Concern as ICANN shuts down “independent” security review
Just a year after gaining its independence from the US government, ICANN has come under scrutiny over concerns that its board of directors may have overstepped its powers.
The board has come in for criticism from almost everyone expressing an opinion at the ICANN 60 meeting in Abu Dhabi this week, after it temporarily suspended a supposedly independent security review.
The Security, Stability and Resiliency of the DNS Review, known as SSR-2, is one of the mandatory reviews that got transferred into ICANN’s bylaws after the Affirmation of Commitments with the US wound up last year.
The review is supposed to look at ICANN’s “execution of its commitment to enhance the operational stability, reliability, resiliency, security, and global interoperability of the systems and processes, both internal and external, that directly affect and/or are affected by the Internet’s system of unique identifiers that ICANN coordinates”.
The 14 to 16 volunteer members have been working for about eight months, but at the weekend the ICANN board pulled the plug, saying in a letter to the review team that it had decided “to suspend the review team’s work” and said its work “should be paused”.
Chair Steve Crocker clarified in sessions over the weekend and yesterday that it was a direction, not a request, but that the pause was merely “a moment to take stock and then get started again”.
Incoming chair Cherine Chalaby said in various sessions today and yesterday that the community — which I take to mean the leaders of the various interest groups — is now tasked with un-pausing the work.
Incoming vice-chair Chris Disspain told community leaders in an email (pdf) yesterday:
The Board has not usurped the community’s authority with respect to this review. Rather, we are asking the SOs and ACs to consider the concerns we have heard and determine whether or not adjustments are needed. We believe that a temporary pause in the SSR2 work while this consideration is under way is a sensible approach designed to ensure stakeholders can reach a common understanding on the appropriate scope and work plan
Confusion has nevertheless arise among community members, and some serious concerns and criticisms have been raised by commercial and non-commercial interests — including governments — over the last few days in Abu Dhabi.
But the board’s concerns with the work of SSR-2 seem to date back a few months, to the Johannesburg meeting in June, at which Crocker said “dangerous signals” were observed.
It’s not clear what he was referring to there, but the first serious push-back by ICANN came earlier this month, when board liaison Kaveh Ranjbar, apparently only appointed to that role in June, emailed the group to say it was over-stepping its mandate.
Basically, the SSR-2 group’s plan to carry out a detailed audit of ICANN’s internal security profile seems to have put the willies up the ICANN organization and board.
Ranjbar wrote:
The areas the Board is concerned with are areas that indeed raise important organizational information security and organizational oversight questions. However, these are also areas that are not segregated for community review, and are the responsibility of the ICANN Organization (through the CEO) to perform under the oversight of the ICANN Board.
…
While we support the community in receiving information necessary to perform a full and meaningful review over ICANN’s SSR commitments, there are portions of the more detailed “audit” plan that do not seem appropriate for in-depth investigation by the subgroup. Maintaining a plan to proceed with detailed assessments of these areas is likely to result in recommendations that are not tethered to the scope of the SSR review, and as such, may not be appropriate for Board acceptance when recommendations are issued. This also can expand the time and resources needed to perform this part of the review.
This does not seem hugely unreasonable to me. This kind of audit could be expensive, time-consuming and — knowing ICANN’s history of “glitches” — could have easily exposed all kinds of embarrassing vulnerabilities to the public domain.
Ranjbar’s letter was followed up a day later with a missive (pdf) from the chair of ICANN’s Security and Stability Advisory Committee, which said the SSR-2’s work was doomed to fail.
Patrick Falstrom recommended a “temporarily halt” to the group’s work. He wrote:
One basic problem with the SSR2 work is that the review team seems neither to have sufficient external instruction about what to study nor to have been able to formulate a clear direction for itself. Whatever the case, the Review Team has spent hundreds of hours engaged in procedural matters and almost no progress has been made on substantive matters, which in turn has damaged the goodwill and forbearance of its members, some of whom are SSAC members. We are concerned that, left to its own devices, SSR2 is on a path to almost certain failure bringing a consequential loss of credibility in the accountability processes of ICANN and its community.
Now that ICANN has actually acted upon that recommendation, there’s concern that it sets a disturbing precedent for the board taking “unilateral” action to scupper supposedly independent accountability mechanisms.
