICANN’s CIO and the guy also tasked with investigating the Salesforce issue, has now started a probe into the Adobe issue.

Next new gTLD round unlikely before 2022

Kevin Murphy, March 13, 2018, Domain Policy

ICANN is unlikely to accept any more new gTLD applications until a full decade has passed since the last round was open.
That’s the conclusion of some ICANN community members working on rules for the next round.
Speaking at ICANN 61 in Puerto Rico this weekend, Jeff Neuman, co-chair of the New gTLD Subsequent Procedures Working group, presented a “best case” timetable for the next round.
The timetable would see the next new gTLD application window opening in the first quarter of 2021, nine years after the 2012 round.
But Neuman acknowledged that the timeline would require all parts of the ICANN community — working groups, GNSO Council, board of directors, staff — to work at their most efficient.
With that in mind, 2021 seems optimistic.
“Even if we hit the 2021 date, that’s still a decade after the launch of the last round, which is crazy,” Neuman said.
Slide
The timetable assumes the GNSO wraps up its policy development a year from now, with the ICANN board approving the policy mid-2019.
It then gives the ICANN staff about six months to publish an updated Applicant Guidebook, and assumes whatever is produced is approved within about six months, after the first pass of public comments.
It’s worth noting that the 2012 round’s AGB hit its first draft in 2008 and went through half a dozen revisions over three years before it was finalized, though one imagines there would be less wheel-reinventing required next time around.
After the board gives the AGB the final nod, the timeline assumes ICANN staff about six months to “operationalize” the program.
But one unidentified ICANN staffer, who said she was “the person that will be ultimately responsible for the implementation” of whatever the GNSO comes up with, said during this weekend’s session that she doubted this was realistic.
She said ICANN the organization would need “at least 12 months” between the ICANN board approving the AGB and the application window opening. That would push the window to late 2021.
The Subsequent Procedures policy work is of course not the only gating factor to the next round.
There’s also a potential bottleneck in work being carried out to review rights protection mechanisms, where fears of filibustering have emerged in an already fractious working group.
All things considered, I wouldn’t place any bets on an application window opening as early as 2021.

Amazon’s .amazon gTLD may not be dead just yet

Kevin Murphy, March 11, 2018, Domain Policy

South American governments are discussing whether to reverse their collective objection to Amazon’s .amazon gTLD bid.
A meeting of the Governmental Advisory Committee at ICANN 61 in Puerto Rico yesterday heard that an analysis of Amazon’s proposal to protect sensitive names if it gets .amazon will be passed to governments for approval no later than mid-April.
Brazil’s GAC rep said that a working group of the Amazon Cooperation Treaty Organization is currently carrying out this analysis.
Amazon has offered the eight ACTO countries commitments including the protection of such as “rainforest.amazon” and actively supporting any future government-endorsed bids for .amazonas.
Its offer was apparently sweetened in some unspecified way recently, judging by Brazil’s comments.
ACTO countries, largely Brazil and Peru, currently object to .amazon on the grounds that it’s a clash with the English version of the name for the massive South American rain forest, river and basin region, known locally as Amazonas.
There’s no way to read the tea leaves on which way the governments will lean on Amazon’s latest proposal, and Peru’s GAC rep warned against reading too much into the fact that it’s being considered by the ACTO countries.
“I would like to stress the fact that we are not negotiating right now,” she told the GAC meeting. “We are simply analyzing a proposal… The word ‘progress’ by no means should be interpreted as favorable opinion towards the proposal, or a negative opinion. We are simply analyzing the proposal.”
ICANN’s board of directors has formally asked the GAC to give it more information about its original objection to .amazon, which basically killed off the application a few years ago, by the end of ICANN 61.
Currently, the GAC seems to be planning to say it has nothing to offer, though it may possibly highlight the existence of the ACTO talks, in its formal advice later this week.

Get drunk on Neustar’s tab and it will donate money to hurricane relief

Kevin Murphy, March 5, 2018, Gossip

Neustar has promised to donate thousands of dollars to a Puerto Rican hurricane relief charity, providng enough people show up to its open bar event in San Juan next week.
It’s fairly standard for domain companies of Neustar’s size to host free after-hours social events during ICANN meetings, but this time the company said it will donate $25 for each attendee to charity.
The beneficiary is the Puerto Rico Resistance Fund, operated by Americas for Conservation and the Arts, which is helping rebuild the island after Hurricane Maria hit it for six last September.
“We want to bring together the community, help spread awareness of the hardship and devastation in Puerto Rico, and make our community proud they are contributing in a small way financially,” Neustar VP Lori Anne Wardi told DI.
With the company telling me it expects 500 guests or more to the invitation-only event, expect a total donation topping $12,500.
The venue is the Antiguo Casino, which appears to be about a 10-minute taxi ride from the Puerto Rico Convention Center, at which the ICANN 61 public meeting is being held.
The event runs from 1900 to 2330 local time.
The official death toll in Puerto Rico from Maria was 64, but a New York Times analysis puts the number at closer to 1,000. Parts of the island, a US territory, are still suffering from infrastructure problems such as power outages.

