ICANN71: GAC in the spotlight

ICANN71: GAC in the spotlight
Image source : icann.org website

Some 56 sessions were scheduled as part of the 71st ICANN Summit in The Hague. Held once again exclusively by video conference due to the global health situation, no less than a quarter of these sessions were organised by the GAC, the governmental advisory committee that advises ICANN on public policy issues related to ICANN’s responsibilities in the domain name system. The GAC has been very active on all current ICANN policy issues and has clearly made its mark.

The GAC currently has 179 members, representing a majority of the world’s countries. This gives it a good representation on a global scale to speak to a global governance body. The GAC is highly organised and precedes ICANN meetings with preparatory meetings that enable it to gather opinions at local level and then relay them to the governance body. Once again, this summit highlighted the fact that there are really a lot of policy issues going on at ICANN level.

The fight against DNS abuse

The topic of abuse has almost become a chestnut at ICANN summits, as it has been at the center of concerns for almost two years. While registries and registrars are already subject to a battery of obligations on this topic, many stakeholders consider these to be insufficient to really address the issue. The year 2020 has indeed seen an explosion in cybersecurity breaches, particularly as a result of the global pandemic, which has seen even more consumption via the web, particularly due to confinements, and where working methods have had to be reinvented in favour of the remote. It is clear that little has been achieved to date on that issue.

A thorough initiative rich in proposals was formulated by the SSAC (Security and Stability Advisory Committee) which, in its 24 recommendations transmitted to the ICANN Board, put forward the idea of initiating an expedited Policy Development Process (ePDP) with a view to developing an anti-abuse policy. Their report to the Board three months ago has not been acted upon to date. The second and more recent initiative comes from the Registry Stakeholder Group (RySG). It has finalised, with input from the GAC, a framework aimed specifically at botnets, attacks that use forms of Trojan horses to take control of computers to form networks of computers to carry out further attacks. Its principle is to allow voluntary registries to join a scheme that requires them to preemptively block bulk names generated via DGAs (Domain Generation Algorithms), algorithms used to periodically generate large numbers of domain names that can be used as rendezvous points with their command and control servers. The large number of potential rendezvous points makes it difficult for law enforcement to effectively counter botnets, as infected computers will attempt to contact some of these domain names every day to receive updates or commands. The principle here is therefore preventive. In return, the registries would benefit from incentives and would not have to pay the tax collected by ICANN when a domain is created. This initiative is to be welcomed, but it is carried out more directly by the RySG and is therefore not consensual, hence its voluntary nature and therefore its very limited impact.

The reason the DNS abuse issue is so stalled is that it is confronted with other ongoing and upcoming policy development processes and competing interests between bodies, the Intellectual Property Constituency (IPC) for example being very concerned about access to contact data in domain name directories, the RySG about the launch of the next round of new gTLDs that they want to see move forward.

The impact of the General Data Protection Regulation (GDPR) on domain name registration data

Recall that to replace the Temporary Specification, which was put in place on 17th of May 2018 just a few days before the GDPR came into effect, an ePDP process was initiated. This process, described as expeditious, seemed to be far from being finalised at this new ICANN summit, even though three years have passed.

Segmented into three phases, phase 1 aims to provide a perennial policy that should frame the management of personal data of domain names to replace the temporary Specification that notably redacted personal data from domain name directories (via the Whois and RDAP protocols). Its drafting is progressing but no date is known for its finalisation and therefore possible implementation. The delay is partly due to the difficulty of transcribing certain recommendations, one of which was in conflict with an existing policy, the Thick Whois Transition Policy, which provides for the systematic transfer of detailed contact data from registrars to registries. Another pitfall is that the policy overlaps with other existing policies, which therefore also require ongoing adaptation.

Phase 2 concerns the establishment of a harmonised system of access to redacted name directory data for “legitimate” interests. This system is now known as the Standardised Data Access System (SDAS). The first hurdle was that the Generic Names Supporting Organization (GNSO), the policy-making body for generic names, had surprisingly approved all of the recommendations in the Final Report, even those that did not achieve consensus. The recommendations to create this system were therefore all transmitted to the ICANN Board, which rather than pronounce and vote on their application decided to first initiate an Operational Design Phase (ODP). Initiated at the end of March by the Board, it should last six months and aims to identify the stages, risks, costs and resources to be allocated, with a consultation of the community once a milestone has been reached. It is therefore a form of project scoping. The publication of a Request for Information is planned for June for a first consultation of the community.

