<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:admin="http://webns.net/mvcb/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		
		<title>CircleID: Whois</title>
		<link>http://www.circleid.com/topics/</link>
		<description>Latest Whois related postings on CircleID</description>
		
		<dc:language>en</dc:language>
		<dc:rights>Copyright 2013, unless where otherwise noted.</dc:rights>
		<dc:date>2013-06-18T17:56:00-08:00</dc:date>
		<image>
			<title>CircleID</title>
			<width>130</width>
			<height>45</height>
			<url>http://www.circleid.com/images/logo_rss.gif</url>
			<link>http://www.circleid.com/</link>
		</image>
		
		<item>
			<title>What New gTLD Applicants Need Is a Quick, Lightweight Answer to the World&apos;s Governments. Here It Is.</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130510_what_new_gtld_applicants_need_is_a_quick_lightweight_answer_to_gac/</guid>
			<link>http://www.circleid.com/posts/20130510_what_new_gtld_applicants_need_is_a_quick_lightweight_answer_to_gac/</link>
			<description><![CDATA[<p>It's safe to say that with just a week to go before ICANN intended to sign the first contract for a new gTLD, the last thing anyone wanted was a 12-page document from the world's governments with 16 new "safeguards", six of which it wants to see applied to every new extension.
</p>
<p>
But what the industry shouldn't overlook, especially in the face of the expected critical responses this week and next, is that the Governmental Advisory Committee's (GAC's) formal advice from the ICANN Beijing meeting represents an opportunity for the domain name industry to lock-in self-regulation at a critical point in its evolution.
</p>
<p>
IFFOR has been focused for some time on the question of what registries will need to do in a world where domain names can end in any word. As such, we see the GAC advice as a simple reflection of genuine, and understandable, concerns from a body whose main job is to identify public policy issues.
</p>
<p>
It is also nothing new: IFFOR went through this exact process to find policy solutions to questions raised by GAC over the dot-xxx top-level domain. Many of the same issues are present in this most recent advice &#8212; something we <a href="http://www.circleid.com/posts/20130131_biggest_gtld_problem_has_just_appeared_on_the_horizon/">highlighted</a> at the beginning of the year.
</p>
<p>
So here is the good news: it is perfectly possible to find a simple, effective and lightweight solution that will meet the concerns of governments &#8212; including that it be contractually binding &#8212; while keeping ICANN firmly out of content regulation.
</p>
<p>
It is also possible to do it right now without compromising business plans, redrawing financial projections, or seeking hundreds of thousands of dollars in new investment.
</p>
<p>
<strong>So what is this solution?</strong>
</p>
<p>
As part of the process for reaching agreement with both ICANN and the GAC over the dot-xxx top-level domain, a set of "baseline policies" was created (by IFFOR) to demonstrate a clear commitment to resolving concerns.
</p>
<p>
Those baseline policies covered issues such as:
</p>
<ul><li>Scanning domains for malware, spam and phishing</li>
<li>Audit and compliance systems</li>
<li>Enhanced trademark protections</li>
<li>Handling complaints </li>
<li>Registrant verification</li>
<li>Tackling child abuse images</li>
<li>Disqualifying applicants that consistently break the policies</li></ul>
<p>
The implementation of those policies was then left up to the registry operator &#8212; ICM Registry &#8212; and IFFOR was also given the role of auditing the subsequent systems.
</p>
<p>
In response to the GAC advice in Beijing, IFFOR is close to completing a new set of "Safeguard Policies" designed specifically to encompass the six broadest safeguards that the GAC wishes to see apply to all new gTLDs.
</p>
<p>
In so doing, we have drawn on our original "baseline policies" to develop policies for the gTLD market as a whole, and have used our experience as a registry policy body to ensure all six GAC safeguards are fully addressed.
</p>
<p>
In an effort to make this work as widely accessible as possible, we plan to simply license these policies for a low annual fee. As well as the right to use, publish and reference the Safeguard Policies, each license will come complete with documentation to help registries implement each policy in the way most suited to their circumstances. We will also extend IFFOR's internal information service that provides ongoing information on related policy and regulatory topics to all licensees. Again, for one, low annual fee.
</p>
<p>
We believe this approach solves a number of issues:
</p>
<ul><li>It provides applicants with a simple, swift and low-cost answer to government concerns</li>
<li>It answers government calls for new safeguards</li>
<li>It builds on a contractual solution that has already been shown to work within the ICANN system</li>
<li>It removes the need and cost for applicants to develop their own policies </li>
<li>It keeps the new gTLD program on track</li></ul>
<p>
Perhaps most importantly, adopting such an approach will give the industry a chance to demonstrate that it is committed to being a good actor while retaining the flexibility to develop the right systems for the right markets in the right way.
</p>
<p>
The mark of a self-regulated market is how well it responds to issues identified by a third party. With the right mix of creative pragmatism, the GAC safeguard advice can act as a catalyst for this industry.
</p>
<p>
If you are interested in learning more about IFFOR's Safeguard Policies, please visit our website at <a href="http://iffor.org/safeguard" target="_blank">http://iffor.org/safeguard</a>.
</p><p><em>Written by <a href="http://www.circleid.com/members/1998/">Kieren McCarthy</a>, Executive Director at IFFOR; CEO at .Nxt</em></p>]]></description>
			<dc:date>2013-05-10T13:39:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>domain_names</category><category>registry_services</category><category>icann</category><category>internet_governance</category><category>regional_registries</category><category>top_level_domains</category><category>whois</category>
		</item>
		
		<item>
			<title>Pandora&apos;s Box &#45; New US Cyber Security Bills Create a Worm Hole in the Internet Galaxy</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130126_pandoras_box_new_us_cyber_security_bills_worm_hole_internet/</guid>
			<link>http://www.circleid.com/posts/20130126_pandoras_box_new_us_cyber_security_bills_worm_hole_internet/</link>
			<description><![CDATA[<p><em>"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause..."</em>
<br />
&mdash;Fourth Amendment to the United States Constitution
</p>
<p>
There are two Bills floating through the corridors of power on the Hill that could potentially change the course of civil and political rights within the United States and the world. One was introduced through the House of Representatives and the other through the Senate. The two Bills share a common thread in that both are premised on "national security"; however, should they be passed, interesting challenges affecting the global public interest will surface that require further examination, introspection and discussion.
</p>
<p>
<strong>Cyber Intelligence Sharing and Protection Act (CISPA)</strong>
</p>
<p>
US Representatives Mike Rogers (R-Mich) and Dutch Ruppersberger (D-Md) took the <a href="http://thomas.loc.gov/cgi-bin/query/z?c112:H.R.3523:">Cyber Intelligence Sharing and Protection Act (CISPA)</a> to the floor last year, despite threats that President Obama would veto the Bill in the version it was in at the time. On 25th April 2012, President Obama's Administration released a <a href="http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/112/saphr3523r_20120425.pdf">statement</a> saying that:
</p>
<blockquote><p><em>"Legislation should address core critical infrastructure vulnerabilities without sacrificing the fundamental values of privacy and civil liberties for our citizens, especially at a time our Nation is facing challenges to our economic well-being and national security. The Administration looks forward to continuing to engage with the Congress in a bipartisan, bicameral fashion to enact cybersecurity legislation to address these critical issues. However, for the reasons stated herein, if H.R. 3523 were presented to the President, his senior advisors would recommend that he veto the bill."</em></p></blockquote>

<p>
The US House of Representatives approved the CISPA on a bipartisan vote of 248-168. Proponents of CISPA believed that they could get the Bill ready for the President to endorse. On 7th May, 2012, the CISPA was received in the Senate and the Bill was read twice and referred to the Select Committee on Intelligence.
</p>
<p>
<strong>Cybersecurity and American Cyber Competitiveness Act 2013</strong>
</p>
<p>
The US Senate has introduced a new Bill called the <a href="http://commerce.senate.gov/public/?a=Files.Serve&amp;File_id=b678eb9a-b5c1-4540-aca3-3e857c7627da">Cybersecurity and American Cyber Competitiveness Act 2013</a> through Senators John D. (Jay) Rockefeller IV, Chairman of the Senate Commerce, Science, and Transportation Committee, Tom Carper, incoming Chairman of the Senate Homeland Security and Governmental Affairs Committee, and Dianne Feinstein, Chairman of the Senate Select Committee on Intelligence, and recently issued a <a href="http://commerce.senate.gov/public/index.cfm?p=PressReleases&amp;ContentRecord_id=7a7124d7-190c-4160-abf3-4012c2db737c">Press Release</a>.
</p>
<p>
The two Bills are controversial. On one hand, they address an important aspect of security, and it is critical that countries work towards securing cyber space by having a relevant legislative framework in place. What is equally important is that human rights considerations, such as rights to privacy, and other issues, such as data protection rights, be part of the equation. It is also important that lawmakers remember that the foundation of freedoms and rights is also based on the notion that individuals are protected from arbitrariness; otherwise there is a devolution to a Police State. There has to be a balance.
</p>
<p>
Policy should precede the legislative framework, and is where these factors, along with other key considerations such as objectionable content, are identified. Given the interdependencies of the Internet through its architecture and the series of relationships and transactions, the enforcement of US control over other states through these two Bills means that every Policy made by the global community within Multistakeholder organizations like the Internet Corporation for Assigned Names and Numbers (ICANN) will be subject to these laws if passed.
</p>
<p>
There was much debate and controversy around the WCIT and rhetoric included "Hands off the Internet" but it would appear that they were being selective when they said that.
</p>
<p>
Last year the US Government decided to return two domain names, namely Rojadirecta.com and Rojadirecta.org, which it improperly seized and held in its possession for well over a year, without so much as an explanation. These sites are Puerto 80's popular sports streaming sites, which the government seized back in February 2011. Puerto 80 responded by petitioning the government for return of the domains. What was fascinating about this was that Puerto 80 is a Spanish company, and a Spanish court had already found the sites legal. The courts in the US disagreed, holding that the US government did not have to return the domains. Puerto 80 appealed, and then late last year the US Government mysteriously dropped the matter without an explanation.
</p>
<p>
Even if the Bills were to contain provisions to protect the privacy rights and civil liberties of Americans, there is no guarantee that the rights and protections would extend to non-Americans. The challenges to an open and internet are occurring within the United States. These Bills could waive all the existing privacy laws that were crafted to protect ordinary American citizens.
</p>
<p>
Will we see more domain name seizures, DNSSEC filtering etc? What would be the impact on Whois?
</p>
<p>
The thing about Pandora's Box is once it is opened there is no going back.
</p>
<p>
<strong>Caveat</strong> &ndash; <em>These views are solely my own and do not reflect the views of any of my affiliations.</em>
</p><p><em>Written by <a href="http://www.circleid.com/members/6854/">Salanieta Tamanikaiwaimaro</a>, Director of Pasifika Nexus</em></p>]]></description>
			<dc:date>2013-01-26T10:44:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>domain_names</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>privacy</category><category>security</category><category>whois</category>
		</item>
		
