Recorded Webinar: A Wealth of Knowledge from the Persian Gulf: Insights from ICANN 60

Insights from ICANN 60: A Wealth of Knowledge from the Persian Gulf

Please be advised that these free recorded webinar presentations have been edited from the original format (which might include a poll, product demonstration, and question-and-answer session). To set up a live demo, please complete the form to the right.

CSC® experts have been around the world gathering ICANN insights, most recently in Abu Dhabi, the capital city of the United Arab Emirates. In late October, Director of Policy and Industry Affairs Gretchen Olive, along with Head of New gTLD Services Ben Anderson, attended ICANN 60 in the Persian Gulf.

For this webinar, they share new information on the latest domain name and brand protection developments, the New gTLD Program and the IANA Functions Stewardship Transition, and other topics of significant interest to brand owners everywhere.

As experts in the industry, Gretchen and Ben address best practices in effective global domain name, trademark, and brand protection strategies, with a focus on new gTLDs.

Slideshare

Webinar Transcript


Anu: Hello, everyone and welcome today's webinar, "A Welcome Knowledge from the Persian Gulf: Insights from ICANN 60." My name is Anu Shah and I will be your moderator. Joining us today are Gretchen Olive and Ben Anderson.

Gretchen is an internationally recognized expert on ICANN's New gTLD Program. For nearly two decades, she has helped clients navigate the evolving internet landscape through more effective global domain name, trademark, and brand protection strategies. She has served on several INTA subcommittees focused on the preservation and protection of intellectual property rights and consumer safety on the internet.

Ben is the head of new gTLD services and is responsible for overseeing the development of the company's product portfolio and proposition. He is an active member of the industry on the topics of gTLDs and currently sits on the board of various domain and compliance bodies for ICANN and INTA, regularly providing expertise, guidance and advice on any development.

With that, let's welcome Gretchen and Ben.


Gretchen: Hello, everyone. Thanks for joining us. Another eventful meeting, ICANN meeting. They never seem to let down. We have a full agenda as always, but we're excited to share some definite landmark developments in the industry that I think everybody needs to be aware of. So, we will get on with it.

Before we get started, we're going to do a little bit of level setting, making sure everybody knows who ICANN is and the structure that exists. So, ICANN is the Internet Corporation for Assigned Names and Numbers. It is the organization that governs the DNS. As you can see here, it's kind of a little bit of an org chart. You'll see the board of directors at the top and then below you'll see a series of blue and gray boxes.

These are different supporting organizations within ICANN, and then of course there's the president and CEO along with the ICANN staff. The folks in the supporting organization, you have the GNSO, which is the Generic Name Supporting Organization, or the ccNSO, which is the Country Code Top-level Domain Supporting Organization, these are all groups of different subgroups that volunteer their time in the ICANN space to help develop policy.

ICANN is a multi-stakeholder model and policy is developed through a bottom-up consensus policy-making methodology. So, it makes for some interesting dialogue because you get people coming from around the world from different aspects of the internet space with different perspectives and ideas and cultural perspectives. So, it's always a really interesting time.

This was one of the first meetings in a while in the Middle East, which I think added an additional layer of interest there with some new faces, which was really good.

You'll also see a series of gray boxes on the right-hand side. These are advisory committees and technical groups that also advise the board of directors as this policy comes up from this bottom-up process that I spoke of.

So, one group is one I always highlight is the Governmental Advisory Committee. They're in the darkish gray box there at the bottom. That's a group of . . . it's getting close to 200 different countries represented in that group. It's really representatives from the different telecommunication agencies or ministries within the countries that come and basically watch what's going on within the other organizations and the policymaking that's going on there, and then advises the board from a public policy standpoint, whether there are things they haven't thought of or things they're considering are really inconsistent with public policy objectives.

So, there's always this kind of tension between the community and the governmental advisory committee, I think, that's gotten better over time, but there's definitely a full group of people anywhere from academia to governments and everybody in between who comes to an ICANN meeting.

The meeting structure has changed through the years, and actually we're just about a year into the new meeting structure. Currently, what's going on is there are three meetings a year. They call it meeting A, meeting B, and meeting C. This meeting was meeting was meeting C, which is the end of the year meeting, which is the annual meeting of the ICANN community. It's the longest of the meetings. It's the meeting where there's a ton of policy work and things like that that gets done.

