Skip to main content

When you think .BRAND, think CSC.

Get started about .BRAND services

ICANN 86: Insights from the Meeting in Seville, Spain

Make an inquiry

All fields marked with * are required.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

By submitting this form, you acknowledge that CSC will collect and process your personal data in accordance with our Privacy Notice.

Stay informed on the latest policy and governance developments from the Internet Corporation for Assigned Names and Numbers (ICANN). Join CSC for a webinar featuring expert Gretchen Olive, vice president of policy, as she shares key takeaways from the ICANN 86 meeting and what they may mean for organizations managing domain portfolios.

Key points we’ll cover:

  1. ICANN policy discussions that may influence domain name registration, data access, and domain name system (DNS) governance

  2. Updates on evolving domain initiatives, including activity related to generic top-level domains (gTLDs)

  3. Ongoing community priorities focused on accountability, transparency, and trust across the ICANN ecosystem

Webinar transcript

Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching this on our YouTube channel, there's a link to the website in the description of this video. Thank you.

Christy: Welcome to today's webinar, "ICANN86: Insights from the Meeting in Seville, Spain." My name is Christy DeMaio Ziegler, and I will be your moderator.

Joining us today is Gretchen Olive. Gretchen is the Vice President of Policy and Strategic Account Management for CSC. For over two decades, Gretchen has helped Global 2000 companies devise global domain name and online brand protection strategies and is a leading authority on ICANN and Dot Brands. She holds a JD from Widener University Delaware Law School and authored 100 .BRAND applications in Round 1. And with that, let's welcome Gretchen.

Gretchen: Thanks, Christy, and thank you, everybody, for joining us today. I know it's always busy times, so I appreciate the time that people can spend with us. We do have a full agenda as always. So we'll definitely be running the whole time as we always are.

But we'll go through sort of just a little ICANN overview to make sure everybody kind of has a lay of the land. I always see a few new names on the registration. So thank you, if you're new to this webinar series, for joining us. We will talk about the in progress, I should say, now Round 2 of ICANN's New gTLD Program. We'll also talk about some policy updates related to WHOIS, the evergreen topic of DNS abuse, and then we'll also talk about the GAC Communiqué that comes out after every ICANN meeting. So let's move on.

The ICANN has three public meetings a year. So we're here at kind of the second public meeting of the year. It usually happens in the June time frame. It's called the Policy Forum. It's a little bit shorter in format, and it's really that kind of like working meeting. There's not a lot of like extra sessions around like topics of interest and things like that. It's really about getting a lot of the different kind of working groups together to do their work in-person. And so that's really what happens at the Policy Forum.

So this is ICANN sort of like an organizational chart to kind of orientate everybody to the different kind of groups we'll talk about during this webinar. So ICANN is made up of kind of the ICANN community. When you say the ICANN community, that's kind of a very broad group. There's definitely ICANN Org., which that's like the president, the CEO, their staff, that type of thing. There's also the ICANN Board. And then there are all these different supporting organizations and advisory committees that are really volunteers that make up sort of the ICANN community.

And we focus a lot of our discussion on work that's going on in kind of the biggest blue box in the center there, the GNSO, the Generic Names Supporting Organization. That's where you find registries, registrars, ISPs, intellectual property holders, business users. That's where you're going to find a lot of people who are working on the internet day in and day out.

Then we'll also talk about a group that's kind of the dark gray box, all the way on the bottom right side, called the Governmental Advisory Committee. That is a group made up of representatives from different governments' typically telecom ministries that come to ICANN and follow ICANN and is a part of the ICANN community and really an advisory committee to the ICANN Board regarding sort of the policies that are starting to bubble up.

ICANN is a bottom-up, a consensus policy-driven organization. So a lot of the policy work is kind of done at the grassroots level, and then that kind of bubbles up for ICANN Board approval. And along the way, the Governmental Advisory Committee is following that, and at appropriate times giving the ICANN Board advice and their opinions on whether or not there are public policy issues that need to be considered or whether what's been considered is maybe in contravention of public policy as they see it. So it's always an interesting conversation.

But this is kind of the ICANN community. And we'll use the acronym GNSO and GAC, for Governmental Advisory Committee, during the course of the webinar.

