This session will share highlights of important industry policy developments that will affect your online domain name, brand protection, and cybersecurity strategies.

Expert Gretchen Olive, CSC vice president of policy, will bring webinar participants up to speed on:

  • WHOIS updates - Status of Registration Data Policy and implementation of NEW Registration Data Request Service

  • Mitigation of DNS Abuse efforts by ICANN

  • Timing of Round 2 of New gTLD Program


Receive a free consultation or learn more about our services.

Contact us 


Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo. To set up a live demo or to request more information, please complete the form to the right. Or if you are currently not on CSC Global, there is a link to the website in the description of this video. Thank you.

Christy: Hello, everyone, and welcome to today's webinar, "ICANN 78: Insights from the meeting in Hamburg, Germany." My name is Christy DeMaio Ziegler, and I will be your moderator.

Joining us today is Gretchen Olive. Gretchen is the Vice President of Policy and Strategic Account Management for CSC. For over two decades, Gretchen has helped Global 2,000 companies devise global domain name, trademark, and online brand protection strategies and is a leading authority on ICANN. And with that, let's welcome Gretchen.

Gretchen: Thanks, Christy, and thanks, everybody, for taking time to join us today. As always, we have a very full agenda. I don't think there's ever such a thing as a quiet ICANN meeting. Lots going on. A lot of things coalescing and we'll talk about that in just a second. But put your roller skates on because we are going to run to the finish on this one.

So let's start off with just we see a few new names on our registration list and thank you if you're joining us for the first time. But just to give everybody kind of an equal footing, let's just cover a couple of things about ICANN. So first of all, they have three public meetings a year. We are in the third public meeting of the year, the last one, which usually occurs in the October/November time frame. This one happened at the end of October. This is their kind of like annual general meeting. It's where they kind of showcase all the work that's been going on over the course of the year, and really it's a longer meeting. It's typically a seven-day format. So it's kind of the chunkiest of the meetings, if you will.

ICANN, just to give everybody a sense of sort of like what that structure looks like is that we have a board of directors, and then there's ICANN staff and the CEO and president. And then below you see a number of kind of blue and gray boxes. The gray boxes are different advisory committees, and we'll talk specifically about the one at the very bottom there, the Governmental Advisory Committee in just a second.

But what we mostly focus on in this session is things that are going on or policies that are kind of bubbling up or being discussed as part of the Generic Name Supporting Organization or the GNSO. That's where you find the registries, the registrars, IP interests, business interests, non-commercial interests, nonprofits, etc. So that's kind of the area that we focus in on.

As I mentioned before, the Governmental Advisory Committee is a committee made up of different representatives from governments around the world, typically from like telecom ministries. And their function is to advise the ICANN Board of Directors, from a public policy standpoint, in terms of any policies that are kind of bubbling up from this multi-stakeholder, bottom-up consensus policy organization that ICANN is. As those policies bubble up towards review by the Board of Directors, the Governmental Advisory Committee will advise the ICANN Board and kind of give them the public policy perspective on things, making sure that kind of government and individual consumer interests are being taken care of.

All righty. So let's start off with the second round of the new gTLD program. Just by way of background, so in 2012, ICANN opened up a limited window of time for entities to come forward and apply for their own top level domain. So like most people understand a top level domain to be .com, .net. So this was an opportunity for entities to come forward and say I want to run a new gTLD. And some of them, most of them were strings where they would be open to the public for registration. And then there were some that were applied for as what they call dot brands, where companies were coming forward wanting to apply for their company name or their brand name for sort of their exclusive use.

So that happened in the early part of 2012. And it seems unbelievable, but it is true that we are still launching new gTLDs. The whole process hasn't worked its way through. Now there were certainly more applications than ICANN ever thought there would be. But some are still involved in disputes. There's been some recent press around .web going through sort of like some additional rounds of discourse. We also have TLDs that are still launching, so like .music and .bot and .meme. And then, some have failed or consolidated with other TLD operators. So it's been a bit of a mixed bag. But we went from basically 21, 22 gTLDs, generic top level domains, to well over 1,200 top level domains, generic top level domains now available on the internet. So it's been a huge expansion of the space over the last 10 years.

