The Crisis of ICANN’s Failed Internet Governance

Rick Lane
Oct 7, 2022

Preserving a globally interoperable Internet benefits the public interest — corrupt Internet plumbing monopolies do not.

September 19, 2020

My first exposure to ICANN was back in 1999 when representatives Sarah Deutsch from Verizon and Marilyn Cade from AT&T brought this small non-profit called the Internet Corporation for Assigned Names and Numbers (ICANN) to the attention of the United States Chamber of Commerce, where I served as the Chamber’s first Director of E-Commerce and Internet Technology. Verizon and AT&T’s issues were twofold: first, efforts by the registries and registrars to make the WHOIS database go dark and the impact that would have on law enforcement, trademark holders, network security, and consumer/child protection; second, there was a growing concern that Members of Congress were going to cancel the U.S. Department of Commerce’s contract with ICANN and move all Domain Name System (DNS) functions under U.S. control back to the Department of Commerce, or even worse, to the United Nations’ International Telecommunications Union (ITU).

As then-Chairman of the Senate Commerce Committee, Senator Conrad Burns, stated in 2002, “change was necessary because ICANN has exceeded its authority, does not operate openly, and is dangerously unaccountable to Internet users, businesses, and other key interest groups.” But we, as the business community, believed that this new industry could regulate itself. We convinced Senator Burns and other critics to give ICANN a chance to work.

But we were wrong, and it is uncanny how prophetic Senator Burns was when looking at ICANN today. One recent example is California Attorney General Xavier Becerra’s letter to ICANN concerning the proposed sale of .org which stated, “(t)here is mounting concern that ICANN is no longer responsive to the needs of its stakeholders.”

FAST FORWARD to 2013

In September 2013, following Edward Snowden’s disclosures of the U.S. National Security Agency’s (NSA) PRISM program, Dilma Rousseff, Brazil’s then-President, spoke before the United Nations General Assembly and criticized the United States for reading her e-mails. Flying down to Brazil, Fadi Chehade, ICANN’s then-CEO, opportunistically piled on by declaring to Agence France-Presse that “she spoke for all of us that day.”

During that time, according to Julian Assange’s book, When Google Met Wikileaks, and by Fadi’s own telling in a meeting I attended, then-President Obama hosted Google’s Eric Schmidt for an Oval Office meeting where Schmidt and the president discussed possible catastrophic consequences of the Snowden disclosures, particularly efforts by certain countries to enact data localization laws (which at the time Brazil was considering as part of telecommunications reform legislation). If passed, Google feared that these laws would severely hinder its business model of harvesting vast amounts of personal information from around the world at peak efficiency to sell online targeted advertising.

Fadi, after speaking with Eric Schmidt, then began leveraging President Rousseff’s (and other world leaders’) legitimate complaints, along with the fears of the Internet community that the U.N. would exert greater control of the Internet, as a pretext to push the U.S. Government to surrender its historical role as guarantor of the legitimacy and integrity of the Internet’s Domain Name System (DNS) by transferring the Internet Assigned Numbers Authority (IANA) function from the U.S. to ICANN. On March 14, 2014, the Obama Administration did precisely that when it announced that the U.S. would transition the remaining IANA functions to ICANN.

But there were those of us who shared the position described by the Congressional Research Service (CRS) in a 2016 report titled The Future of Internet Governance: Should the United States Relinquish Its Authority over ICANN?, which stated, “[T]his stewardship role does not mean that the NTIA controls ICANN or has the authority to approve or disapprove ICANN policy decisions. Rather, the U.S. government’s authority over the IANA functions has been viewed by the Internet community as a “backstop” that serves to reassure Internet users that the U.S. government is prepared and positioned to constitute a check on ICANN under extreme circumstances (such as, for example, fiscal insolvency, failure to meet operational obligations, or capture or undue influence by a single stakeholder or by outside interests).”

