ICANN66 at Montreal – A contrasting summit

During the first half of November, the 66th ICANN Summit was held in Montreal, Canada. This third and final summit of the year, devoted to policies applicable to Internet naming, was eagerly awaited because the topics under discussion are numerous. At its close, however, it left many participants a little disappointed.

A preview of the topics and postures during the weekend before the official launch of the Summit

The weekend before the official opening of the Summit is usually an opportunity to get an overview of the topics and postures involved. Not surprisingly, one of the major topics is the expedited Policy Development Process (ePDP), which aims to develop a consensus rule specifying the future conditions of access to personal data that, because of GDPR, are no longer published in WHOIS, the domain name search directory.

Among other related topics is the replacement of WHOIS by RDAP (Registration Data Access Protocol), probably next year for generic domain names. This replacement is not insignificant given that WHOIS has been in use for nearly 35 years.

The body representing governments, the GAC, has taken up the issue of domain name abuse, which has grown considerably on the new generic extensions launched in 2012. Given the rise of Internet practices aimed at influencing elections in certain countries, and the economic impact of computer attacks and hacking, it is understandable that the GAC is pushing this subject. One part of ICANN's work is to clarify in its texts the notion of malicious uses, a term that refers to domains registered for phishing, malware, botnets and spam; the other part concerns the means to stem them. The existence of abusive domains indeed threatens the DNS infrastructure, impacts consumer safety and threatens the critical assets of public and commercial entities. Finally, and not surprisingly, the subject of a future round of new generic extensions has also been on many lips.

Cherine Chalaby at the ICANN Summit held in Montreal

“The best ICANN summit”, really?

During the traditional opening ceremony, which brings together all the guests (2500 according to Goran Marby, ICANN CEO) for one hour in a huge room to listen to various speakers, including Martin Aubé of the Quebec Government's Ministry of Economy and Innovation, Cherine Chalaby, one of the ICANN Board members whose term ends at the end of the year, told his audience that ICANN66 would be the "Best ICANN summit". It must be said, however, that by the end of a week of debates and meetings that followed one another at a sustained pace, and although the subjects under discussion were numerous, the feeling about this assertion was more than mixed for many participants.

First, the expedited process for access to non-public WHOIS data is progressing within a framework constrained by ICANN and the personal data protection authorities. The outcome of this process is envisaged between April and June 2020, and the option currently in the lead is a centralized model in which ICANN would allow the future lifting of anonymity of data that are now masked due to GDPR.

Then, the subject that was probably mentioned most often during this summit week concerned abuse involving domain names. For ICANN, the subject is central because it is directly correlated to its totem: the stability of the Internet, for which it is responsible. Since February 2019, ICANN has been publishing metrics on malicious practices identified through DAAR, its Domain Abuse Activity Reporting.

Its latest report, presented in Montreal, shows that 364 extensions (mainly new generic extensions from the 2012 round) showed at least one threat posed by one of the domain names activated on these extensions. More worryingly, new generic extensions would still account for nearly 40% of malicious uses, compared to 60% for historical generic extensions. This figure should be set against the volume of these two categories of extensions. Indeed, out of just over 200 million generic names, new generic domains represent only 15% of the total number of registered names. ICANN therefore wants this subject to be taken up by the entire community present in Montreal.

Proposals were made by the various bodies present, some of which went so far as to request a policy development process (PDP). This last proposal, if it were to obtain ICANN's approval, would have the unfortunate consequence of postponing the hypothetical schedule for a next round of new extensions, a subject that interested many of the guests present in Montreal. Indeed, for ICANN, the problem of the concentration of malicious practices in the new generic extensions must be solved before any future round, so much so that the PDP still in progress on the review of the last round of 2012 has gone almost unnoticed.

If the rules are slow to evolve on malicious uses, your Nameshield consultant can already provide you with solutions adapted to your needs on this key matter.

Status of ongoing projects after ICANN64

A month ago, ICANN held its first annual meeting with the Internet community in Kobe, Japan. At this summit, ICANN presented the major projects of the year and those of the coming years. Let’s look back at the main topics.

The implicit constraint of the GDPR

While in May 2018, Europe adopted ambitious legislation to protect users’ personal data, ICANN imposed a regulatory framework on domain name players to bring the industry into line with the constraints of the GDPR.

In the absence of consensus, this framework was imposed when the GDPR came into force on May 25, 2018. It contains non-consensual provisions, such as no longer publishing in the registry's registration directory service, which currently operates via the Whois protocol, data that can be treated as personal data for the contacts associated with domain names: registrant contacts, administrative contacts, technical contacts. Gone, therefore, are names, first names, postal addresses and telephone numbers, while email addresses are anonymized or hidden behind a contact form.

However, as provided for in the Bylaws, the rules governing the role and operation of ICANN, non-consensual rules may not be imposed beyond one year. ICANN therefore had the May 2019 deadline in mind throughout the Kobe meeting.

To build on this, last year ICANN initiated an expedited policy development process (ePDP) whose delicate mission was to develop consensus rules to replace the temporary provisions currently in place.

Shortly before ICANN64, this working group, in which Nameshield participates, submitted its proposals to the GNSO, the ICANN body that manages policy development for generic domain names. This report, which is currently open for comments, is expected to result in a final framework that will be submitted to the ICANN Board in early May for voting and promulgation.

The proposals outline a target date for implementation by 29 February 2020. ICANN has therefore focused its efforts on managing the transition period between May 2019 and this still distant deadline of February 2020. The prevailing approach is rather pragmatic: it consists in keeping the provisions currently in place, such as the masking of personal data in the Whois, until all the new provisions can be implemented by actors such as registrars and registries by the above-mentioned deadline.