But it's also the year that ICANN does a lot of things like high-interest topics and brings together people within the community to talk about things like emerging technologies in the DNS and things like that. So, it's really an opportunity not only to bring people together, but also showcase the policy and bringing people together kind of networking within the industry. It's really an opportunity for ICANN to kind of do those things in the meeting C format. So, seven-day format makes for a lot of interesting information.

So, let's move on to the substance. I'd like to start today with what's going on with the Competition, Consumer Trust and Consumer Choice Review Team, or the CCT review Team. This group was formed as a result of ICANN's commitment to the governmental advisory committee back in 2012 when the New gTLD Program round 1 kind of got started. Well, the application process got started.

Right before that all happened, ICANN promised the governmental advisory committee that they would do a full evaluation of round 1 before embarking on round 2. So it's really looking to what went right, what went wrong, what needs to change.

So this volunteer group has come together on this review team, and really what they're looking to do is evaluate how the program promoted competition, consumer trust and consumer choice, because that was what ICANN stated, the objectives of the New gTLD Program. They're also evaluating the effectiveness of the application evaluation processes. How they evaluated applications, did it work? Was it efficient?

And then finally, they're evaluating the effectiveness of safeguards that were put into place to try to prevent DNS abuse, make sure that rights protection, different property rights, or intellectual property rights were protected online, things like that. So they're looking at evaluating those things.

They're trying to take a really data-driven approach. As you can imagine with such a diverse group of people in the internet community and the ICANN community, there are a lot of anecdotal insights and perspectives, but really, it's important to look at a lot of these things stripped of the agenda and really look at it from a data lens to help inform policy related to new gTLDs. So that's what they're endeavoring to do.

Now, their timeline, they've been working on this kind of review for a while. It started back in December of 2015. Kind of a lot has happened since then. They've had a draft report that was published in March of this year. They really spent most of 2016 trying to pull some initial evaluations together, publish that initial draft report. Then there was a DNS abuse study that was published by the group in August of this year.

Now we're in November, where they're actually getting ready to publish some new sections of the draft report to augment what was published back in March. We got a sneak peak into that at this meeting. So we'll share some of those insights and findings, which will be published in the report here in November.

They're hoping to deliver a final report to the ICANN board in 2018, and then the board potentially taking action on some of their recommendations and insights in June of 2018. We'll see if that actually flows out, but that's the plan.

The CCT Review Team, as I mentioned, is really this umbrella group. There are a lot of things going on simultaneously. We'll talk about some of those things, particularly some policy development processes that are coming out of the Generic Name Supporting Organization, or the GNSO, that are all partially inputs to this process. But the CCT Review Team is really kind of the ones pulling it all together in summary.

So let's look at . . . First, I wanted to give you the link here to the initial report in March 2017, in case you missed that. There's good information in there. That report went out for public comment. The link there is the public comment site, so you can not only get a copy of or read the initial report, but you can also see the comments and summary of comments to that.

Now, this new update that's expected this month, it really is covering three areas: parked domains, DNS abuse, and then rights protection mechanisms. So there's been some further work done here that they wanted to publish their findings on.

So let's first start with the parked domains. So a lot of domains in both legacy new gTLDs are what they called parked. They're not really live content for the registrant's purposes. They're often monetized. The CCT Review Team has determined that further research is definitely necessary in this area. They did find a higher rate of parking in new gTLDs, so you'll see 68% of registrations in new gTLDs are currently parked compared to 56% in the legacy gTLDs.

There are theories on both positive and negative impact on competition and choice of parked domain names. If people actually land on them and they're parked, are they really promoting consumer choice? Are they really promoting competition? It's really unclear at this point.

As I mentioned, though, it's really clear that there's a higher parking rate in legacy gTLDs, but why is that? I don't think anybody has a lot of insight. They're also seeing that malware is marginally more likely to occur in zones where there's a higher parking rate. So that's an interesting observation.

In terms of recommendations, the CCT Review Team is recommending that there be further collection of parking data. I think what you'll see as we kind of go through all these things is that a lot of these studies that are being done and these surveys that are being done, it's the first time they've been done, so it's like a baseline. They don't have anything to compare it to.

So they're really seeing that there needs to be more data collected on an ongoing basis. Not only just collected, but analyzed and acted upon. They're really recommending that ICANN should regularly track the proportion of TLDs that are parked and with sufficient granularity to identify those trends on a regional and global basis. So that's one of their recommendations.

