Domain industry blogger DomainIncite broke a story on November 16 that revealed efforts by the Werte Initiative in Germany to compel ICANN to initiate a takedown request for a website. The notion of a takedown request directed to the CEO of ICANN is perhaps not novel. However, the fact that it comes in the wake of the coordinated takedown of Gab.com, in the exact same week as this letter was apparently transmitted, is worthy of note by the domain industry.
By way of orientation, here is the original letter dated 10/23/18:
The site in question, Judas.Watch, does not seem to have incitement to violence but rather catalogs information about various individuals and organizations. The content itself looks like “Free Speech”, a topic which is generating considerable controversy in the Digital Age. Whether or not ICANN advised the complainant informally, we now know that the formal response came nearly 3 weeks later, on November 13, from Göran Marby, CEO of ICANN:
- There is apparently a continuing, coordinated and perhaps accelerating theme of censorship that extends beyond content that is of a potentially threatening nature as has been alleged in the context of Gab. Moreover, this effort is now global, not just the U.S., and it includes active lobbying of ICANN for takedown of specific domains.
- For now, ICANN is continuing to hold the position that they are not adjudicating about acceptable use of domains but are instead continuing to defer to registries and registrars as governed by their Terms of Service or as they may sovereignly rule by exception should they wish to do so.
- The website referenced in Werte’s letter remains online pending decisions from registry operator (Donuts), and registrar NameCheap (now part of Tucows) as to whether to comply with the take-down request. Given the recent November 13 response date from ICANN, we could expect to see governance action as soon as next week.
In the meantime, where does this recent news leave registrants in terms of reasonable expectations for Due Process? Well, we have some very recent case history for both Registries and Registrars.
Key Lesson #1: Registries can banish a domain without Due Process
On October 15, 2018, the domain name Incels.me was set to the inoperable state of Server Hold by the .ME registry, the country code TLD of Montenegro. The operators of the site reported in a press release that this was done without warning and also without giving the registrant an opportunity to cure. This effectively means that anyone who buys a .ME from now on should put an asterisk next to their domain to footnote the risk that while they own the domain, it can be arbitrarily taken out of use as and when the registry chooses to do so. This also adds registrar counter-party risk as the .ME registry does not explicitly require that a .ME registrant enter into an Acceptable Use agreement with the registry as part of the checkout process. By contrast, when any registrant purchases an ICANN-governed domain, they are required to explicitly accept the ICANN terms, such as you can see in this example for a .COM:
Looking ahead, it remains to be seen whether Donuts takes action, particularly if they are pressed sufficiently either by lobbying groups or by social media. From my reading, the case for a takedown seems weak given the absence of incitement to violence on this particular website as was alleged in the case of Gab. For such a weak case as this one, I would expect that a takedown action by Donuts would cause widespread action by registrants to steer clear of Donuts registries on a going forward basis, just as the price increases of up to 3000% in March 2017 by Uniregistry raised important questions about whether Uniregistry has sufficient governance in place to protect stakeholder rights.
Key Lesson #2: Registrars can banish a domain without Due Process
Whether or not the registrar, in this case, Tucows, takes action on this domain name remains to be seen. As of today, just a few days after the ICANN letter, the site is up. However, we know from the high profile takedown of Gab.com by GoDaddy, covered intensively by the media, that registrars can sovereignly take down any domain without warning, and can do so without giving the registrant an opportunity to cure, as was the case with Gab. Epik is very familiar with this case, having taken the position that Gab.com should have been eligible for Due Process, and opted to step in as registrar, as explained in this important blog post on why Epik accepted Gab.com. In addition to stating Epik’s position through the blog, Epik also took the rather unusual step of indeed setting an expectation among the Gab users with regard to ongoing self-governance as a precondition for sustainable use of Free Speech.
The Future of the Domain Name Industry is being determined now!
Whether or not there is a viable domain industry 10-20 years from now, or whether it is supplanted by an alternate addressing system, is being determined by the actions the industry takes now. In the specific case of Gab.com, a $300,000 domain was being held in escrow on behalf of a registrant while Gab made payments on a domain. The de-platforming action taken by GoDaddy on October 29 placed a high-value domain at risk of permanent impairment, leaving the domain in limbo, registered in the name of the escrow agent. At the time of the take-down action, there were 4 counter-parties with claims on the domain: (1) the registrant, (2) the user of the domain who was making payments, (3) the escrow agent, and (4) the registrar. Talk about a messy takedown with collateral damage!
For now, I applaud ICANN for deflecting this latest request for censorship without Due Process. The drumbeat is getting louder for a global framework for governance and adjudication, similar to the UDRP process administered by WIPO. For adjudication of takedown requests, I believe the “high court” will need to be comprised of persons elected through a transparent democratic process rather than staffing the judiciary with appointees. Given ICANN’s ample $454 million in funds under management, it is not unreasonable to think that ICANN could easily fund a salaried high court comprised of democratically elected persons responsible for establishing and managing a global judiciary for governing takedown requests. This would protect registries and registrars from being crucified by public opinion for simply doing their jobs!
In the meantime, Registries and Registrars that choose to play fast and loose with Intellectual Property Rights can expect to see brand damage as individuals, organizations, and business owners begin to amplify a counterbalancing message relating to the impact of unilateral takedown operations. In the absence of incontrovertible demonstration of bad faith (e.g. blatant phishing operations where time-sensitive action may be imperative), it is reasonable for any domain registrant to expect (1) appropriate due process, (2) reasonable opportunity to remediate, and (3) orderly transition planning to another registrar in the event of continuing non-compliance with Terms of Service.
A number of ICANN’s staff email accounts have been compromised by a phishing attack, which led to administrative passwords to other systems being exposed as well, as Netcraft reports.
The Internet Corporation for Assigned Names and Numbers (ICANN) has fallen victim to a phishing attack which resulted in the attackers gaining administrative access to some of ICANN’s systems, including its Centralized Zone Data Service (CZDS).
In an email alert sent this morning, ICANN said it believes a spear phishing attack in November resulted in several ICANN staff members’ email credentials being compromised. The stolen passwords were then used to gain unauthorised access to multiple ICANN systems, which could have resulted in other usernames and passwords being compromised.
Although CZDS passwords are stored as salted hashes, ICANN has taken the precaution of deactivating passwords and API keys used on the compromised CZDS service. ICANN implemented some security enhancements earlier this year, which it believes limited the extent of the unauthorised access, and has implemented further measures since this attack.
Here’s the email that ICANN wrote to users of its CZDS:
ACTION REQUIRED: CZDS Security Disclosure
ICANN is investigating a recent intrusion into our systems. We believe a “spear phishing” attack was initiated in late November 2014. It involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members. In early December 2014 we discovered that the compromised credentials were used to access certain ICANN systems including the Centralized Zone Data Service (CZDS).
You are receiving this notice because the attacker obtained administrative access to all files in the CZDS including copies of the zone files in the system. The information you provided as a CZDS user might have been downloaded by the attacker. This may have included your name, postal address, email address, fax and telephone numbers, and your username and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated your CZDS password (and API key if applicable) as a precaution. Additional information about the attack is included in an announcement that is posted at https://www.icann.org/news.
In order to continue using CZDS, please visit http://czds.icann.org and follow the instructions there to request a new password. We suggest that you take appropriate steps to protect any other online accounts for which you might have used the same username and/or password.
This notice was not delayed as a result of a law enforcement investigation.
Earlier this year, ICANN began a program of security enhancements in order to strengthen information security for all ICANN systems. We believe these enhancements helped limit the unauthorized access obtained in the attack. Since discovering the attack, we have implemented additional security measures.
We are providing information about this incident publicly, not just because of our commitment to openness and transparency, but also because sharing of cybersecurity information helps all involved to assess threats to their systems. If you would like further assistance or information, you may contact us by email to firstname.lastname@example.org or by telephone at +1-424-277-3192 or U.S. toll-free at +1-800-401-1703. Thank you for your attention to this. We sincerely regret any inconvenience or concern this incident may cause you.
ICANN Registry Services
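ICANN's notice above describes messages crafted to appear to come from the organisation's own domain. The following is an added example, not part of the original post or of ICANN's notice, showing how a mail triage script can flag inbound mail that claims the organisation's domain in From: without a DMARC pass recorded by the organisation's own gateway. The domain `example.org`, the gateway identifier `mx.example.org` and all sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"           # assumption: the organisation's own mail domain
TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id stamped by our own gateway

def _msg(from_hdr, auth_hdr):
    """Build a constructed sample message (not real traffic)."""
    return (f"From: {from_hdr}\nTo: staff@example.org\nSubject: Password reset\n"
            f"Authentication-Results: {auth_hdr}\n\nbody\n")

SAMPLES = {
    "genuine_internal": _msg('"IT Helpdesk" <helpdesk@example.org>',
        "mx.example.org; spf=pass smtp.mailfrom=example.org; dmarc=pass header.from=example.org"),
    "spoofed_from": _msg('"IT Helpdesk" <helpdesk@example.org>',
        "mx.example.org; spf=fail smtp.mailfrom=example.org; dkim=none; dmarc=fail header.from=example.org"),
    "forged_verdict": _msg('"IT Helpdesk" <helpdesk@example.org>',
        "mail.sender.test; dmarc=pass header.from=example.org"),
    "ordinary_external": _msg('"Partner" <ops@example.net>',
        "mx.example.org; spf=pass smtp.mailfrom=example.net; dmarc=pass header.from=example.net"),
}

def trusted_verdicts(msg):
    """Collect spf/dkim/dmarc results, but only from headers our gateway added."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = header.partition(";")
        ident = authserv_id.split()
        if not ident or ident[0].lower() != TRUSTED_AUTHSERV:
            continue  # stamped by another host, possibly the sender: ignore it
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def classify(raw, org_domain=ORG_DOMAIN):
    """Flag mail that claims our own domain in From: without a trusted DMARC pass."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    claims_us = from_domain == org_domain or from_domain.endswith("." + org_domain)
    if not claims_us:
        return "external"
    if trusted_verdicts(msg).get("dmarc") == "pass":
        return "internal"
    return "spoofed-own-domain"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} -> {classify(raw)}")
```

The check only means something if the gateway strips or renames any Authentication-Results header that arrives carrying its own identifier, and if the domain publishes an enforcing DMARC policy.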
Greetings from Los Angeles where I have spent the last few days at the ICANN 51 conference. While much of the content is the stuff of policy wonks, I found it time well spent. As the CEO of an ICANN-accredited registrar, I believe it is important to be active in the dialog around the future of the naming system and to develop direct relationships with the stakeholders and decision-makers from around the world. I greatly appreciate that ICANN hosts these meetings.
The US Government is all-in with ICANN — but does that really matter?
The headline event of ICANN 51 was arguably the formal statement by US Commerce Secretary, Penny Pritzker, that the US will hand over formal stewardship of the Internet to “global multi-stakeholder communities”.
While some US stakeholders may be appalled by this policy of apparent abdication by the US of hegemony over the Internet, I believe there is more to this move than meets the eye. The US policy-makers like a free and open Internet. Some might say that a free and open Internet is the ultimate global platform for public influence and, in the extreme case, subversion. A study of the history of US intelligence apparatus reveals that the US is the most advanced country when it comes to monitoring global telecommunications, e.g. via ECHELON/PRISM infrastructure. The Internet is a battleground where the US is, and will be for the foreseeable future, the best equipped. As such, it makes sense that the US will support a public policy which leads to a continued free and open Internet with minimal censorship.
Fadi Chehade is a professional
The conference opened with the multimedia-enhanced musings of ICANN Chairman Stephen Crocker and was followed by the keynote by Commerce Secretary Pritzker. Immediately thereafter, ICANN CEO Fadi Chehade took the stage. Fadi’s presentation laid out a well thought-out vision and strategic plan that balances top-down strategies with bottom-up consensus building. Fadi comes across as a focused technocrat who is amply capable of navigating the requisite technical, commercial and public policy circles that are central to his role.
Fadi has already presided over the massive gTLD rollout, which despite delays has gone off without a significant hitch. Another area that deserves highlighting is the enforcement of compliance, particularly among the 2013 RAA signatories. While the periodic audits and ad hoc inquiries from ICANN’s compliance team can at times be a nuisance to the registrars, the compliance enforcement efforts serve an important function, namely to bring the registrars to a unified standard of operating competency.
Consistent with Fadi’s consensus-building leadership style, during ICANN 51 Fadi announced the rollout of a new quarterly live conference call with stakeholders to review progress against plan and to invite input from the growing number of stakeholders. While the addition of these conference calls may seem like overkill, keep in mind that ICANN has to contend with public and private stakeholders from around the world while protecting the interests of registrants and consumers that do not even know ICANN exists, and must do this in an environment where technology is in a constant state of flux.
ICANN is very flush with cash and this is not necessarily a good thing
The new gTLD rollout was a windfall for ICANN, which now has a war chest approaching $400 million in cash and investments. The current headcount of approximately 300 is projected to now hold steady. However, even at 300 persons, the organization is now large enough to have multiple layers of management distributed across multiple locations. In my personal experience as Founder and CEO of Global Market Insite, a business that grew 100% per year for 7 years to 300 persons, it was the time between employee 200 and employee 300 when the greatest cultural risks emerged. This is the point in time when a 3rd (and sometimes a 4th) layer of management is added and when the CEO no longer knows every team member, and no longer presides over every hiring decision.
Domain Tasting needs to come back into the industry
As some of our customers know, Epik has developed some capability in the area of domain tasting, i.e. the practice of registering domains and then deleting the majority of them within the 5-day delete window. Earlier this year, domain tasting capability was made accessible to approved customers. One major challenge of providing domain tasting services is that the registries are now enforcing a maximum delete rate of 10%, meaning that any significant volume of domain tasting quickly translates into onerous penalties for the sponsoring registrar. While at ICANN 51, I had the opportunity to sit down individually with Pat Kane of Verisign and Akram Atallah, President of Global Domains of ICANN, to more deeply understand the respective positions on the subject of Domain Tasting. In short, the registries want tasting. It is ICANN, presumably serving as a fiduciary, that is holding domain tasting back. Mr. Atallah questioned the benefit of domain tasting, implying that it mainly benefits speculators rather than long term operators. I respectfully disagree with ICANN on the matter of domain tasting. The draconian policy now in effect is a disservice to the industry. I look forward to a continued constructive dialog with the registrar stakeholder GNSO on this topic, in the months leading up to ICANN 52 in Marrakech, and will be initiating a formal Policy Development Process (PDP) to revisit the topic of Domain Tasting. The binary decision to kill tasting was arguably the appropriate reflex response to stop egregious abuses at the time. However, the time has come to find middle ground.
Stewardship of WHOIS is setting up to be a strategic area of importance
One of the topics at ICANN 51 was the emerging discussion of centralizing WHOIS. The initial steps being taken by ICANN in the area of WHOIS are harmless and indeed useful, e.g. the launch of an ICANN-managed WHOIS search tool. While further work on WHOIS centralization appears to be preliminary, these projects have a tendency to take on a life of their own once staffed and funded. A significant change to the WHOIS framework has now gotten additional ICANN air cover by voluminous analysis by an Expert Working Group. During the meeting with Mr. Atallah of ICANN, I took the opportunity to state my position on the WHOIS centralization topic, namely that I am not in favor of a globally centralized WHOIS model and will advocate against it. For accredited registrars that are in compliance with their RAA, they must have control over the WHOIS record as they are singularly accountable to the registrant to safeguard the record of ownership of the domain, regardless of whether the WHOIS information displayed is public or is a privacy proxy authorized by the registrant. The authoritative WHOIS record should continue to come from the WHOIS server of the accredited registrar. In other words, WHOIS, just as DNS, should remain federated not centralized. There are WHOIS data quality standards. These standards can and should be strictly enforced through the established compliance and enforcement processes. The existing solution is not broken.
Many thanks to the ICANN team for putting on ICANN 51. Safe travels home for the participants from around the world.