Access to hidden data subject to tensions

Launched in 2012 during the last round of openings of new domain name extensions but quickly shelved, the RDAP (Registration Data Access Protocol), an alternative to the aging Whois protocol, has resurfaced with the GDPR because of its modularity, which, unlike Whois, makes it possible to filter access to certain data according to the user's profile.

ICANN confirmed in Kobe that this protocol will be widely deployed by this summer. At first, this protocol will coexist alongside the Whois protocol. Registrars will therefore provide access to domain name data through both protocols.

The stakeholders present at ICANN64 also learnt about the project submitted by a technical study group mandated by ICANN on the operational way envisaged through the RDAP protocol for access to hidden domain name data. It has been the subject of tensions because it is not the result of a consensual process and ICANN suggested it could play a central role in collecting all requests to validate their authorization, with authentication of requests being carried out upstream by agents accredited by data protection authorities. This topic is also part of the new mission of the Policy Development Working Group (ePDP) in the coming months. Things may therefore evolve on this subject in the future.

Goran Marby, ICANN CEO, speaking on the proposed functioning of access to hidden data for domain names through the future RDAP

A multi-year strategic plan

At ICANN64, ICANN also presented progress on the implementation of a strategic operating plan for the organization for the period 2021-2025.

The adoption of a five-year plan is new for this organization, which has always operated on an annual basis. This plan must determine the priorities for the coming years, which is also a novelty in a context where multiple projects have always been carried out simultaneously without any real prioritization.

We already know that DNS security is one of the major issues of the coming period. Among the priorities identified are the reinforced fight against malware and the increased security of the DNS, in particular through a faster deployment of DNSSEC.

Regarding the next round of new domain name extensions, which was also mentioned, ICANN indicated that it will take into account the lessons learned from the previous round. Among them: new extensions are ten times more targeted than historical generic extensions (such as .COM, .NET, .ORG, .BIZ, .INFO) by malicious practices such as typosquatting and dotsquatting, on which phishing and pharming practices proliferate.

Feel free to contact your Nameshield consultant, who is very knowledgeable on all these subjects.

A much awaited first report on DNS abuse in the new extensions

While the fate of 25 not yet delegated new extensions remains to be settled, which represents approximately 2% of all the extensions accepted during the current opening round, ICANN has just published a study on the proportion of DNS abuse in the new extensions launched after 2012.

The study was requested by the Competition, Consumer Trust and Consumer Choice Review Team (CCTRT), which is mandated by ICANN to examine the extent to which the introduction or expansion of generic extensions has promoted competition, consumer trust and consumer choice. In defining the parameters of the study, the CCTRT sought to measure the rates of the common forms of abusive activity in the domain name system, such as spamming, phishing and distribution of malware.

As a reminder, phishing is a technique used by fraudsters to obtain personal information with the aim of committing identity theft.

What is the report based on?

The study was led by SIDN, the registry of the extension of the Netherlands, together with Delft University of Technology, also located in the Netherlands. It covered the period from 2014 to 2016 and relied on access to the zone files granted by ICANN to these two entities.

More than 40 million names were analyzed, of which 24 million were registered in the new extensions and 16 million in the historic generic extensions: .com, .net, .org, .biz and .info. For the new extensions, it targeted the extensions which offered a Sunrise phase for brand owners. Thus, this study ultimately concerned few .BRAND registries, since they are not required to hold Sunrise phases.

Both entities took their own measurements to detect abuse, and the data were cross-checked with eleven heterogeneous lists referencing domains and URLs identified as hostile, which were supplied by five specialized organizations.

What are the study’s conclusions?

Regarding phishing and malware distribution, the study shows a convergence of the proportions observed within the new extensions and those in the historic generic extensions. However, in the historic generic extensions the rates tend to remain stable, while those of the new extensions are increasing.

On the other hand, a strong disparity appears for spamming. At the end of 2016, the proportion of affected domains was almost ten times higher on the new generic extensions: 526 per 10,000 names against 56 per 10,000 names. Trends show a shift of cybercriminals towards the new extensions.

The analysis also shows that nearly half of the registrations identified in spamming activities on the three most affected new extensions come from known cybercriminals and from users blacklisted by Spamhaus. Spamhaus is an international non-governmental organization whose purpose is to track spammers.

However, these phenomena do not concern all the new extensions, because 36% did not encounter any abuse during the last quarter of 2016.

The study also shows that the operators which compete by lowering their prices in order to sell volume are the ones most used by cybercriminals. Besides competitive registration prices, other factors sought by cybercriminals include unrestrictive registration requirements and a variety of other registration options, such as a wide range of available payment methods and bundled services such as DNS hosting or WHOIS masking.

What is the impact of DNSSEC on abuses?

While the DNSSEC protocol is rapidly expanding, the entities appointed by ICANN to conduct this study also analyzed how the structural properties and the security measures implemented by the operators of new extensions influence domain abuse. As expected, DNSSEC plays a statistically significant role, which is an incentive to deploy the protocol on more extensions. The extensions supporting DNSSEC are indeed less of a target for such practices.

What’s happening next?

The study is now open to public comments until September 19. The entities which led it also intend to analyze in more detail the possible correlations between registration policies and abuse.

The CCTRT will then make recommendations to ICANN to stem the increase in DNS abuse, which ICANN can then turn into new obligations for the registry operators. This time, however, all the registry operators may be concerned, and thus also the .BRAND registries. NAMESHIELD is going to follow this subject closely.