There's been numerous studies, assessments, policy development work that's been going on. ICANN promised the Governmental Advisory Committee, when they started the program in 2012, when it sort of opened up for application, there was a lot of work before that, so "start" is probably not exactly the right word, but when the program opened up for application, they had committed to the GAC that they would do all those things after the first round to kind of assess what went right, what went wrong, and make corrective action if they felt like another round should happen. And really there was always that assumption by ICANN going in that there would be additional rounds. So that's kind of the way things move forward.

Well, through all this time with, as I said, sort of the assessments and policy development, we really got to a point I would say in 2021 particularly, so a couple years ago, where there was like a lot of pressure, a lot of pressure on ICANN to kind of get to Round 2. People were kind of saying like, okay, we've done enough studies. We've done enough. Like let's move the policy work faster, move it forward faster. So there really started to be a push in earnest in the 2021 time period. Not that there weren't calls before that to get to the next round, but let's say the real push in earnest in 2021.

So that really culminated with a Final Report by one of the policy development procedures, which was the Subsequent Procedures Working Group, which really looked at what was called the Applicant Guidebook. That was the book that sort of spelled out how you could apply for and get delegated and kind of your obligations of running a top level domain. So kind of the assessment and initial policy work or recommendations around things that needed to be changed was completed in 2021, and then sent to the Board. Those recommendations were sent to the Board. And what happened then is the Board basically said, well, we need to go through this new operational design plan process, which includes an operational design assessment, so that we can understand like what the costs and the time frames and the feasibility really of kind of moving forward with these recommendations.

So that all happened. It's always a bit of a . . . let's say the community is always kind of mixed on that. There's some folks who are really interested in getting to the second round. There's some folks who would be super happy if we just kind of stuck with the TLDs that we have today. And so there's always this sort of toing and froing. But nonetheless, this ODP or Operational Design Plan got done with those assessments.

The ICANN Board then approved a lot of the policy recommendations, and we'll talk about that in a second. But as part of that, in ICANN 77, which was in June, they basically said that they needed an implementation plan from ICANN Org, and when I say ICANN Org, that means ICANN and its paid staff as to sort of like what this would look like. They really needed to understand how do we get to implementation of these recommendations that came out of the Subsequent Procedures Work Group.

And so they kind of listed, and I won't go through each and everyone here, but they listed kind of a group of four things that really needed to happen in order really by the end of ICANN 77, again which happened in June, for the staff to deliver the implementation plan by August 1st, 2023. So kind of a lot of work condensed in a very, very short period of time.

So the plan was published on July 31st, so they met the August 1st deadline. And what they did is they kind of broke it down to nine projects. And really, if you look at this, they all map to the Applicant Guidebook. And what I mean by that is the Applicant Guidebook is set out in sections, like what are the basics, what's the Applicant Support Program look like, what's like the Registry Service Provider Evaluation Program look like. So all these sections of the Applicant Guidebook kind of map to these nine projects. So ICANN has kind of like broken it out in these nine projects. And, of course, there's sort of some shared service things that kind of cut across all these things, so they call those program elements and things like Communication and Outreach, Engineering and IT, Finance, and Human Resources.

So they put together this Implementation Plan. And when you put it all together, it kind of comes out to this projected timeline as to when the next round, the second round of the new gTLD program would happen. Again, there's been really mixed reaction in the community to this. Many feel like can't we get on with it? Why does it have to be we're talking like April/May 2026? And really what ICANN did through this Implementation Plan, they kind of backed through like, okay, this is what we need to do this and what are all the things that have to happen before that. And so they've committed that the new Applicant Guidebook will be done a year before the application period. They'll also have an Applicant Support Program kind of spec'd out in advance. So there's things and these are just a couple of them.

There are things that have to happen before that, but right now ICANN is projecting, and this is, we'll see in the next couple of slides, really based on a lot of dependencies that can change this timeline. But right now they're saying kind of the earliest or the most reasonable expectation would be April/May of 2026. So that's a little less, about two and a half years from now.

So let's just talk about some of the dependencies for a few minutes so you can get a sense of what that looks like. So there's obviously a dependency to get the Applicant Guidebook done. There's a lot that has to happen there.

