SSAD Archives - Cybersecurity, intellectual property and domain names news

ICANN74 between lessons of the pandemic and awareness of the richness of the Internet

Between ICANN66 in Montreal, Canada and ICANN74 in The Hague, Netherlands, thirty-two months and seven summits will have passed exclusively online. In 2020, the prospect of a return to face-to-face meetings was already being discussed under the heading of ‘hybrid mode’, a mixture of face-to-face and remote meetings. The question remained as to when this could be implemented. A more favorable health context was needed, with all the questions posed by covid variants and its repeated waves, and sufficient guarantees of security for the participants, who generally come from the four corners of the world. The 74th edition, which was held last month in The Hague, was finally chosen to experiment the ‘hybrid mode’.

The return of face-to-face meetings with the lessons learned from the pandemic

A return to face-to-face sessions in The Hague, but nevertheless extremely constrained, due to health security. Pre-registration was compulsory for all sessions, with a limited number of places per session. This meant that some sessions were already fully booked well before the summit. The compulsory pre-registration led participants to pre-register for sessions they were not sure they would attend in order to reserve a place. Each participant also had to be able to prove that their vaccination status was up to date. Tests were provided on site as well as temperature taking. Finally, masks and distancing measures were mandatory, hence the limited number of places per session. The organization also decided that everyone should go through the video conferencing medium, including those present on site, an idea that aimed to ensure that all participants could interact equally. For those connected remotely, it was also noted that, as promised, the organization planned shorter sessions, generally not exceeding one and a half hour and very often even one hour. The conditions were therefore met to guarantee safe conditions for those present and good conditions for those connected remotely.

Two ODP processes running in parallel

The subject of the next series of new generic extensions has been discussed in sessions of various bodies. The project is now in the Operational Design Phase (ODP), which consists of an assessment of the risks, tasks and resources required, and which is to be concluded with an Operational Design Assessment (ODA). A related subject, that of closed generic extensions, has entered a new sequence. The principle of a so-called “Small Team”, which includes representatives of the GAC, the body representing governments, the ALAC, which represents end-users, and the GNSO, the body in charge of generic policies, has been validated in order to discuss this subject and see if a compromise can be found to envisage next steps. In the 2012 round, it was not possible to create such extension models. The question is therefore whether such extension models will be possible in the next round. Regarding the ODA, the GNSO, which estimates its publication on 31 October, has mentioned a possible postponement of six to eight weeks due to another ODA that is also mobilizing many people on the creation of a Standardized Domain Name Registration Data Access System for legitimate purposes. The SSAD ODA with contrasting conclusions, particularly with regard to its number of potential users and its particularly high cost, was delivered on 25 January. Its findings are still being evaluated. The next step on this second subject is the creation of a sort of prototype called “SSAD Light” which could be based on technologies mastered by ICANN teams to limit delays and costs. The latter would help to validate or not the implementation of an SSAD with, in this case, a prior implementation phase.

Accuracy of registration data, an important issue

Among the many issues currently being examined, the accuracy of domain name registration data is an important one for Europeans. Indeed, it is the Regulation on the Protection of Personal Data, the GDPR, which has prompted ICANN to call for the removal of personal data from registration directories and which, in turn, explains the aforementioned SSAD project and the accuracy of data. How can we ensure that masked data is accurate? In October 2021, a Scoping Team began a mission to evaluate the obligations related to the accuracy of registration data. It planned to verify the effectiveness of the accuracy of the data. Their findings were expected in June, but the measurement of effectiveness has been hampered by the difficulty of obtaining the necessary data, which is stored at the registrars. Transmitting all registration data to ICANN for research purposes requires a legal basis. The Scoping Team is thus put on hold.

This is particularly important because, as EURALO, the European part of the At-Large body representing end-users, has pointed out, Europe is about to adopt the NIS2 Directive. The directive is due to be voted on in the plenary session of the European Parliament in September before being published in the Official Journal and transposed in the 27 European states. EURALO recalled that NIS2 provides for specific obligations notably on domain name registration data, storage, access and verification and therefore interferes with the role of the regulator ICANN. Moreover, if specific measures apply only to European providers, this creates a disparity of obligations between players, not to mention that the transposition of the text could be unequal in the states. Accuracy at the ICANN level can help harmonize future obligations for all players regardless of their location.