		<item>
			<title>Follow a Phishing Case in Real Time: postfinances.com / Swiss Post</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130104_follow_a_phishing_case_in_real_time_postfinancescom_swiss_post/</guid>
			<link>http://www.circleid.com/posts/20130104_follow_a_phishing_case_in_real_time_postfinancescom_swiss_post/</link>
			<description><![CDATA[<p>It is just another phishing case. Why should I care? I happened to receive my own copy of the phishing email message. Most Internet users will just smile bitterly before deleting it.
</p>
<p>
I checked it to see why it had gone through the spam filters. It had no URL in the text but a reply-to address. So it needed a valid domain name, and had one: postfinances.com.
</p>
<p>
PostFinance (without trailing "s") is the payment system of the Swiss Post. It has millions of users.
</p>
<p>
The domain postfinances.com had been registered a day before my receipt of the phishing email, through a Canadian registrar:
</p>
<blockquote><p>Domain Name: POSTFINANCES.COM
<br />
Status: clientTransferProhibited
<br />
Status: clientUpdateProhibited
<br />
Updated Date: 27-dec-2012
<br />
Creation Date: 27-dec-2012
<br />
Expiration Date: 27-dec-2013</p></blockquote>
<p>
The domain holder (falsely) shown on the Whois is Vistaprint, an international online services company. There is an MX record pointing to:
</p>
<blockquote><p>mx.postfinances.com.cust.b.hostedemail.com.</p></blockquote>
<p>
The Phishing message itself is not convincing. The copy I received is written in bad machine-translated German. I suppose French and Italian versions have been sent too. It is the classic false alert about "account information update" targeting users of an electronic payment system. It asks the recipient to answer with account information and telephone number, promising that the support team will then contact the account holder by telephone.
</p>
<p>
Can we simply dismiss this as a clumsy attempt at phishing?
</p>
<p>
It is not that clumsy. The Swiss Post giro accounts are extremely popular. Almost everyone in Switzerland has a postal account. So any user with an email address ending in .ch is likely to have a postal account and to have electronic access to it. In this respect, the phishing perpetrators are smart.
</p>
<p>
Now the domain name. The real thing is http://www.postfinance.ch. The plural of the word "finance" is frequently used, especially in the sense of personal finance. Addresses ending in .com are frequent for large Swiss companies. So postfinances.com sounds very credible. In this respect, the phishing perpetrators are almost elegant.
</p>
<p>
Now the style of the email, the bad German, the almost humoristic notice on the bottom of the message:
</p>
<blockquote><p>"This message was sent using IMP, the Internet Messaging Program."</p></blockquote>
<p>
That notice was left in English. Even that had a role: it filtered out the educated victims, leaving only the vulnerable people.
</p>
<p>
Is this something to laugh about?
</p>
<p>
There are enough vulnerable people. At any given time, there are millions of people in the process of learning about the Internet. Not all of them will have a good command of the language in which they received the Phishing message. Some of them may respond to the scammers, giving up their account information and telephone number. The perpetrators can then work by VOIP telephony, complete with fake caller ID, making the victim believe that there is urgency, that there is a problem, that the victim should connect to a web site whose address they dictate over the telephone. If the perpetrators do not speak German they can pretend that they work for an outsourced call center, a special security investigation company...you name it.
</p>
<p>
Here is where the ICANN problem starts.
</p>
<p>
I saw the Phishing email on December 28, one day after the domain registration of postfinances.com. I sent a Whois Data Problem complaint to http://wdprs.internic.net/.
</p>
<p>
<em>(Note: compare the elegant domain name used by the bad guys &#8212; postfinances.com &#8212; to the cryptic domain name used by the good guys for problem reporting.)</em>
</p>
<p>
The Whois problem reporting system is not only inadequate, it is a mere fig leaf. There is no real abuse reporting tool, there is no credible fast response infrastructure &#8212; even though ICANN's budget is higher than that of Interpol.
</p>
<p>
I added a note to the Whois Data Problem report, saying that this was a manifest case of phishing and that the domain should be suspended immediately. I copied the phishing email into the comment box, as further proof. The ICANN system sent me confirmation &#8212; without my explanatory comments. I am not sure if the registrar of the postfinances.com domain received my comments through the ICANN system.
</p>
<p>
When I came back to the office on January 2, 2013, the domain was unchanged. The next day I sent a problem report to http://www.melani.admin.ch/index.html?lang=en &#8212; the Swiss government security response team. I even tried to call the person in charge of domain names at the Swiss Post. It is understandable that he is on vacation at this time of the year &#8212; just as it is understandable the phishing perpetrators selected this time of the year for their scam.
</p>
<p>
At the time of writing, the domain name is still unchanged, and the email sent to it still goes to mx.postfinances.com.cust.b.hostedemail.com.
</p>
<p>
How many people have suffered damage? How many more people will suffer damage if the domain remains active, along with the email forwarding? Difficult to say, but for some time the likelihood of harm grows with each day. Does it make sense for fraud inspectors to keep the abusive domain name alive to track the perpetrators? I doubt it.
</p>
<p>
The sad thing is that humble, hardworking people are particularly threatened by this sort of scam. Imagine a migrant worker, struggling in the local language, with no time to learn about Internet governance (or about the lack of it).
</p>
<p>
But it is worse.
</p>
<p>
Well-deserved consumer confidence in electronic commerce and payments is a necessity. Jobs and economic growth depend on it. Negligence in the combat of scams does enormous harm. The social cost of lost confidence is a million times more than the money stolen by the scammers.
</p>
<p>
Now let us take a closer look and compare it with ICANN news.
</p>
<p>
Two new gTLD applications stand out that could (or should) help with the anti-phishing challenge. One of them is ".bank" &#8212; I mean the community-based one applied for by the banks. The other is ".banque" (in French), applied for by French banks.
</p>
<p>
These are TLDs that can facilitate special processing by MTAs, email client software, spam filters, web browsers and search engines on the basis of published usage policies. They can allow machine-based compliance verification of policies. Those policies can formally be associated with TLDs whose role is easy to understand for all people. In other words, these TLDs have the power to establish the same link between technology and the human mind, just as standardized coins or paper currency do with systematic security features.
</p>
<p>
ATMs, banknote checking/counting machines and vending machines help us deal with the standardized currency. We recognize the same currency with our eyes and touch it with our hands. That is a great achievement. Or does anyone want to go back to randomly shaped lumps of metal?
</p>
<p>
Software combined with responsibly managed financial domain names can do the same. Or do we prefer to laugh at people who have trouble telling the difference between postfinance.ch and postfinances.com?
</p>
<p>
True, both the community-based .bank and the .banque application are a bit confused. But they are not more confused than ICANN as a whole. ICANN's disorientation is the main reason why many of the gTLD applications are so unclear, or even full of errors and contradictions.
</p>
<p>
The .bank and .banque TLDs can be set up correctly. They can radically improve security and productivity of on-line financial transactions. It should have been done years ago.
</p>
<p>
But there is ICANN's way &#8212; our way &#8212; of managing urgent tasks.
</p>
<p>
No reaction in 7 days to a report on a scam domain &#8212; that is NOT the worst problem. The problem is that no better reporting system is in place. (Yes, we have talked about domain abuse for 10 years.) The next problem is that the new gTLD program, through which urgently needed security improvements should be possible, has been delayed for years. It has also been mismanaged. And now it is managed randomly, literally, by way of a Draw.
</p>
<p>
Is this all that we, the Internet experts, have to offer?
</p><p><em>Written by <a href="http://www.circleid.com/members/2083/">Werner Staub</a></em></p>]]></description>
			<dc:date>2013-01-04T10:24:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>dns</category><category>domain_names</category><category>registry_services</category><category>icann</category><category>security</category><category>voip</category><category>whois</category>
		</item>
		