There's a resolution to some of the subsequent procedures or often called subpro recommendations. A bulk of them ICANN already approved, and they're working towards and have an implementation review team working on those. But there's still some that have to be fleshed out, and we'll talk about that in just a few minutes. There's some implementation review team methodology and work plan that need to be make sure that they have it. Closed generics policy, we'll talk about that a little later in this presentation.

And then also the IDN EPDP. So IDN is internationalized domain name, and then EPDP is expedited policy development policy. So it's about IDNs. So those are strings that are in non-ASCII characters, so in scripts like Arabic or Japanese or Chinese. There have been historically challenges on how those labels work and how browsers also kind of process those. So IDN EPDP work plan is a real gating factor to getting to the next round.

So that's kind of a very high-level summary of the key things that have to get done in order for the completion of the Applicant Guidebook by that kind of April/ May 2025 kind of marker in the sand.

And then you have dependencies to get to the actual opening of the round. So again, you have final approval of the Applicant Guidebook. So it not only has to be kind of like fully drafted. It needs to be approved. Program development that has to happen after that. Some publication of results around Applicant Support and the Registry Services Provider Evaluation Programs, trying to make those kind of more streamlined and efficient, as well as communication and awareness campaigns.

Then to be able to delegate the first of the any of these TLDs that are approved, you've got things like technical onboarding modernization, registration reporting. There's a whole list of things you can see there.

And then, overall, there's some other additional strategic things that ICANN needs to figure out around kind of notification services for intergovernmental organizations and non-governmental organizations claims service as well as universal acceptance, which means like all the browsers and all systems being able to process those IDN labels. And then registration data policy implementation, which we'll talk again a little bit about shortly here. But we've all been sort of limping along since the implementation of the General Data Protection Regulation or the GDPR in terms of like WHOIS information and what's in there. And there's been a lot of work done to kind of finally get to a point where we have a full policy that complies with GDPR.

So there's a lot of dependencies here. Now, Christy, I think I see something in the Q&A. Do we have a question?

Christy: Yes, we do, Gretchen. So we have Julia asking, given all these dependencies, how accurate do you think ICANN's projected timeline is?

Gretchen: Well, so let me be fair. Based on the information they have today, I think it's a fair assessment. However, these dependencies, there's a lot, and I think that that's one of the reasons why I kind of wanted to kind of bullet these things out. There's a lot that has to get done. And I think it's very likely, I'm just going to say that. It'll be very likely that I think this slips by probably about a year. That's my estimation right now. So you're talking very late 2026 into early 2027. I know there's probably people on the other side of the video thinking, "Oh, no." And there's some folks who are saying, "That's fine with me."

But I will say this. I think the one piece of advice I'd give. So I've been in the industry 24 years, it always shocks me when I say that, and lived through the entire Round 1 of the new gTLD program. And what I see right now is a lot of consultants and people kind of coming at companies saying, "You have to make decisions now about whether or not you want a .brand. You have to do this. You have to do that." I think it's really important to be realistic within your organization and not kind of send up the flares too early because that's what kind of happened in Round 1. There were a lot of kind of false starts. And I think until we get closer, I think we've got to see what the next 8 to 12 months brings to really know if that timeline is going to stick or at least be pretty close. So I don't think send up flares yet within your organization if you are considering a .brand and don't get too riled up by folks who are coming and knocking on your door saying you have to make a decision now because I don't think that's at all the case.

All right. Thanks for that question, Julia. Appreciate it.

So just to give you kind of like a summary here, this I thought was a really enlightening slide that came from one of the presentations at the ICANN meeting. It's sort of like an overview of the resourcing kind of on ICANN's front. So they're going to need 68 people or almost 27 full-time people to manage this, $70 million, 30 vendors, multiple work streams and functions, the 9 primary projects that we talked about. So there's a lot of resources. This is a very resource dependent activity. ICANN is all in. They are all in on this, and I think the work that the staff has done on the Implementation Program, the amount of work that was produced in a very short period of time is I think really commendable. But there's a lot to go. So we'll see how that sorts out, and we'll keep everybody apprised.