When you move on to actually DNS abuse, you're going to see a theme here a little bit, so hopefully I'm not spoiling it at this time, but there was that report that I mentioned a little earlier, Statistical Analysis of DNS Abuse in gTLDs, that was published in August. Really, what they were trying to do was measure the effectiveness of the new gTLD safeguards on mitigating technical DNS abuse. There are things like no wildcarding, DNS sec, abuse monitoring of the zones, things like that. They're trying to assess what impact did that all have. Was it effective?

So they relied on zone files and WHOIS records, and they also looked at domain name blacklist feeds. They looked at and analyzed a bunch of the data related to like absolute counts of abusive domains per gTLD and registrar abuse rates, abuse associated with privacy and proxy services, geographic locations associated with abusive of activities, and then abuse level distinguished by maliciously registered versus compromised domain names.

They put a lot of data into the funnel and then what they came out kind of . . . what some of the observations were in terms of the introduction of new gTLDs is that these safeguards . . . new gTLDs themselves did not increase the total amount of abuse for all gTLDs. Actually, while the number of abuse domain names remains approximately constant, there's definitely an upward trend in the absolutely number of phishing and malware domains in new gTLDs. So that's an early observation, but something I think there will be further analysis on, which we'll talk about in a second.

In terms of legacy versus new gTLDs, the nine new gTLD program safeguards alone did not prevent the abuse. There are rates of abuse and legacy and new gTLDs were kind of similar at the end of 2016. There were higher rates of compromised legacy gTLD domains than new gTLDs, so that was kind of an interesting finding. Increased malicious registrations were more common in new gTLDs, and the use of privacy proxy services to mask registrant WHOIS is more common in legacy than new gTLDs, so that's also interesting to see.

So when they look at a lot of these things, they kind of came out with three observations. They noticed that where there are registration restrictions, meaning stricter registration policies, there were definitely lower levels of abuse.

I think that makes a lot of sense. When things are super easy to register . . . Some of these registration requirements, I call them speed bumps, when they don't run into a lot of speed bumps, it's really super easy to just say, "Hey, it's available. Here's my credit card. I want to register that," and not much more. That makes things really easy. When you have more, there are usually lower levels of abuse because bad guys don't want to have to overcome a lot of hurdles.

Price matters. The highest levels of abuse they found were offered in low price domain name registrations. So, again, when you think about the bad guys out there, they're going to go where they can do harm for the least cost. They're not going to spend lots of money doing that. They're going to try to spend as little money and impact the most harm.

Then finally, this is always the thing that trademark holders have known, but here it is. Maliciously registered domain names often contain strings related to trademark terms. Basically, bad guys love to joyride off of trademarks. The whole notion of a trademark is it's a promise of quality. It's a promise of a certain customer experience. That evokes a certain amount of trust. So, when people see those strings in domain names, they think, "I know that brand, I trust that brand, I'm going to click on that." Trademarks are definitely valuable bait to the bad guys.

In terms of recommendations, they did also notice that there were high levels of DNS abuse concentrated in a small number of registries and registrars.

So there was a lot of detail to each of these recommendations that will come out in the report. I really encourage everybody, when that comes out, to take a look, but generally, the recommendations they're pushing toward on the DNS abuse is to encourage, incentivize proactive abuse measures.

So let's not be reactive. Let's look for the system to develop and to offer proactive abuse measures. Let's introduce measures to prevent technical DNS abuse, so continually looking for additional safeguards. Let's ensure that data collection is ongoing and acted upon. This was a theme I was talking about before. It always surprises me. A lot of this data collection is for the first time. So we really need to build some data here and some perspective.

And then consider additional means to deal with registry operators or registrars who are not effectively mitigating DNS abuse. So a lot of you will recall in the New gTLD Program, there's some post-delegation dispute resolution processes, things like that, that deal with really I would call them niche or very small situations. They just have not been utilized widely.

But when you talk to brand owners, you'll hear, "This TLD is where all the spam is," or, "This TLD is where I'm seeing a lot of phishing," or you'll hear, "This registrar harbors the bad guys." There really wasn't anything in the New gTLD Program that dealt with those things. The CCT Review Team is recommending that there needs to be additional means to deal with that.