		<item>
			<title>Top 10 Biggest Domain Stories of 2012 and Predictions for 2013</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121130_top_10_biggest_domain_stories_of_2012_predictions_for_2013/</guid>
			<link>http://www.circleid.com/posts/20121130_top_10_biggest_domain_stories_of_2012_predictions_for_2013/</link>
			<description><![CDATA[<p>So my <a href="http://www.circleid.com/posts/20120105_2011_domain_name_year_in_review_top_10_biggest_domain_stories/">prediction from last year</a> that "ICANN will open the new gTLD application period without any glitches" could not have been more wrong. And yes &#8212; I actually used the word 'glitches'.
</p>
<p>
That said, I was correct in saying that many would be surprised by the number of new gTLD applications submitted. Unfortunately, I was also correct in saying that we would continue to see security breaches at both the Registry and Registrar levels, with the sophistication of these attacks beginning to increase.
</p>
<p>
Regardless of my crystal-ball gazing skills, it's been another incredibly eventful year, and below are the Top 10 Domain Stories from 2012.
</p>
<p>
<strong>Number 10 &ndash; "Reveal Day" Surprises Revealed</strong>
</p>
<p>
In June of 2012, ICANN announced that they had received <a href="http://www.circleid.com/posts/20120613_brand_applications_account_for_one_third_of_new_gtld_applications/">1930 New gTLD applications</a> from 60 countries for 1,408 unique strings. Of the 1,930 applications received, .Brands accounted for 652 of them. In addition to the .Brand TLDs, there were also 84 "Community-Based" TLDs, some of which were also designated as geographical names. In addition, there were 66 geographical names (most of which are city TLDs). Only 116 applications of the 1930 applications utilized non-Latin character sets. (Interesting note: there were 1,179 uncontested applications, and 751 contested applications representing 230 unique strings.)
</p>
<p>
<strong>Number 9 &ndash; Domain Market Grows by 12%</strong>
</p>
<p>
According to Verisign's <a href="http://www.verisigninc.com/en_US/why-verisign/research-trends/domain-name-industry-brief/index.xhtml">"October 2012 Domain Name Industry Brief"</a>, by the end of the second quarter of 2012, more than 240 million registrations were in existence. And while .COM and .NET registrations grew by a respectable 7.8% YOY, ccTLDs grew by a whopping 18.5% YOY.
</p>
<p>
<strong>Number 8 &ndash; DNSSEC Adoption Extremely Low </strong>
</p>
<p>
Amid much fanfare, .COM deployed DNSSEC support in the first quarter of 2011. Despite the fact that a number of leading Registrars have deployed support for DNSSEC, adoption by corporate America has been extremely low. In fact, some figures show DNSSEC adoption rates of less than 1% for major US corporations.
</p>
<p>
<strong>Number 7 &ndash; Registration of ccIDNs by Corporate America Slows</strong>
</p>
<p>
While there were some reports that Country-Code Internationalized Domains (ccIDNs) are becoming popular within their respective countries, registrations by brand owners in North America have been surprisingly low. Given that there are now more than 3 dozen ccIDN extensions, the resulting lack of interest may simply be the result of registration fatigue.
</p>
<p>
<strong>Number 6 &ndash; IANA Contract Renewed</strong>
</p>
<p>
While the US Government no longer has direct oversight of ICANN, they still hold the contract for the technical coordination of the Internet with IANA (Internet Assigned Numbers Authority) and in November 2011, NTIA (National Telecommunications &amp; Information Administration) issued an RFP for the IANA functions. However, on March 10, 2012 NTIA withdrew the RFP due to the fact that there were "no proposals that met the requirements requested by the global community." Interestingly enough, on April 16, 2012, the RFP was reissued and on July 2, 2012 the contract was awarded, once again, to ICANN.
</p>
<p>
<strong>Number 5 &ndash; Hacks and Outages Continue</strong>
</p>
<p>
More so than ever, Registries and Registrars continue to fall victim to security breaches. Even as many Registries were implementing additional security protocols, vulnerabilities at the .IE, .PK and .RO Registries were exposed, resulting in redirected domain names. A number of Registrars suffered breaches as well via social engineering and SQL-injection attacks in 2012, but MarkMonitor systems were not impacted due to our focus on security. Finally, the industry's largest Registrar suffered a major outage due to their own internal system failure.
</p>
<p>
<strong>Number 4 &ndash; Secondary Market Mixed</strong>
</p>
<p>
Previous years saw seven-figure domain deals, but in 2012 the numbers of high-end purchases have declined. The domainer-to-domainer market also appears to be softening. However, the market for desirable domains remains strong despite the anticipated launch of new gTLDs next year.
</p>
<p>
<strong>Number 3 &ndash; Whois Remains a Hot Topic</strong>
</p>
<p>
In the past year, there have been a number of Whois initiatives including the completion of ICANN's Whois Policy Review Team Final Report which recommended making Whois a strategic priority, creating a single policy, data accuracy improvements, privacy/proxy requirements, and IDN support. Work on the soon-to-be revised Registrar Accreditation Agreement will likely also result in some notion of Whois verification/validation. Moreover, policy development work requiring that all Registries provide Thick Whois is now underway. Finally, the development of new technical protocols to support non-Latin character sets and new terminology has been completed. And to top it all off, the ICANN Board recently directed ICANN's CEO to "launch a new effort to re-examine the purpose of collecting, maintaining and providing access to generic Top-Level Domain (gTLD) registration data."
</p>
<p>
<strong>Number 2 &ndash; Significant Organizational Changes at ICANN Shake Things Up</strong>
</p>
<p>
Many were surprised by the resignations of both Michael Salazar, ICANN's New gTLD Program Director earlier this year and more recently by Kurt Pritz, ICANN's Chief Strategy Officer. Of course, the biggest change by far has been the hiring of Fadi Chehade, ICANN's new CEO. Chehade has described his objectives for the organization which include 1) affirmation of purpose, 2) operational excellence, 3) internationalization, and 4) evolution of the multi-stakeholder model on which ICANN is built. He has also described significant organizational changes to ICANN leadership and staff to support public engagement, technical functions, registry and registrar services, contractual compliance, communications, and stakeholder and governance support.
</p>
<p>
<strong>Number 1 &ndash; New gTLDs Troubling</strong>
</p>
<p>
A <a href="http://www.circleid.com/posts/201209005_top_level_domain_survey_findings_not_surprising_but_concerning/">survey conducted</a> earlier this year of MarkMonitor clients revealed that New gTLDs are of significant concern to large corporations. Fifty-five percent of the respondents stated that New gTLDs will create opportunities for brand harm or confusion. And just over half stated that their online policing efforts will need to increase. Interestingly enough, about 75% of the respondents do not expect to use new gTLDs for core websites and over a third are not sure what to do with their domain portfolios in response to new gTLDs.
</p>
<p>
<strong>What Can We Expect in 2013?</strong>
</p>
<p>
With the launch of New gTLD Registries expected next year, the real work will soon begin. Starting next year, companies will need to identify and submit their marks to the Trademark Clearinghouse, determine when and where to register domains as new gTLD Registries launch, and then actively begin policing an ever-expanding namespace. New gTLD Registries will be working through the processes of responding to Clarifying Questions, contract negotiations, pre-delegation testing, and (in many cases) developing their Registrar networks. Registrars will be busy selecting and implementing the New gTLDs they will offer to their customers.
</p>
<p>
Unfortunately, as predicted in previous years, I believe that we will continue to see Registrar and Registry security breaches. The silver lining is that for those that have been impacted previously, we will see a concerted effort to harden security.
</p>
<p>
While the coming year will be an exciting one for sure, the complexity it will bring is unprecedented. I, for one, can't wait to see how it all plays out.
</p><p><em>Written by <a href="http://www.circleid.com/members/3911/">Elisa Cooper</a>, Director of Product Marketing at MarkMonitor</em></p>]]></description>
			<dc:date>2012-11-30T14:27:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>domain_names</category><category>registry_services</category><category>icann</category><category>top_level_domains</category><category>whois</category>
		</item>
		
		<item>
			<title>ICANN Board Starts New Initiative to Tackle gTLD Registration Data Challenges</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121119_icann_board_starts_new_initiative_to_tackle_gtld_registration_data/</guid>
			<link>http://www.circleid.com/posts/20121119_icann_board_starts_new_initiative_to_tackle_gtld_registration_data/</link>
			<description><![CDATA[<p><img src="http://www.circleid.com/images/uploads/7010.jpg" border="0" width="150" height="124" style="float:right;padding:0 0 5px 10px;" />The ICANN Board of Directors has directed the Chief Executive Officer to launch a new effort to re-examine the purpose of collecting, maintaining and providing access to generic Top-Level Domain (gTLD) registration data. The move follows the recommendations of a review team that examined implementation of WHOIS data policy [<a href="http://www.icann.org/en/news/press/releases/release-19nov12-en.pdf" target="_blank">pdf</a>].
</p>
<p>
"WHOIS began more than 25 years ago, before there was even a World Wide Web and its purpose was far more technical than it is today," said Dr. Stephen D. Crocker, ICANN Board Chair. "It's clear that we have to take a thorough look at WHOIS from the ground up, and that's what we're asking the CEO to do - what should WHOIS be and how can we best improve its accuracy?"
</p>]]></description>
			<dc:date>2012-11-19T13:31:00-08:00</dc:date>
			<category>internet</category><category>domain_names</category><category>icann</category><category>internet_governance</category><category>policy_regulation</category><category>top_level_domains</category><category>whois</category>
		</item>
		
		<item>
			<title>NEW CEO, Trademark Clearinghouse, URS and RAA Take Center Stage at ICANN 45 in Toronto</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121030_new_ceo_trademark_clearinghouse_urs_and_raa_take_icann_toronto/</guid>
			<link>http://www.circleid.com/posts/20121030_new_ceo_trademark_clearinghouse_urs_and_raa_take_icann_toronto/</link>
			<description><![CDATA[<p>At his first meeting as CEO of ICANN, Fadi Chehade showed up ready to work AND to listen. ICANN's new CEO described his objectives for the organization which included 1) affirmation of purpose, 2) operational excellence, 3) internationalization, and 4) evolution of the multi-stakeholder model on which ICANN is built. He also described significant organizational changes to ICANN leadership and staff to support public engagement, technical functions, registry and registrar services, contractual compliance, communications, and stakeholder and governance support. Generally speaking, attendees at the ICANN meeting were encouraged by what they heard from the new CEO.
</p>
<p>
In addition to the excitement surrounding the new CEO, a number of other issues also took center stage at the <a href="http://toronto45.icann.org/">Toronto meeting</a> including the Prioritization Draw, the Trademark Clearinghouse, the URS (Uniform Rapid Suspension), the RAA (Registrar Accreditation Agreement) Negotiations and Whois.
</p>
<p>
<strong>Prioritization Draw for New gTLD Applications</strong>
</p>
<p>
Just prior to the meeting, ICANN published a plan for the prioritizing of new gTLD applications through the steps leading to delegation. This new plan describes the assignment of priorities through the use of a Draw or Drawing &#8212; the priority assigned to each application will be used to schedule the release of initial evaluation results, pre-delegation testing, and contract execution. To participate in the Draw, applicants will be required to purchase a ticket for $100. The Draw is tentatively scheduled for early December 2012. With this new proposal, internationalized top-level domains will be given preference and the first set of initial evaluation results is scheduled for release towards the end of March 2013, with the first new gTLDs being delegated in Q2 of next year.
</p>
<p>
<strong>Trademark Clearinghouse</strong>
</p>
<p>
Attendees at the ICANN Meeting were given a sneak peek into the Trademark Clearinghouse. While the bulk of the development work has been completed, it appears that some refinements are still required before submissions can be accepted. There are also some questions regarding how data within the Trademark Clearinghouse will be accessed, and there are two different models being proposed &#8212; a decentralized model where each registry would receive a copy of the Trademark Clearinghouse database, and a centralized model where registries would access data directly from the Trademark Clearinghouse. At this point, the Trademark Clearinghouse is expected to begin accepting submissions in Q1 of 2013. (MarkMonitor will be providing Trademark Clearinghouse submission services.)
</p>
<p>
<strong>URS (Uniform Rapid Suspension)</strong>
</p>
<p>
The URS was meant to provide a low-cost alternative to the UDRP for the suspension of clearly infringing domains. According to ICANN, URS fees were originally targeted at $300 &ndash; $500; however, there were no providers willing to offer the service at this price point. As a result, ICANN issued an RFI in September of this year to identify additional providers. Some in the community have asked ICANN to underwrite the URS for a period of time.
</p>
<p>
<strong>RAA (Registrar Accreditation Agreement) Negotiations</strong>
</p>
<p>
ICANN and Accredited Registrars (with input from Government and Law Enforcement) continue to work towards amendments to the RAA. Significant progress has been made on areas related to Whois verification and data retention, though certain key issues remain open. According to ICANN, a draft of the RAA will be posted for public comment by the end of December and a new version will be finalized by March of next year.
</p>
<p>
<strong>Whois</strong>
</p>
<p>
Earlier this year, the Whois Policy Review Team published their final report containing 16 recommendations including making Whois a strategic priority, defining a single policy, implementation of a Proxy / Privacy Accreditation program, adopting new standards to support IDNs, etc. Some had expected the recommendations to simply be implemented by ICANN staff, but the ICANN Board asked the policy-making group within ICANN to assist in determining whether to proceed with implementation of the recommendations or whether a full Policy Development Process should be initiated instead.
</p><p><em>Written by <a href="http://www.circleid.com/members/3911/">Elisa Cooper</a>, Director of Product Marketing at MarkMonitor</em></p>]]></description>
			<dc:date>2012-10-30T06:50:00-08:00</dc:date>
			<category>internet</category><category>domain_names</category><category>icann</category><category>internet_governance</category><category>policy_regulation</category><category>top_level_domains</category><category>whois</category>
		</item>
		
