ICANN70: At the crossroads of different policy development processes

Initially scheduled to take place in Cancun, Mexico, like ICANN67 , the recent summit on Internet governance was once again held entirely by videoconference due to the global health situation. The PDPs, the Policy Development Processes, were the main thread of this summit.

ICANN 70
ICANN70 was the fourth summit held remotedely

The PDP, Policy Development Process, is the central community mechanism used by the Generic Names Supporting Organization (Gnso), the body responsible for policy developments on generic domain names, to propose new requirements and revise existing rules to update them. Each PDP results in a series of reports that are ultimately forwarded to the ICANN Board of Directors, which decides on the fate of the recommendations they contain. 

News on the PDP of the new generic extensions

It is with this mechanism that ICANN launched a program of new generic extensions that led to 1930 applications in Spring 2012 and 1233 delegated extensions by the end of 2020. The opportunity to consider a new round of applications was materialized by a PDP initiated by Gnso in late 2015. Five years later, this process to review and improve the Gnso recommendations for the 2012 cycle has entered its final stretch. It is now up to the ICANN Board to decide on the recommendations of the working groups that worked on this PDP. The Board of Directors should launch a last phase of consultations of the community before pronouncing on the continuation of their works. The community was expecting an announcement at this summit or perhaps even a timetable to mark out the next steps until the next round of applications, but we have to admit that hopes have been dashed. Indeed, no announcements were made, even though we know that the prospect of a future round of applications is now approaching fast. Regarding the content of the recommendations this time, the elements discussed mainly during ICANN70 were about a pre-evaluation of the future registries, the improvement of the predictability to evaluate the future applications and the ways to improve the applicants’ support.

The PDP: A solution to the impasse over malicious use of the DNS?

Another topic, related to the implementation of the PDP mentioned above, is the malicious uses of the DNS, a topic commonly referred to as DNS abuse.

ICANN’s monitoring of malicious practices in generic names covers some 205 million domain names, of which barely 11% are from the cycle of extensions created since 2012. The observation made through their analyses shows that around one million domains concentrate these infringements, that is to say 0.5% of them. Another notable fact is that the new generic extensions are more used for malicious practices than the historical generic extensions like .COM, .NET, .ORG, .BIZ and .INFO. In fact, ICANN indicated that in February 2021, 35% of security breaches came from names created in the new generic extensions against 65% in the historical extensions, a ratio that even rose to 40% in November 2020. ICANN also said that 90% of malicious practices in the new extensions were concentrated in 23 extensions. As for the most common types of attacks, spamming is involved at 85%, phishing at 8.4%, botnets (malicious programs that operate remotely) at 3.9% and malware at 2.7%. The new generic extensions concentrate more spamming and phishing practices. Although DNS abuse has been a central topic of discussion between the bodies representing the stakeholders of the Internet community for five summits now, positions still diverge on the measures to be taken to curb these harmful practices. Here again, the expectations of the community at this summit were high.

The GAC, the body that represents governments, has already supported the idea of a dedicated PDP on this topic. It advocates for a holistic approach that addresses all extensions, existing and future. GAC highlighted the work of the SSAC, the Security and Stability Advisory Committee, which advises the community and the ICANN Board on issues related to the security and integrity of the Internet’s naming and addressing systems. Indeed, it published an advisory prior to ICANN70 urging the Board before launching the next round of new gTLDs to commission a study of the causes, responses and best practices for mitigating domain name abuse proliferating in the new gTLDs in the 2012 round. To their credit, they also made a series of recommendations to the ICANN Board, ranging from the systematic presence of security experts in all future contract negotiations to an ePDP (expeditive Policy Development Process).  As for Gnso, it is continuing consultations for the moment without ruling out the use of a PDP.

And the ePDP phase 1 and 2 on access to registration data

Another topic, another PDP process, the ePDP in connection with the GDPR for access to domain name registration data. Initiated in 2018, it was intended to replace a Temporary Specification that involved redacting personal data from freely available registration data of generic names. Phase 1 of the ePDP, not finalized at this time, is intended to replace the Temporary Specification with a future-proof provision. Phase 2 aims to create a standardized data access system for legitimate applications commonly referred to as SSAD. This phase has now reached the end of the roadmap, as it is now in the hands of the ICANN Board of Directors after the Gnso has approved all the provisions formulated by the working groups that have worked on this subject, even those that did not reach consensus. The Gnso assumed this position under the pretext that it was necessary to take its responsibilities and that the recommendations were a whole, a breach of the process of creating new policies that normally wants to be consensual and that led the ALAC (At-Large Advisory Committee) that represents the end users to express concerns, the IPC (Intellectual Property Constituency) that represents the interests of the intellectual property community even going so far as to ask not to continue with the review of the recommendations. The ICANN Board has simply launched an Operational Design Phase to consider the operability of the future system and intends to take a position on the recommendations at a later stage.

A new PDP on domain name transfer policies

Another PDP process was officially launched at ICANN70 to revise the rules for domain name transfers: transfers between registrars and transfers between two registrants. The latter aims to simplify, secure and make name transfers more efficient. A vast project that could extend over several years…

Concerns about the concentration of the sector

Indicative of the concerns of the Internet community, the public forum this year was marked by many questions around the concentration that is accelerating among the players of domain names. The latest is Ethos Capital, a private equity firm founded in 2019, which after buying the operator of .ORG, PIR, has just taken over Donuts, which manages no less than 242 new generic extensions and had recently acquired Afilias, which is among other things manager of the extension .INFO. The community has expressed concerns about these new players whose expectations are not necessarily in line with one of ICANN’s totems, which is to defend competition, trust and consumer choice. ICANN, for its part, does not see a problem in this phenomenon, which has become a trend, because these mergers trigger very closely supervised procedures for analyzing and approving the changes that are brought about. 

ICANN70 has highlighted the fact that ICANN is looking at a number of potentially high-impact topics in domain name management, most of which are about to be materialized into new policies that Nameshield will implement for its customers. Beyond this framework, Nameshield, an independent French player, has already implemented solutions that provide answers to the problems that some of these policies must address. Do not hesitate to reach your consultant with your needs so that we can study together the solutions that we can already bring.

Author: Arnaud Wittersheim

Head of Operations Department Nameregistry - Compliance - Nameshield