Jury still out on ICANN’s content policing powers

Key ICANN community groups have refused to come down on one side or the other in the debate about proposed content policing powers, leaving the question up in the air as ICANN considers a major bylaws amendment.

As I reported last month, ICANN is thinking about changing its governing bylaws to permit it to enforce Registry Voluntary Commitments — contract clauses that could include rules on the content of web sites — on registries in future new gTLD application rounds.

ICANN’s board is convinced that it needs to amend the Org’s bylaws, which explicitly prevent it policing content, in order to do this. It is concerned that “there are political, practical, and reputational risks associated with ICANN negotiating and entering into contract provisions that have the effect of restricting content in gTLDs”.

Such an amendment would require the consent of the five-member Empowered Community, to which ICANN answers, and so far there’s little indication that it would be able to secure the three votes needed.

The EC is made up of the ASO, the ccNSO, the GNSO, the ALAC and the GAC, and so far only the ALAC has said that it supports a bylaws amendment. The GNSO is split, with contracted parties dead against the amendment, and would be unlikely to vote in favor. The GAC seems to be on the fence.

The ASO and ccNSO both declined to express an opinion, saying matters related to gTLDs are outside of their remit, but ICANN chair Tripti Sinha pressed the groups to reconsider in letters this March.

Now, both groups have responded by digging their heels in — nope, it’s none of our business, they say.

“The topics addressed in the consultation are outside the scope of the ASO, so we respectfully decline the invitation to provide input at this time,” the ASO said.

“After careful consideration, we still do not see conditions which warrant our participation in the implementation of the next round of new gTLDs,” the ccNSO said.

The ccNSO added that it could only comment on a proposed bylaws amendment if it could see the draft text of the amendment, and that is not yet available.

If ICANN leadership was hoping for clarity on whether a content policing bylaws change is even feasible, it looks like it doesn’t have it yet.

ICANN preparing for ONE HUNDRED registry back-ends

The number of gTLD registry back-end providers could more than double during the next new gTLD application round, ICANN’s board of directors has been told.

There are currently about 40 registry services providers serving the gTLD industry, but ICANN is preparing for this to leap to as many as 100 when it launches its Registry Service Provider Evaluation Program for the 2026 application round.

“We’re preparing, I think, for roughly a hundred or so applications which will include the 40 existing providers that we’re aware of, and another 60 or so is sort of our rough market sizing,” Russ Weinstein, a VP at ICANN’s Global Domains Division, told the board during a meeting in Paris last week.

The number is based on what ICANN is preparing to be able to handle, rather than confirmed applicants to the RSP program, it seems.

“We are hoping to see some diversification and new entrants into the space,” Weinstein said.

Board member Edmon Chung elaborated that he expects most of the new entrants to be ccTLD registries hoping to break into the gTLD market.

“We can expect a few more ccTLD registries that might be be interested,” he said. “We’re probably not expecting a completely new startup that just comes in and becomes a registry, but beyond the 40, probably a few more ccTLDs.”

ccTLD registries already active in the gTLD market following the 2012 application round include Nominet, Nic.at and AFNIC, which tend to serve clients that are based in the same timezone and use the same native language.

A new way to game the new gTLD program

It may not help you win a gTLD, but a new method for screwing over your enemies in ICANN’s new gTLD program has emerged.

As I reported earlier today, it seems quite likely that ICANN is going to add a new step in the new gTLD evaluation process for the next round — testing each applied-for string in the live DNS to see if it causes significant name collision problems, breaking commonly deployed software or leading to data leaks.

The proposed new Technical Review Team would make this assessment based in part on how much query traffic non-existent TLDs receive at various places in the DNS, including the ICANN-managed root. A string with millions of daily queries would be flagged for further review and potentially banned.

The Name Collision Analysis Project Discussion Group, which came up with the new name collisions recommendations, reckons this fact could be used against new gTLD applicants as a form of sabotage, as it might be quite difficult for ICANN to figure out whether the traffic is organic or simulated.