		<item>
			<title>Compliance Overhaul a Start</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/compliance_overhaul_a_start/</guid>
			<link>http://www.circleid.com/posts/compliance_overhaul_a_start/</link>
			<description><![CDATA[<p>ICANN is clearly changing with the new <a href="http://news.yahoo.com/icann-ceo-blocks-ambitious-operational-plans-183026035.html">CEO making immediate changes to the organizational structure</a> and Compliance announcing a number of more effective tools and procedures at Sunday's <a href="https://community.icann.org/display/atlarge/At-Large+Meetings+-+Sunday%2C+14+October+2012">At-Large Advisory Committee (ALAC) and Regional Leadership Meetings</a>. It seems very ambitious and they will need to be because our year-long research, publicly distributed here for the first time, <a href="http://knujon.com/Knujon_ICANN_compliance_eval_09192012.pdf">shows a complete breakdown in ICANN's Compliance functions on every level possible</a>. Our document, in essence, demonstrates that ICANN has been completely ineffective in handling rampant abuse of the Domain Name System. Now, this analysis does not concern a vague responsibility for ICANN to protect the Internet but rather details specific failings which have allowed spam, malware, drug trafficking, and brand abuse to run rampant with absolute impunity. The related impact cannot be overstated as <a href="http://www.nabp.net/news/fda-takes-action-to-shut-down-web-sites-tied-to-alleged-counterfeit-avastin-distributor">rogue pharmacy websites have recently been tied to counterfeit cancer drugs</a>. Some tainted versions were found to contain <a href="http://www.fiercepharmamanufacturing.com/story/fda-finds-filth-compounder-repackaging-avastin/2012-09-06">Streptococcus</a>. It is not believed that ICANN staff wants the DNS to be abused in such ways and has been clearly frustrated by an internal structure which did not appreciate the importance of the department or devote enough resources to it. Regardless, our analysis shows a staff unclear about actual policy, providing contradictory information, and going silent when asked tough questions. This in general has been a disheartening discovery process.
</p>
<p>
ICANN Compliance acknowledged in Sunday's meeting that it had several non-aligned ticketing systems and complaint submission interfaces without back-end processing or tracking. <a href="http://www.icann.org/en/resources/compliance/newsletter/newsletter-sep12-en.htm">It is responding to this problem by centralizing its complaint processes and significantly enhancing its reporting capacity</a>. Compliance is obviously trying to clarify its mission and build resources but is ultimately restricted by the fact that the RAA contract as written is <a href="http://www.circleid.com/posts/20120312_icanns_contract_not_enforceable_on_whois_accuracy/">unenforceable on WHOIS inaccuracy</a>. At this time correcting this gaping hole in the contract is <a href="https://community.icann.org/display/RAA/Negotiations+Between+ICANN+and+Registrars+to+Amend+the+Registrar+Accreditation+Agreement">not part of the current contract negotiations</a>. Any new contract will be just as <a href="http://www.circleid.com/posts/20120618_whois_review_and_beyond_378/">useless without a change in section 3.7.8</a>.
</p>
<p>
The new CEO should be applauded for his agenda and welcomed. Compliance should be encouraged in its mission. But as George Santayana famously said, "Those who cannot remember the past are condemned to repeat it." For us not to document these failings, regardless of the current improvements, would be irresponsible. Our full research document is here: <a href="http://knujon.com/Knujon_ICANN_compliance_eval_09192012.pdf">http://knujon.com/Knujon_ICANN_compliance_eval_09192012.pdf</a>
</p><p><em>Written by <a href="http://www.circleid.com/members/3296/">Garth Bruen</a>, Internet Fraud Analyst and Policy Developer</em></p>]]></description>
			<dc:date>2012-10-15T07:40:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>domain_names</category><category>icann</category><category>internet_governance</category><category>law</category><category>malware</category><category>policy_regulation</category><category>spam</category><category>whois</category>
		</item>
		
		<item>
			<title>European Privacy Authorities Object to ICANN Whois Proposals</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120928_european_privacy_authorities_object_to_icann_whois_proposals/</guid>
			<link>http://www.circleid.com/posts/20120928_european_privacy_authorities_object_to_icann_whois_proposals/</link>
			<description><![CDATA[<p>In response to a letter from ICANN's <a href="http://ncuc.org/">Noncommercial Users Constituency</a> (NCUC) to data protection authorities concerning overreaching requests of law enforcement agencies in ICANN's ongoing <a href="http://www.icann.org/en/news/announcements/announcement-5-24sep12-en.htm">Registrar Accreditation Agreement negotiations</a>, the <a href="http://ec.europa.eu/justice/policies/privacy/workinggroup/index_en.htm">Article 29 Data Protection Working Party</a> has written the ICANN Board. Their comments focused on two new requirements proposed by LEAs for domain name registrars, namely that they re-verify registrant contact details and that they retain registrant data for a period of two years after a contract for a domain has ended.
</p>
<p>
Regarding re-verification the Working Party noted that the problem of inaccurate WHOIS data can only be solved by addressing the unlimited public accessibility of private contact details in the WHOIS database. It also disagreed with the notion that the re-verification request originated from LEAs when the purpose of the WHOIS database is to facilitate contact about technical issues:
</p>
<blockquote><p><em>The fact that WHOIS data can be used for other beneficial purposes does not in itself legitimise the collection and processing of personal data for those other purposes.
</p>
<p>
The Working Party finds the proposed new requirement ... excessive and therefore unlawful.</em></p></blockquote>
<p>
Concerning data retention, the Working Party found the proposed specification to have very broad scope, suggesting it may well facilitate the collection of information like credit card data, Skype handles, and communication log files and registration data. They noted that the requirement did not stem from any legal requirement in Europe, but "is explicitly introduced by ICANN to accommodate wishes from law enforcement." As such,
</p>
<blockquote><p><em>The Working Party strongly objects to the introduction of data retention by means of contract issued by a private corporation in order to facilitate (public) law enforcement...</em></p></blockquote>
<p>
You can read the Working Party's entire letter <a href="http://www.circleid.com/pdf/20120926-scan-ICANN-letter-revised-final.pdf">here</a>.
</p><p><em>Written by <a href="http://www.circleid.com/members/2009/">Brenden Kuerbis</a>, Fellow in Internet Security Governance, Citizen Lab, Univ of Toronto</em></p>]]></description>
			<dc:date>2012-09-28T11:47:00-08:00</dc:date>
			<category>internet</category><category>domain_names</category><category>icann</category><category>internet_governance</category><category>policy_regulation</category><category>privacy</category><category>whois</category>
		</item>
		