And then in terms of rights protection mechanisms, there were new rights protection mechanisms that were specifically developed for the New gTLD Program. The New gTLD Program was going to be the beta environment for these new mechanisms. Really, what the CCT Review Team is to see did these RPMs, these rights protection mechanisms, help encourage a safe environment and did they promote consumer trust in the DNS?

You're got to measure that against what was the cost impact. When you do that cost-benefit analysis, were these measures worth the cost? As I talk to brand owners, that's a big part of this process. There's definitely increased costs that came along with the New gTLD Program, and while some of the things people feel were good ideas and somewhat helpful, the cost is really hard to justify.

So the review team has been trying to pull together data and work together with other working groups and PDP groups to pull together information to inform this review. So, the CCT team actually has some metrics reporting.

There was an impact study done by the International Trademark Association, or INTA. The ICANN Rights Protection Mechanisms Review Team, the independent review of the Trademark Clearinghouse, and then also parallel work being done by the ongoing working group. So lots of areas to collect data from.

To give you a sense of some of this data and reports and surveys and what they found, the INTA survey really looked to try to gather information directly from brand owners in terms of the costs of the program and what tactics and strategies worked best for them. It really looked at capturing all costs over the past two years, so 2015 and 2016.

This survey really required a lot of heavy lifting by brand owners to pull together this data, kind of extract this information out from their workflow. I think the challenge there . . . It's constantly a balance when you do these surveys. You want to get all this information and be really helpful, but I think because they asked for a whole lot that really took a heavy lifting, they only got 33 respondents.

I think there are still some good observations here. I think there are some questions about would they have gotten more deeper insights if they would have pulled back a little bit on the data or found a way to make it a little bit easier.

Nonetheless, key takeaways were that 90% of brand owners elect to register new gTLDs for defensive purposes. I don't think anybody is surprised by that. Basically, the domain names registered by brand owners are not being utilized. They're parked. The New TLD Program has definitely increased the overall cost of trademark defense. There's definitely a need for further investigation in terms of total enforcement costs related to TLDs.

Disputes, 75% of cases now involve privacy and proxy services, and then there's also a pretty large percentage that encounters some level of inaccurate or incomplete WHOIS information in that process and that dispute process. There's a disproportionate costs associated with new gTLD enforcements compared to overall enforcement actions.

But generally, the rights protection mechanisms that were unique to the New gTLD Program are considered to have been helpful. Again, the cost probably was higher than the overall benefits. So, some interesting insights there.

In terms of the CCT metrics reporting that they did, here they looked at the number of cases filed in the UDRP and the URS. You definitely see . . . if you look at the chart below, this covers the period between 2013 and 2016. So, if you remember, 2013, the very end is when the new gTLDs started to be launched. There was just a handful at the end of 2013 that really picked up in earnest in 2014 and continued through 2015. And then 2016 kind of flattened out a bit. But you see from 2013 to 2014 there's a big jump there. There are almost a thousand more complaints.

Now, you also see the division between UDRP and URS. The URS is not providing . . . it's not basically turning out to be as popular as most people anticipated.

It really is something that's kind of . . . I think a lot of people hoped for the URS to be a shorter, quicker, cheaper way for trademark holders to protect their marks. I think in retrospect, because the remedy is really suspension of the domain name, it's not recovery of the domain name, you find that ultimately people go and do a UDRP. So, the URS is really in about 5% of the total cases and those numbers are really flat.

But interestingly, and I think a lot of trademark owners would have this is what they anticipated, there are proportionally more trademark infringements in new GTLDs than in legacy TLDs, at least in 2016. So there's something interesting data there.

In terms of conclusions, we've kind of gone through most of them, but basically disputes are increasing with the number of TLDs. Trademark owners use a variety of means to deal with the abusive domain name registrations. So filing costs are only a part of the total enforcement costs. You have a lot of other tools that people use in terms of cease and desist letters and a number of other ways that people, through monitoring and things like that, deal with enforcement.

There's also more trademark infringement in new gTLDs, as we mentioned. So cost-benefit analysis and improved data is definitely on the needed on the TMCH. These data and insights are really light and the URS value versus UDRP is really questionable at this time.

These are some of the conclusions they came up on. They've made three recommendations. Again, more study is needed. I think that's a theme, more data collection. So an impact study to ascertain the impact of the New gTLD Program on cost and effort required to protect trademarks. That needs to happen on regular intervals, not just once and done.