The group wrote in its final report (pdf):

In the 2012 round, the issue of name collisions included an assumption that the existence of any name collision was accidental (e.g., individuals and organizations that made a mistake in configuration). In future rounds, there is a concern on the part of the NCAP DG that name collisions will become purposeful (e.g., individuals and organizations will simulate traffic with an intention to confuse or disrupt the delegation process)…

Determining whether a name collision is accidental or purposeful will be a best-effort determination given the limits of current technologies.

We’re basically talking about a form of denial of service attack, where the DNS is flooded with bogus traffic with the intention of breaking not a server or a router but a new gTLD application filed by a company you don’t like.

It probably wouldn’t even be that difficult or expensive to carry out. A string needs fewer than 10 million queries a day to make it into the top 25 non-existent TLDs to receive traffic.

It would make no sense if the attacker was also applying for the same gTLD — because it’s the string, not the applicant, that gets banned — but if you’re Pepsi and you want to scupper Coca-Cola’s chances of getting .coke, there’s arguably a rationale to launch such an attack.

The NCAP DG noted that such actions “may also impact the timing and quantity of legal objections issued against proposed allocations, how the coordination of the next gTLD round is designed, and contention sets and auctions.”

“Name collisions are now a well-defined and known area of concern for TLD applicants when compared to the 2012 round, which suggests that individuals and organizations looking to ‘game’ the system are potentially more prepared to do so,” the report states.

I’d argue that the potential downside of carrying out such an attack, and getting found out, would be huge. Even if it turns out not to be a criminal act, you’d probably find yourself in court, with all the associated financial and brand damage that would cause, regardless.

.home, .mail and .corp could get unbanned

The would-be new gTLDs .home, .mail and .corp — which were some of the most hotly contested strings in the 2012 application round before ICANN banned them — could get a new lease of life if ICANN adopts the recommendations of a panel of security experts.

More than 20 applications for the three strings were first put on hold, and then rejected outright in 2018, due to the risk of name collisions — where a TLD in the public DNS clashes with a domain used extensively on private networks.

The three non-existent TLDs receive more than 100 million queries per day at the DNS root due to queries leaking out from private networks, creating the risk of stuff breaking or sensitive data being stolen if they were to ever be delegated.

But now ICANN has been told that it “should not reject a TLD solely based on the volume of name collisions” and that it should submit .home, .mail and .corp to a new, more nuanced “Name Collision Risk Assessment Process”.

The recommendations comes in a newly published and rather extensive final report (pdf) from the Name Collision Analysis Project Discussion Group, which has been looking into the name collisions problem for the last four years.

While NCAP says ICANN should create a Collision String List of high-risk strings that new gTLD applicants could consult, it stopped short of recommending that the Org preemptively ban strings outright with a “do not apply” list, writing:

Regarding .CORP, .HOME, and .MAIL, high query volume is not a sufficient indicator of high-risk impact. The complexity and diversity of query sources further complicate the assessment of risk and impact. It is impractical to create a pre-emptive “do-not-apply” list for gTLD strings due to the dynamic nature of the DNS and the need for real-time, comprehensive analysis.

.corp might have a relatively easier time getting unblocked. NCAP figured out that most queries for that TLD are due to one “globally dominant software package” made by Microsoft that uses .corp as a default setting. This problem would be easier to fix than .home, which sees bogus traffic from a huge range of sources.

.mail also might be safe to delegate. NCAP noted that at least six gTLDs with more pre-delegation query traffic — .network, .ads, .prod, .dev, .office and .site — were subsequently delegated and received very low numbers of collision reports from live deployment.

Instead of banning any string, NCAP instead proposes a new Name Collision Risk Assessment Framework.

Under the framework, a new Technical Review Team would be in charge of testing every applied-for gTLD not already considered high risk for collision risks and placing the high-risk ones on a Collision String List of essentially banned strings.