		<item>
			<title>Is It About to Get Much Harder to Own a Domain Name?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120527_is_it_about_to_get_much_harder_to_own_a_domain_name/</guid>
			<link>http://www.circleid.com/posts/20120527_is_it_about_to_get_much_harder_to_own_a_domain_name/</link>
			<description><![CDATA[<p>Question: why has air travel become so painful? Because the threat posed by bad actors requires making everyone jump through hoops before letting them board a plane. To the point that, despite obvious requirements to ensure air safety, some are now openly questioning if the cure is not worse than the disease.
</p>
<p>
Registering a domain name could be about to go the same way. Simply put, the cops that police the Internet are working on some major hoops for domain owners. The disease they are taking aim at is cybercrime. Is their proposed cure a lot more hammer on nail than the precise surgical intervention needed to take the bad actors out of the equation without making life too difficult for law abiding citizens?
</p>
<p>
<strong>12 recommendations</strong>
</p>
<p>
For around a year now, registrars and ICANN, the entity that contracts them to sell domain names, have been locked in negotiations around a set of 12 "recommendations" originally made by law enforcement agencies (LEAs) such as the FBI or Interpol. Just over the last 3 months, both parties have engaged in 6 negotiating sessions, including 2 full days of face-to-face meetings that were, according to participants, physically exhausting. Registrars have not been taking this issue of cybercrime lightly&#8230;
</p>
<p>
In fact, most of the recommendations that LEAs have presented as being positive steps towards fighting cybercrime have been agreed to by registrars and are thus ready to be implemented into the new registrar contract that ICANN expects to enforce once the negotiations are ended.
</p>
<p>
But predicting when that might be is difficult, because both parties are now deadlocked over a couple of law enforcement asks that are, frankly, likely to significantly negatively impact the experience of registering a domain name.
</p>
<p>
The main point of contention is around the issue of verifying WHOIS data. This is the information &#8212; name, address&#8230; &#8212; that a domain registrant provides to the registrar and that is then posted in a public database. LEAs want this data verified, and that seems entirely reasonable. What appears less so is the proposed methodology.
</p>
<p>
<strong>Double checks</strong>
</p>
<p>
Facing strong pushback from registrars in earlier negotiations, ICANN has moved away from the idea of requiring WHOIS data to be verified <em>before</em> a domain goes live. But in agreeing to the principle of data verification post resolution (the action of making a domain work on the Internet, i.e. point to a website or email), ICANN is now asking registrars to verify two sets of data.
</p>
<p>
A registrar would have to ensure that both telephone and email data submitted is kosher. How? One example for phone verification could be sending SMS messages with a code that the domain owner would then have to enter online. Email verification would require a similar <em>"respond to the message we send to prove to us this address works"</em> approach.
</p>
<p>
Why are registrars baulking at this? Well, for one it is likely to make it more difficult for them to service customers outside their country. It will increase their processing costs, with expected rises in domain registration fees if these increases are passed on to customers. It may become a nightmare for those who register large quantities of domain names. Verification emails may get caught in spam filters, thereby preventing timely registration of domain names. And as is usually the case with heavy-handed blanket security measures, it is more likely to cause headaches to legitimate domain users than to deter cyber criminals. After all, a determined cyber criminal would have no problem passing these tests.
</p>
<p>
Registrars are not arguing against the obvious need to have good data in WHOIS. But they are advocating a more cautious approach. <em>"Let us test one of these two methods for a while instead of imposing both at the same time,"</em> they are saying, <em>"then let's all evaluate the impact both on the consumer experience and cybercrime."</em>
</p>
<p>
<strong>Keeping data personal</strong>
</p>
<p>
There is also the privacy issue. Among ideas being touted is an obligation on domain owners to provide a phone number as registrants (currently, only administrative and technical contacts are required to provide phone numbers).
</p>
<p>
Another is to re-verify data after a period of time, to make sure it has not gone "stale". A policy already exists with ICANN called WHOIS Reminder whereby registrars are obligated to send out yearly emails to domain owners (one per domain!) asking them to check their WHOIS data. Although currently domain owners are not required to act on the emails, they do cause confusion and anxiety amongst individuals who either do not understand why they are being targeted by these emails or tend to worry that they are in danger of losing their domain names.
</p>
<p>
Despite this, and the fact that the current policy has not been sufficiently reviewed to test its true efficacy, the suggestion is to go one step further. Active rechecking of the data would be required, and a domain name could be suspended if this step is not completed. That's right, fail to re-verify your WHOIS data because you either missed one email amongst the hundreds you get each day, or your spam filter blocked it, and you may end up with no website and emails!
</p>
<p>
Yet another privacy issue is a requirement that LEAs would impose on registrars to have them hold registration data for 2 years. This is simply illegal in some countries, where companies are forbidden by law to hold on to private data for such a long period of time.
</p>
<p>
<strong>Speak up!</strong>
</p>
<p>
It's important to stress that at this stage, all these ideas are just that. But should ICANN decide to enforce them on registrars, domain owners could be in for a really painful experience in years to come.
</p>
<p>
There will be public discussion sessions on the registrar/ICANN negotiations in Toronto, during the upcoming ICANN meeting (October 14 to 18). ICANN is calling for community comment during the ongoing negotiations and during these sessions.
</p>
<p>
So if you don't want your domain user experience to become more convoluted than air travel, then log in, dial in or turn up. And make yourself heard!
</p><p><em>Written by <a href="http://www.circleid.com/members/3498/">Stéphane Van Gelder</a>, Chairman, STEPHANE VAN GELDER CONSULTING</em></p>]]></description>
			<dc:date>2012-09-27T09:25:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>domain_names</category><category>icann</category><category>policy_regulation</category><category>whois</category>
		</item>
		
		<item>
			<title>Top&#45;Level Domain Survey Findings Not Surprising, But Still Concerning</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/201209005_top_level_domain_survey_findings_not_surprising_but_concerning/</guid>
			<link>http://www.circleid.com/posts/201209005_top_level_domain_survey_findings_not_surprising_but_concerning/</link>
			<description><![CDATA[<p>MarkMonitor recently completed a survey of our corporate client base in an effort to uncover important domain name trends relating to defensive domain name registrations, New gTLDs, and Whois accuracy.
</p>
<p>
Not surprisingly, the survey revealed that over 90% of corporate portfolios currently consist of defensive registrations.
</p>
<p>
The survey also revealed that New gTLDs are of significant concern to large corporations. Fifty-five percent of the respondents stated that New gTLDs will create opportunities for brand harm or confusion. And just over half stated that their online policing efforts will need to increase. Interestingly enough, about 75% of the respondents do not expect to use new gTLDs for core websites and over a third are not sure what to do with their domain portfolios in response to new gTLDs.
</p>
<p>
When asked about the accuracy of Whois (domain name ownership information), 4 out of 5 respondents stated that they encounter fraudulent or inaccurate information at least monthly and one in four stated that they encounter fraudulent or inaccurate information more than once a day. Additionally, the survey revealed that 85% of those who consult Whois more than once a day encounter fraudulent or inaccurate information every day and only 15% are usually able to obtain correct information for sites with fraudulent/inaccurate Whois data.
</p>
<p>
While the results of the survey were in no way surprising, they are concerning and raise a number of important questions such as:
</p>
<ul><li>Will the practice of defensive registrations continue in light of new gTLDs, or are New gTLDs the straw that broke the camel's back?</li>
<li>Just how much cyber-squatting will we see in the new gTLDs when registries launch at the end of next year or in early 2014?</li>
<li>Will ICANN ever be able to make meaningful changes to improve accuracy of Whois?</li></ul>
<p>
These are tough questions, but fortunately some of the answers will become clearer in the coming months and years.
</p>]]></description>
			<dc:date>2012-09-05T11:55:01-08:00</dc:date>
			<category>internet</category><category>cybersquatting</category><category>domain_names</category><category>icann</category><category>top_level_domains</category><category>whois</category>
		</item>
		
		<item>
			<title>A Confession About The ICANN WHOIS Data Reminder Policy</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120719_a_confession_about_icann_whois_data_reminder_policy/</guid>
			<link>http://www.circleid.com/posts/20120719_a_confession_about_icann_whois_data_reminder_policy/</link>
			<description><![CDATA[<p>With all the recent attention to WHOIS, it's time for a confession: I'm somewhat guilty for the infamous <a href="http://www.icann.org/en/resources/registrars/consensus-policies/wdrp">WHOIS Data Reminder Policy</a>. With hindsight, it's a bad policy, and it needs to die.
</p>
<p>
The year was 2002. ICANN's DNSO (soon to be renamed as the GNSO) had a WHOIS Task Force, and was trying to extract policy choices from an ill-conceived and worse-executed survey of assorted self-selected stakeholders. As today, the topics at hand included privacy protections, compliance (and graduated sanctions for non-complying registrars), and accuracy of WHOIS records.
</p>
<p>
To get the discussion going, I threw a few of the proposals that had come up in the survey into a draft report as straw men; I probably made up a few more policy proposals out of whole cloth. Alas, there it was: The seemingly-innocuous concept that having an annual data reminder might be good customer service, and that it might somehow help to increase data accuracy. Next to graduated sanctions and other proposals on the table at the time, this idea had the attraction of <a href="http://en.wikipedia.org/wiki/Politician's_syllogism">saving face</a> in the accuracy area, while not being an obviously bad idea by the standards of that particular task force. And so we inflicted it on the gTLD registrars and registrants of the world. And on ICANN's not-yet nascent compliance department.
</p>
<p>
The policy appears to be implemented by most registrars in the form of an e-mail notification to registrants (even though it doesn't have to be in email). By definition, these notifications include almost entirely public information. They're therefore a first-rate phishing vector: For example, send a notification with slightly (but embarrassingly) wrong WHOIS data, give a link to fix the data, and hope that people will click that link and hand over the credentials that they're using to manage their registration.
</p>
<p>
More generally, this policy exhibits a few flaws that are symptomatic for the broken policy process of the time: It micro-managed a particular piece of registrars' interactions with their customers. It didn't have a sunset date. It had no clear success metrics (e.g., number of corrections traceable to notices) that would have permitted ICANN to phase it out if unnecessary. It had no proper review for its security impact on registrants.
</p>
<p>
Even the <a href="http://www.icann.org/en/about/aoc-review/whois/final-report-11may12-en.pdf">WHOIS Review Team</a> acknowledges that the policy is probably ineffective.
</p>
<p>
It's time for the GNSO to propose to the Board to repeal this policy. Should be a slam dunk of a task force.
</p>
<p>
<em>Originally posted on my <a href="http://roessler.posterous.com/a-confession-about-the-icann-whois-data-remin">personal blog</a>.</em>
</p><p><em>Written by <a href="http://www.circleid.com/members/557/">Thomas Roessler</a>, Mathematician</em></p>]]></description>
			<dc:date>2012-07-19T09:44:00-08:00</dc:date>
			<category>internet</category><category>icann</category><category>whois</category>
		</item>
		
