ICANN 85: Insights from the Meeting in Mumbai, India

Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching this on our YouTube channel, there's a link to the website in the description of this video. Thank you.

Christy: Hello, everyone, and welcome to today's webinar, "ICANN 85: Insights from the Meeting in Mumbai, India." My name is Christy DeMaio Ziegler, and I will be your moderator.

Joining us today is Gretchen Olive. Gretchen is the Vice President of Policy for CSC. For over two decades, Gretchen has helped Global 200 companies devise global domain name and online brand protection strategies and is a leading authority on ICANN and dot brands. She holds a JD from Widener University Delaware Law School and authored 100 .Brand applications in Round 1. And with that, let's welcome Gretchen.

Gretchen: Thank you, Christy, and thanks, everybody, for joining. I know these are busy times, so we're going to get right to it. We have a lot to cover today.

I'm just going to give you a quick overview of our agenda. We'll definitely do our usual kind of ICANN overview, make sure everybody understands kind of how ICANN works a little bit. Then we're going to jump right into Round 2 updates. That was definitely a very big part of the most recent ICANN meeting. We'll talk about WHOIS updates and other policy developments. Then we'll kind of wrap up with DNS abuse and the GAC Communiqué, which is always insightful.

So if we first start with kind of our overview of ICANN, ICANN has three public meetings a year, usually one in March, one in June, and then one in sort of the late October/early November time frame. The one that just occurred in March here, that's called the Community Forum. It's a 7-day format. It includes a lot of different sessions on like high interest topics and a lot of working group meetings. So it's a pretty extensive meeting, much like the annual meeting. It's the Policy Forum, that's in the middle, that's a little bit shorter and a little bit more focused.

Here's an organizational chart of ICANN. I do see we have some new people joining us here today. So just to give you a sense, ICANN is a bottom-up, multi-stakeholder, consensus policy-driven organization. So the theory is that all these different kind of groups, SOs or supporting organizations, they talk about issues, work on policy, and then that kind of bubbles up to the ICANN Board of Directors for approval.

And we have some of these gray boxes here that are advisory committees to the Board. The dark gray box on the bottom there, that's the Governmental Advisory Committee. That is probably the one we focus on the most here in this webinar series. They kind of watch different policy developments that are happening, many of which come through the GNSO, which is the Generic Names Supporting Organization. That includes registrars, registries, business interests, intellectual property interests, ISPs. So it's a pretty broad group of participants. But a lot of the policies that come up through that group is our focus here in this webinar series. And the Governmental Advisory Committee kind of keeps an eye on what's going on there and has been participating earlier and earlier in the process so that by the time things do get to the Board of Directors, it's not any surprise if the Governmental Advisory Committee has any kind of concerns from a public policy standpoint.

But ICANN also has a staff. So this whole group of folks, they meet three times a year, and it is always a busy meeting. But ICANN does move relatively slowly. So when you talk about something in one meeting, it will take a little bit to kind of happen.

But we're going to jump into talking about the upcoming round of ICANN's New gTLD Program. So this is a very good case in point. So in 2012, ICANN ran its first round of its New gTLD Program, where entities could come forward and they could apply for different types of TLDs. So you could have an open TLD, a community TLD, kind of geographic a TLD, like a .NYC or a .Berlin. And what also came about in Round 1, it wasn't kind of a standout category at the time, but there were .Brand applications, applications that came forward from corporate entities basically saying, "I want my own TLD for the exclusive use of my company."

And so when we look at all the applications that were put forward back in 2012, there are a little over 1,900 applications, of which that kind of boiled down to 1,409 unique strings. That means there were multiple applicants for some strings. But about 33% were .Brand applications. So it was something that brands did participate in pretty heavily.

But it's now taken 14 years to get to Round 2. So as I said, things happen a little slowly in the ICANN world. Part of that delay was ICANN, when they were kind of commencing Round 1, promised the Governmental Advisory Committee, because there were a lot of concerns by them and others, that once Round 1 was over, they would take the time to kind of review what went right, what went wrong, and then take corrective action. So there have been lots of kind of assessments and studies and policy discussions that have kind of now gotten us to this point.