Okay. So we're going to start with Round 2 of the New gTLD Program. Many of you may know that ICANN did this once before. Back in 2012, they had what was called Round 1 of the New gTLD Program. At that time, over 1,900 applications were put forward for all sorts of TLDs. There were kind of TLDs for communities, open TLDs, and what eventually evolved into brand TLDs. That actually boiled down, those 1,900 applications boiled down to 1,409 unique strings. So there were multiple applicants for some strings, and there are processes for that. But about 33% of those that applied were brands.

And so, over the last 14 years, there's been a lot of discussion about how Round 1 went. ICANN did promise the Governmental Advisory Committee, the GAC that prior to starting another round, they would kind of evaluate what happened in Round 1, what went right, what went wrong, and take corrective action. And so kind of all those assessments and studies and debates have been going on for the past 14 years, and now we are in Round 2 of the program.

So Round 2 officially kicked off, if you will, with the opening of the application window on April 30th of this year. That application window runs to August 12th of 2026. So it's a very short application window. It's about 15 weeks. So now is the time that entities are putting forward their applications. This time there is a formal kind of category of application of .BRAND. But you'll see all the other types, open TLDs, community TLDs, IDNs, geographic TLDs. Last time, in 2012, we had a lot of cities come forward, like .NYC or .Paris or .Berlin. So everybody is working on their applications now and putting those into the ICANN system that will close on August 12th.

It costs a bit more than registering a domain name. You're actually registering to own and operate a TLD, so to become a registry. And that's at a cost of $227,000. And then, there are some specialized evaluations. .BRAND is one of those specialized evaluations that have additional fees. And .BRAND's kind of specialized evaluation fee is $500.

So ICANN has been working on this for quite some time. It's really been the last two years where they've really been driving towards this specific date. They've kind of gotten, over the last particularly like 16, 18 months, kind of out of the policy side of things and really into the mechanics of things. And this is just kind of a quick screenshot of kind of their project planning for that.

I mentioned already the different types of applications, and I'm going to share over the next kind of few slides, these are actual slides that ICANN presented during the Seville meeting in Spain. And so just to give you a sense, I think they're actually really well laid out and kind of give you a lot of good information in one slide. So wanted to include those.

But these are the official types this time. And so this is what we should be expecting. Reserved names, some of you may remember from attending prior sessions of this webinar series that there was a big debate around kind of some reserved names that should not be allowed to be registered as TLDs. And a lot of those were around like Red Cross, the International Olympic Committee, things like that. So that's that sort of reserved names group, where they can't be registered but for those folks.

So that's what we have going on right now. Right now, while the window is open, kind of no one knows what's going on. People are applying. They're putting forward their applications in an ICANN system, which is called the TAM system. And on August 12th that window will close. And for those of you out there saying, "Well, we're not applying for a .BRAND, so it doesn't matter much to me," I would say wait a second. You want to think about this just a little bit differently.

So when the application window closes, it will be quiet for about two months. So it won't be until sometime around mid-October, we don't have the exact date, that ICANN will do what's called Reveal Day, where they will publish the list of strings that have been applied for and who has applied for them. That's an important day to start paying attention as a brand owner for a lot of reasons.

One is you want to see if maybe you have a competing trademark holder, did they apply? So you want to know that. You also want to know if maybe some third party, maybe you're a brand, maybe there's some third party who tried to apply for your brand. If you're a very well-known trademark holder, it's unlikely they're going to try to pull a fast one because the risk is they could lose their $227,000. But there is an opportunity that if you see an application there that you feel like is infringing on your legal rights, we'll talk in a little bit about there is something called a legal rights objection. So it's really important, one, from a kind of trademark defense purpose to kind of look at that list and kind of be aware of what's going on.

The other thing is you'll see all the open TLDs and all the other TLDs that are being applied for and sort of like where there may be multiple applications, etc. You want to look at it because you want to start thinking about, "Oh, are any of these TLDs ones that I might be interested in when they go live?" So just kind of understanding what's out there is always very helpful.

I know, as I talk to brand owners, everybody groans when we talk about, oh, there are going to be more TLDs. And I completely understand. But it doesn't mean ignorance is bliss. So on Reveal Day is really the time to start paying attention.