Against this backdrop, the National Telecommunications and Information Administration (NTIA) prescribed four conditions for the IANA transition to be approved by the U.S. Government. These conditions specified that the IANA transition proposal must:

• Support and enhance the multi-stakeholder model;

• Maintain the security, stability, and resiliency of the Internet DNS;

• Meet the needs and expectations of the global customers and partners of the IANA services; and,

• Maintain the openness of the Internet.

In addition to these four conditions, NTIA further advised that it would not accept a proposal that replaced the U.S. Government’s role with any other government entity. Members of Congress also raised concerns about ICANN, including the possibility of ICANN moving its headquarters outside of the U.S. to avoid U.S. jurisdiction. But Fadi testified to a Senate hearing that “ICANN has its global headquarters in the United States, and there are no plans for that to change.” Intense pressure from Congress and other outside groups caused NTIA to compel ICANN to create a “separate but inter-dependent” Cross-Community Working Group (CCWG) on ICANN Accountability. As NetChoice president Steve DelBianco conveyed in Congressional testimony supporting the transition, there was the possibility that the transition would result in an ICANN with no accountability. Mr. DelBianco called on Congress to exercise close oversight of NTIA to ensure this didn’t happen.

Thus, various stakeholders, including myself, working with legal and governance experts, developed Key Principles for Coordination of Internet Unique Identifiers. The Principles’ set of 12 high-level guidelines sought to describe what should constitute appropriate and essential mechanisms for safeguarding multi-stakeholder governance, avoiding capture, and enshrining the global community of stakeholders as the ultimate overseer of the DNS and, therefore, the grantor of legitimacy for Internet governance.

These principles were adopted and promoted by, among others, NetChoice, the Information Technology Industry Council (ITI), the Information Technology and Innovation Foundation (ITIF), the Benton Institute for Broadband and Society, and the U.S. Council on International Business (USCIB), and, in abridged form, were included in S. Res. 71, a resolution designating the week of February 8th, 2015, as “Internet Governance Awareness Week,” which was introduced by Senator Orrin Hatch and unanimously adopted by the United States Senate on February 5, 2015. Despite all this attention and the September 2016 transition of the remaining IANA functions to ICANN, NTIA’s four conditions remain unfulfilled, and judging by the current parade of scandals that besiege the DNS, it is likely that 2015 was the high-water mark for legitimate multi-stakeholder Internet governance.

TODAY — FOUR YEARS AFTER THE IANA TRANSITION

It is nothing short of tragic that after all the time and energy spent trying to create effective accountability mechanisms, today at least six major transgressions are engulfing ICANN and threatening private sector-led multi-stakeholder Internet governance:

• Potential obstruction of justice stemming from the WHOIS database going dark by ICANN’s reckless and unnecessary post-GDPR decision to change how registrant data is stored and the ongoing failure to implement a replacement solution;

• An epidemic of DNS abuse aided and abetted by ICANN’s negligent lack of enforcement of contracts with registries and registrars, which is helping to fuel the current explosion of COVID-19 fraud-related websites found online;

• Verisign’s shameful refusal to transition .COM to a “Thick Whois” registry and knowingly making it easier for those committing crimes and abuse to escape the law and continue operating in the Internet’s largest and most popular domain name registry;

• A full-frontal assault on the intellectual property rights of brands and registered trademark owners that disregards community-developed Rights Protection Mechanisms (RPMs) and ignores key constituencies in favor of self-interested auctioning for O.COM and likely other single-character .COM domain names;

• The now-aborted sale of .ORG to a private equity firm connected to Fadi and other ICANN insiders; (author’s update: Fadi’s Ethos Capital owns Afilias that now operates .org on behalf of the Public Interest Registry — PIR and received $20 million in 2020 in fees.)

• ICANN’s recent decision to ignore unprecedented stakeholder opposition and allow Verisign to raise wholesale prices for .COM domain name registrations in exchange for $20 million.

Is ICANN’s Current WHOIS Policy an Obstruction of Justice?

In the wake of the European Union’s implementation of its General Data Protection Regulation (GDPR), ICANN decided that the open nature of the WHOIS database violated the EU’s privacy directive and enacted a Temporary Specification that essentially caused WHOIS, which had been a publicly accessible record since the dawn of the Internet, to go dark.