So you can see here on the slide, and I know it's a lot of colors and a lot of words on the graphic, but this is kind of just an overall kind of picture of the program plan. You can kind of see all the different work streams that are going on here and sort of the timeline. It's been pretty intense here over the last few years.

But we are now coming up to the second round, and that round is supposed to commence on April 30th and will close on August 12th. So it's just a very short application window, just 15 weeks, and so that is not a lot of time. These applications are intense. But really it is an opportunity for legal entities, such as corporations, organizations, and other institutions, as well as governments to kind of come forward and apply for a new gTLD.

So a lot of people ask, "Well, that sounds interesting. But like how much would it cost to get your own gTLD?" And so, for example, for dot brands, because that is the most logical to talk about here, to apply for a dot brand, there's kind of the base application fee with ICANN, which is $227,000. And then there's a special kind of evaluation process, and that has a little special evaluation fee that goes along with that for brands. So that's an extra $500. So the application fee for a dot brand is $227,500. That's USD. So we're kind of rolling towards that April 30th date. It's kind of coming up fast.

And this chart, I like this chart. They shared this in one of the sessions during ICANN 85. The green boxes are kind of all the things that are done. The blue boxes are things that are kind of in process, and the red box is the thing where there's a little bit of risk here.

So since the last ICANN meeting, they have published the final version of the Applicant Guidebook, and I guess it's about 450 pages with lots of other documents you should read. It's the guidebook that sort of like spells out the New gTLD Program, everything from eligibility to how to apply, what processes will be used during the evaluation process, how contention processes will work, so if there are multiple applicants for the same string, also how to make objections. It is the full kind of view of the program from start to finish. Even it kind of details what happens after a TLD is awarded and what the applicant will need to do.

So that occurred in December, and then they've just recently published what's called the Registry Agreement, which is the contract that applicants will need to sign with ICANN if they're awarded a TLD under this program. And actually, at the end of this ICANN meeting, the ICANN Board approved that Registry Agreement.

So kind of all the fundamental pieces are in place for applicants. Now the one piece that's red is this application system. They call it TAMS. They've done the development for it, but they're still going through testing. So they're highlighting it as a potential kind of risk for delay. But we continue to hear that things are on pace. They don't anticipate any problems. But they're just highlighting that that kind of testing is still going on. They had hoped to complete the testing by now. So that's why it's red.

So a lot moving forward here. A lot of energy of the whole organization is really focused on this program and a lot of energy of the community, kind of the greater ICANN community. It really is the topic that everybody is talking about. So we'll continue to watch that.

So I get asked a lot of questions every day about, "So tell me a little bit about dot brand. What's the benefit of a dot brand?" And so this is just a quick little slide to kind of highlight some of the key benefits in sort of three buckets.

From the marketing side, definitely a dot brand can help a company have short, memorable URLs. When you can have all the names in the name space, so that includes all the generic words in the name space, it really, really helps you have these very kind of short, memorable URLs. There's a client of ours that has a dot brand from Round 1, and it's one of my favorite, very memorable URLs, and it's play.afl. It's the Australian Football League, and it's a great website that sort of talks about community Australian football teams and the rules of the game and lots of information about Australian football. And it's just something that just sticks in the brain. You can type it right into the browser, and it will get you to exactly where you need to go. So that helps the user journey.

It also helps with SEO. That's search engine optimization. It really helps to have words and exactly matching URLs that match search queries. But we also know that AI is really disrupting kind of search online. Many people are using ChatGPT, Perplexity, Claude, whatever may be your favorite AI tool to kind of do searches. And so search, as we know it, is really being disrupted. But dot brand has a lot about it that helps really kind of give legitimacy and authenticity to content on dot brand sites. So we have some white papers. We can offer some briefing documents that I think if you're very interested in this topic, you can learn more about. But just something to note because I know a lot of companies are talking about AI, and I think there's a lot that a dot brand can do to aid in that sort of navigating this new AI era.