The impact of regulations and disasters

At ICANN73, which followed the outbreak of the conflict in Ukraine, ICANN had the good idea of creating a session dedicated to geopolitical, regulatory and legislative aspects. This meeting highlighted the risks of fragmentation of the single Internet model advocated by the organization. This meeting was repeated at this summit and allowed to note that the initiatives of the States are increasingly interfering with ICANN’s role as regulator.

EURALO had the good idea of completing this panorama with a session on governance and multipartyism in times of emergency. This session consisted mainly of a round-up of At-Large representatives from different continents. The representative from Ukraine logically started the session. In a moving speech about the tragedy in her country, she reminded us that the Internet infrastructure in her country has been heavily impacted. For the Asia-Pacific region, the representative mentioned the volcanic eruption in Tonga in January 2022, which cut the submarine cables and caused a five-week blackout on the islands. She also mentioned the situation in Myanmar where the Internet has been cut off since a coup in February 2021. The representatives of the two American continents spoke of natural and climatic disasters such as Hurricane Maria in Puerto Rico, which had knocked out telecommunications antennas and the electricity network. For part of the population, electricity and Internet access had been cut off for several months. Finally, the representative of Africa recalled that today at least 60% of Africans do not have access to the Internet.

Our comments

The return to face-to-face meetings was not an easy task for ICANN. While many participants felt that the proposed framework was too restrictive, it seems that the organization worked quite well overall in allowing everyone to attend the sessions fairly. The protection measures also seem to have dissuaded many participants from coming, including the speakers scheduled for the week of exchanges who assumed to participate remotely. Indeed, the figures given by the organization indicate 1817 participants from 101 countries, half of whom attended remotely. A good point for the planet but the limit was the possibility to interact outside the sessions.

On the ongoing policy development and review processes, the sessions during the week of the event reminded us that there are a lot of issues being dealt with in parallel, undoubtedly too many issues. This inevitably makes it difficult to keep track of them and causes delays, such as the two ODPs being conducted simultaneously on SSAD and the next round of new generic extensions. However, the overall feeling is that the topics are moving forward, even if the finish line is often unclear.

The last day provided a break from policy issues as geopolitical and regulatory issues and the impact of disasters reminded us that the governance model and access to the Internet are two particularly fragile critical aspects. While NAMESHIELD offers you solutions to the risks associated with compromised names and malicious registrations, we must also remember that we are not all equal when it comes to accessing the Internet. In addition to stricter legislation, other risks such as armed conflicts or climate change must indeed also be considered.

Image source : ICANN’s website

ICANN73 or the difficult equation of preserving a weakened global model

In recent years, ICANN, the regulator of a “universal resolution” of the Internet for all Internet users, has been confronted with new difficulties that are weakening the body and its model. Its mode of operation has had to be adapted to an unprecedented global pandemic and its model of a global Internet is now being questioned by the growing desire of states to emancipate themselves from it, with the tragic conflict in Ukraine pushing the Urals a little further away from the Rockies. But the difficulties also come from its immediate environment with the rise of alternate roots. It is in this context and following a previous edition marked by tensions around the subjects that make up its topicality and which are struggling to move forward, that the 73rd summit opened with great expectations.

For once, the 73rd ICANN meeting did not kick off on a Monday, the day scheduled for the first working sessions. On Sunday 6 March, ICANN published a communiqué stating that its Board of Directors had decided to allocate an initial sum of US$1 million in financial assistance to support access to the Internet infrastructure in emergency situations in Ukraine. This was a way to launch an edition where the conflict in Ukraine was bound to be on everyone’s mind and in many debates.

The conflict in Ukraine in the background

Indeed, on Monday afternoon the very first plenary session of the summit, that of the GAC, the body representing governments, began with a condemnation of Russia’s actions in Ukraine. Several members of the GAC, including France, took the floor.

Two weeks earlier, Ukraine was hit by the first Russian strikes. Ukraine, through Mykhailo Fedorov, Deputy Prime Minister and Minister of Digital Transformation, asked ICANN to target Russia’s access to the Internet by revoking specific country code top-level domains operated from Russia, revoking SSL certificates associated with the domain names and shutting down a subset of root servers located in Russia. ICANN responded negatively to this request in a letter from Goran Marby, ICANN’s CEO, to the Minister, reminding that ICANN’s mission is to take steps to ensure that the Internet operates in a global and non-politicised manner. ICANN is a neutral body, Goran Marby repeated at the Public Forum that closed the summit.