ICANN launched a so-called Expedited Policy Development Process (EPDP) to confirm or modify the Temporary Specification, which, after two years, has been called a “failed experiment” by ICANN’s own Business and Intellectual Property Constituencies.

Regulators and legislators should note that the Internet Plumbing Monopolies (ICANN, Verisign, Google, and GoDaddy, among others) have prioritized their corporate profits over protecting our nation’s cybersecurity and Internet users. As a result, there is a need for clear regulatory guidance related to GDPR and for the U.S. to pursue alternative legal and regulatory approaches for protecting users online.

Here are some quotes from the leading federal consumer protection agencies in recent letters to Congress:

U.S. Food and Drug Administration

Criminal Case Investigations: Access to WHOIS information has been a critical aspect of the FDA’s mission to protect public health. Implementing the E.U. General Data Protection Regulation (GDPR) has had a detrimental impact on FDA’s ability to pursue advisory and enforcement actions as well as civil and criminal relief in our efforts to protect consumers and patients. WHOIS data has also been widely used in FDA’s criminal investigations to identify individuals and organizations selling online a variety of unapproved/uncleared/unauthorized products such as opioids, counterfeit or adulterated drugs, and purported dietary supplements containing deleterious or undeclared ingredients. Most recently, lack of WHOIS transparency significantly hindered FDA’s ability to identify sellers of fraudulent and unproven treatments for COVID-19 as well as illegitimate test kits and counterfeit or substandard personal protective equipment. These cases range from a simple website marketplace to sophisticated transnational cybercrime networks involving thousands of websites, hidden servers, dark web applications and virtually linked co-conspirators.

U.S. Federal Trade Commission

This lack of access also limits consumers’ ability to identify bad actors using WHOIS information. Prior to the GDPR, thousands of the complaints filed in our Consumer Sentinel complaint database referred to the filer’s use of WHOIS data to identify businesses involved in spyware, malware, imposter scams, tech support scams, counterfeit checks, and other malicious conduct.

U.S. Department of Homeland Security

HSI views WHOIS information, and the accessibility to it, as critical information required to advance HSI criminal investigations, including COVID-19 fraud. Since the implementation of GDPR, HSI has recognized the lack of availability to complete WHOIS data as a significant issue that will continue to grow. If HSI had increased and timely access to registrant data, the agency would have a quicker response to criminal activity incidents and have better success in the investigative process before criminals move their activity to a different domain.

Why is this potentially obstruction of justice? Because law enforcement, consumer protection agencies, intellectual property rights-holders, cyber security experts, child safety organizations and others with legitimate interests depend on WHOIS data to identify the actors behind websites that traffic in such “products” as child pornography, human sex slaves, malware, counterfeit goods, and pirated content. In other words, the WHOIS database is an essential cornerstone of online safety and security.

Three of ICANN’s key advisory committees — the Governmental Advisory Committee (GAC), the At-Large Advisory Committee (ALAC), and the Security and Stability Advisory Committee (SSAC) — along with ICANN’s Business Constituency (BC) and Intellectual Property Constituency (IPC) have all concluded that the results of the EPDP and the model it proposed for dealing with requests to disclose WHOIS data are woefully inadequate. At the public forum at ICANN’s Annual Meeting in Montreal, I asked ICANN’s Board, by a show of hands, “how many of you believe that an accessible WHOIS database is important to the stability, security, and safety of the Internet and its users?” Every ICANN Board Member raised their hand. Yet, the EPDP’s estimates range from 3–5 years to never for full implementation of a new WHOIS regime, and that clock starts after the adoption of any EPDP recommendation.

ICANN Turns a Blind Eye to Domain Name System Abuse

Despite concerns about the growing levels of abuse on the Internet, from phishing and malware attacks to child pornography, ICANN takes a hands-off approach and leaves domain name registries and registrars to oversee themselves. Although ICANN’s accreditation agreements with registries and registrars require that they prohibit domain name registrants from engaging in illegal activity, ICANN has taken the position that their enforcement responsibility ends once the “right language” appears in the contracts with domain registrants, irrespective of whether that language is adhered to or not.