Dot brand also has a big benefit in security, really creating a secure and exclusive ecosystem. Really a great opportunity to harden internal infrastructure. A lot of Round 1 new gTLDs are doing that. We see them using it for things like vpn.brand, pki.brand, login.brand, where they can really close the loop very tightly to make sure that their company is secure. You also can put TLD-level security controls at the top-level domain, that really flow down through all the domains under the TLD. So it really goes a long way to help build online trust and security for your organization and your customers.

And then, from the legal side, I recently published a blog, and I think it's in the Resource Center, around sort of the competing. If there's a competing trademark holder that you're worried about applying for a dot brand, really recommend that you download that or read that because dot brand can be a way to kind of secure and protect your brand a little bit further, particularly in that competing trademark holder situation.

But it's also a really great way to demonstrate kind of proactive cyber risk reduction. And a lot of regulators and a lot of the new kind of cyber regulation out there is really looking for companies to not just like tick boxes that they outline, but to do whatever is possible, whatever comes down the pike to further secure their infrastructure, their company data, and protect their customers. So dot brand can really help demonstrate that sort of proactive approach.

So I mentioned that there's a blog that you can download. But just kind of quickly here on the risk for trademark holders, certainly you can choose not to apply. A dot brand is not for everyone. It is something that you should consider though. ICANN will publish after the application window closes in August. Somewhere probably in like the mid-October range, they're going to publish a list of all the strings that have been applied for and who applied for them, and that will be a time that will probably get a lot of publicity. And so you want to make sure that your company is really talking about this and making a decision either way, a kind of well-informed decision before that window closes, because once that window closes and then that list gets published, there's no way to kind of like jump back in.

We don't know when Round 3 is. It could be another 10 years. I'm hoping not. I think we can hope that it'd be a little less. But like I said, ICANN is a pretty slow-moving organization. So if you don't apply, that's okay. It could be okay for your organization, but it may take some tools out of the toolbox when it relates to AI and security. And so, again, you want to have a really good conversation about that internally and all be aligned on that decision.

And then the competing trademark holder situation, if they apply and you don't apply, if they have those legitimate trademark rights and their application is competent otherwise, there's really not much you're going to be able to do to stop them from getting that TLD. So all these things are just things to kind of keep in mind and make sure that your company is having a good, robust discussion internally so that you can feel good about the decision that you've made.

All right. So if anybody needs help with that conversation, certainly we provide free consultation on that. So you can give us a call to schedule a free consultation, kind of take you through what the program is and all the things that you need to think about in terms of making a decision. Make sure your C-level executives are aware. Like I said, that list is going to get published in October, and I don't want anybody to find themselves in the position where someone from the C level says, "Hey, did we think about this?" And then there's a lot of finger-pointing.

It's important to understand these applications are comprehensive and a bit intense. It will take a good six to eight weeks to put this application together. So this is not a decision you want to wait till the last minute to make. You really need to be making this decision over the next like 30 to 45 days. And then, if you decide you're not applying, then it's important to develop a defensive strategy to protect your brand, and that's something we can certainly help you with as well. So it's time to make a decision. So if we can help you in any way, please let us know.

The resources here are also I think in the Resource Center. These are things that can really help you kind of get up to speed quickly. There are different resources tailored for different audiences within your organization, so your security folks, your marketing folks, your legal folks. So hopefully that assists you.

I think I've gone through all this. We can help you get through this process. All right.

So that's the Round 2 of the New gTLD Program. A lot going on, and I will admit a lot of my focus has been there over the last few months. I get a lot of questions on that. But there are also a lot of other things going on in the ICANN world that we don't want to lose sight of. So let's try to tackle some of those.

So let's start with what I call the general category of WHOIS updates. So there's a bunch of things going on related to WHOIS. Let's start with the Registration Data Request Service. This is RDRS. This was something that was launched back in November of 2023. There had been a lot of discussion after the enforceability of the GDPR, the General Data Protection Regulation, about how to provide kind of access and disclosure to WHOIS information. And it has been an issue that has been going round and round and round and round.