The US government itself expressed concern, during a session between the board and the Governmental Advisory Committee in Abu Dhabi today.
“This is unprecedented,” US GAC rep Ashley Heineman said. “I just don’t believe it was ever an expectation that the ICANN board would unilaterally make a decision to pause or suspend this action. And that is a matter of concern for us.”
“It would be one thing if it was the community that specifically asked for a pause or if it was a review team that says ‘Hey, we’re having issues, we need a pause.’ What’s of concern here is that ICANN asked for this pause,” she said.
UK GACer Mark Carvell added that governments have been “receiving expressions of grave concern” about the move and urged “maximum transparency” as the SSR-2 gets back on track.
Jonathan Zuck of the Innovators Network Foundation, one of the volunteers who worked on ICANN’s transition from US government oversight, also expressed concern during the public forum session yesterday.
“I think having a fundamental accountability mechanism unilaterally put on hold is something that we should be concerned about in terms of process,” he said. “I’m not convinced that it was the only way to proceed and that from a precedential standpoint it’s not best way to proceed.”
Similar concerns were voiced by many other parts of the community as they met with the ICANN board throughout today and yesterday.
The problem now is that the bylaws do not account for a board-mandated “pause” in a review team’s work, so there’s no process to “unpause” it.
ICANN seems to have got itself tangled up in a procedural quagmire — again — but sessions later in the week have been scheduled in order for the community to begin to untangle the situation.
It doubt we’ll see a resolution this week. This is likely to run for a while.
Famous Four following .sucks playbook with premium pricing for brands?
New gTLD registry Famous Four Media has slapped general availability prices of $500 and up on domain names matching famous brands.
The company plans to shortly introduce eight “premium” pricing tiers, ranging from $200 a year to $10,000 a year.
The first to launch, on July 8, will be its “brand protection tier”, which will carry a $498 registry fee.
Famous Four told its registrars that the tier “will provide an additional deterrent to cyber-squatters for well-known brands ensuring that domain names in this tier will not be eligible for price promotions”.
The gTLDs .date, .faith and .review will be first to use the tiered pricing structure.
It’s not entirely clear what brands will be a part of the $498 tier, or how the registry has compiled its list, but registrars have been given the ability to ask for their clients’ trademarks to be included.
I asked Famous Four for clarification a few days ago but have not yet had a response.
While other registries, such as Donuts, used tiered pricing for GA domains, I’m only aware of one other that puts premium prices on brands: .sucks.
Vox Populi has a trademark-heavy list of .sucks domains it calls Market Premium — formerly Sunrise Premium — that carry a $1,999-a-year registry fee.
Unlike Vox Pop, Famous Four does not appear to be planning a subsidy that would make brand-match domains available at much cheaper prices to third parties.
Famous Four’s gTLDs have seen huge growth in the last month or two, largely because it’s been selling domains at a loss.
.science, for example, has over 300,000 registrations — making it the third-largest new gTLD — because Famous Four’s registry fee has been discounted to just $0.25 from May to July.
The same discount applies to .party (over 195,000 names in its zone) and .webcam (over 60,000).
Those three gTLDs account for exactly half of the over 22,000 spam attacks that used new gTLD domains in March and April, according to Architelos’ latest abuse report.
With names available at such cheap prices, it would not be surprising if cybersquatters are abusing these gTLDs as much as the spammers.
Will intellectual property owners believe a $498+ reg fee is a useful deterrent to cybersquatting?
Or will they look upon this move as “predatory”, as they did with .sucks?
TLDH and Famous Four ink new gTLD revenue sharing deal
New gTLD portfolio applicants Top Level Domain Holdings and Famous Four Media did in fact make a deal to resolve three contention sets, as suspected.
TLDH has just confirmed that it withdrew its applications for .science and .review in exchange for Famous Four withdrawing its application for .fit.
But the deal also includes a revenue-sharing component — TLDH will get a cut of whatever revenue Famous Four makes selling .review domain names after it goes live.
All three of the gTLDs in question were in two-way contention sets between the two companies, as we reported yesterday.