What will happen this time, that's a little different than back in 2012, back in 2012, whatever string you applied for, you applied for. That was it. There was no way to change it kind of as you moved forward into the application process. This round, there is a chance. There is a way to kind of change your string after that list is published.

So there are two times that strings can change. The first time is if someone puts in their application a replacement string, and they see, when those strings are published, maybe there's someone else who's applied for the same string and they'd like to maybe change their string to their replacement string to avoid contention because there's a lot of processes that goes with that and potential costs. So they could wind up in an auction. And maybe the applicant will decide, "You know what, I'm going to go with my replacement string instead."

So that's something that happens very quickly. After they have to kind of put forward that they want to move to their replacement string, very quickly after that kind of Reveal Day, they basically have 14 days to make that decision. But then, after that, there will be sort of like a day where they publish sort of the final string list. So it's called String Confirmation Day. So anybody who maybe changed their string to the replacement string, you would see that change then.

The other opportunity to change your string is specific to brand owners. So again, there may be competing trademark holders who both apply. So two Deltas, let's use that example. If two Deltas apply and they see that on Reveal Day, there's an opportunity for brand owners to decide they want to get out of contention. They can do something called a brand string change request that would enable them to basically keep their string, but then pull in a word from their goods and services description from the supporting trademark for the application and append that to the end of their string. So I'll use the example Delta Airlines, that word "airlines" would likely be in the goods and services description of Delta Airlines' trademark goods and services description. So that gives you an example of what will be there and what their opportunities are. But basically, String Replacement Day or String Confirmation Day will kind of let you know where people stand on that.

So once that happens, you kind of see a bunch of things happening here, but I'll kind of distill it down. That then sort of kicks off a lot of different processes. There are some initial evaluations of the strings that are done. There is something called prioritization. There are contention sets that are formed, and then there are different parts of the evaluation process that will get underway, likely into 2027, maybe the very, very end of 2026, but likely into 2027.

So this is a long process. So stick along with us. We'll keep you posted as to where this process is each time we do this webinar series. But it'll be important to pay attention and to kind of make sure that if you're concerned about any other kind of brands, like competing trademark holder or maybe a competitor has applied or whatever, it's just important to kind of know that and be able to share that information within your organization. And in some cases, you may want to take action.

So let's talk about some of this kind of next phases of this. So I mentioned already that there's kind of this before evaluation, then kind of the String Confirmation Day, and then the starting of all the kind of the processes. So this slide gives you a nice kind of like let's call it a blueprint of what's about to happen.

And these applications, even though there are some folks who did likely put their application in on the first day, on April 30th, when ICANN opened the window and there'll be some people who put their application in on August 12th, the last day that it's open, the time at which they apply doesn't much matter in terms of like the order of evaluation. It really is about sort of are they going to get caught up in some of the like contention processes or other reviews, or will they be able to kind of participate in a prioritization draw and have a high number or a low number pulled in that draw? So depending on how many applications, that will kind of tell us how long about how this process will go.

We have no visibility while this window is open in terms of like how many applications have been submitted so far. So it is a complete kind of like black box right now. There's really no way to know how much is going in, who's going in. We won't know that. We'll get our first glimpse, if you will, in mid-October with Reveal Day.

Now as I mentioned, there are opportunities to object. And again, apologies, this is ICANN's slide. The little person is covering part of the top corner there. But there are different types of objection grounds. And so you have string confusion, legal rights, limited public interest, and community. Probably the one that most people on this webinar series should kind of focus on is legal rights. Again, looking to see if the applied for string is infringing on your legal rights.

And so, you can find the rules for the legal rights objection and sort of all the criteria as part of ICANN's Applicant Guidebook. So that is the book, the document, it's about 450 pages long, that kind of really spells out everything about this program, everything from eligibility, to how to apply, to all these different mechanisms, rights protection mechanisms that exist within the process. So if you can't find that out on the internet, just you can put your name in the Q&A and ask for a link to that, and we'll be happy to send that to you after this webinar.