And at one point, there was a proposal that was put forward on sort of a system that should be designed to handle that. It was called, for short, SSAD, but that stands for the System for Standardized Access and Disclosure. But it was a system that was going to take many, many years to implement at a very, very high multi-million dollar cost. And so it really kind of gave everyone pause, thinking okay, if we embark on this journey for many years for many millions of dollars, are we certain we're going to get kind of what we're hoping for here? And there was a lot of unease about that decision, and I think justifiably so.

So ICANN kind of jumped in. There were some additional discussions, and they decided to kind of create this RDRS system, which is in essence a ticketing system to request WHOIS information. And this has been running for now over two years. The initial pilot was supposed to be just two years. But it was decided to kind of extend this because there's been some good information that has come from it in terms of kind of what people are looking for, but it hasn't widely been used is the problem or wasn't widely used, not as much as I think everyone anticipated.

And so kind of just as the two years was coming up, there was a committee that kind of got together and kind of tried to decide like: What do we do with this? Did this work? Did it not work? What do we do? And so they came up with six recommendations, and we kind of have them over the next couple of slides.

One of the big decisions made is kind of to continue the RDRS pilot beyond the initial two-year time frame. Kind of let it keep on going so data could continue to be collected.

But there were also kind of some things that were really glaring that needed to be addressed, that weren't really handled by RDRS. And that was sort of enabling authentication for kind of specific requestor groups. Like law enforcement is a really good example. Really hard to kind of distinguish, like people could come into the system and say they were law enforcement, but there was really no way to kind of authenticate them or kind of verify them as law enforcement.

There also were just kind of system issues, and so like wanting to have like APIs and other kind of request forms and things like that, and maybe even get like ccTLDs to use this system. So there were a lot of kind of system enhancements that kind of were suggested throughout the pilot.

And then just the feeling that there needs to be some additional kind of policy work. The privacy/proxy data, so that's when there's a service, a privacy/proxy service that is kind of providing WHOIS to shield kind of who the registrant is. It's kind of a masking service, if you will. And then also kind of how the WHOIS responses, kind of the links to those WHOIS responses

So again, issues and recommendations. So another kind of key recommendation was after the pilot, they were kind of supposed to go back and look at the SSAD recommendations and then kind of the experience with the RDRS and figure out, "Okay, where do we go from here?" And so I think that the feeling was is that we kind of needed to go back and look at those really deeply, and kind of the feeling was all that was recommended probably wasn't necessary. And so they want to also maintain kind of the RDRS Standing Committee because they have a certain amount of expertise in this area.

So these were the recommendations that came kind of like as the pilot period, initial period was kind of rolling up. And so the GNSO Council has requested that ICANN kind of non-adopt, if you will, the SSAD recommendations. So when SSAD did come out, there were some of the recommendations the ICANN Board did approve, and some of them they didn't. That's what sort of spun off to RDRS.

So GNSO, which is the Generic Names Supporting Organization, feels like it's going to be much cleaner if kind of the ICANN Board non-adopts whatever they adopted and kind of sends the whole package back to the GNSO to kind of develop some additional or supplemental recommendations and really kind of use a small focus group here, not a big working group like they had for SSAD. They don't want this to be a whole new policy development process. For those of you who kind of follow this webinar series, these PDPs, they're called, they can last years, and that's not what they're looking for. They're really looking for this to be kind of like a several month effort and not a several year effort. So we'll see what happens here, but this is where we are on the RDRS. So more to come for sure.

One of the big issues around and kind of even embedded in RDRS has been this urgent requests for disclosure of registration, data. And so this often comes from law enforcement, and they need it like ASAP. But there's no kind of like exact timeline that's been provided in any way to sort of identify again or verify law enforcement agencies and actors. So it's been hard for registrars and registries. There's a lot of inconsistency in terms of like how things are handled.

So there's definitely that need for an authentication mechanism, and I think there's kind of been two identified. There's sort of a short-term solution of providing registrars a list with contacts. And then there's a longer-term solution to kind of like try to integrate this potentially RDRS or some other ICANN system into these with different law enforcement agencies so that there can be that authentication done. That's kind of percolating. That long-term solution, there's not been a ton of progress on that. I think definitely the list thing is being worked on, and registrars are expecting a list through ICANN at some point in 2026 here.