I also wanted to highlight there's always a question of like, "Well, why are we doing this? Like do we need more new gTLDs?" And again, I think there's arguments on both sides. But ICANN has come out pretty forcefully about this being about like diversity and inclusion, about getting people basically who are not normally part of the internet on there to basically reduce barriers for potential applicants.

ICANN really, in the last round, took a lot of criticism for it being a very North America, AMEA kind of applicant pool, and the feelings that there were only a handful of applicants from sort of South America, very few applicants from the African region, a very small number from Asian countries. So they are wanting desperately to make this more about diversity and inclusion. So that's one reason why, we're going to talk about in a second, the IDN EPDP is very important to kind of enable those and kind of give certainty and clarity around IDN labels and then universal acceptance work, making sure browsers and companies and the internet in general is ready for full use of these IDN labels. So they really see it as this is the time to kind of just get out of the just serving the English-speaking world and serving sort of all areas of the world, especially the ones that have been somewhat lagging or falling behind the kind of English-speaking world on the internet. So it is a big focus and objective of theirs.

So let's briefly talk about because this is like I mentioned a really key kind of gating piece of policy work that has to happen in order to get to the next round. And so this was initiated in May of 2021. Like I mentioned before, it's really to bring some clarity around IDNs and the introduction of variant gTLDs at the top level. Like every piece of policy it seems like at ICANN, they've broken it up into phases. So the policy work is being done in two phases. The first one is related to top level, so everything after the dot, IDN gTLD definitions and variant management. And then Phase 2 is about the second level, so everything before the dot, IDN and variant management.

And so the initial report was published earlier this year. Public comment closed just before the last ICANN meeting. And they kind of had these 68 preliminary recommendations, and a lot of it was tied to some of the stuff in the Subsequent Procedures PDP output. So there is sort of connection between those two.

So during ICANN 77, which was the last ICANN meeting, they talked about the two-phased approach and what would work and what the IDN EPDP work how it would impact the Applicant Guidebook. So it's kind of like how we got here. And then in terms of where we are, there was a lot of discussion at ICANN 77 around timeline, timeline, timeline. How long will this take?

And so right now and kind of out of coming out of ICANN 77 and into 78, the Phase 1 Final Report is currently on track for submission to the Generic Names Supporting Organization or the GNSO, that blue box we talked about on that early org chart, this November, so any day now. And they state that Phase 2 deliverables are ahead schedule by 13 months.

So really they are going to get together in December, early December for several days to do some face-to-face work to try to kind of fast track the discussions. As you can imagine on any of these kind of working groups, there are representatives from around the world. And so they set a meeting schedule. Sometimes the meetings are good for people in their time zone. Sometimes they're not. So there's a lot of toing and froing and a lot of work. Meetings get recorded, and then people respond via email to give their feedback or through the kind of tools that they're using to do the policy work and to kind of coalesce communication. So it's pretty intense, but they plan to get together in early December to try to even put some additional jet fuel on that work. And right now they're estimated delivery date for Phase 2 is October 2024.

If these timelines hold, then the feeling is that, yes, the Applicant Guidebook can get out in the April/May time frame of 2025. So again, like I said, the next 8 to 12 months will really tell the tale here about whether or not those dates that ICANN is projecting for Round 2 are going to stick.

Just briefly talking about the new gTLD Subsequent Procedures PDP, quite honestly the PDP itself has completed. But just to give a sense of sort of the work that was done as part of that, when I say it's completed, the final report has been issued, but there's work to be done after that. But the actual kind of group getting together and working through policy recommendations, that part, that group's work is complete. They really worked through that since 2015. So you can see, like I mentioned earlier, for the past 10 years there's been lots of assessments and studies and policy work being done, and this is a big chunk of what policy work was being done during that period of time. And quite honestly it really just gets to the heart of what the new gTLD program is and that's why.

So I would say for four or five years it just kind of like slowly chugged along. But certainly since January 2021, when they published the final report, things have moved along a little more expeditiously. So like we talked earlier about the ODP, the Operational Design Plan, and that included the Operational Design Assessment. So that was all kind of wrapped up and provided to the ICANN Board earlier this year.

ICANN adopted 98 recommendations from the Subsequent Procedures ODP. And there are 38 recommendations, and they're dwindling, that are kind of pending. And they are things that there's seems to be pretty widespread commitment to try to get resolved. The GNSO, who obviously is behind this work, they have formed a small team of councilors of the GNSO Council to kind of review the pending recommendations and suggest how to kind of address these underlying concerns.