The recent explosion of fraudulent and illegal websites related to the COVID-19 pandemic has shined a brighter spotlight on ICANN’s failings in addressing online abuse, despite its mission of ensuring the secure and stable operation of the domain name system. An article by renowned security expert Brian Krebs describes the growth of domain names and websites engaged in a wide range of fraudulent, illegal, and dangerous activity related to the pandemic. Concerning a recent letter that the ICANN CEO and President Goran Marby sent to domain name registries and registrars about the pandemic, Krebs quotes another security expert as follows, “It’s absolutely ludicrous that ICANN hasn’t stepped up, and they will bear significant responsibility for any deaths that may happen as a result of all this. This (letter from Marby) is a CYA response at best and dictates to no one that they should do anything.”

Delay of Thick Whois Implementation by Verisign

Even though ICANN’s board, in early 2014, adopted the policy recommendation that Verisign adopt a “Thick Whois” for .COM, Verisign still has not implemented it, and it has become increasingly clear that Verisign never intends to do so.

In October 2017, the ICANN Board granted a six-month extension for the transition to Thick WHOIS for new domain names in the .com, .net and .jobs domains to October 2018 and an extension for existing registrations to July 2019. In April 2018, Verisign requested a further one-year extension for implementation, and in May 2018, the Board passed a resolution extending the date to complete the transition from Thin to Thick WHOIS for .com, .net and .jobs to January 2020. Verisign requested two further extensions to the Board in September 2018 and in February 2019, and in both instances, the Board granted additional extensions. Then in July 2019, Verisign once again requested another one-year extension.

In November 2019, the ICANN Board passed a resolution addressing the situation. The Board noted that “this is the fifth deferral of the compliance enforcement of the Thick WHOIS Transition Policy.” Instead of granting a further extension, the Board gave the President and CEO of ICANN authority to defer compliance until a group of conditions has all been satisfied concerning the implementation of the Expedited Policy Development Process related to WHOIS and the GDPR. However, the timeframe for implementation is “3–5 years to never,” which makes the deferral a de facto exemption. This is even though every other registry of generic top-level domain names other than Verisign currently operates a Thick WHOIS. Yet, Verisign has been given a seemingly indefinite pass from implementing this critical policy that worked through the ICANN multistakeholder (and multi-year) consensus policy process.

Critical Date Summary of Verisign Thick WHOIS:

October 2013: Thick WHOIS policy Working Group issues Final Report

October 2013: GNSO Council approves Final Report recommendations and recommends Board adoption

February 2014: ICANN Board adopts recommendations and directs policy implementation

October 2016: Proposed Policy Implementation issued for transition to Thick WHOIS for .com, .net and .jobs setting forth deadlines of May 2018 and February 2019

October 2017: ICANN Board grants a 6-month extension of deadlines

May 2018: ICANN Board, in response to Verisign’s request, grants a second 6-month extension of deadlines

October 2018: ICANN Board, in response to Verisign’s request, grants a third 6-month extension of deadlines

March 2019: ICANN Board, in response to Verisign’s request, grants a fourth 6-month extension of deadlines

November 2019: ICANN Board, in response to Verisign requests, grants a fifth deferral of Thick WHOIS

Disregarding Rights Protection Mechanisms (RPMs) for O.COM

At the March 2019 ICANN meeting in Kobe, Japan, ICANN’s Board voted (although some members have been unable to recall voting on this matter) to move forward with a proposed auction for O.COM. Unfortunately, ICANN ignored advice from its own Intellectual Property Constituency (IPC) and other notable experts to require RPMs for the release of O.COM.

Further aggravating the O.COM auction is the fact that VeriSign’s Request for Services Extension Proposal (RSEP) completely ignored the commitment it made pertaining to .COM Internationalized Domain Names (IDNs) in its 2013 letter to ICANN. VeriSign reaffirmed this commitment to protecting trademark owners and brands to Wall Street analysts during a quarterly earnings call. It is still found on the company’s website blog, which clearly states in “Use Case №2” that a registered .COM IDN will be unavailable in all other transliterated .COM IDNs and in the .com registry unless and until registered by the registrant of that initial transliterated .COM IDN.