Whois privacy will soon be free for most domains

Kevin Murphy, March 5, 2018, Domain Policy

Enormous changes are coming to Whois that could mark the end of Whois privacy services this year.
ICANN has proposed a new Whois model that would anonymize the majority of domain name registrants’ personal data by default, only giving access to the data to certain certified entities such as the police.
The model, published on Friday and now open for comment, could change in some of the finer details but is likely being implemented already at many registries and registrars.
Gone will be the days when a Whois lookup reveals the name, email address, physical address and phone number of the domain’s owner.
After the model is implemented, Whois users will instead merely see the registrant’s state/province and country, organization (if they have one) and an anonymized, forwarding email address or web form for contact purposes.
Essentially, most Whois records will look very much like those currently hiding behind paid-for proxy/privacy services.
Technical data such as the registrar (and their abuse contact), registration and expiry dates, status code, name servers and DNSSEC information would still be displayed.
Registrants would have the right to opt in to having their full record displayed in the public Whois.
Anyone wanting to view the full record would have to be certified in advance and have their credentials stored in a centralized clearinghouse operated by or for ICANN.
The Governmental Advisory Committee would have a big hand in deciding who gets to be certified, but it would at first include law enforcement and other governmental agencies.
This would likely be expanded in future to include the likes of security professionals and intellectual property lawyers (still no word from ICANN how the legitimate interests of the media or domain investors will be addressed) but there could be a window in which these groups are hamstrung by a lack of access to thick records.
The proposed model is ICANN’s attempt to bring Whois policy, which is enforced in its contracts with registries and registrars, into line with GDPR, the European Union’s General Data Protection Regulation, which kicks in fully in May.
The model would apply to all gTLD domains where there is some connection to the European Economic Area.
If the registrar, registry, registrant or a third party processor such as an escrow agent is based in the EEA, they will have to comply with the new Whois model.
Depending on how registrars implement the model in practice (they have the option to apply it to all domains everywhere) this means that the majority of the world’s 188 million gTLD domains will probably be affected.
While GDPR applies to only personal data about actual people (as opposed to legal persons such as companies), the ICANN model makes no such distinction. Even domains owned by legal entities would have their records anonymized.
The rationale for this lack of nuance is that even domains owned by companies may contain personal information — about employees, presumably — in their Whois records.
Domains in ccTLDs with EEA connections will not be bound to the ICANN model, but will rather have to adopt it voluntarily or come up with their own ways to become GDPR compliant.
The two largest European ccTLDs — .uk and Germany’s .de, which between them account for something like 28 million domains — last week separately outlined their plans.
Nominet said that from May 25 it will no longer publish the name or contact information of .uk registrants in public Whois without their explicit consent. DENIC said something similar too.
Here’s a table of what would be shown in public Whois, should the proposed ICANN model be implemented.
[table “50” not found /]

The proposal is open for comment, with ICANN CEO Goran Marby requesting emailed input before the ICANN 61 public meeting kicks off in Puerto Rico this weekend.
With just a couple of months left before the law, with its huge fines, kicks in, expect GDPR to be THE hot topic at this meeting.

Expect “minor inconveniences” in post-hurricane Puerto Rico

Kevin Murphy, December 12, 2017, Domain Policy

ICANN 61 is going ahead in Puerto Rico despite the continuing fallout of a devastating hurricane season, the organization has confirmed.
The March 10-15 meeting will take place at the convention center in San Juan, and participants can only expect “minor inconveniences”
ICANN said in a statement:

We recognize that Puerto Rico is still in the recovery phase, and while we can expect some minor inconveniences, the convention center and supporting hotels are fully operational and eager to host our event in March.

ICANN has not yet listed its official supporting hotels, where it usually negotiates bulk discounts, on the official ICANN 61 page.
In the event you, like me, always find ICANN’s approved hotels a tad on the pricey side, you’ll probably need to do your own research.
ICANN added that it has been working with the island’s governor and that: “We have been assured that our presence in San Juan will support economic recovery on the island.”
Hurricane Maria made landfall in Puerto Rico on September 20, killing at least 48 people and causing billions of dollars in property damage.
The convention center venue for ICANN 61 escaped relatively unscathed and was actually used as a command and control center during the immediate aftermath of the disaster.