Okay. So we'll keep everybody posted on Round 2. The ICANN CEO, he was at the INTA meeting in May in London. He kind of did a fireside chat during that meeting. He expressed that he feels like this is going to be a very big kind of like what he called a brand round, where he was expecting a lot of brand applications. But I don't know. I mean, I certainly talk to people every day, and I'm working on a lot of applications. But we'll see what actually happens, whether there will be more kind of open TLDs again, or it will be more brands this time. It'll be interesting to see.

All right. So let's move on to WHOIS updates. So there are kind of three things I want to cover here. One, we're going to talk about kind of where we are in what's called the EPDP or the Extended Policy Development Process Phase 2 because we all know that ICANN loves to have phases to all the PDPs because they're usually trying to deal with a big issue that needs to be broken down into sort of smaller parts. We'll also talk about urgent requests for disclosure of registration data and then WHOIS data accuracy.

So let's tackle the EPDP stuff first. So I'll take you down a little like recent history just to get everybody oriented. So in 2018, when the GDPR, the General Data Protection Regulation became enforceable, ICANN at that point issued something called the Temporary Specification, which really basically said to registrars and registries, as ICANN, we don't yet have a policy that really works well with the requirements of GDPR. So therefore, you kind of get a waiver, registrars and registries, of putting contact data into the WHOIS record.

And so I know at our offices we kind of refer to May of 2018 as the time the WHOIS started going dark, and that has caused a lot of complications. It causes complications in enforcing IP rights. It causes complications in security evaluations. It causes complications in really understanding who's behind a domain name. I think we all know that the domain name system is a very self-service system. So there's always been skepticism of sort of the accuracy of the WHOIS because people get to input what they want. But nonetheless, folks really feel like it degraded the kind of content or the usefulness of the WHOIS at that time.

And since then, after ICANN issued that Temporary Spec that allowed that to happen, they embarked on some policy processes to try to get to a policy that would work because before that it was mandatory for registrars and registries to collect and publish, free of charge, WHOIS information. And yes, there are privacy and proxy services and things like that, that would obfuscate that. But nonetheless, for the most part, WHOIS was available.

But that policy process took quite a bit of time, and it broke into a couple phases. The first phase was like, okay, what can we still put in the WHOIS? What can be the rules around that, that don't kind of conflict with GDPR? We all know that GDPR is about personal data. So yes, there are a lot of domain names that are registered by individuals, but also there are a lot of domain names registered by entities. So trying to kind of deal with the difference between kind of like a legal entity and a natural person and some rules around that.

So that was sort of Phase 1 of the policy process, kind of getting to that, and that took about a year. And that was expedited. In the ICANN world, PDPs can go on for two to three years. So getting something done within a year is expedited, and it's a special PDP, an expedited PDP. And it is mandated in the ICANN bylaws that it is one year, that kind of the guidance is received within one year. So that that did happen on Phase 1.

But on Phase 2, once that kind of wrapped up, there was a group convened to say: "Okay, well, now how do we give access to WHOIS information that may not be published in the WHOIS because of GDPR restrictions? Are there kind of times where there are legitimate interests that that information should be published? Are there times where law enforcement needs it, security researchers need it, IP holders need it, and how would that happen? What would be the process or the system by which that information could be requested and disclosed?" And that's what kind of EPDP2 for disclosure of registration data was about.

And it took them a little bit, about a year again, to come out with a resolution, a kind of guidance on that. But unfortunately, the guidance that was provided on that, when evaluated in terms of a feasibility study, it was going to take many millions of dollars and many years to implement without really knowing that that was going to work. And so ICANN kind of took a step back, with the GNSO kind of arm in arm, certainly encouraged by the GAC to kind of step back and re-evaluate what's being proposed just because of the feasibility and whether or not that would really work.

So that's when we moved into the RDRS, which was the registration data, which still is the Registration Data Request Service. And what that is, I would say, in its most basic form, it's a ticketing system, where you make a request for WHOIS data. You have to disclose who you are, and you have to provide a reason why you're asking for it. And then that moves along to the registrar that sponsors the name, but only if that registrar is voluntarily participating in that service. So that was one of the big things that's been identified as a challenge of the RDRS is that that is not a mandatory requirement for registrars and registries. So that was problem number one. Number two, that system is only good for gTLDs. So people were entering ccTLD requests, but that's not something covered by the RDRS.