But also, at the same time, ICANN has formed a Subsequent Procedures Implementation Team or IRT, who's going to take those 98 recommendations that have been adopted and work through implementation planning for that. So that started just before . . . Really ICANN 77 was sort of the place where that really all started. So it's been a little . . . The pace has been picking up on the on this.

The GNSO Small Team that I mentioned, they've kind of worked through these pending recommendations. They have developed a work plan, that was something that ICANN required, and timeline for the IDN EPDP charter questions.

As well as there's this issue around closed generics. And this is an issue. In the first round, there were companies, so brands who applied for generic words and wanted to operate that for their exclusive use. And there was a lot of controversy around it. It wasn't prohibited by the initial Applicant Guidebook. So it wasn't that any anyone who applied for one of those did something wrong or sneaky. There was no language around whether that was allowed or not allowed. But people, companies did come forward and apply for those, and it has been a lightning rod. And it's been one of those issues that has bounced around a lot.

And basically the GNSO and ICANN kind of went back and forth a little bit on this. GNSO created a small team to have a facilitated dialogue with members of the GAC and other members of the community. And they quite honestly just said, "We've tried. We can't get to an answer." And it kind of kicked it back and said the work hasn't resulted in a resolution, and it's really sort of up to ICANN now to determine. And we'll talk a little bit later in the presentation about sort of the advice the GAC has given ICANN as a result of that. So I'll give you a little bit of a cliffhanger to hang on to the end on that. But there's been a lot of work going on, on that, but it it's an issue that just hasn't gotten resolution.

But there's other pending recommendations that they're working through, the GNSO Small Team. So that was only kind of one of the pending things. So the IRT got started on the work around the 98 adopted resolutions, so that work is well underway. So full steam ahead as they say.

Then we have also, again like I said I think at the very top, so much is coalescing right now. So much of the different policy work, the different issues, the different obstacles, the different challenges that ICANN has faced over really the last 10 years are kind of all coalescing at one time. One issue that has been an issue actually since I started in this area has been WHOIS.

And it really came to a head when the General Data Protection Regulation or the GDPR was being enforced, started to be enforced in May of 2018. And at the time, ICANN had to put what was called a temporary specification into place because there was some work done leading up to that May 2018 day, but I think it became abundantly clear it was going to be a complete overhaul of kind of like how the ICANN community thought about WHOIS.

And it really comes down, like the WHOIS is where you have contact information, a registrant contact, an admin contact, a technical contact, a billing contact. That's historically what that's all been. And for companies, it's largely been corporate information. For individuals though, it's their home address, their phone number, their email address, so very personal information. And so the GDPR kind of really brought that all to a head, where there had already been quite a bit of data privacy regulation around the globe, certainly in Europe had the most probably. But the GDPR really sought to try to unify that a little bit.

And again, it really hit ICANN over the head that they needed to do something about WHOIS policy. So they put this temporary specification in place and then started policy work. And they called it another extended policy development policy working group around registration data policy and disclosure.

So it was broken up into a few phases. Phase 1 was about the collection and handling of the WHOIS contact and sort of requests for WHOIS data. And then Phase 2 was like how to get access to WHOIS data for certain legitimate reasons. There's also this issue that kind of was tacked on to Phase 2 around kind of the whole natural versus legal person issue, a person versus a company basically and the feasibility of sort of using a uniform anonymized contact email in the WHOIS record.

So that's kind of how things broke out. This policy work has been going on since mid-2018. The final recommendation report for Phase 1, which is about like what's going to be in the WHOIS, that actually completed on time and I believe it was February of 2019. And ICANN pretty quickly thereafter assembled an Implementation Review Team to work on sort of the new Registration Data Consensus Policy. So they put that temporary specification on in May of 2018. That ran to May of 2019, because a temp policy can only be for a year, and then they basically said that policy is now becoming the interim policy. And that's been in place since about May 2019. And so since then, we've been working towards a more permanent Registration Data Consensus Policy as part of this EPDP Phase 1.