To do so, the applied-for gTLD string would have to be actually delegated to the live DNS root zone, under the control of the TRT rather than a registry or applicant, while data is gathered using four different methods of responding to query traffic not unlike the “controlled interruption” method currently in use.

This would be a huge break from the current system, under which gTLDs only get delegated after ICANN has contracted with a registry operator, but it would mean that IANA would be able to quickly yank a gTLD from the DNS, if it started causing serious problems, without stepping on anyone’s commercial interests or inviting legal action.

There’s little doubt that the proposed framework would add friction to the new gTLD evaluation process in the next round, but the fact that NCAP has delivered its recommendations ahead of its original schedule is good news for those hoping for no more delays to the next round actually launching.

The NCAP study was considered on the critical path to the next round. It’s already been approved by the Security and Stability Advisory Committee and is expected to be considered by ICANN’s board of directors at an upcoming meeting. Implementing the recommendations would obviously take some time, but I doubt that would delay the expected Q2 2026 opening of the next application window.

The new recommendations on .corp, .home and .mail mean those gTLDs could well come back into play in the next round, which will come as cold comfort to the applicants who had their $185,000 application fees tied up for years before ICANN finally decided to ban them in 2018, offering a full refund.

There were seven applicants for .mail, six for .corp, and a whopping 11 for .home. Applicants included GoDaddy, Google, Amazon, and Identity Digital.

According to ICANN’s web site, Google never actually withdrew its applications for .home, .corp and .mail, and Amazon never withdrew its application for .mail. If that’s accurate, it could lead to some interesting disputes ahead of the 2026 application round.

Unstoppable to apply for Women in Tech gTLD

Unstoppable Domains and Women in Tech Global have announced that they plan to apply for a new gTLD when ICANN opens the next application round.

They want .witg, which Unstoppable has already launched on its blockchain-based naming system. They cost $10 a pop.

Unstoppable says the names come with some social networking features, as well as the usual ability to address cryptocurrency wallets.

The company has also recently announced gTLD application partnerships with POG Digital for .pog, Clay Nation for .clay and Pudgy Penguin for .pudgy.

Unstoppable is mainly competing here with D3 Global, which is also recruiting blockchain businesses that want to embrace the DNS when the next round opens.

D3 announces seventh blockchain gTLD client

D3 Global has announced yet another likely new gTLD applicant from the blockchain space.

The specialist consultancy said it has partnered with MAKE and the Casper Foundation, a software developer and its non-profit backer respectively, to apply for .cspr when ICANN opens its long-awaited next round of new gTLD applications in a couple years.

It’s the seventh such deal D3, which says it can help blockchain companies link their alternative namespaces to the DNS, has announced since its launch late last year.

It is also working with partners to apply for .ape, .core, .vic, .near, .gate, and .shib.

A million “free” .music domains up for grabs

The new .music gTLD registry says it will give away up to one million first-year domains over the next five weeks as part of its launch program, but there are of course plenty of catches.

DotMusic says the domains are available to what it calls “Music Community Member Organizations” — think record labels and the like — until May 24 or it reaches a million names, whichever comes first.

With not much more than a month to get on board and a fairly complex, multi-layered registration and verification process, it seems more likely that the promo will time out before it hits seven figures.

.music is a “community” gTLD only available to entities with a nexus to the music industry. The names are only available as exact matches of music performers or professionals or the organizations they belong to.

They’re also only resolvable after the registrants verify their identities via DotMusic’s sister company, ID.music, which costs $1.99 per domain during the promotion.

It’s not exactly “free”, but compared to the usual price of defensively registering during sunrise periods, it’s an absolute bargain. DotMusic’s regular, ICANN-mandated sunrise period ended a few months ago, with dozens of domains registered by the usual suspects — the likes of Apple and Amazon.

More details on the promotion can be found here. General availability begins June 25.

ICANN content policing power grab may be dead

A move by ICANN to grant itself more formal “content policing” powers may be dead, after the community was split on the issue and governments failed to back the move.