And there are some kind of challenges just with the RDRS system. You can only make one request at a time. It's really kind of the results have shown, over two years of operation of that, that many of the requests resulted in no information being disclosed. So it had a limited uptake, and there were some significant problems that really hindered its success.

And so it was decided, this is when we get finally to more current history, and that's the thing with ICANN, things take a little while. So we've been working on this issue since 2018, and here we are in 2026. But back at the ICANN meeting in Dublin last year, it was decided the RDRS was only supposed to be a two-year pilot. Kind of think of it as a quick and dirty system to see what data we could collect. We could get a better sense of what the demand was, what the requests were, what the sort of success rate was, things like that.

And while all that information was reviewed, it was determined that while not a huge success, there were some things, like I mentioned, that really hindered its success. And the fact is that does that mean that just because that wasn't as successful as everybody had hoped that we should automatically revert back to the initial system that was initially kind of proposed, which was often called SSAD. That stands for Standardized System for Access/Disclosure of Registration Data, so SSAD.

So at ICANN84, it was decided, you know what, let's let the RDRS pilot go beyond the two years, so let that continue to function. Basically, the ICANN Board kicked it back to the GNSO and said, "Okay, we need to kind of regroup here and figure out is there anything we've learned here that maybe we could either take kind of the learnings from the RDRS and improve SSAD so that it is feasible or what?" And so they kicked it back, said let's move beyond the initial two years pilot, and basically kicked it back to the GNSO to kind of talk about the future of the service and sort of associated policy recommendations.

So then earlier this year, at the ICANN meeting in Mumbai, the ICANN Board basically resolved, because they had these 18 recommendations that were the SSAD recommendations still pending for the last couple years, they decided to formally non-adopt those recommendations and formally send it back to the GNSO and really enabling work of kind of a small team to work on this. So that's what happened in Mumbai. And really what the goal of that small kind of team is to kind of propose modifications to the original 18 recommendations, kind of based on what we've learned through RDRS.

So that group has been meeting since the last ICANN meeting. They held several working sessions at ICANN86. This is very limited in scope. They're not allowed to come up with a whole new system. They're really there to basically try to amend or tweak what is there now to move this issue forward.

So this is not a completely new PDP. It's on a pretty short leash. We're watching this really closely. But access to WHOIS data continues to be an issue. I often tell people, when I went to my very first ICANN meeting, back in 2002, WHOIS was the issue, and here we are still 24 four years later looking at this. So it's kind of a little mind-boggling that we haven't figured this out yet, but certainly GDPR did add a wrinkle to things. So that work continues, and we'll continue to keep you updated on the progress there.

There is also kind of an issue that it's actually part of the RDRS or the existing kind of like ticketing system for WHOIS disclosure. There are requests that are urgent. An urgent request is sort of a high-priority request for that domain data. And these are for kind of emergency situations where there's either immediate risk or will require a swift response from domain registrars or registrars. You're really looking at like imminent harm and not like financial harm. I guess like imminent personal harm. And really trying to deal with a lot of the requests honestly made by law enforcement.

While again, WHOIS has not always been wholly reliable as accurate, it is something that law enforcement does use in their work. And so being able to provide information for things like imminent threat to life or serious bodily injury, threats to critical infrastructure, or kind of circumstances involving child exploitation, it's important that those requests don't just sort of sit and languish and like people get to them when they get to them. They need to be actioned quickly.

And those urgent requests shouldn't only apply to registrars and registries that participate in the RDRS. There should be kind of a process and a standard to kind of deal with those requests even outside that system, even if you're not participating in that system.

So that's what this discussion has been around, and it is something that there's been a lot of kind of like wrangling about over the last few meetings largely because, of course, law enforcement wants information ASAP, within 24 hours or less, like within an hour, within a couple hours. They want it just as quick as possible because it can be the difference between life or death or a really significant kind of a breach of critical infrastructure or harm to a child.

And so they've really been wrangling over this because registrars particularly struggle with how could they respond that quickly. The registrars are all over the world. They are different sizes and sophistication. Some teams are very small. They're often not legally trained. So it will take more than an hour or two to kind of like assess and respond to that, much less also kind of know what requests are legitimate. Like no one has like a database at their office of all the law enforcement agencies and how to know that the requests are coming from legitimate places. So this has been a significant kind of dialogue that's been going on.