		<item>
			<title>Accountability, Transparency, and&#8230; Consistency?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120627_accountability_transparency_andconsistency/</guid>
			<link>http://www.circleid.com/posts/20120627_accountability_transparency_andconsistency/</link>
			<description><![CDATA[<p>ICANN Compliance now has two conflicting answers on record concerning the enforceability of RAA 378 on WHOIS inaccuracy. This is a topic of extreme importance and one <a href="http://www.circleid.com/posts/20120618_whois_review_and_beyond_378/">we are trying to get to the bottom of</a>. In response to the WHOIS Policy Review Team ICANN Compliance stated (on page 79): <a href="http://www.icann.org/en/about/aoc-review/whois/final-report-11may12-en.pdf">"there is no requirement in the RAA for registrars to ensure that WHOIS data is accurate"</a> which is in line with the Review Team's own findings that "If data is found to be intentionally false registrars are not obligated to cancel the registration." However, in response to a <a href="https://community.icann.org/display/atlarge/At-Large+Compliance+Questions+for+Prague+Workspace?focusedCommentId=34605706#comment-34605706">request to clarify</a> this issue ICANN Compliance stated in a presentation in Prague that "<a href="https://community.icann.org/download/attachments/34606099/ICANN+44+-+Contractual+Compliace+-+ALAC.pptx">ICANN is authorized to breach a registrar for failure to delete or failure to correct inaccurate whois</a>". This Compliance statement is also in direct conflict with Compliance's advisory on the subject which states "<a href="http://www.icann.org/en/news/announcements/advisory-03apr03-en.htm">[the RAA] does not require a registrar to cancel a registration.</a>" Compliance was asked in session to cite the specific authority which allows them to "breach a registrar for failure to delete" <a href="http://audio.icann.org/meetings/prague2012/alac-regional-4-24jun12-en.mp3">but their answer did not address the question</a>. This inconsistency needs to be resolved as it directly impacts the current RAA negotiations and certainly before new gTLDs are deployed.
</p>
<p>
This was not the only conflicting information which came out of the <a href="http://prague44.icann.org/node/31569">At-Large and Compliance meeting in Prague</a>. In this discussion Compliance staff repeatedly asks At-Large representatives to cite specific examples of problems, but when a question concerning certain complaints (<a href="http://audio.icann.org/meetings/prague2012/alac-regional-4-24jun12-en.mp3">at minute 01:19:27</a>) is asked, the room goes silent. To further the point, a specific case concerning <a href="http://knujon.com/PRAGUE_icann_378_fail_BIZCN_061612.pdf">BizCN</a> is read aloud but not addressed specifically by Compliance. Compliance presented a number of process enhancements and improvements in automation at this meeting but the issue on the table was actual enforcement of the contract which seems to be lacking. Setting the tone for this missing enforcement was the <a href="http://www.circleid.com/posts/20120618_whois_review_and_beyond_378/#8960">apparent removal from ICANN's website</a> of a flowchart entitled "<a href="http://www.knujon.com/compliance-flowchart.gif">ICANN Compliance Program for Registries and Registrars</a>" which had no enforcement phase documented in the flow, only complaint dismissal, closure and circular shuffling. However, this has been replaced with three <a href="http://www.icann.org/en/resources/compliance/approach-processes">new charts</a> which show significant improvement in stated process. Unfortunately, the question is still open as to whether these processes will actually be used as stated. So far we do not have a good track record of real follow-through. The three legs of Compliance are <a href="http://www.icann.org/en/resources/compliance">Prevention through collaboration, Transparency through communication, and Enforcement</a>. But it feels like this chair is going to drop us on the floor.
</p><p><em>Written by <a href="http://www.circleid.com/members/3296/">Garth Bruen</a>, Internet Fraud Analyst and Policy Developer</em></p>]]></description>
			<dc:date>2012-06-27T14:11:01-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>domain_names</category><category>registry_services</category><category>icann</category><category>internet_protocol</category><category>policy_regulation</category><category>security</category><category>spam</category><category>top_level_domains</category><category>whois</category>
		</item>
		