A Phase 2a additional layer of the PDP aims to assess the possibility of unbundling the contact data of publishable legal entities from non-publishable natural persons. Initiated in December 2020, it resulted in five recommendations in an initial report open for comment until 19th of July 2021. The first recommendation, which was much commented on at ICANN71 , finally recommends that nothing should be changed by allowing players who so wish to make this differentiation. This process will continue with a final report of recommendations expected in the second half of the year.

The GAC considers that improvements are needed in both of the above-mentioned topics. In particular, it considers that the system does not go far enough to protect consumers and increase their confidence. It also regrets that the evolution of the system over time has not been framed and fears that the cost, since access is subject to an accreditation system, could be a deterrent, particularly for those involved in the fight against security breaches who need access to registration data. On DNS abuse, the GAC reiterates the need to address this issue. It has already made several proposals at previous summits.

What about the next round?

The next round is still undecided. We just learned that the ICANN Board, which has just received the last inputs on the recommendations for the next round of new gTLDs, has confirmed that it will start an Operational Design Phase (ODP) to estimate the steps, risks and resources necessary to implement these recommendations. Not yet planned, the Board said it had asked ICANN org to prepare a document to frame the ODP in order to draft the resolution that will formalise it. This resolution will set a deadline for completion of the ODP, possibly six months as with the SSAD. 

The GAC, for its part, recalled the issues of specific concern to its members. These include: predictability, voluntary and mandatory registry commitments including how to address DNS abuse, its desire to see support for new applicants better adapted, particularly for less favoured areas, its opposition to closed generic TLDs, the consolidation of its ability to evaluate all applications in order to issue advices and warnings, and its opposition to private auctions to decide between applicants for the same gTLD. It also wishes to support non-profit community applications.

Other issues carried by the GAC are very committed

Other policy development processes are underway, such as the one on Governmental and Non-Governmental Organisation Identifiers (IGOs, INGOs), a process on the rights protection mechanisms, or in the initial phase a PDP on domain transfers and on the launch pad a PDP on IDNs. The GAC did not fail to recall the central issue of accuracy of registration data which is considered insufficiently addressed by the current obligations espacially due to the impact of GDPR. This topic will indeed be central in the perspective of the future NIS2 directives and the Digital Services Act currently being drafted at the European level. The GNSO was challenged by the GAC on the examination of this topic, which has not really started, and apologized for having too many topics in progress. Tensions that the GNSO has sought to alleviate by spending time reviewing its liaison with the GAC to improve it, a decidedly offensive and active GAC.

What About Future Summits?

ICANN summits usually end with a public forum where the public can directly question the Board. As a sign of a (temporary?) improvement of the health state on the covid, the traditional forum was dedicated to the future ICANN summits to know if they should be held in person. From this session it emerged that the answer is not obvious. At issue were the different levels of vaccination and access to vaccines in different countries, the currently restricted conditions of entry to the USA, ICANN72 being held in Seattle and the evolution of the pandemic which remains uncertain. This forum provided an opportunity to comment on a recent survey conducted by ICANN which showed that the majority of those interested in ICANN events considered that face-to-face meetings should be reactivated (54%). At the end of this session, ICANN committed to arbitrate during July. The format of ICANN72 could be hybrid, with limited on-site representation and the continuation of the remote format.

A notable feature of this summit was the large number of ongoing issues and the impression that things are moving forward with difficulty. This has resulted in notable tensions between bodies and discontent expressed, for example, by the group of representatives of geographical extensions, the geoTLDs. If for some, the return to face-to-face meetings seems to be the solution to improve things, through our presence in certain bodies and our participation in working groups, we think that it is rather a problem of visibility due to too many subjects being launched in parallel, some of which overlap with a clear lack of prioritisation. The ODP, the new tool which aims to frame the implementation of a harmonised system of access to registration data and which is now being applied in the next round, may go some way to improving these perceptions. Another aspect to be considered is the diverging interests between bodies. Here, facilitated exchanges can perhaps improve things.

New document : 5 minutes to understand the URS procedure

5 minutes to understand - Domain names - Nameshield

The URS (Uniform Rapid Suspension System) procedure is the latest domain name dispute resolution procedure implemented by ICANN for new extensions.

This procedure allows to sanction obvious and indisputable infringements of a trademark right resulting from the registration by third parties of identical or similar domain names regarding the new extensions.