A Practitioners Group, the GAC, really this has been a very big issue for them. And it makes a lot of sense. And they have part of the GAC, which is called the Public Safety Working Group or the PSWG. They've really been kind of banging the drum about this, like this is a huge priority. And so they took kind of the lead, if you will, in pulling together what was called a Practitioners Group, which involved the GAC, the GNSO, several law enforcement agencies, including like INTERPOL, Europol, and the FBI, really to try to figure out like how can we do this and what is a reasonable amount of time. And so they did resolve that kind of the standard is within 24 hours. There can be situations where it may take up to 72 hours for complex or very high-volume requests.

And the challenge is that a lot of this, though, can't really be set into action until we know how registrars and registries can kind of validate legitimate requests from law enforcement. And so that's what this Practitioners Group is doing. What it was doing is they were trying to come up with how we could kind of do this authentication. And so they came up with two kind of mechanisms. One is a short-term mechanism, and one is a long-term mechanism.

The short-term one certainly is not meant to be for a long period of time, but there is no specified amount of time that it will be. And the goal would be to kind of get this implemented potentially into RDRS, while things are still being decided around what system is going to be used long term for disclosure requests. But the short-term solution is basically for there to be given to ICANN a definitive list of law enforcement agencies that could be posted to registrars and registries to access to validate requests against. So it's the paper list that would be available to registrars and registries to be able to evaluate those requests coming in. So that's the short-term request. And so that list right now is being compiled.

And then the more long-term kind of proposal is having some type of integration where those law enforcement agencies actually kind of interface with an ICANN system that registries and registrars would have access to and could validate through some automated system.

So that's what's going on, short-term and long-term proposal here. But kind of an agreement has been made on kind of the time frames, and that has now been pushed out to registrars and registries. And now we're just waiting for kind of this list, the short-term solution right now to kind of go live. And then these things will kind of move into action.

But that's what's kind of happening with urgent requests. I think it's an important issue to kind of be aware of. Hopefully, none of us will have to work with law enforcement to make those requests. But I think it's important to be aware that that's a mechanism that's kind of going to be in play here.

Now let's move to WHOIS accuracy. So again, I mentioned earlier like when a very long time ago I started going to kind of ICANN meetings, WHOIS and WHOIS accuracy was a big issue. It still is. It's a very, very big issue, kind of championed by the GAC. They have, for as long as I can remember now, like the past 10 years at least, really been pushing ICANN in a lot of ways to kind of, one, understand really how accurate current WHOIS is, and then secondly how to make it better.

So there's been this GNSO Small Team that's kind of reviewed some "threshold questions" and kind of like recommendations about WHOIS accuracy. And so it's things like shortening the current 15-day limit for registrars to validate registration data, kind of provide some additional education, indicate whether domains actually get suspended due to data accuracy violations. There is language in current contracts with registries and registrars that does allow for the deletion, but you often don't see it.

And really, as this issue has continued to drum along, at the last ICANN meeting, really the GAC in their communiqué, which is a document they put out shortly after the ICANN meeting which summarizes kind of what they did while at the meeting, kind of the meetings they engaged in, the topics they kind of explored, and then it also kind of outlines things like issues of importance to the GAC with some further kind of rationale and kind of description, as well as if they have any formal advice for the ICANN Board. And so in their ICANN85 Communiqué earlier this year, they really kind of expressed strong interest. They just feel like this keeps on spinning, spinning, spinning. It keeps on bouncing between all these different working groups. We kind of make a little bit of progress, but it never really seems done. And they feel like we're still not to the resolution. And I would not disagree with them.

And so they basically have come back to the ICANN Board and said, "You know what, we want to again directly engage with you, the ICANN Board and the contracted parties, which are the registries and registrars, to really discuss this 15-day requirement for registrars to validate and verify registrant contact information." And so what that means is when you register a domain name using a registrant for the first time, there's a current obligation of registrars to have 15 days to kind of validate that that's accurate information. You can validate the address. You can test the phone number, things like that. And they just feel like that's way too long. And so, again, they want to directly engage here.