Prospects for ongoing policy development processes

During the previous ICANN summit, tensions were palpable in certain bodies, especially the one representing the registries, due to policy development processes that have become longer with additional stages such as the ODP (Operational Design Phase) that now intervene between the return of final recommendations and the Board’s vote on them.

The first subject to be affected by the ODP stage is the Standardised System for Access to domain name Data. This system, known as SSAD, has been under discussion for more than three years as part of a policy development process known as ePDP, of which SSAD is part of phase 2. It is intended to return to a more uniform model of access to domain name registration data for legitimate requests. However, the ODP, which has just been finalised six months later than the initial estimated timetable, has highlighted the difficulty of framing this project. The number of users is in fact estimated at between 25,000 and 3 million to address 100,000 to 12 million requests, values that lead to a particularly wide range of implementation and maintenance costs (from 34 to 134 million US dollars) and consequently to access costs for the future system that are very difficult to evaluate, the idea being to finance the system exclusively with access costs. At ICANN73 , a way out was suggested: Create a pilot project to limit the risks, in other words, envisage a small-scale SSAD before considering the next steps.

It has been noted that regarding phase 1 of the aforementioned ePDP there is now a finish line. It is estimated to be completed by the end of 2022. This phase aims to create a perennial policy to replace a Temporary Specification that addressed the GDPR in the domain name eco-system in 2018.

The other major topic is that of a next series of new generic extensions. Let’s remember that the previous series will celebrate its ten years in 2022. Since then, it has been a policy development process (PDP) that stretched from December 2015 to February 2021 when the body representing generic policies, the GNSO, adopted the final recommendations report. Last September the ICANN Board decided to initiate an ODP process that could last until early next year. This topic has been the subject of much criticism as the finish line seems to be getting further and further away, even though it has been ten years since the last round. Nevertheless, one option was discussed at ICANN73, that of starting the implementation work without delay, a proposal that, while it rather displeased the ICANN CEO, was rather positively received by the ICANN Board, which should however only vote on the recommendations of the final report of the PDP process after the end of the ODP.

Geopolitical, legislative and regulatory aspects – a new feature

Among the novelties of this summit was a plenary session devoted to geopolitical, legislative and regulatory aspects. This session provided an overview of the many initiatives coming from institutions such as the United Nations, the International Telecoms Union, the Council of Europe and the OECD, as well as from States such as Russia with its digital sovereignty law and China with its law on cybersecurity and data security. This session also allowed to clarify perceptions such as ICANN’s position on the European NIS2 directive. Goran Marby indicated that ICANN does not have an official position on this issue.

The return of the GDD/GDS summit?

Until 2019, ICANN proposed a more operational summit called GDD Summit in addition to the three policy summits. This was abandoned in the context of the global pandemic and has not been mentioned since. The possibility of relaunching this mechanism was put on the table at ICANN73. There could therefore be a fourth annual ICANN meeting as early as the end of this year, with November being mentioned as a possible date. However, between now and then, there will be ICANN74 in June and ICANN75 in September, two events where the hybrid mode, face-to-face and remote, should be in place.

Nameshield Comments

ICANN 73 was undeniably marked by the conflict in Ukraine. A conflict that paradoxically allowed to find a semblance of unity with the outline of solutions as the fact of allowing the Ukrainian registrars to derogate from the ICANN policies through a device called “extraordinary circumstances” and to recall the ICANN to its fundamentals, an apolitical body working for a global Internet. By mapping out the geopolitical, legislative and regulatory contexts, the body also seems to have realised that the world ahead may make it even more difficult to preserve its model of a globalised internet. The feeling after this summit is that more concrete proposals and perspectives have been given on some of the subjects discussed.

For the next round, it is the threat of alternative roots to the DNS that could give an unexpected boost to the current process. These roots that tend to develop could cause collisions between requests if one day identical TLDs cohabit in two environments, a risk that is all the more increased if ICANN marks the step on a future round. Another risk is to be challenged for the allocation of regulatory TLDs when an identical TLD would exist on an alternate root.