A full review of the URS should be carried out in addition to consideration given to how that should interoperate with the UDRP, and then a cost-benefit analysis and review of TMCH needs to be carried out. So there's more work to be done here is really the summary.

I know that was lightning quick, but a lot happening there. We'll keep an eye on the draft report when it comes out, but I think some really interesting data points here and some really . . . I wouldn't say a ton of surprises, but I think confirmation of a lot of things people were expecting to find. So really interesting stuff.

With that, we're going to move on to I would call the big topic of this ICANN meeting, and that's GDPR. Ben, you want to take us through that?


Ben: Thanks very much, Gretchen. You're right. Most ICANN meetings have one key topic that everyone's discussing. For this meeting, ICANN 60, it was GDPR. I know a lot of people on this call will be familiar with GDPR and are probably working through some of the major points for their business. For those that aren't familiar, here's a quick GDPR 101.

So the General Data Protection Regulation is going to come into force on May 25 of next year. It's a European regulation and it will apply throughout Europe immediately from that date. As opposed to a directive, this is a regulation and it doesn't need to be transposed into national law. So it will be there across all European countries.

The purpose of the regulation is really to regulate data protection in a uniform manner throughout the EU. It gives EU citizens better control over their personal data and it also regulates how controllers of that data may use it and may use that personal data.

On the other hand, it does actually ensure that a free flow of personal data within the EU is there, and it also regulates the export of personal data outside of the EU.

So some of the main themes really are increased transparency requirements, increased data security requirements, and these will come into play for those that operate domain names that collect personal data from EU citizens. So a lot of our customers will fall into that category.

And increased accountability, such as reporting data breaches across every single organization that deals with EU citizens. It will allow citizens the right to be forgotten and the right for the data to be portable, and ultimately, this is privacy by default and by design.

One of the major questions that we get asked quite a lot is "How does GDPR fit in with domain names and the management of domain names?" Well, Article 4 within GDPR talks about personal data. Personal data is a means by which any information relating to an identified or identifiable natural person, also known as a data subject, is one that can be identified directly or indirectly through data identifiers.

Now, that can be numbers, location, any kind of online identifier, even down to IP addresses even if they're dynamic ones, phone numbers, email, or any kind of identifier that can be given as an example of personal data.

How that translates to domains is there is something called the WHOIS where you can see who owns a domain name, who has registered it. Within that data displayed on the WHOIS, actually a lot of personal data is given out. So that is covered by GDPR in its essence.

One area to note for everyone on this call is that legal persons or business entities are not covered by the GDPR. So unless this data can be linked to a natural person, then GDPR is not applicable.

So legal representatives of companies will enjoy the same protection under GDPR, though having individuals owning domain names for your company, even down to just having personal email addresses or phone numbers on the WHOIS, means that GDPR will apply to those domain names or those persons.

So this all links into the WHOIS and how registries and registrars process and ultimately display the personal data of registrants. This is a requirement within the contract that registries and registrars have with ICANN that govern the relationships between the parties. In most cases, domains, as you know, can't be technically registered without a lot of this data, as many of the fields are mandatory and registrars are compelled to validate in some way the data provided by the registrants. So this now, the WHOIS display of domain names, becomes a real issue when put alongside GDPR.

We've all known that GDPR has been coming for quite some time, but ICANN's been dragging their heels on the issue. This has pretty much come to a head in recent weeks.

So, firstly, the ICANN compliance team issued a compliance notice against the operator of dot-amsterdam and dot-frl, which are new TLDs. The compliance note was for not meeting the requirements within their registry agreement, which required them to publish the WHOIS data of domains registered beneath those TLDs.

A compliance case of that kind of sort can ultimately lead to a registry termination, so this registry was faced with quite a big problem. In steps the Dutch Data Protection Authority, or DPA, and they've let ICANN and pretty much everyone else know, and this is from their statement verbatim, that "the unlimited publication of WHOIS data of domain name registrants by Dutch registries is a violation of current Dutch privacy law."

So the registry, who is based in the Netherlands, on one hand had the Data Protection Authority from the Netherlands saying, "You cannot publish this data because you're in breach of law." On the other hand, they had ICANN saying, "You need to publish it because it said so in your contract."