So just before this ICANN meeting, the GAC chair themselves requested to kind of reconvene this sort of trilateral kind of meeting. I won't go as far as calling it a working group, but sort of like meeting, forum, let's call it that, between the GAC and the GNSO to really help talk about this in the context of mitigating abuse. I think in the past a lot of people have seen this WHOIS issue championed by the GAC as sort of nice to have in some ways, but like, hey, everybody knows the system is self-service, so it is what it is. But now with all the issues around DNS abuse, I think the context is different. And verification of registrant contact data in that context, I think, is a very compelling topic, and I think it does get people's attention and kind of does get people thinking about it a bit more seriously because it can be part of the piece of the puzzle in trying to deal with DNS abuse.

So that takes us to the topic of DNS abuse, which has been a topic at every ICANN meeting now for the last probably say going on four years. And it's been a topic where certainly it's not only ICANN that's responsible to kind of solve DNS abuse. But ICANN has a role, and the ICANN community has a role. In fact, all of us have a role in mitigating DNS abuse.

So anyway, just to give a little bit of more recent history here, in August of '25, the GNSO Council kind of requested an Issue Report on DNS abuse. And they kind of initially had three priority topics, and that kind of got scoped down to two topics. And one is kind of the Preliminary Issue Report kind of identified access to an API, addressing the misuse of kind of ungated, batch, or API tools that enable those sort of large-scale, malicious registrations. So many of you may know, the bad guys are not a bunch of kids sitting in a garage. They're sophisticated. In some cases, they're state actors. And they have very sophisticated technology, and they know how to connect APIs to registration systems of various registrars that they do business with. And they are requesting using AI and APIs, so APIs is sort of like an automated connection, think of it that way, to do high-volume requests and registrations.

So back in the day, yeah, we're dealing with people who are one by one registering domain names. But now, we're in situations where there are huge, high-volume batches of domain name registrations flooding the systems basically and activated very, very quickly. So that's one issue.

And then the other issue that has been identified as sort of high priority here is associated domain checks. What that means is a couple years ago there were DNS abuse provisions put in ICANN registrar and registry contracts. You can report DNS abuse to a registrar. Their abuse contact is in the WHOIS record, and you can contact them at that address and basically make a DNS abuse complaint. And registrars are required to kind of go and then kind of do some investigation. They're not the FBI, or they're not INTERPOL or Europol. But they're required to kind of go and like look at things.

The thing is that it's usually a specific name that is being requested, like basically saying this specific name is causing some DNS abuse. And what we find and I think what we know is that oftentimes the person or group or entity that registered that one name may actually also have many, many other names with that registrar. So the goal here is like let's stop kind of just trying to pick like one piece of straw up at a time. Let's try to pick up the whole bundle of hay and like find all the names associated with that bad actor and kind of put that all into one action. And so that's what that is about. And so, right now, I'll call that the lead issue on DNS abuse.

They are not going to be worked simultaneously. They're going to be kind of put in order here. So the first PDP that is being initiated is related to these associated domain checks. And basically, they were initiated earlier this year. The GNSO has been working on it, and now they've gone through charter questions and all that, but they're going to be working further on that. So that's kind of the focus now.

The PDP 2 regarding the safeguards for sort of like unrestricted API access, that's going to be next. But that will be determined by the GNSO in terms of like timing after the first PDP.

So this group, they are going to publish their Initial Report in February of next year, 2027, with a goal of also then having the Final Report to the GNSO by May 2027. And basically, hopefully, the GNSO Council will then consider and vote on their Final Report in September of 2027. And then, those recommendations would move on to the ICANN Board. So they're going to be working throughout the remaining part of this year, and next year is when we should start seeing some reports on what is being proposed. So we'll keep you informed of that.

So it's a lot of kind of devil in the detail. They've got things kind of broken down into different questions, and they're working through those. So again, we'll continue to monitor that and inform everybody when that Initial Report comes out and talk about some of those initial recommendations.