Image source: ICANN’s website

ICANN71: GAC in the spotlight

Some 56 sessions were scheduled as part of the 71st ICANN Summit in The Hague. Held once again exclusively by video conference due to the global health situation, no less than a quarter of these sessions were organised by the GAC, the governmental advisory committee that advises ICANN on public policy issues related to ICANN’s responsibilities in the domain name system. The GAC has been very active on all current ICANN policy issues and has clearly made its mark.

The GAC currently has 179 members, representing a majority of the world’s countries. This gives it a good representation on a global scale to speak to a global governance body. The GAC is highly organised and precedes ICANN meetings with preparatory meetings that enable it to gather opinions at local level and then relay them to the governance body. Once again, this summit highlighted the fact that there are really a lot of policy issues going on at ICANN level.

The fight against DNS abuse

The topic of abuse has almost become a chestnut at ICANN summits, as it has been at the center of concerns for almost two years. While registries and registrars are already subject to a battery of obligations on this topic, many stakeholders consider these to be insufficient to really address the issue. The year 2020 has indeed seen an explosion in cybersecurity breaches, particularly as a result of the global pandemic, which has seen even more consumption via the web, particularly due to confinements, and where working methods have had to be reinvented in favour of the remote. It is clear that little has been achieved to date on that issue.

A thorough initiative rich in proposals was formulated by the SSAC (Security and Stability Advisory Committee) which, in its 24 recommendations transmitted to the ICANN Board, put forward the idea of initiating an expedited Policy Development Process (ePDP) with a view to developing an anti-abuse policy. Their report to the Board three months ago has not been acted upon to date. The second and more recent initiative comes from the Registry Stakeholder Group (RySG). It has finalised, with input from the GAC, a framework aimed specifically at botnets, attacks that use forms of Trojan horses to take control of computers to form networks of computers to carry out further attacks. Its principle is to allow voluntary registries to join a scheme that requires them to preemptively block bulk names generated via DGAs (Domain Generation Algorithms), algorithms used to periodically generate large numbers of domain names that can be used as rendezvous points with their command and control servers. The large number of potential rendezvous points makes it difficult for law enforcement to effectively counter botnets, as infected computers will attempt to contact some of these domain names every day to receive updates or commands. The principle here is therefore preventive. In return, the registries would benefit from incentives and would not have to pay the tax collected by ICANN when a domain is created. This initiative is to be welcomed, but it is carried out more directly by the RySG and is therefore not consensual, hence its voluntary nature and therefore its very limited impact.

The reason the DNS abuse issue is so stalled is that it is confronted with other ongoing and upcoming policy development processes and competing interests between bodies, the Intellectual Property Constituency (IPC) for example being very concerned about access to contact data in domain name directories, the RySG about the launch of the next round of new gTLDs that they want to see move forward.

The impact of the General Data Protection Regulation (GDPR) on domain name registration data

Recall that to replace the Temporary Specification, which was put in place on 17th of May 2018 just a few days before the GDPR came into effect, an ePDP process was initiated. This process, described as expeditious, seemed to be far from being finalised at this new ICANN summit, even though three years have passed.

Segmented into three phases, phase 1 aims to provide a perennial policy that should frame the management of personal data of domain names to replace the temporary Specification that notably redacted personal data from domain name directories (via the Whois and RDAP protocols). Its drafting is progressing but no date is known for its finalisation and therefore possible implementation. The delay is partly due to the difficulty of transcribing certain recommendations, one of which was in conflict with an existing policy, the Thick Whois Transition Policy, which provides for the systematic transfer of detailed contact data from registrars to registries. Another pitfall is that the policy overlaps with other existing policies, which therefore also require ongoing adaptation.

Phase 2 concerns the establishment of a harmonised system of access to redacted name directory data for “legitimate” interests. This system is now known as the Standardised Data Access System (SDAS). The first hurdle was that the Generic Names Supporting Organization (GNSO), the policy-making body for generic names, had surprisingly approved all of the recommendations in the Final Report, even those that did not achieve consensus. The recommendations to create this system were therefore all transmitted to the ICANN Board, which rather than pronounce and vote on their application decided to first initiate an Operational Design Phase (ODP). Initiated at the end of March by the Board, it should last six months and aims to identify the stages, risks, costs and resources to be allocated, with a consultation of the community once a milestone has been reached. It is therefore a form of project scoping. The publication of a Request for Information is planned for June for a first consultation of the community.