So, ultimately, this is a catch-22 for both the registries and registrars, and really, the question that they all and we're all asking ourselves at the moment is "Whose wrath do you want to incur?" Is it ICANN's or is it the data protection authority from your jurisdiction and ultimately the EU?

As we saw in the previous pages, GDPR fines are 4% of your annual turnover or €20 million, whichever is the greater. There are large sums at play here for failing to meet the GDPR conditions.

The slow nature of ICANN policy development, and what really is ICANN's refusal to accept that they're a data controller within this ecosystem, means that registries and registrars are now being forced to pick which entity to be compliant with, which is quite a difficult thing.

So, during last week in Abu Dhabi, Gretchen and I had really been pushing for answers. We thought this was the meeting where ICANN would show some kind of leadership because this issue was brought up in the last two meetings before.

I have to say at the beginning of the week, it didn't look good. We kind of got the stock answer from all the ICANN staff over and over again, and that was that they were waiting for advice from their lawyers, Hamiltons. That won't be available for another few weeks after the meeting. That was the stock answer we got pretty much all week even though we pushed quite hard.

ICANN's CEO on numerous occasions had stated that they still didn't want to assume that they were a data controller even though it's pretty obvious to the entire community and those outside.

They even at some point wanted the community to share their own legal advice with ICANN to help them form a decision, which we found quite disturbing. We did think there was something else going on there and it felt like something was going to happen.

So, as the pressure increased around all the different constituencies within ICANN, we came to the Thursday session, which was the cross-community session on GDPR in relation to the WHOIS, and there was one slide displayed here for a two-hour meeting. I'll show you that slide in a minute.

But ultimately, ICANN have now said there will be a new interim compliance policy between May 2018 and onwards until this new RDS system is implemented. I'll explain what RDS is in a few slides down. But ultimately, ICANN as an organization see GDPR and the conflict with WHOIS as a compliance issue.

They've actually been quite clear from the board level that contracted parties such as registries and registrars must comply with applicable law. ICANN can't compel them to comply with the ICANN contracts when they're in direct violation of any kind of applicable law there.

So it's worth saying . . . I know we kind of beat ICANN the organization, but as Gretchen said right at the start, this is a bottom-up, multi-stakeholder model. So, ICANN, the organization, can't actually really change this policy without the involvement of the community.

But when then happened is the CEO made this statement, I'll read this out, he said, "We cannot expect to go away from a full WHOIS," which means they're not going to get rid of WHOIS as an instrument, "But during this period of uncertainty and under these conditions that ICANN are going to place on the contracted parties, ICANN contractual compliance will defer taking action against registry or registrar for non-compliance with contracted obligations related to the handling of registration data."

So what does this all mean? It means that we're probably going to see the end of WHOIS for maybe a year and a half. So WHOIS will likely go dark. So it may be that it's removed, redacted, or replaced with proxy registration data.

The worry here is because ICANN aren't given a method by which to do this, it's going to be up to individual parties to decide how they best handle being in compliance with GDPR. So there won't be one set solution. There won't be one set way of doing this. So the WHOIS as we know it today is likely going to disappear for a long time.

ccTLD WHOIS, especially within European registries, is probably going to become even more restricted. So we know dot-nl and dot-de have rate limits and they don't even allow you to see some of the registrant data on a domain. And ICANN-accredited registrars are most likely going to favor being compliant with GDPR rather than with ICANN. Now that ICANN has given essentially this period of noncompliance away, it means that a lot of these registries and registrars will likely just switch off WHOIS.

So there are some things that domain portfolio holders should start to think about. The first is really be prepared to remove all personal data from corporate domains. We say it a lot, but now it becomes even more critical. So the use of a person within a department rather than a generic contact is not something that you should have within your domain portfolio.

As I said earlier, this whole demonstration of being able to have domains that are transactional, these higher increased data security requirements, it means that having domains locked with the registry locked at two-factor authentication and having the highest level of SSLs should be thought of as standard now across transactional sites that take in EU citizen data. There's an increasing accountability and that requirement to report breaches, so protecting those critical domains that accept personal data will be key.

Also, one thing to think about . . . Gretchen and I and the team across the business are looking at what impact this may have on other areas of brand protection. Because in the interim this data was going to disappear, it's going to make the detection and therefore the enforcement of potentially infringing domains even more difficult. It will be difficult to ascertain who actually owns a domain names and you won't have that channel of being able to complain to ICANN compliance about WHOIS data missing because there is now this period of time where noncompliance will not be dealt with.