So as I mentioned, DNS abuse is something that is everyone's kind of issue, everybody's problem. We work with our customers every day regarding challenges they're having around DNS abuse and kind of misuse of their brands online. I've mentioned this before. We have a great system called CSC DomainSEC that really helps kind of bring this all together, give you one kind of single pane of glass to kind of get insights and not just insights, but actions you should be taking to kind of like take some security measures and to kind of tighten up your security measures around your domain portfolio, insights into kind of brand protection and anti-fraud kind of efforts. So if you want to schedule a demo, there's a URL there. You can certainly go there and request a demo, and our team would be happy to show you that. But it really is a way to get a very good, clear picture of what's going on within your kind of sphere of influence, if you will, and what's happening with your brands online.

All right. So we're going to come down the home stretch here. We're going to talk a little bit about the Governmental Advisory Committee again. As I mentioned, they issue a communiqué at the end of every ICANN meeting. Currently, just to give you some kind of sense of scope and scale, the GAC is made up of 184 Member States and Territories, and they have 41 Observer Organizations. So this is mostly representatives from kind of like telecom ministries or like ministries within different governments. At this last ICANN meeting, here in Seville, they had 76 GAC Members and 11 Observers participated.

This group has been growing over time, but they've reached a pretty steady participation rate. And the countries that do participate, they're not just sitting and watching. They are really digging in on these issues and really providing kind of perspectives from a public policy standpoint. And there was a time where the GAC at ICANN wasn't something that I would say had a really strong voice. But certainly over the last I would say probably 8 to 10 years, their voices increased dramatically. It really started with the first round of the New gTLD Program, where they really kind of came into their own. So I guess actually it's been longer than 8 to 10 years. It has probably been closer to 10 to 14 years, where their influence continues to grow, even though their numbers stay relatively stable.

All right. So just to give you a sense of things that are on the GAC's mind. I often say that if you want to know what's going on at ICANN or what's really going to make some progress, look at the GAC because, as I've mentioned, their voice is pretty loud and their voice gets attention.

So there's been something that is more a little bit of like inside baseball type stuff, but there's something called the Review of Reviews. ICANN undertakes kind of reviews of its processes and kind of how it goes about doing things on kind of a regular basis. And there are some voices in the industry, in the community may be a better way to say it, that feel like it's just like as soon as we finish one review, we're right on to the next review. They never kind of like get done with them. And so they have been doing a review of the reviews, and kind of the recent output of that has been we're doing too many reviews. We need to kind of like kind of slow it down so we can actually get some of this work done. So the GAC is concerned about that.

DNS abuse and we've talked about DNS abuse mitigation, and the GAC is reframing that WHOIS accuracy issue in the context of DNS abuse. And I think that's really smart because I do think that is important from a DNS abuse mitigation perspective, but also the right lens to be looking at WHOIS accuracy at this time.

Then they're following very closely the work that's being done around kind of domain registration data that we talked about. So they are very much pushing, as I've mentioned, the urgent requests for the disclosure of registration data. They are really helping kind of wrap that up in terms of working with law enforcement.

Privacy and proxy services as well is something that's they want. ICANN had policy development done on that, and it was in implementation and then it got stopped when GDPR became enforceable. And they kind of put it on the back burner, and it's only recently that that's now been dragged back out and work now being done to kind of like figure out what needs to be adjusted given the kind of new landscape we live in, so that we can actually implement some governance and some compliance over privacy and proxy services because I know as brand holders that's a very big issue, like getting behind those privacy and proxy services to understand who's behind the names or getting some kind of response is very difficult. It often takes filing a UDRP to get behind those privacy and proxy services, and that is a very expensive way of doing that. So the GAC is very much behind like ICANN needs to move on with the implementation of the policy that was drafted prior to GDPR becoming enforceable. And then the WHOIS accuracy stuff.

They also have a lot to say around ICANN as part of kind of the Round 2 New gTLD Program. A new kind of feature of this round has been what's called the Applicant Support Program, to try to encourage applicants to come forward from really kind of either underserved or locations or communities that really are not on the internet today and maybe lack the resources and know-how and expertise on how to put forth an application and to do a new gTLD. So there's an Applicant Support Program to help them with that both financially and from a know-how perspective, and the GAC continues to champion that. And so we will have some applications this round that come through that program.

And then there's some work being done around preserving universal connectivity and addressing for DNS blocking. It's more of a technical thing there.