And so once the IRT was formed, we thought we were off to the races. But the Implementation Review Team really struggled from 2019 to 2022. There were lots of issues, some behavioral issues, some things that you wouldn't kind of expect in these kind of situations, but nonetheless happened. A lot of kind of spinning. But finally, in 2022, the Implementation Review Team found what I would say its footing, and in August of '22 they published the first kind of draft registration policy. And they took public comment to that through the end of last year.

And so at the beginning of this year, ICANN reviews and summarizes those comments, passes it on to the IRT. They reviewed it, discussed it, and then worked on a final Registration Data Policy for publication. That final policy, final draft or sort of final version, I shouldn't say draft, final version, kind of final review of it happened at ICANN 78. It's expected to be published here before the end of 2023.

Once it gets published and legal notice from ICANN goes out to registrars and registries, it'll basically go into effect in 18 months from that date. So the first six months is sort of considered a quiet period, where there's a lot of education and awareness and sort of like question period for registries and registrars that have to implement this to work with ICANN and get through all that. And then basically 12 months to implement because it will require some pretty significant changes to systems and databases and process and procedure. So they're trying to be realistic about what this is going to take. Certainly for some of the bigger registrars and registries it might not take them 18 months, but certainly for some of the smaller registries and registers, it probably will take them all of 18 months.

So the interesting part is there's a part of this policy that talks about urgent requests for data, and that part of the policy is kind of being held back for a little bit more work. It's not completely fleshed out. There are some questions about like how you make that request and what information needs to be supplied and what the timeline is for that and what's the mechanism for making the request and sending back the response. So there's more work that needs to be done there. I think they feel like that is work that can be done pretty quickly, but there's no specific timeline.

So all righty. Do I see a question, or is that the old question?

Christy: Yes. We have a question. Ari has asked, "How long do you think it will take ICANN to include those urgent requests process into the policy and implementation plans.

Gretchen: Yeah, I think the IRT in their discussions around this, they felt like it wasn't going to be years, and that it would be a matter of months. I would lean on that side. I don't think it's two months, but it's probably six months. So a lot of this comes into play with like law enforcement requests or like imminent harm, things like that, so it's really important we get this right and that everybody knows what they're supposed to do and how they're supposed to do it. So I would give it six months. That's going to be my guess right now. But I don't think this is controversial. I just think it's something that needs to be fleshed out further, so. No, great question. Thank you, Ari.

All right. So let's keep on going. So some high-level changes, we've talked about these in prior sessions of this webinar series. But I think one of the key things that's going to change that is there's going to be the elimination of the admin contact. So that's something that is going to happen. We also have the registrant organization. There's going to be some normalization of the treatment of the registrant organization field. So I think that is something we should be preparing for.

And then also there are some retention requirements that are going to be adjusted as well as the disclosure, which we're going to talk about here in just a second, where Phase 1 really didn't get too deep into the disclosure of the information, sort of the hows of it. And that's kind of the next part of our discussion though. Let's hop to that.

So Phase 2, this is the access part. So this also has been down a very long road. I mentioned Phase 1, the EPDP Team, again the Expedited Policy Development Process Team, EPDP 1 issued their final report in February of 2019. EPDP Phase 2, because they started right after Phase 1's recommendations were voted on by the Board, they published their final report in August of 2020, so a little bit little over a year afterwards.

When the GNSO approved it, the ICANN Board asked for an ODP. We talked about this before, kind of this process now that ICANN has of getting a really a feasibility report on what's being proposed, the recommendations that are being proposed. In January of '22, that was delivered. The ODA, the Operational Design Assessment part was delivered to ICANN.

The system at that time, the system for like the act of requesting WHOIS data was called the System for Standardized Access and Disclosure or SSAD. The ODA said that the SSAD would be enormously expensive and gave a very wide range from $14 million to $16 million, and basically would require years long implementation. I think the shortest time frame was like four years, and on the high end was like seven or eight years. It was a beast. It was a beast, and the feeling was: Can we wait that long? Should we wait that long? Would it be worth it? And there were just so many questions about all those things, and the sense was do we really want to invest all that time and money and not really have any certainty or kind of comfort in knowing that that's going to be the right thing, the right system, the right process to address the needs.