So there's a lot to think about. We'll continue to make sure that we let people know about the changes here and hopefully try and drive some standards within the registrar community, but it's clear that from May 18 of next year, the use of WHOIS is going to be greatly reduced.


Gretchen: I would even anticipate then that that would kind of . . . starting at the top of the year, you'll see a gradual decline. I don't think a lot of the registrars will wait until May. I think they'll slowly implement it now.

I think everybody came to this meeting thinking they were going to get that definitive guidance, and now that they haven't and they've been given at least some relief from ICANN compliance, now they're going to start implementing some of these limited WHOIS mechanisms.


Ben: I think so. If you look to your slides earlier about the CCT where we've seen certain registries and registrars where we know abuse happens more frequently for whatever reason that may be, we rely on the WHOIS to find out who owns the domain and maybe link them with other things that are going on as well. I think this may cause a greater issue in the interim.


Gretchen: I agree. We've put up a poll question. Given this new information, I think it's really important to review your domain portfolio to make sure there's none of that personal data in there and to also identify those critical domain names that you're going to want to get a higher level of security on to. So we'll give you a few seconds here to respond to the poll question.

It definitely is a major shift in the industry. WHOIS has been an issue . . . My very first ICANN meeting I can remember back in 2000, WHOIS was the big issue. It always continues to be, and while in the recent memories, there's been a lot of privacy regulation out of Europe, individual country legislation, it never had the teeth that a GDPR has. So this is now forcing action. It's interesting to see that this is what it took. Unfortunately, this is going to be some collateral damage here for a little bit.

So why don't we talk about RDS real quick?


Ben: One of the themes that we always have within our ICANN roundups is that a lot of this stuff is intertwined. As I said earlier, there's going to be this period where there is a moratorium on compliance until this RDS system comes about.

RDS is the registry directory services. It's there to replace the WHOIS as we know it. At the moment, there is a policy development process ongoing about this system and whether or not it's actually needed. So what it will be is it will be a centralized database that's queryable for WHOIS data rather than WHOIS data being served up in lots of different locations.

So one of the key things here is who actually gets access to this, under what conditions is access granted, and is access limited or rate limited based on the type of user that has access. Should law enforcement be given access to this data without limit? Should researchers into abuse within domain names be granted access without limits? Where do registrars need the data? We all know that we use it for transferring. What else is required?

So this has been one of the most contentious groups that we've seen, the ICANN ombudsman needed to step in recently because things got quite heated within the group to the point where the ombudsman stepped in and reiterated the standards that all participants needed to adhere to.

At the moment, they've moved through many of the key things they needed to do and they're at the deliberation stage. We started to see more of a quorum within the group, but of course there are still lots of different interests being represented there. So they're at that stage at the moment and we hope at the end of Q1 next year that there will be an initial issues report that will be open for public comment so people can see the work that's happened.

So RDS is now becoming important because until we have RDS, you'll see on the slide here, come May next year, there will be this compliance freeze of the publishing of data. It won't start again until the RDS system is implemented and then the policy surrounding its use and how data is provisioned into that system is written into policy.

As we all know, policy development processes within ICANN are not an exact science and can take quite a long time. So the impact of GDPR and the removal of compliance actions surrounding it is now slowly resting on the RDS being brought into production and used by all the parties.


Gretchen: I look at that timeline and just knowing how ICANN works and its notorious glacial pace, while May 2019 seems not that far away, there's always a chance that date gets extended out too. So, whenever they're implementing systems and things like that, I just think this May 2018 date with the GDPR coming in to play, I really do believe it's going to be a good 18-plus months before we get this RDS system.

I know we're hoping it's less than that, but I think everybody really does need to prepare for an extended dark period of WHOIS. It's going to be interesting. Definitely something we'll be following really closely. I know Ben's mentioned it, but it's something we're not only watching closely, but really working to influence and make sure that the perspectives of the brand owners are being considered at every step of the process.

We don't have a lot more time, but let's go through a few other things that are going on in ICANN. Around the fringes of GDPR, there are some other policy development processes that are ongoing, and I kind of referenced that a little bit when I was talking about the CCT Review Team.