TLDH gave the following update:
TLDH now has interests in 23 uncontested applications, including 15 wholly/majority owned applications, 6 where it is acting as the registry service provider for client applications, 1 equal joint venture, and 1 where it will receive a minority revenue share. Of the remaining 63 applications which TLDH either wholly-owns, is a joint-venture partner, or is acting as the registry service provider, 7 are in contention with a single other applicant, 17 with two other applicants and 39 are in contention with three or more applicants.
While the dollar amounts concerned were not disclosed, I can’t help but feel TLDH got a good deal with .review.
For the cost of an ICANN application fee*, much of which was recouped in refunds, it seems to be getting an ongoing revenue stream with no ongoing costs and little future risk.
* Of course, in TLDH’s case it has also been burning cash for the best part of five years waiting for new gTLDs to come to life, but you get the point.
Famous Four wins two new gTLD contention sets
Four new gTLD applications were withdrawn overnight, resolving three contention sets.
Top Level Domain holdings has pulled its bids for .review and .science, in both cases leaving subsidiaries of portfolio applicant Famous Four Media as the only remaining applicant.
Meanwhile, Famous Four withdrew its .fit application, leaving TLDH as the only remaining applicant.
Buyouts? It seems possible. The .review application passed its Initial Evaluation a month ago, so the ICANN refund due to TLDH will have been dramatically reduced.
As a publicly traded company, TLDH is likely to issue a statement at some point explaining the current state of its applications.
But one of the side effects of ICANN’s preference for private deals is that we won’t always know when two or more companies privately resolve their contention sets.
There are at least two other contention sets where I have very good reasons to believe that deals have already been done, partially resolving the set, but nothing has yet been disclosed.
Also overnight, L’Oreal’s application for .garnier, a dot-brand, was withdrawn. It’s the fifth, and probably not the last, of L’Oreal’s 14 original new gTLD application to be dropped.
Governmental Advisory Committee advice has been leveled against .fit and .review, but not .science.
UPDATE: The original version of this story erroneously reported that TLDH, rather than Famous Four, had withdrawn its .fit application. This has now been corrected. Apologies for the error.
TLDH applies for 92 gTLDs, 68 for itself
Top Level Domain Holdings is involved in a grand total of 92 new generic top-level domain applications, many of them already known to be contested.
Sixty-eight applications are being filed on its own behalf, six have been submitted via joint ventures, and 18 more have been submitted on behalf of Minds + Machines clients.
Here’s the list of its own applications:
.abogado (Spanish for .lawyer), .app, .art, .baby, .beauty, .beer, .blog, .book, .casa (Spanish for .home), .cloud, .cooking, .country, .coupon, .cpa, .cricket, .data, .dds, .deals, .design, .dog, .eco, .fashion, .fishing, .fit, .flowers, .free, .garden, .gay, .green, .guide, .home, .horse, .hotel, .immo, .inc, .latino, .law, .lawyer, .llc, .love, .luxe, .pizza, .property, .realestate, .restaurant, .review, .rodeo, .roma, .sale, .school, .science, .site, .soccer, .spa, .store, .style, .surf, .tech, .video, .vip, .vodka, .website, .wedding, .work, .yoga, .zulu, 网址 (.site in Chinese), 购物 (.shopping in Chinese).
There’s a lot to note in that list.
First, it’s interesting to see that TLDH is hedging its bets on the environmental front, applying for both .eco (which we’ve known about for years) and .green.
This puts it into contention with the longstanding Neustar-backed DotGreen bid, and possibly others we don’t yet know about, which should make for some interesting negotiations.
Also, both of TLDH’s previously announced Indian city gTLDs, .mumbai and .bangaluru, seem to have fallen through, as suspected.
Other contention sets TLDH is now confirmed to be involved in include: .blog, .site, .immo, .hotel, .home, .casa, .love, .law, .cloud, .baby, .art, .gay, .style and .store.
The company said in a statement:
During the next six months, TLDH will focus its efforts on marketing and operations for geographic names such as dot London and dot Bayern where it has the exclusive support of the relevant governing authority, as well as any other gTLDs that TLDH has filed for that are confirmed to be uncontested on the Reveal Date. Discussions with other applicants regarding contested names will be handled on a case-by-case basis.
Recent Comments