The Governmental Advisory Committee yesterday sent comments essentially opposing, for now at least, the idea of ICANN reforming its bylaws to give it more powers over internet content, making it very unlikely that ICANN would be able to get such amendments approved by its community overseers.

The comments came a few days after ICANN extended the deadline for responses to a December 2023 consultation on whether applicants in the next new gTLD round should be able to sign up to so-called Registry Voluntary Commitments that regulate content in their zones.

RVCs would be an appendix to ICANN Registry Agreements which would commit a registry to, for example, ban certain types of registrant or certain types of content from domains in their gTLDs.

They’re basically a rebadged version of the Public Interest Commitments found in RAs from the 2012 round, in which the likes of .sucks agreed to ban cyberbullying and .music agreed to ban piracy.

But they’ve got ICANN’s board and lawyers worried, because the Org’s bylaws specifically ban it from restricting or regulating internet content. They’re worried that the RVCs might not be enforceable and that ICANN may wind up in litigation as a result.

ICANN has therefore proposed a framework (pdf) in which RVCs would be enforced by ICANN only after an agreed-upon third-party auditor or monitor found that a registry was out of compliance.

The board sent out several pages of questions to all of its Supporting Organizations and Advisory Committees in December, asking among other things whether the bylaws needed to be amended to clarify ICANN’s role, but the responses were split along traditional lines.

Registries and registrars were aligned: there’s no need for a bylaws change, because ICANN should not allow RVCs that regulate content into its contracts at all.

“ICANN should maintain its existing bylaws which exclude content from its mission, and allowing any changes to this could be a slippery slope opening ICANN to becoming a broader ‘content police’,” the Registrars Stakeholder Group said in its response, giving this amusing example:

An example of a content restriction is provided in the proposed implementation framework for .backyardchickens (e.g. no rooster-related content). Restricting rooster-related content would require a significant amount of policing, and could even prohibit valuable content that would benefit such a TLD. For example, a backyard hen farmer might want to promote the pedigree lineage of the roosters that helped sire the hens, show pictures of the roosters that were the fathers, etc. All of this could in theory be prohibited,but would also require review and subjective analysis. This would be a very slippery slope for ICANN, and a substantial departure from its mission. Restricting rooster content would then put ICANN in the place of enforcing laws that prohibit backyard roosters, rather than relying upon the competent government authorities charged with overseeing residential animal husbandry.

The Non-Commercial Stakeholders Group was more strident in its tone, even raising the possibility of legal action if ICANN went down the content policing route, saying “the best way for the Board to address content-related PICs and RVCs is to make it clear that it will reject them categorically.” It added:

The prohibition on content regulation in ICANN’s mission is extremely important and very clear. Mission limitations were a critical part of the accountability reforms that were required before ICANN would be released from US government control in 2016… NCSG will mount a legal challenge to any attempt to dilute this part of the mission.

The opposing view was held by the Business Constituency, the Intellectual Property Constituency, and the At-Large Advisory Committee, which is tasked with representing the interests of ordinary internet users.

They all said that ICANN should be able to allow content-related RVCs in registry contracts, but the IPC and BC said that no bylaws amendment is needed because the bylaws already have a carve-out that enables the Org to enforce PICs in its agreements. The ALAC said a bylaws amendment is needed.

“There is a distinction between ICANN regulating, i.e imposing ‘rules and restrictions on’ services and content, versus the registry operator voluntarily proposing and submitting to such rules and restrictions,” the IPC wrote.

“There is also a distinction between ICANN directly enforcing such rules and restrictions on third parties, i.e. registrants, versus ICANN holding a registry operator to compliance with the specifics of a contractual commitment,” it added.

The last community group to submit a response, fashionably late, was the GAC, which filed its response yesterday having reviewed all the other responses submitted so far. The GAC arguably has the loudest voice at ICANN, but its comments were probably the least committed.