But on the policy track side, there really needs to be kind of a clearer definition of what's an urgent request and kind of who qualifies as an authenticated requestor and kind of established timelines. You've got to give these guidelines to registrars and registries so that they can meet those requirements. Otherwise you are going to get kind of inconsistent responses. And certainly if something is an urgent request, I think there's no one who would argue they want to help and they want to get that information to people, to law enforcement as soon as possible.

So on the policy track front, there have been some workings going on. But there's been general agreement between kind of ICANN, the GAC, and the RDRS team that's been working on this too in terms of a definition of an urgent request. So pretty straightforward, a high priority request for the disclosure of nonpublic domain registration data. And it's really reserved for emergency situations that pose an immediate risk and require a swift response from domain registrars or registries.

Then there are some criteria that have been put together. So when you look at things like imminent threat to life or serious bodily injury or threats to critical infrastructure or circumstances involving child exploitation, again, I don't think there's really any argument that those are all urgent. So that's I think good to get that sort of defined.

The response time has been the real sticking point because this is where sort of reality meets policy. And so it seems like we're moving towards an agreement, an official agreement that if it is an urgent request, that responses are going to be generally expected within 24 hours from registrars and registries. And that if there are things like high-volume requests or very complex requests, so if there's a need for kind of an extension of time, the registry or registrar would have to kind of provide that notice that they need the extension of time within 24 hours. And then it could be extended to a maxim of 72 hours, which is 3 days. So that's where it seems like we're going.

And then there'll be some additional guidance. Like I said, the RDRS has been a method by which you could submit these urgent requests. And like I said, it hasn't gone well because it's been so poor. So kind of lack of definition to the whole process. But they're also suggesting direct contact with registrars because a lot of times registrars aren't monitoring those kind of registration data requests 24 by 7/ 365. So I think that would be a good way to deal with this, to have it kind of be able to come in both ways, but really encourage direct contact when it comes to these urgent situations. So more to come there for sure.

Another WHOIS-related matter is privacy and proxy accreditation. This has been something that really a lot of policy work was done on this in 2014, 2015, 2016 and really had gotten to kind of approved policy recommendations. And they were adopted by the ICANN Board in 2016. But as we were rolling up to GDPR, there was this concern that obviously a lot needed to happen with relation to WHOIS information in general, and that the privacy and proxy sort of implementation process or the IRT, the Implementation Review Team, it was formed, but then it kind of got sidelined because of GDPR. And so here we are 2026. It's been a while. The IRT has resumed work in January, and now they're discussing kind of how the requirements will flow.

So the policy was kind of all developed. Now there's sort of like the implementation piece that has to take into consideration all the kind of WHOIS changes and other policy changes that have happened since GDPR. So the goal here is ICANN staff will kind of generate the first kind of draft consensus policy, and then the IRT will kind of work through that to review it, to discuss it, to get it to where it needs to be so that it can actually be rolled out. So good news is it's back being worked on. It's been on the back burner for quite some time, and I know many in the community feel like that privacy and proxy registrations, we really need an accreditation process so that folks who do that work can also be held accountable to ICANN requirements when it comes to kind of WHOIS and disclosure of WHOIS for specified circumstances.

So I'm encouraged to see this back. I'm hoping that this is not another two-year effort after here. Hopefully, within the year, we can kind of get this moving along. It's hard to tell just because there's so much energy right now being spent on the New gTLD Program. But we'll continue to monitor this also.

And then last but not least is WHOIS accuracy. This has long, long, long been an issue of the Governmental Advisory Committee. They are always asking ICANN what they're doing to ensure accuracy of WHOIS. As many of you know, the domain system is largely a self-service system. Most folks, when they go and register a domain name, with the exception of corporations who typically work with corporate registrars, but most other folks will just go online, set up an account with a credit card, and register a domain name. And they can put whatever they want in the WHOIS. And so that's always been a problem and how to kind of like ensure accuracy.