A Phase 2a additional layer of the PDP aims to assess the possibility of unbundling the contact data of publishable legal entities from non-publishable natural persons. Initiated in December 2020, it resulted in five recommendations in an initial report open for comment until 19th of July 2021. The first recommendation, which was much commented on at ICANN71 , finally recommends that nothing should be changed by allowing players who so wish to make this differentiation. This process will continue with a final report of recommendations expected in the second half of the year.

The GAC considers that improvements are needed in both of the above-mentioned topics. In particular, it considers that the system does not go far enough to protect consumers and increase their confidence. It also regrets that the evolution of the system over time has not been framed and fears that the cost, since access is subject to an accreditation system, could be a deterrent, particularly for those involved in the fight against security breaches who need access to registration data. On DNS abuse, the GAC reiterates the need to address this issue. It has already made several proposals at previous summits.

What about the next round?

The next round is still undecided. We just learned that the ICANN Board, which has just received the last inputs on the recommendations for the next round of new gTLDs, has confirmed that it will start an Operational Design Phase (ODP) to estimate the steps, risks and resources necessary to implement these recommendations. Not yet planned, the Board said it had asked ICANN org to prepare a document to frame the ODP in order to draft the resolution that will formalise it. This resolution will set a deadline for completion of the ODP, possibly six months as with the SSAD.

The GAC, for its part, recalled the issues of specific concern to its members. These include: predictability, voluntary and mandatory registry commitments including how to address DNS abuse, its desire to see support for new applicants better adapted, particularly for less favoured areas, its opposition to closed generic TLDs, the consolidation of its ability to evaluate all applications in order to issue advices and warnings, and its opposition to private auctions to decide between applicants for the same gTLD. It also wishes to support non-profit community applications.

Other issues carried by the GAC are very committed

Other policy development processes are underway, such as the one on Governmental and Non-Governmental Organisation Identifiers (IGOs, INGOs), a process on the rights protection mechanisms, or in the initial phase a PDP on domain transfers and on the launch pad a PDP on IDNs. The GAC did not fail to recall the central issue of accuracy of registration data which is considered insufficiently addressed by the current obligations espacially due to the impact of GDPR. This topic will indeed be central in the perspective of the future NIS2 directives and the Digital Services Act currently being drafted at the European level. The GNSO was challenged by the GAC on the examination of this topic, which has not really started, and apologized for having too many topics in progress. Tensions that the GNSO has sought to alleviate by spending time reviewing its liaison with the GAC to improve it, a decidedly offensive and active GAC.

What About Future Summits?

ICANN summits usually end with a public forum where the public can directly question the Board. As a sign of a (temporary?) improvement of the health state on the covid, the traditional forum was dedicated to the future ICANN summits to know if they should be held in person. From this session it emerged that the answer is not obvious. At issue were the different levels of vaccination and access to vaccines in different countries, the currently restricted conditions of entry to the USA, ICANN72 being held in Seattle and the evolution of the pandemic which remains uncertain. This forum provided an opportunity to comment on a recent survey conducted by ICANN which showed that the majority of those interested in ICANN events considered that face-to-face meetings should be reactivated (54%). At the end of this session, ICANN committed to arbitrate during July. The format of ICANN72 could be hybrid, with limited on-site representation and the continuation of the remote format.

A notable feature of this summit was the large number of ongoing issues and the impression that things are moving forward with difficulty. This has resulted in notable tensions between bodies and discontent expressed, for example, by the group of representatives of geographical extensions, the geoTLDs. If for some, the return to face-to-face meetings seems to be the solution to improve things, through our presence in certain bodies and our participation in working groups, we think that it is rather a problem of visibility due to too many subjects being launched in parallel, some of which overlap with a clear lack of prioritisation. The ODP, the new tool which aims to frame the implementation of a harmonised system of access to registration data and which is now being applied in the next round, may go some way to improving these perceptions. Another aspect to be considered is the diverging interests between bodies. Here, facilitated exchanges can perhaps improve things.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_25904574_14	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
ppwp_wp_session	30 minutes	No description
visit	30 minutes	No description