Find in this “5 minutes to understand” document in which cases the URS procedure applies and what are the rules and conditions to respect.

.SBS : Sunrise phase opening

.SBS : Sunrise phase opening

The .SBS (side by side) is a short, thoughtful, three-letter domain extension, perfect for social causes, charitable organisations and other philanthropic initiatives, and any progressive business, individual, or community that believes in social and financial inclusion.

It is important to note that a part of the profits linked to the registration of .SBS domain names will be donated by the ShortDot registry to a non-profit organization.

Here is the launching schedule:

  • Sunrise Phase: May 6, 2021 – June 7, 2021
  • EAP (Early Access Period) : June 8 – June 15
  • General Availability: June 8, 2021, on a first come, first served basis

For more information about your .SBS registration conditions, please contact your Nameshield consultant.

Image by truthseeker08 from Pixabay

New document: 5 minutes to understand the SYRELI procedure

5 minutes to understand - Domain names - SYRELI procedure - Nameshield

Placed under the aegis of AFNIC (French Association for Internet Naming in Cooperation), the SYRELI procedure allows to sanction obvious and indisputable infringements of a trademarks right resulting from the registration by third parties of identical or similar domain names.

Find in this “5 minutes to understand” document, available for download on Nameshield’s website, in which cases the SYRELI procedure applies and what are the rules and conditions to respect.

New document: 5 minutes to understand UDRP procedure

5 minutes to understand - Domain names - UDRP procedure - Nameshield

Established on ICANN’s proposal, the UDRP (Uniform Domain-Name Dispute Resolution Policy) extra-judicial procedure allows to sanction obvious and indisputable infringements of a trademark right resulting from the registration of identical or similar domain names by third parties, a practice commonly referred as “cybersquatting “.


UDRP applies not only to generic extensions (gTLDs) in .aero, .biz, .com, .coop, .info, .jobs, .mobi, .museum, .name, .net, .org, .pro, .travel and new extensions (new gTLDs), but also to country code extensions (ccTLDs) of which the registry has accepted the UDRP principles.

ICANN70: At the crossroads of different policy development processes

Initially scheduled to take place in Cancun, Mexico, like ICANN67 , the recent summit on Internet governance was once again held entirely by videoconference due to the global health situation. The PDPs, the Policy Development Processes, were the main thread of this summit.

ICANN 70
ICANN70 was the fourth summit held remotedely

The PDP, Policy Development Process, is the central community mechanism used by the Generic Names Supporting Organization (Gnso), the body responsible for policy developments on generic domain names, to propose new requirements and revise existing rules to update them. Each PDP results in a series of reports that are ultimately forwarded to the ICANN Board of Directors, which decides on the fate of the recommendations they contain. 

News on the PDP of the new generic extensions

It is with this mechanism that ICANN launched a program of new generic extensions that led to 1930 applications in Spring 2012 and 1233 delegated extensions by the end of 2020. The opportunity to consider a new round of applications was materialized by a PDP initiated by Gnso in late 2015. Five years later, this process to review and improve the Gnso recommendations for the 2012 cycle has entered its final stretch. It is now up to the ICANN Board to decide on the recommendations of the working groups that worked on this PDP. The Board of Directors should launch a last phase of consultations of the community before pronouncing on the continuation of their works. The community was expecting an announcement at this summit or perhaps even a timetable to mark out the next steps until the next round of applications, but we have to admit that hopes have been dashed. Indeed, no announcements were made, even though we know that the prospect of a future round of applications is now approaching fast. Regarding the content of the recommendations this time, the elements discussed mainly during ICANN70 were about a pre-evaluation of the future registries, the improvement of the predictability to evaluate the future applications and the ways to improve the applicants’ support.

The PDP: A solution to the impasse over malicious use of the DNS?

Another topic, related to the implementation of the PDP mentioned above, is the malicious uses of the DNS, a topic commonly referred to as DNS abuse.