And we've had years and years and years of discussion of this. The GAC and the GNSO have been really involved in this. And there's been kind of this Scoping Team that's been around since 2022. But now, as of last year, they kind of came up with these "threshold questions" on accuracy to kind of make sure that they're kind of scoping this properly. So they did come up with the "threshold questions." And then a Preliminary Issue Report was issued in September 2025, and now the Final Issue Report is pending. So we'll be watching for that.

But really the goal of that is to launch an actual PDP that will address some of these kind of "threshold questions" of like shortening the amount of time for registrars to validate registration data, kind of providing additional education. Also kind of talking about when a domain name is suspended due to data inaccuracy, and then also finally closing the Scoping Team. So it is an issue that continues to linger.

I will tell you that I've been attending ICANN meetings since 2000. Oh, my gosh, it's been 26 years, since you 2000. And I can remember my very first ICANN meeting the big topic was WHOIS. So it is just an issue that continues to have many forms and continues to be something that plagues the industry just to get it right. So we'll continue to monitor this.

Then we have internationalized domain names. This was an expedited policy development process that ICANN kind of identified as something that needed to be completed before this next kind of new gTLD round that's coming up here in April. And it was really to focus on topics that kind of gave greater definition on what IDNs are, and also how to handle variant management, and then how to kind of handle that in second-level domain names.

So we are at a point where they are addressing kind of the remaining Phase 1 recommendations that are not related to the 2026 Round. The ones that were related to the 2026 Round have already been baked into the Applicant Guidebook. So starting to move, starting to kind of like wrap this up.

IDNs are international domain names, for those of you who might not know what that is. If you see a domain name that is not in kind of Latin characters or ASCII characters. They're in another language script, so like Japanese, Chinese, Hindi. They haven't historically . . . It's gotten better over time for sure. It's way better now than it was back in 2000. But there have been different struggles around them in terms of how the internet and the browsers handle them and how different systems and applications handle those types of domain names. They're kind of broken down into something called Punycode, which when you look at, it just looks like kind of a bunch of random letters and numbers. But it is an issue at ICANN because of their desire to really enable more and more non-English-speaking people to kind of participate on the internet and therefore hopefully participate in Round 2 of the New gTLD Program. This was a very important initiative for them to kind of get wrapped up into before the start of the program here in April, of the application window in April of this year. So they have accomplished that.

All right. Then we have a new PDP, which it is something that I think we'll be talking more and more about, not only because it's a new PDP, but as the next round of new gTLDs kind of get underway, we eventually at some point will have a bunch of new TLDs, and that will include a bunch of new open TLDS. In the first round of the New gTLD Program, ICANN did introduce some new rights protection mechanisms, things like the Trademark Clearinghouse, things like the Uniform Rapid Suspension System, things like that, that were really designed to kind of protect trademark rights in the Domain Name System.

And I think, by and large, those were helpful. Were they perfect? No. But were they helpful? I think a lot of people did feel like those were helpful. But in 2016, the GNSO Council did launch a policy development process to kind of review those rights protection mechanisms that were in the New gTLD Program to really assess whether those mechanisms fulfilled their intended purpose.

And there is some work that's being done here now. ICANN is collaborating with the Implementation Review Team to kind of implement some Phase 1 policy recommendations that were done as a result of that sort of assessment that was kind of post-Round 1 assessments that they did of kind of what went right, what went wrong, and kind of what corrective action is needed. And they kind of divided it into five implementation groups. ICANN loves phases and different implementation groups.

So kind of broadly here, they have a few that they've kind of already completed. So if you look at two and three, I think, so educational materials and kind of the Uniform Rapid Suspension contact data recommendation, those two things, implementation has been completed. But there's still some work going on related to updates to procedural documents, data collection, and new compliance mechanisms for URS participants. So they're working on finalizing that, and they're working to kind of work through Phase 1 recommendations implementation through the end of Q2 of 2026. So this is work in progress and something that we'll continue to follow as well.

Then we can't have an ICANN meeting without talking about DNS abuse. If I had to kind of look across the industry and ICANN specifically and say like, "What are the most important issues that they're handling and that need to be addressed," certainly like this urgent request thing, that's very important. But DNS abuse as a whole is a critical topic, not only for the ICANN community, for all of us and all our organizations, all types of kind of industry participants that are in organizations that are involved in the internet.