So the GNSO Council, there was some back-and- forth between the Board and the GNSO on this. And ultimately, Council said let's pause on SSAD, and is there something ICANN, the staff and president and CEO, is there something you can do to develop sort of a lighter version of this for proof of concept purposes so that we can test this thing out, know if this is the right way to go, kind of test some assumptions. And so there was some discussion about that. But the ICANN Board basically said to ICANN org, "Yes, let's design a proof of concept, which is now going to be known as the Registration Disclosure Request System or the RDRS. There's one thing we have a lot of in the ICANN world, and that's acronyms. So sorry about that.

So earlier this year, there was some initial kind of like proposals, kind of like spec'ing out how it could work by ICANN org. And in February of this year, the ICANN Board said, yes, we kind of give you the green light to go ahead and develop and launch this sort of proof of concept, very kind of light version. So surprise, ICANN org is expecting to launch the RDRS for at least a two-year trial period to collect data this month. Last month there was kind of some outreach and work with registrars and registries to kind of walk through this and get the Q&A going, if you will.

It was further discussed at the ICANN meeting in Hamburg. And there's still I think a fair number of questions still kind of going on and things that need to be a little bit more tuned from a policy and legal terms and conditions and that type of stuff. So we don't have an exact date, but at ICANN 78 they were still projecting November 2023.

So what is this thing? So I think the best way to think about it is it's a system where you can go to request registration data on gTLDs, and that's gTLDs only. It's not ccTLDs. Okay. And it is requesting access for non-public registration data. So if you can go and do a lookup and get the WHOIS information, I know we're not really calling it that anymore, but most people still do call it WHOIS, information, well, then that's available to you. You don't need to make the request through the system. But where the information is redacted, you can privacy proxy. You can use this system to request that data.

Now the participation in this system is voluntary by registrars. And in fairness, everybody is trying to quickly come up to speed. So someone might not be signed up on day one, but give them to day 15 to kind of get all their questions answered by ICANN to be able to participate in this thing. But it is voluntary. There's no requirement for registrars to participate in this. It's really being created to streamline and standardize the process for submitting and receiving the requests. Putting a request in doesn't guarantee access to the registration data. But ICANN sees this as a way to collect data around demand and sort of very high-level data around what happens with those requests. So sort of having a centralized platform for this.

Requesters will make the request in the system. And it's a system that ICANN will be managing and maintaining. But what happens is once the request is in the system, then that is sent to the registrar, and all the communication between the registrar and the requestor happens outside the system. So this is not being tracked within this RDRS system. The system is intended to be a very, very light, like I said, proof of concept. What's the demand for this data? What's the general processing times for this data, because once the registrar kind of makes a determination on the data, whether or not to give the data, they also have to go into the system and kind of put a final disposition on the request.

So I think there's some really key things here. Registrars will review and consider the request and balance it against interests of the data subject. So it's going to be subject to all the data privacy laws that are out there. So it's sort of like here's a request. What are we required to do under the law? It's going to be a balancing test.

I think that if you make a request within that system, you're going to need to kind of pick a box of what your type of request is. So there's like law enforcement, security researcher, computer security incident response team, cybersecurity incident response team, consumer protection, research, domain investor, IP holder, dispute resolution service provider, litigation dispute resolution. So there's different categories you can choose.

But again, once the registrar makes their disclosure decision, they'll mark it in the system. If you disagree with that, there are there are forms, that ICANN Compliance is creating, that you can complete and submit to ICANN Compliance, where they will kind of review it in terms of compliance obligations of the registrar.

But also, again, remember participation in this system, so signing up to use this system is voluntary. So I do think we're going to see more contract work here at ICANN to get this baked into ICANN contracts with registrars and registries. But that's not in place yet. So more to come. This is definitely watch this space.

So we are quickly running out of time as I anticipated, so let's just talk about a couple other things. Another big topic, which has been an ongoing topic, at the ICANN meeting in Hamburg was DNS abuse. The last meeting we talked about the last time we did this webinar series, we talked about kind of ICANN negotiating with the registry and registrar stakeholder groups to add language around kind of defining DNS abuse and sort of some initial kind of clear obligations of registrars and registries in response to DNS abuse. The contract language is now out for registrar and registries to approve. So looking very good. That'll be in their contracts shortly.