ICANN’s monitoring of malicious practices in generic names covers some 205 million domain names, of which barely 11% are from the cycle of extensions created since 2012. The observation made through their analyses shows that around one million domains concentrate these infringements, that is to say 0.5% of them. Another notable fact is that the new generic extensions are more used for malicious practices than the historical generic extensions like .COM, .NET, .ORG, .BIZ and .INFO. In fact, ICANN indicated that in February 2021, 35% of security breaches came from names created in the new generic extensions against 65% in the historical extensions, a ratio that even rose to 40% in November 2020. ICANN also said that 90% of malicious practices in the new extensions were concentrated in 23 extensions. As for the most common types of attacks, spamming is involved at 85%, phishing at 8.4%, botnets (malicious programs that operate remotely) at 3.9% and malware at 2.7%. The new generic extensions concentrate more spamming and phishing practices. Although DNS abuse has been a central topic of discussion between the bodies representing the stakeholders of the Internet community for five summits now, positions still diverge on the measures to be taken to curb these harmful practices. Here again, the expectations of the community at this summit were high.

The GAC, the body that represents governments, has already supported the idea of a dedicated PDP on this topic. It advocates for a holistic approach that addresses all extensions, existing and future. GAC highlighted the work of the SSAC, the Security and Stability Advisory Committee, which advises the community and the ICANN Board on issues related to the security and integrity of the Internet’s naming and addressing systems. Indeed, it published an advisory prior to ICANN70 urging the Board before launching the next round of new gTLDs to commission a study of the causes, responses and best practices for mitigating domain name abuse proliferating in the new gTLDs in the 2012 round. To their credit, they also made a series of recommendations to the ICANN Board, ranging from the systematic presence of security experts in all future contract negotiations to an ePDP (expeditive Policy Development Process).  As for Gnso, it is continuing consultations for the moment without ruling out the use of a PDP.

And the ePDP phase 1 and 2 on access to registration data

Another topic, another PDP process, the ePDP in connection with the GDPR for access to domain name registration data. Initiated in 2018, it was intended to replace a Temporary Specification that involved redacting personal data from freely available registration data of generic names. Phase 1 of the ePDP, not finalized at this time, is intended to replace the Temporary Specification with a future-proof provision. Phase 2 aims to create a standardized data access system for legitimate applications commonly referred to as SSAD. This phase has now reached the end of the roadmap, as it is now in the hands of the ICANN Board of Directors after the Gnso has approved all the provisions formulated by the working groups that have worked on this subject, even those that did not reach consensus. The Gnso assumed this position under the pretext that it was necessary to take its responsibilities and that the recommendations were a whole, a breach of the process of creating new policies that normally wants to be consensual and that led the ALAC (At-Large Advisory Committee) that represents the end users to express concerns, the IPC (Intellectual Property Constituency) that represents the interests of the intellectual property community even going so far as to ask not to continue with the review of the recommendations. The ICANN Board has simply launched an Operational Design Phase to consider the operability of the future system and intends to take a position on the recommendations at a later stage.

A new PDP on domain name transfer policies

Another PDP process was officially launched at ICANN70 to revise the rules for domain name transfers: transfers between registrars and transfers between two registrants. The latter aims to simplify, secure and make name transfers more efficient. A vast project that could extend over several years…

Concerns about the concentration of the sector

Indicative of the concerns of the Internet community, the public forum this year was marked by many questions around the concentration that is accelerating among the players of domain names. The latest is Ethos Capital, a private equity firm founded in 2019, which after buying the operator of .ORG, PIR, has just taken over Donuts, which manages no less than 242 new generic extensions and had recently acquired Afilias, which is among other things manager of the extension .INFO. The community has expressed concerns about these new players whose expectations are not necessarily in line with one of ICANN’s totems, which is to defend competition, trust and consumer choice. ICANN, for its part, does not see a problem in this phenomenon, which has become a trend, because these mergers trigger very closely supervised procedures for analyzing and approving the changes that are brought about. 

ICANN70 has highlighted the fact that ICANN is looking at a number of potentially high-impact topics in domain name management, most of which are about to be materialized into new policies that Nameshield will implement for its customers. Beyond this framework, Nameshield, an independent French player, has already implemented solutions that provide answers to the problems that some of these policies must address. Do not hesitate to reach your consultant with your needs so that we can study together the solutions that we can already bring.

The historical operator of the .UK Nominet in troubled waters

The historical operator of the .UK Nominet in troubled waters
credit image: www_slon_pics

This Monday, March 22nd, at 5:15 pm CET, Nominet, the historical registry in charge of the extension of the United Kingdom, the .UK, announced that the motion aiming to dismiss five members of its board of directors, including the current CEO Russel Haworth and Chair Mark Wood, was approved by 52,74% of the members who expressed themselves in this consultation.