I mean DNS abuse is not slowing down, and it is something that technology will always be ahead of policy unfortunately. And especially with the emergence of AI, the abuse is happening faster and in greater volume. And so in every corner of the universe, we all have to work hard, I think, to figure out how we catch up to this and get ahead of it. It's not only the right thing to do. It's critical for the internet to continue to be a place where people feel like they can conduct business and they can trust what they see online. It is really, really important that we do more here. And so the GAC has been super vocal about DNS abuse and really pushing ICANN to do more, do more, do more. Governments, obviously, have a huge stake in this issue.

The GAC, back at ICANN 83, in their Communiqué, which is that document they put out, sort of like kind of outlines what they did during an ICANN meeting, and then sort of the issues that they just want to make sure ICANN realizes is on their kind of radar and things that they're really watching. As well as a communiqué can also have specific advice to the ICANN Board. But in their 83 Communiqué, they did provide that formal advice to the ICANN Board on DNS abuse.

There's certainly been a lot of talk, but the GAC urged the GNSO Council to prepare for the launch of a targeted, narrowly-scoped policy development process on DNS abuse before the meeting that happened in Dublin late last year. And they really wanted them to prioritize two issues. One is bulk registration of malicious domain names. Again, AI is enabling that. And then registrar responsibility to investigate domain names linked to actionable reports of DNS abuse. So for example, someone can report a particular domain name, do a DNS abuse report on a particular domain name, but the GAC feels really strongly that registrars should go beyond just looking at the domain name. They should look at other names linked to that registrant and look at those as well, so that we're not just sort of like picking pieces of straw out of a stack of hay when we really need to deal with the whole stack of hay.

So I think the GAC has really been saying like there needs to be further action on DNS abuse before we start adding a whole lot more extensions to the DNS system. And so they've really been pushing to get to that very narrowly-scoped PDP on these two issues. And so in August last year, right before the ICANN 84 meeting in Dublin, the GNSO Council requested an issues report on DNS abuse. They have what they call a DNS Small Team that recommended that narrowly-scoped PDP. And they also, in September, issued a Preliminary Issue Report where those kind of two issues were highlighted. And so public comment on that issue report closed in November, and the Final Report was published in 2025. So those are the two issues, again, that are being prioritized for policy development.

So the first one that's going to go down kind of the pipe is the associated domain check. So that's where if someone makes a complaint about a name, that we're looking at all the names kind of that are associated with that registrant to see if there's a bigger problem here. So a working group was assembled, and during this past ICANN meeting, the working group got together to kind of start putting together its work plan and put together its charter questions, etc.

After that gets underway and I think gets some steam, I don't think they're going to wait for that to complete for kind of PDP 2 to start, which is sort of the safeguards for unrestricted API access to like bulk registrations. Like that's the AI enabled things that we're seeing. I think they just want to get this one up and running and going, and then I think we'll see progress on this. A lot of this is a resource issue, in my opinion, and so I think they're just trying to figure out, in light of everything that's going on all at once, how they give the appropriate resource and attention to both of these PDPs at the same time. But both hugely important and definitely things that ICANN has control over. So I think these are two of the right issues to be focusing on. So I think that's great.

I would be remiss if I didn't mention that CSC has a great platform, really quite an innovative platform, called CSC DomainSec, that really helps with DNS abuse. It's a first-of-its-kind platform. It's built on some really amazing proprietary technology, machine learning, artificial intelligence, clustering technology, really to give those kind of cutting-edge security insights that can really highlight what those leading indicators of compromise are. So if you want to schedule a demo, there's a link. I think it's in the Resource Center as well.

As well as we just issued, just a little bit earlier this year, CSC's 2026 Domain Security Report. I think we've been doing this five or six years at this point. It looks at the Global 2000, and it really gives some really great insights about kind of what's going on out there, but more importantly where corporations, where the weak spots are, what we're seeing in the Global 2000, and sort of what folks need to kind of focus in on to protect themselves online, corporations need to focus in on to protect themselves. So a complete must read. It's an easy read, lots of charts. So I highly recommend that document as well. It's something I actually really look forward to reading every year. I always get smarter reading that.