Just to summarize, it's really the same largely the same for both registrars and registries, so we're kind of adding to the existing obligations in the base registrar and registry agreements. We're clarifying that registrar abuse contacts are readily accessible, so where that information needs to be so the general public knows who to contact, where to kind of report to. It now requires confirmation by both the registrar and the registry, if they receive one of those abuse complaints, that they have confirmation of receipt of that.

It talks about taking mitigation action to stop or disrupt the DNS abuse. So really starting to finally get a bit more prescriptive into what has to happen after receiving one of those DNS abuse reports. So that's really important. That's a good first step. I think everybody understands this is a first step. It is not the destination.

For the purposes of the registry agreement and registrar accreditation agreement and sort of the ICANN draft advisories that have been out, DNS abuse means malware, botnets, phishing, pharming, and spam where spam serves as a delivery mechanism for other forms DNS abuse. It's following the Security Advisory Committee's kind of RFC on that. Earlier this year, INTA put out a resolution where they kind of support and state a definition of DNS abuse. And this actually . . . I would say the ICANN one is a little bit more like specific to the mention of malware, botnets, phishing, and pharming. But I think the INTA definition and this ICANN definition of DNS abuse, they align, which is important. So that's I think a good development for brand owners.

In talking about DNS abuse, I'm hoping most people who are attending this webinar have seen CSC's 2023 Domain Security Report, which was published last month. It is just chock-full of some really great insights and things that I think you (a) need to know and (b) need to share with your colleagues in InfoSec, if you are not in InfoSec, as well as your legal teams.

I highlight just a couple of the findings that we have there. But as I mentioned at the very top of the program here, the GAC, a very important advisory committee within the ICANN community, currently made up of over 190 country/territory members, like I said most of them coming from like telecom ministries. There's been a lot of new participants this year, and really since ICANN 76, a good chunk coming in. There's approximately 500 delegates in total that come to the meeting, representing these different governmental entities. So a group that ever since really the launch of the first round of new gTLD program has had increased voice and impact and influence over everything ICANN.

So at the end of every meeting, they issue something called a communiqué. So this meeting was no different. They issued the GAC communiqué. And usually in that they'll kind of review the things they did during the meeting, the people they met with, and then they'll highlight issues that are important to them, meaning like, hey, ICANN community, understand we're watching you and we've got some thoughts around this. So don't be surprised when we come and share those with you.

So listed in the issues of importance are things like the auctions. They were very displeased with how auctions happened in Round 1. They felt like people gamed the system for pure profit. Latin script diacritics in new generic top level domains, this is the whole IDN thing.

There's also a whole part about GAC advice and early warnings. The y were very upset about the very short period of time they had to react to the list of applicants that applied during Round 1e and sort of lodged their early warnings and objections. So they're reminding ICANN like that's something you need to make sure we're aligned on this time.

New gTLD Applicant Support Programs, really pushing for financial and sort of consultant support to people in emerging economies and areas of the world to help them participate in the ICANN new gTLD program. And then you can kind of see the list of other things.

Because we're right up against time, I just want to highlight real quickly here there were two kind of sections of advice. Consensus advice from the GAC is something that ICANN has to act on, reject formally, and if there's a rejection, there needs to be a whole process where they kind of negotiate a settlement. So new advice was around closed generics, and this is the cliffhanger I left you with earlier. After the GNSO small team kind of kicked back the closed generics issue and said, hey, the facilitated dialogue didn't work, we can't get to a resolution, the GAC came back to the Board and said, ICANN Board, you just need to put something in the next Applicant Guidebook that says you can't apply for a closed generic until further policy work is done. Basically, for right now, you can't apply. So that's the advice they're giving ICANN. And then, obviously, they're also following up on previous advice about inclusion and diversity, as well as making sure there's adequate demand for and need for future gTLDs.

So that is our quick rundown of the ICANN Hamburg meeting. Christy, I'm going to turn it back to you.

Christy: Excellent. Gretchen, thank you so much for all the great information.

We're ready to talk.


Our specialists are ready to answer your questions.

Maximum characters: 250

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Learn how to unsubscribe from emails.