The GAC said that ICANN should only go ahead with a bylaws amendment if it has community backing, but that the community currently lacks consensus. It said, “at this stage there are not sufficient elements to justify commencing a fundamental bylaws amendment to explicitly enable the enforcement of content-related restrictions”.

However, the GAC still thinks that RVCs “will continue to serve as tools for addressing GAC concerns pertaining to new gTLD applications during the next round” and that it wants them to be enforceable by ICANN, with consequences for registries found in breach.

The GAC said that it “will continue to explore options to address this important question”.

This all means that ICANN is a long way from getting the community support it would need to push through a bylaws amendment related to content policing. That’s considered one of the “Fundamental Bylaws” and can only be changed with substantial community support.

Such amendments require the backing of the Empowered Community. That’s the entity created in 2016 to oversee ICANN after it severed ties with the US government. It comprises individuals from five groups — the GAC, the GNSO, the ccNSO, the ALAC and the Address Supporting Organization.

For a fundamental bylaws amendment to get over the line, at least three of these groups must approve it and no more than one must object.

With the GNSO, given its divisions, almost certainly unable to gather enough affirmative votes, the GAC seemingly on the fence, and the ASO and ccNSO recusing themselves so far, only the ALAC looks like a clear-cut yes vote on a possible future bylaws amendment.

Perhaps that’s why ICANN chair Tripti Sinha has written to the ASO and ccNSO in the last few days to ask them whether they’d like to think again about ducking out of the consultation, giving them an extra two weeks to submit comments after the original March 31 deadline.

The ccNSO handles policy for country-code domains and the ASO for IP addresses. Both have previously told ICANN that gTLD policy is none of their business, but Sinha has urged them both to chip in anyway, because “the ICANN Bylaws govern us all”.

Internet could get one-letter gTLDs (but there’s a catch)

ICANN is set to loosen up its restrictions on single-character gTLDs in the 2026 application round, according to draft Applicant Guidebook language.

But the exemption to the usual rule applies only to gTLDs written in one script — Han, which is used in Chinese, Japanese and Korean.

Applied-for Latin-script strings must be three characters and over (because two-letter strings are reserved for ccTLDs) and internationalized domain names in other, non-Han scripts have a minimum of two characters.

The exemption for Han is being put in place because it’s an ideographic script, where a single character can have a meaning that other, alphabetic scripts would require an entire string to express. Google tells me the Chinese for “water” is 水, for example.

The 2012 gTLD application round did not feature the Han carve-out, and no IDN gTLDs currently in the DNS have fewer than two characters.

The draft rules governing IDNs are expected to be part of the next batch of AGB components that ICANN releases for public comment. The comment period on the first batch ended this week with no particularly controversial issues emerging.

Microsoft moving its cloud apps from .com to .microsoft

Microsoft is planning to move all of its Microsoft 365 apps off a multitude of .com domains and consolidate them all under .microsoft, its dot-brand gTLD.

The company says it will move Teams, Outlook, and Microsoft 365 web apps to the cloud.microsoft domain. They currently use domains such as outlook.office.com, teams.microsoft.com and microsoft365.com.

It first announced the move in April last year and this week reminded developers of apps that use its cloud platform that they need to support the new domain.

Explaining the move to the dot-brand last year, the company wrote:

Consolidating authenticated user-facing Microsoft 365 experiences onto a single domain will benefit customers in several ways. For end users, it will streamline the overall experience by reducing sign-in prompts, redirects, and delays when navigating across apps. For admins, it will drastically reduce the complexity of the allow-lists required to help your tenant stay secure while enabling users to access the apps and services they need to do their work.

Microsoft plans to launch the teams.cloud.microsoft domain in June but run the two domain schemes in parallel for a while, so as to not unnecessarily break apps in its developer ecosystem.

It’s not going to dump microsoft.com altogether, saying that it plans to use it for “non-product experiences such as marketing, support, and e-commerce.”

The cloud.microsoft domain is already one of the more visible dot-brand names out there, ranking in the top 20 most-visited, according to Majestic rankings.

Hat tip: The Register.