		<item>
			<title>Is IPv6 a Boon to Criminals and Foe to the FBI?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120622_is_ipv6_a_boon_to_criminals_and_foe_to_the_fbi/</guid>
			<link>http://www.circleid.com/posts/20120622_is_ipv6_a_boon_to_criminals_and_foe_to_the_fbi/</link>
			<description><![CDATA[<p><a href="http://www.cnet.com/profile/declan00/" rel="author">Declan McCullagh</a> recently opined that the "<a title="CNET Article" href="http://news.cnet.com/8301-1009_3-57453738-83/fbi-dea-warn-ipv6-could-shield-criminals-from-police/">FBI [and the] DEA warn [that] IPv6 could shield criminals from police</a>." His post was picked up <a title="re-posted on The Verge" href="http://www.theverge.com/2012/6/20/3098246/fbi-dea-ipv6-traceability-legislation">relatively</a> <a title="re-posted on MSNBC" href="http://www.technolog.msnbc.msn.com/technology/technolog/fbi-worried-new-ip-scheme-could-hinder-law-enforcement-830644">widely</a> in the past few days, with the headlines adding <a title="FBI wants to ban new Internet protocol on RT" href="https://rt.com/usa/news/fbi-internet-protocol-ipv6-212/">more hyperbole</a> along the way. So just how real is this threat? Let's take a look.
</p>
<p>
<strong>The Claim</strong>
</p>
<p>
The issue being discussed here is really all about RIR (Regional Internet Registry) Whois database accuracy. The RIR Whois databases contain the records of who holds what IP addresses, down to a level of granularity dependent on that RIR's specific policies. When law enforcement agencies like the FBI, DEA, and RCMP want to find out who was using an IP address (say to post child pornography or host an illegal prescription sales website) at a given time, they first go to Whois to determine who is responsible for the network that IP address belongs to. If everything is as it should be, Whois will provide the name (and contact info) of the responsible party. "Responsible party" in this context means the organization responsible for the network that the offending IP address belongs to. This is typically either the enterprise which holds that network directly, or the ISP whose customer is using the address. When law enforcement officials get the party directly responsible for that specific IP address from Whois, they are able to obtain and serve warrants most efficiently. In cases where Whois information is stale (out of date) or not granular enough (perhaps Whois lists the ISP of the ISP of the ISP of the person using the IP address), they must embark on a goose chase of sorts, obtaining and serving warrant after warrant as they work down the chain to the responsible party who should have been listed in Whois in the first place.
</p>
<p>
The hypothesis being presented is that IPv6 Whois information will be less accurate than IPv4 Whois information, causing more of those wild goose chases and ultimately making it harder for law enforcement to track criminals by IP address. The rationale behind this claim is basically that Internet number registrants (ISPs and others who hold AS numbers and IP addresses) only update Whois in order to receive more addresses from the RIR. Since IPv4 has been known to be an ultimately scarce resource since as far back as the early 1990s, IPv4 addresses have been handed out in relatively small chunks. This requires organizations who consume lots of addresses, like ISPs and data-centers, to come back to the RIRs and request more IPv4 addresses with great regularity. Because the RIRs will not grant addresses to organizations who are out of compliance with RIR policy, this in effect forces such organizations to keep their Whois records up to date. In the brave new world of IPv6, things have changed. Since the IPv6 addressing space is effectively some <a title="How Much IPv6 is There? - Click the link and check my math!" href="http://chrisgrundemann.com/index.php/2009/how-much-ipv6-is-there/">16 million to 17 billion times larger</a> than IPv4, RIRs are handing out IPv6 in much larger blocks, allowing these very same organizations to come back to the well much less frequently and perhaps never at all. This is great for network address planning and route aggregation but not so great for Whois database accuracy if you believe that folks only make updates in order to get more addresses.
</p>
<p>
<strong>The (Recent) History</strong>
</p>
<p>
I think we should first realize that this is not a new story. I have personally been <a title="Annual WHOIS POC Validation" href="http://chrisgrundemann.com/index.php/2008/annual-whois-poc-validation/">working on this subject</a>, often with members of <a title="WHOIS reform and the AGWG" href="http://chrisgrundemann.com/index.php/2010/whois-reform-agwg/">the FBI and the RCMP</a>, for around four years now. I am, by far, not the first champion of Whois accuracy, as registration requirements have been present in RIR policy since the very beginning. I have however contributed to some of the more recent reforms directly related to IPv6 and law enforcement's ability to use IP addresses and Whois to track down criminals as quickly and efficiently as possible, without infringing on anyone's individual or organizational rights. In these past four years we have seen some major "wins" for Whois database accuracy.
</p>
<p>
The first happened in the <a title="American Registry for Internet Numbers" href="http://www.arin.net">ARIN</a> region with the <a title="Policy 2008-7 Adopted" href="http://chrisgrundemann.com/index.php/2009/policy-2008-7-adopted/">adoption of draft policy 2008-7</a>, which was eventually implemented by ARIN in the second half of 2010. This policy requires ARIN staff to conduct an <a title="Whois POC Validation" href="https://www.arin.net/resources/services/poc_validation.html">annual Whois POC validation</a> during which all POC (Point Of Contact) records in <a title="Search ARINs Whois" href="http://whois.arin.net/ui/advanced.jsp">ARIN's Whois database</a> are verified via response to <a title="Annual Whois POC Validation Emails from ARIN" href="http://chrisgrundemann.com/index.php/2010/annual-whois-poc-validation-emails-arin/">an email message</a>. In the context of today's discussion, this means that every single POC in ARIN's Whois is contacted and asked to make updates every year, regardless of their organization's need for more addresses. This is true for POCs associated with IPv4 and/or IPv6 records.
</p>
<p>
The second victory came with the adoption and subsequent <a title="New Policies Implemented at ARIN! (NRPM 2011.4)" href="http://chrisgrundemann.com/index.php/2011/policies-implemented-arin-nrpm-20114/">implementation of ARIN-2010-14</a> in mid-2011. ARIN-2010-14 encompassed fairly sweeping changes to the ARIN policies regarding Whois data for both IPv4 and IPv6. The key reforms directly associated with criminal traceability in IPv6 were threefold: First, to require that all static IPv6 assignments to downstream organizations be recorded in Whois. Second, to define the organizational information required in Whois as: legal name, full physical address, and at least two POCs (both with a verifiable email address and phone number). Third, and perhaps most importantly, to specifically allow ARIN to conduct resource reviews if an organization fails to maintain accurate and complete Whois records (including downstream assignments to other organizations).
</p>
<p>
Most recently (and further south) we scored another win for global Whois data accuracy when the <a title="Latin American and Caribbean Internet Addresses Registry" href="http://www.lacnic.net">LACNIC</a> community approved <a title="LAC-2012-02 in english [pdf]" href="http://lacnic.net/documentos/politicas/lac-2012-02-EN-v2.pdf">LAC-2012-02</a> following <a title="LACNIC XVII" href="http://lacnic.net/en/eventos/lacnicxvii/">LACNIC XVII</a> in May 2012. This policy was crafted based on the reforms in ARIN-2010-14 following <a title="IP Address Responsibility" href="http://www.scribd.com/doc/67899771/IP-Address-Responsibility">a brief presentation I gave</a> at the October 2011 LACNIC meeting. The key difference is that the LACNIC policy sets the boundary for downstream IPv6 assignments at /48 rather than /64. This effectively means that while ARIN policy requires <strong>all</strong> static IPv6 assignments to be recorded in Whois, in the LACNIC region only assignments larger than a /48 prefix must be registered.
</p>
<p>
There have obviously been great strides, within the ARIN region and elsewhere, with regard to Whois data accuracy in the past few years, but there has been at least one setback as well. Draft policy <a title="ARIN-2011-7 text and history" href="https://www.arin.net/policy/proposals/2011_7.html">ARIN-2011-7</a> was recently abandoned by the ARIN AC after not gaining clear consensus among the ARIN community. This proposed policy change would have supplied some added clarity and additional tools to ARIN's Whois data enforcement abilities.
</p>
<p>
<strong>The Current (IPv6) Situation</strong>
</p>
<p>
Perhaps even more important than tallying the recent wins and losses is understanding the current state of affairs more clearly.
</p>
<p>
The first thing to realize is that this is not just a law enforcement issue. Accurate Whois information is extremely helpful in all sorts of abuse reporting which happens directly between network operators. The very same wild goose hunts that can plague LEAs can cost Internet connected businesses substantial amounts of time and money. Not to mention the fact that knowing you can be easily identified regardless of your physical location would likely have a chilling effect on abuse in the first place.
</p>
<p>
The next thing to realize is that this is not just a U.S. or Canadian issue. Internet users (including the nefarious types) span the globe. IP addresses are used all over this planet. Five distinct Whois databases for Internet numbers are operated by the five individual RIRs representing the various regions of our world. In order to understand where we are today, we need to examine all five RIRs' policies on Whois and re-assignment registration.
</p>
<p>
Working alphabetically, <a title="The Internet Numbers Registry for Africa" href="http://www.afrinic.net/">AFRINIC</a> is the first RIR. <a title="IPv6 Address Allocation and Assignment Policy - AFRINIC" href="http://www.afrinic.net/index.php/en/library/policy-documents/current-policies/122-afpub-2004-v6-001">AFRINIC's IPv6 policy</a> has a section titled "5.5. Registration" which simply requires that all organizations holding IPv6 addresses must register all downstream assignments larger than a /48 in the "AFRINIC database." Their policy further states that this data will be used "to calculate the HD-Ratio at the time of application for subsequent allocation and to check for changes in assignments over time" and does not appear to have any additional auditing or 'enforcement' mechanisms in place (although they do encourage the inclusion of an <a title="Abuse Contact Information in the AfriNIC service region" href="http://www.afrinic.net/index.php/en/library/policy-documents/current-policies/698-abuse-contact-information-in-the-afrinic-service-region">abuse contact</a>).
</p>
<p>
<a title="Asia Pacific Network Information Centre" href="http://www.apnic.net/">APNIC</a> has a very similar registration policy to AFRINIC's. Theirs is titled "<a title="IPv6 address allocation and assignment policy - APNIC" href="http://www.apnic.net/policy/ipv6-address-policy#5.6">5.6. Registration</a>" and also requires all downstream assignments of /48 or larger to be "registered in an RIR/NIR database" and they also state that "RIR/NIRs will use registered data to calculate the HD-Ratio at the time of application for subsequent allocation and to check for changes in assignments over time." However, there is a key difference in the APNIC policy. "Organizations that receive an allocation from APNIC can choose whether or not their customer assignment registrations should be publicly available." So while APNIC address holders must register reassignments, that info does not have to be viewable in Whois. They do require (<a title="APNIC prop-079: Abuse contact information" href="http://www.apnic.net/policy/proposals/prop-079">since late 2010</a>) the registration of an "Incident Report Team (IRT) object for each allocation and assignment record in the APNIC Whois Database." This object provides abuse contact information.
</p>
<p>
We have discussed <a title="ARIN NRPM Section 6.5.5. [IPv6] Registration" href="https://www.arin.net/policy/nrpm.html#six55">ARIN's IPv6 registration policy</a> already, since it was re-written by ARIN-2010-14, but to keep it simple let's cover the basics: ARIN's policy states that all static IPv6 assignments of a /64 or larger must be registered publicly within 7 business days of being made. Further, these "reassignment registrations" must include the pre-defined "organizational information" of name, address, and two POCs - unless the assignment is to an individual residential customer (for privacy protection). Finally, ARIN is granted the ability to conduct a "<a title="Resource Review - ARIN" href="https://www.arin.net/policy/nrpm.html#twelve">resource review</a>" specifically "whenever ARIN has reason to believe that an organization is not complying with reassignment policies."
</p>
<p>
LACNIC is another one that we covered above. Post-LAC-2012-2 <a title="IPv6 Address Allocation and Assignment Policies - LACNIC" href="http://lacnic.net/en/politicas/manual5.html">LACNIC's IPv6 policies</a> (yet to be updated with the new text) will include a revised section "4.5.6. Registration" which states that all assignments of /48 or larger must be visible in Whois within 7 days of issue and that those registrations "must include the organization's name; address; administrative contact, technical contact, and contact in case of abuse, with their updated telephone numbers and email addresses" except again in the case of residential customers. While LACNIC's policy is not as clearly specific to reassignment registrations as ARIN's is, they do have a provision stating that a "breach of LACNIC policies" (presumably including registration policies) may be used as evidence to "initiate the <a title="RESOURCE RECOVERY - LACNIC" href="http://lacnic.net/en/politicas/manual7-1.html">resource recovery</a> process."
</p>
<p>
Finally we turn to <a title="RIPE Network Coordination Centre" href="http://www.ripe.net">RIPE NCC</a>, the final RIR alphabetically speaking. <a title="IPv6 address allocation and assignment policy - RIPE NCC" href="https://www.ripe.net/ripe/docs/ripe-552">RIPE's IPv6 policy</a> has a familiarly titled section "5.5 Registration," which requires quite simply: "When an organisation holding an IPv6 address allocation makes IPv6 address assignments, it must register these assignments in the appropriate RIR database." However, it does go on to qualify that assignments smaller than a /48 can be aggregated and simply indicate the "size of the individual assignments made to End Users." I am unaware of any auditing/review or 'enforcement' policies at RIPE NCC but they do allow for an optional "IRT (Incident Response Team) object."
</p>
<p>
<strong>The Other (IPv4) Side</strong>
</p>
<p>
We've taken a fairly in-depth view of IPv6 Whois policy around the world, including some of the most recent reforms. But all of that is hard to judge in a vacuum. What about the other side of this comparison? If IPv6 really is (going to be) worse for tracing criminals, what is it worse than? To answer that we must take a look at IPv4 traceability. I mentioned in the opening section of this post that IPv4 Whois accuracy has benefited from the constant and frequent return of many organizations to ARIN and the other RIRs for additional addresses. There are however two major factors that work against Whois accuracy in IPv4.
</p>
<p>
One of these challenges is the "legacy" or "swamp" IPv4 address space. This problem affects folks in the ARIN region the worst, since most of this so-called legacy address space resides within the ARIN service region, but there is legacy space under the oversight of other RIRs as well. The problem with legacy space as it relates to Whois accuracy is twofold: First, legacy address holders received their assignments and/or allocations before the current RIR system was in place (that's what makes them "legacy" registrations). This is problematic because it means that many of these organizations have no relationship with their RIR. This in turn means that while "regular" address holders pay dues every year (i.e. must be in contact with the RIR at least once a year), many legacy registrants have no contact at all with any RIR. With no formal relationship ever established, there is no way for the RIR to know if the organization is still using the addresses or if they even exist at all (the annual Whois POC validation policy was created in large part to help resolve this lack of contact issue). Second, legacy allocations were made during the period of <a title="Classful Network - Wikipedia" href="https://en.wikipedia.org/wiki/Classful_network">classful</a> addressing. The effect of this that concerns us here is that many legacy allocations were far larger than what the organization truly needed at the time, thus they have never needed to come back to the RIRs for more addresses. Now, this may or may not be an impactful issue but it certainly puts them in the same boat with IPv6 address holders from that perspective - and legacy allocations are a significant portion of the <a title="IANA - IPv4 Address Space" href="https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml">total IPv4 address space</a>.
</p>
<p>
The other primary challenge to criminal tracing in IPv4 is <a title="IPv4 Address Exhaustion - Wikipedia" href="https://en.wikipedia.org/wiki/IPv4_address_exhaustion">the imminent exhaustion of free IPv4 addresses</a>. This is actually causing two new phenomena which have the potential to make IPv4 address based identification much more difficult: The emergence of CGN (<a title="CGN :: Observations &amp; Recommendations" href="http://chrisgrundemann.com/index.php/2012/cgn-observations-recommendations/">Carrier Grade NAT</a>) as an IPv4 life-extension technology and the emergence of IPv4 address transfers as a CGN avoidance technique. CGN means that multiple users share a single IP address. While not directly related to Whois data accuracy, this will make IPv4 users increasingly harder to identify and track down. The more users that are forced to share a single address, the harder identification becomes (along with <a title="NAT444 (CGN/LSN) and What it Breaks" href="http://chrisgrundemann.com/index.php/2011/nat444-cgn-lsn-breaks/">other problems</a> related to <a title="IP Address Reputation Primer" href="http://www.circleid.com/posts/ip_address_reputation_primer/">IP address reputation</a> and port consumption, etc.). More on this challenge can be found <a title="Why the FBI wants IPv6: It's better for tracking criminals" href="http://gcn.com/articles/2012/06/07/fbi-wants-ipv6-hard-to-track-ipv4-with-nat.aspx">here</a> and (perhaps surprisingly) <a title="FBI's CGN problem: the technical details" href="http://news.cnet.com/8301-1009_3-57445157-83/fbi-new-internet-addresses-could-hinder-police-investigations/?tag=mncol;topStories">here</a>. On the other hand, the transfer of IPv4 addresses will hopefully not cause too much disturbance to Whois data accuracy, and may actually improve it if done properly. Unfortunately it could also cause chaos and confusion if profiteers are able to set up even quasi-successful "alternate registries."
This is a vast topic in its own right so I won't go any further here other than to say that having multiple conflicting Whois databases is obviously not a good thing for abuse reporting and law enforcement.
</p>
<p>
<strong>The Bottom Line</strong>
</p>
<p>
There are two preliminary conclusions to be drawn from all of this:
</p>
<ul><li>Tracing criminals using IPv4 is no bed of roses and it's getting worse.</li>
<li>IPv6 Whois policies exist and they're getting stronger.</li></ul>
<p>
Beyond that, we can also see that coming back to get more addresses is only one touch point between address holders and the RIRs who maintain these invaluable Whois databases. Regular billing cycles and recurring Whois POC validations are two others that will actually be more efficient in IPv6 due to the absence of "legacy" registrants. Resource reviews and ultimately reclamations are another potentially effective (albeit much more drastic) tool available to the RIRs. Weigh this against the impending age of IPv4 CGN and address transfers, add in the increasingly formalized Whois registration policies, and I think we can likely agree that abuse reporting and criminal tracing based on IP address will very likely actually be better in the future with IPv6 than it is today with IPv4.
</p>
<p>
Even so, we can all help ensure that the future is much better, rather than marginally better, by continuing to reform Whois registration policies in all five regions. From my perspective as I write this, sitting at my desk where much of its current text was written, ARIN has set the benchmark for Whois policy today. One of our first steps should be to bring the other four regions' policies as close to that mark as possible. Of course the reason we have five regional registries rather than one global registry is to accommodate local differences, so alignment will never be perfect, but we can continue working in the right direction. I send kudos and congratulations to the folks at LACNIC who recently did just that and I offer my assistance to folks in other regions who want to do the same.
</p>
<p>
No one and no thing is perfect though, and ARIN's Whois policy is no exception. There are pieces of the failed ARIN-2011-7 that need to be resurrected and submitted again, and other pieces that need to be revisited and reconsidered. Other, new policies are likely needed as well. One of the primary areas of further exploration needs to be policy enforcement, or even better, incentivising policy compliance. While all the RIRs have policies regarding Whois data accuracy, which are likely to grow stronger over time, they lack a strong enforcement mechanism. Yes, there is the ability to revoke addresses for non-compliance, but no RIR is likely to yank addresses from hundreds or possibly thousands of innocent parties simply because their ISP failed to update downstream assignments in Whois. So how do we ensure that even the laziest of engineers at the most lackadaisical organizations always update their Whois data properly? Answering that question will not be easy but is necessary if we are to avoid imposition of solutions from above upon the Internet community (something no one wants, including the folks at the FBI). Perhaps Internet service providers can provide effective enforcement of Whois policies by peer pressure, or perhaps other mechanisms are needed. In either case I have full confidence in the many bright and capable minds now working on Internet numbering policy. Who knows, it may even be you who solves this final puzzle.
</p>
<p>
So, bottom line: Is there work still to be done? Absolutely, plenty to go around. Is IPv6 a major threat to law enforcement? No, and it's only getting better.
</p><p><em>Written by <a href="http://www.circleid.com/members/6756/">Chris Grundemann</a>, Network Architect, Author, and Speaker</em></p>]]></description>
			<dc:date>2012-06-22T08:39:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>internet_governance</category><category>internet_protocol</category><category>ip_addressing</category><category>ipv6</category><category>policy_regulation</category><category>regional_registries</category><category>security</category><category>whois</category>
		</item>
		