All right. So we're coming down the home stretch here. I want to just briefly talk a little bit more about the Governmental Advisory Committee. So they are a group of representatives from various governments across the world. They typically come from like the telecom ministry within a government. Currently, there are 184 member states and territories and 41 observer organizations. They get a very good amount of participation each ICANN meeting. So they come there in force, and they spend the week together. This meeting was a 7-day meeting, and they spent the week together really combing through all that's going on in ICANN and providing that sort of public policy view on things that are going on.

And over the last 10 years and really as we got through the first round of the New gTLD Program, the GAC really came into its own. They really became a force within the ICANN community, a lot more vocal, a lot more integrated, a lot more I would call them like kind of the bellwether of how things are going and what needs to be focused on. And so I always say like if you watch the GAC, you'll have a pretty good sense of how things are going. They will highlight what's going right, what's going wrong, and what needs to get done. And it's pretty spot-on each and every time in their communiqué. So it's something that I pay a lot of attention to.

So just to give you a sense of what they were feeling after this meeting is these are what they list as their issues of importance. So domain name registration data, this is all the WHOIS stuff that they're persistent and they are determined that more has to be done to tighten up the rules around WHOIS. So particularly the urgent requests for disclosure of registration data, as we've discussed, very, very important and they want to see ICANN get that nailed down. As well as kind of like the RDRS, how kind of access is going to happen in the future. As well as the privacy/proxy services.

Number two on the board and I would say it's probably tied for number one is DNS abuse mitigation. So very important and, again, you can see how focused the GAC is on that with some of their recommendations here to the ICANN.

And then they're very focused on Round 2 of the ICANN New gTLD Program. Going into the first round, they were very, very unhappy, the GAC. They were very much trying to put the brakes on the program and did for a long time. There were many things that they came to the table with that say you need to do this before you launch the program. No, now you need to do this before you launch the program. And a lot of people, some people in the community felt like they were kind of coming at the 11th hour with some of those issues, but they were important issues. And so I think this time around there have been far more kind of participation along the way, and I think the GAC has definitely been far more vocal and more kind of involved in expressing what they'd like to see.

But they continue to talk about the importance of getting more non-English-speaking, more kind of emerging economies, more of a diverse population onto the internet. And so there's been an Applicant Support Program to try to help people who don't have the know-how, don't have the resources, both financial and sort of like technical. There's been an Applicant Support Program that ICANN has been running to kind of capture interest from that community to see and kind of qualify them for assistance. The GAC wants to see more kind of community-based TLDs, where it's representing different communities that exist out there. I think like .catalan is, I think, a really good example. Like that was one in the first round that came about. It represents a very distinct community in Spain and really around the world. But it really was something that the GAC wants to see more and more of those sort of like cultural, geographic communities joining the internet.

They're also concerned about like making sure that this application system or TAMS is solid. And so they're really kind of making sure like get the testing done. Let's not rush it. Let's do all the right things.

And some other items that are sort of more to geographic issues and sort of like non-IDN type TLDs. So they're really focused on quite a range of issues when it comes to the New gTLD Program. But it's in their top three, this second round.

And then they're also just wanting to encourage the continued work around the UDRP, governance of regional internet registries, the root server system, and something called the ICANN review of reviews. ICANN has scheduled reviews of the community and how it operates and different processes. And now there's a review of how the review process happens. And so it's a little bit of something that's got people concerned that these reviews have been delayed because we've been talking about how to do the reviews. So I think we'll hear more about that.

But in this Communiqué, the GAC did not provide any formal advice. So that's, I think, now three straight ICANN meetings, which unbelievable there's no formal advice for the Board. But they certainly still have a number of issues. So if I were to look at the Communiqué, I would say the GAC has DNS abuse and making sure these urgent requests get done. They've got their eye on the ball with the New gTLD Program, but they haven't put up any major red flags. So it seems like all systems are kind of go, if you will, from the GAC perspective, on moving forward with the start of program on April 30th. So that's sort of the tea leaves I'm reading from their report.