The CCT Review Team is sort of an evaluation process. Underneath that are concurrent activities going on in the generic name supporting organization of a policy development process, or PDP, to develop new policies or to look at what new policies may be necessary for rights protection mechanisms as well as subsequent procedures for new gTLDs.

So, in terms of the rights protection mechanisms, the work this group is doing is part of the inputs that get sent over to the CCT Review Team. They've been working on this for a while as well. A lot of these processes started late 2015, early 2016, once round 1 was pretty much through a lot of the launches, at least of the open TLDs.

Now this group has been working on what's called their Phase 1, which focuses on the rights protection mechanisms created for the New gTLD Program, so the things in the beta mode, if you will, things like trademark clearinghouse and trademark claims and the URS. These are all the things they're really focused on.

There have been some initial reports and things like that, but they're really working to complete their Phase 1 by the end of Q3 of 2018. Right now, they're in a spot where they're really digging into the URS. But it's a slow process. As Ben mentioned, policymaking . . . I think we've both mentioned policymaking in the ICANN arena is slow. I think average is two years. Some have gone much longer. Some have happened a little less than that.

Not a lot's happened, though, on this RPM PDP since the last ICANN meeting. They're really well into capturing a bunch of questions that they want to put in an RFP for full URS review. So they're really kind of in, I would say, a mode of trying to collect the data they want to be able to move this forward. So that's really been their focus over the last few months.

The new gTLD subsequent procedures . . . Again, another PDP coming out of the GNSO related to the New gTLD Program and also informing the CCT review, this one is like a cyclops. It's got so many things going on. There are a bunch of overarching issues. It's always kind of this new idea that comes up, "Oh, we should launch a brand TLDs," or, "Oh, maybe we should do a fully open round ongoing." There are always these distractions going on. They have a number of work streams. There are now five. They've just added a geo names work stream.

I think the situation with the dot-amazon application has sort of made that a priority. Many of you may know, but if you don't, dot-amazon was an application put forward in round 1. They ran into a lot of trouble with Brazil and other countries neighboring the Amazon region. ICANN kind of quashed their application. An independent review panel recently said, "ICANN, we think you mishandled this and we think you should reconsider this application."

ICANN is now in the process of deciding whether or not they're going to take that recommendation on board. But definitely Amazon was there in force working through the governmental advisory committee to try to convince them that it would be good for them to have this TLD, that their application should go through, that they can be responsible for this TLD. Anyway, it kind of made adding a fifth work stream here a priority for this PDP.

Here's a little bit of a description of each of those five work tracks. They're trying to complete the deliberations around taking in some of the community comments on some questions and initial observations they had.

They're really gunning to publish an initial report for public comment in January of 2018. That's what they're really kind of pushing toward. I think they'll get something out. We'll definitely be waiting for that report and watching and looking to comment. There are a lot of things in this PDP, like I said. It's got a bit of a monster quality to it, but we'll continue to watch.

Time is short. In fact, we're just about at time. There are a number of other things that happened at ICANN 60. We have a bulleted list there. I think what Ben and I resolved in the last webinar is that we'll put together a quick one, one-and-a-half pages that gives you the highlights here on these items and why they're important to know they're going on.

In terms of round 2, I know that's always a question I get around webinar time is when it's going to be round 2. I'm still of the opinion it's 2020 or later. Ben, I'm going to steal your thunder because I know how you feel. You're feeling like by the next ICANN meeting, there's some work that's going on in the GNSO where you think, as a result of that work, a timeline will shake out where we'll know more definitively when that happens, but I think time will tell. I'm still trying to figure out what our bet should be to see who will win this, but we'll figure it out.

I'm going to put up our last poll question. We may have had some questions in the queue. I apologize. We're probably not going to get to them individually during this session, but Ben and I will definitely get the report of these questions and we will follow back up with you. If there are some similar questions here, we may even just included in the document included on these other points so that everybody has the benefit of the questions and the answers.

Sorry for the quick run, but we're at that top of the hour and I want to respect your time. So, I'm going to turn it back over to you, Anu.


Anu: Thank you, Gretchen and Ben. Great updates for us. We are definitely looking forward to the next webinar that we hold for ICANN.

Folks, that is all the time we have today. As Gretchen mentioned, we will get back to you since we didn't get a chance to answer your questions. Thank you for participating. We hope to see you next time.