According to its statutes, when a motion is supported by a majority of its members, Nominet must organize a consultation of all its members. Thus, this Monday, March 22, an Extraordinary General Meeting (EGM) was convened to rule on the motion carried under the banner PublicBenefit.uk pushed by Simon Blackler, CEO of the hosting company Krystal, who asked to organize a vote to remove five members of the Nominet board. Among those targeted by the motion were the CEO Russel Haworth and the Chair Mark Wood. A motion with serious consequences for the organization.

At the roots, decisions and actions that have displeased

At 17:15 CET the results of the consultation were announced. 740 members of the registry operator tipped the balance toward this motion, leading to the immediate departure of the board members.

At the roots of the protests was a growing dissatisfaction among some members that crystallized around decisions and communications of the dismissed Board that could give the impression that the registry operator was increasingly turning away from its original foundation as a non-profit organization with public interest commitments to an overly commercial orientation.

Among these decisions, commercial efforts to diversify the activity of Nominet financed by the increase of the prices of the .UK and the reduction of the charitable contributions. Another thorn pointed out by those opposed are the salary increases for members of the board of directors while the operating profits of the organization have fallen over the same period. But without a doubt, the spark that set off the whole campaign came from the brutal closure of Nominet’s online members’ forum at the last annual meeting when CEO Haworth used, in his words, “the wrong tone”.

The management in place had presented a roadmap in the form of a mea culpa a few days before the vote. It consisted of seven major commitments: a freeze on the price of the .UK extension, a freeze on board members’ salaries until the end of 2022, a £20 million investment plan in the operator’s infrastructure, a public interest program focused on young people’s digital problems with £4 million dedicated within three months, the implementation of a new exchange tool for its members, the launch of a Registry Advisory Council (RAC) of elected members who will be able to give their opinion on the policies conducted and greater transparency on the organization’s finances. However, this has not been enough.

What consequences for the operator

Nominet is a major player in the Internet address ecosystem. Their market share of 8.07% of all web addresses in country codes testifies to this. Nominet claims 17,568,576 registered addresses in its extension, which places it in fourth place after .CN, .TK and .DE. The difficult situation faced by the operator is anything but insignificant.

Today, Nominet finds itself with an interim board with an interim chairman, one of the remaining non-executive directors and no CEO. Six unseated board members have chosen not to resign and stated that they will “work on a change of strategic direction”. Nevertheless, they could be blamed for their participation in the decisions taken over the past several years that have led to this situation. A difficult situation for the organization. The former management suggested that this motion could destabilize the organization permanently and perhaps even lead to a split in its activities.

For now, two statements indicate the direction Nominet is likely to take. The first comes from interim president Rob Binns, who sent an email to Nominet members late Monday, shortly after the results were made public:

“I am writing to inform you that the EGM motion passed,” he said before promising that the board had “heard the clear message from the membership and that Nominet will change.”

“The board’s immediate priority is stability, starting with Nominet’s governance and leadership while continuing with the seven-point plan and beginning to address the issues raised over the past few weeks.”

The coming weeks will be crucial for the future of the organization. It will be necessary to renew the vacant positions at the head of the organization and to find the levers to ease the internal and external tensions and worries. It is legitimate to question whether the roadmap left by the former management is the right one, especially since Publicbenefit.UK had other proposals and also had the ambition to push a second motion that was not validated, which consisted in appointing two interim directors – the former chairman of the BBC Trust, Sir Michael, and industry veteran Alex Pawlik, director of RIPE, a historical regional IP address registry. From the perspective of replacing vacancies these people may come forward and when you look closely the proposals from Publicbenefit.UK are not far from the above. Let’s hope that reason will prevail in a compromise. There is no doubt that this is the best thing we can wish for this historical central player in the ecosystem of Internet addresses whose missions and stability are central to the DNS as a whole.

New document available on the Nameshield’s website: “5 minutes to understand – Abusive domain names registrations

5 minutes to understand - Domain names - Nameshield

The digital world is in perpetual evolution and every days, new domain names are registered around the world.

Among these new registrations, some can potentially affect your notoriety, your activity, and your results. Fraudsters, through these abusive domain names registrations, seek to benefit from your notoriety as quickly as possible.

Find in this “5 minutes to understand” document, available for download on the Nameshield’s website, the different practices of abusive domain names registrations that can affect your brand and the actions to take depending on the infringement caused to the brand.