This auction proposal enjoyed strong support from Public Interest Registry (PIR) and the Internet Society (ISOC). What would motivate ISOC to support Verisign’s O.COM proposal? The answer is found in the now-redacted Exhibit A of the Second Amendment to the .COM registry agreement which lists ISOC as one of the beneficiaries of the O.COM auction proceeds.

ISOC’s Aborted Sale of .ORG Sold Out Stakeholders

Much has been written shedding light on ISOC’s and Fadi’s .ORG fiasco. ICANN justified removing the pricing safeguards from .ORG’s registry agreement, disregarding 98.1% of public comments opposing such a move, by pointing to the fact that .ORG’s registry operator, PIR, was owned by the non-profit ISOC. The public was misled into believing that safeguards against excessive price increases were secure but the proposed sale of PIR to Ethos Capital, announced just three weeks after the price caps were removed entirely, exposed the fraud.

When ICANN removed pricing safeguards, PIR also agreed to include RPMs and anti-abuse provisions into the amended .ORG Registry Agreement. However, on the same day as they amended the .ORG registry agreement, ICANN and PIR executed an Addendum that removed most of the language that had just been added. Thus, most of the essential RPMs that were promised in the new .ORG Registry Agreement disappeared in the “Addendum.”

There is extensive coverage of ISOC’s failed sale of .ORG registry to Ethos by The Register’s Kieren McCarthy, and it’s worth noting that Esther Dyson, the founding chairwoman of ICANN, took to Twitter and denounced the whole matter as “appalling.” California Attorney General Becerra as well as several US Senators also raised strong objections to the billion dollar sale of PIR to Ethos Capital, and it was a strongly worded letter from Becerra to the ICANN Board that actually stopped the sale at the last minute.

Verisign Receives a Nice Gift from ICANN and ICANN Gets a Nice Gift in Return

The latest scandal involves the recent Third Amendment to the .COM Registry Agreement and Binding Letter of Intent (LOI) between ICANN and Verisign. Although NTIA’s approval of pricing flexibility states that ICANN and Verisign “may agree to amend the maximum price up to 7%,” there is nothing that says ICANN must agree. In true ICANN fashion, even though 95% of the comments filed by the “multi-stakeholder” community opposed increasing .COM prices, ICANN agreed to give Verisign the maximum annual 7% increase in the wholesale price of .COM while Verisign will “contribute” $20 million to ICANN over 5 years. ICANN’s unilateral decision ignored an unprecedented volume of stakeholder input and contradicts the bedrock principle of bottom-up policy development which is the source of any legitimacy that ICANN may claim for its decisions.

In Conclusion, All Internet Users Must Realize the Power of the “Internet Plumbing Monopolies”

Why isn’t there more outrage at what appears to be collusion between ICANN, Verisign, and ISOC being perpetrated in plain view? Why aren’t the various constituencies and advisory councils that form the core of ICANN’s multi-stakeholder model holding it accountable? Is it because, at the end of the day, ICANN pays attention only to the contracted parties that finance its operations — large domain name registries and registrars?

Is it because, like we’ve seen with Mafia cartels, many — too many — are corrupt and colluding for mutual financial gain?

It is time for lawmakers and regulators to take a much-needed closer look at the Internet’s plumbing monopolies. It is not ICANN’s, ISOC’s, PIR’s, VeriSign’s, GoDaddy’s, or Ethos Capital’s Internet to corrupt. The answer is not to “keep the geeks in charge of the Internet”, as Fadi has suggested. It must be our Internet and our public interests must be rightly served. Perhaps this Congress can grab the baton and pick up where Senator Burns left off.

Rick Lane is the CEO of Iggy Ventures, LLC and a 30-year veteran of technology policy.


Rick Lane is a tech policy expert, child safety advocate, and CEO of IGGY Ventures. Rick has worked on Capitol Hill, at the US Chamber, & News Corp.