		<item>
			<title>WHOIS Review and Beyond 3.7.8</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120618_whois_review_and_beyond_378/</guid>
			<link>http://www.circleid.com/posts/20120618_whois_review_and_beyond_378/</link>
			<description><![CDATA[<p>We have posted our support of the <a href="http://www.icann.org/en/news/announcements/announcement-11may12-en.htm">WHOIS Policy Review Team Report</a> with <a href="http://forum.icann.org/lists/whois-rt-final-report/msg00013.html">two important comments</a>. First, on page 79 of the <a href="http://www.icann.org/en/about/aoc-review/whois/final-report-11may12-en">report it is confirmed that the RAA is unenforceable</a> on WHOIS inaccuracy (<a href="http://www.circleid.com/posts/20120312_icanns_contract_not_enforceable_on_whois_accuracy">we wrote about this while at the last ICANN meeting</a>) because the language of RAA 3.7.8 has no enforcement provision. It is now time for ICANN to confirm this problem officially. ICANN, governments, and private researchers have poured resources into addressing the inaccuracy problem but the issue is ultimately unfixable under the existing contract. This issue cannot be understated; 3.7.8 is the crossroads of public participation. At the moment enforceability is completely at the discretion of the sponsoring Registrar, outside of ICANN even. The failure of 3.7.8 precludes the goal of ensuring accountability, transparency and the interests of global Internet users so cherished in the <a href="http://www.icann.org/en/about/aoc-review">Affirmation of Commitments</a> as it robs the community of a meaningful grievance process.
</p>
<p>
However, the real problem with the contract is even more insidious. One only needs to view the <a href="http://www.icann.org/en/resources/compliance/flowchart">ICANN Compliance "workflow"</a> to see a kind of <a href="http://en.wikipedia.org/wiki/Sisyphus">Sisyphean pattern</a>. There is no "enforcement" end to the loop; the only terminating points in the "<a href="http://www.icann.org/en/resources/compliance/flowchart">ICANN Compliance Program for Registries and Registrars</a>" are dismissal or closure of the complaint. Issuing of breach notices is not part of the process and contracted parties are only mentioned in passing. The process, as it is, only provides a potentially endless cycle of a complainant submitting "additional information." If this flowchart is a true representation of the duties of Compliance, it exists only to shuffle paper.
</p>
<p>
We end with two major problems. First, the contract is unenforceable on WHOIS accuracy, which is the foundation of trust between ICANN and the Internet user. Second, there is apparently no capacity within the organization to enforce the other portions of the contract: contractual and organizational failure. We will be publishing nine case studies which demonstrate the systemic breakdown of Internet enforcement next week. RAA 378 is the crossroads of public participation: the ability of actual Internet consumers to bring grievances to the operators of the Domain Name System. Is this an Internet we all participate in or an Internet which is imposed on us? As long as 378 is a phantom we are living with an imposed Internet.
</p><p><em>Written by <a href="http://www.circleid.com/members/3296/">Garth Bruen</a>, Internet Fraud Analyst and Policy Developer</em></p>]]></description>
			<dc:date>2012-06-18T11:18:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>dns</category><category>domain_names</category><category>icann</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>spam</category><category>whois</category>
		</item>
		
		<item>
			<title>ICANN Gets Crazy&#8230; Again!</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120605_icann_gets_crazy_again/</guid>
			<link>http://www.circleid.com/posts/20120605_icann_gets_crazy_again/</link>
			<description><![CDATA[<p>The same thing happens before every ICANN meeting. It starts raining. Not men, as the song goes, or droplets of H2O. It starts raining documents.
</p>
<p>
In the run-up to one of its three-a-year international meetings, ICANN goes into hyperdrive. And this time, days before the Prague meeting (from the 24th to the 29th), the usual downpour has turned into a veritable deluge.
</p>
<p>
Let's just take June 4th as an example. On that single day, ICANN has published the following:
</p>
<ul><li>An independent report on ICANN Board conflicts of Interest (22 pages).</li>
<li>An update to the Registrar Accreditation Agreement (RAA) negotiations (10 documents, a total of 87 pages).</li>
<li>A roadmap to the implementation of a new technical policy (SAC 051) on WHOIS (19 pages).</li>
<li>A preliminary issues report on protecting International Governmental Organisations (IGOs) in the new gTLD program (55 pages).</li>
<li>An update to the new gTLD Applicant Guidebook (338 pages).</li>
<li>A request for community input on ICANN's strategic plan from 2013 to 2016, which at minimum requires reading of the 17 page current strategic plan document covering 2012 to 2015.</li>
<li>A report on the feasibility of a survey on WHOIS proxy and privacy (2 documents, a total of 158 pages).</li>
<li>An initial report (yes, there's more to come!) on a new policy for transferring domain names between registrars (61 pages).</li></ul>
<p>
Do the maths. That's at the very least 757 pages of stuff to read! Given those facts, any sane person can only have one reaction: that's no way to run an organisation! Especially one tasked with overseeing the technical well-being of the Internet!!
</p>
<p>
Because I chair one of ICANN's major policy making bodies, the GNSO, I have been raising the alarm on this for a while now. But my cries of "stop, please stop&#8230; no more, we can't take anymore" have apparently fallen on deaf ears. In fact, as Prague shows, the trend is actually towards more and more, not less and less.
</p>
<p>
This puts Internet policy at risk.
</p>
<p>
ICANN works through volunteers. The 22-person GNSO Council is made up of people giving up their free time. Same goes for the Board (although Board members are eligible for a small compensation), the other policy making bodies and the "advisory committees" that also participate in the ICANN process.
</p>
<p>
Volunteers all. Volunteers who have real jobs, real lives&#8230; and who will be tempted to just skim over just some of the documents that I have listed above. Yet most, if not all of the above are crucial to the policy decisions that ICANN makes.
</p>
<p>
The result: policies risk being drawn up by people who simply cannot process all the information that's thrown at them in the few days before an ICANN meeting.
</p>
<p>
And let's face it, the fact that ICANN cannot get itself organised to have a steady feed of documents throughout the year, rather than a major rush of them in the two weeks before an ICANN meeting, doesn't say much good about the organisation that's supposed to make sure the Internet's addressing and naming systems are a-ok.
</p>
<p>
It's time to fix ICANN's pre-meeting verbal diarrhoea. Before it makes the organisation as a whole, and not just the corps of volunteers that make it work, retch in permanent disgust.
</p><p><em>Written by <a href="http://www.circleid.com/members/3498/">Stéphane Van Gelder</a>, Chairman, STEPHANE VAN GELDER CONSULTING</em></p>]]></description>
			<dc:date>2012-06-05T08:21:00-08:00</dc:date>
			<category>internet</category><category>domain_names</category><category>icann</category><category>internet_governance</category><category>policy_regulation</category><category>top_level_domains</category><category>whois</category>
		</item>
		
	</channel>
</rss>