Yes, definitely. It was in my SOI at the time. I haven’t had too many dealings with them but I found Keith Drazek to be a pretty honest broker during the CCWG efforts to build an accountability framework prior to the transition so, when the DC fights (Ted Cruz, etc.) began, I went to Verisign among others, for help with our efforts to mobilize our members at ACT to make the case for the transition in DC. At the time, ACT counted among its sponsors Microsoft, AT&T, Apple, NBC Universal, Viacom, Fox and Disney and I was in the IPC for many years, mostly criticizing Verisign on things like thick whois. After lobbying for stronger IP for 20 years, I’m still a bit of an IP hawk as my At-Large colleagues will attest, despite no longer having any more IP related sponsors. Another, looser, connection is that I’m still technically on the board of NetChoice which I spun out of ACT many years ago to fight barriers to ecommerce but I haven’t had any operational role in NetChoice since spinning it out. NC counts Verisign as one of its members. A few years ago, I retired from ACT to focus on two non-profits, DC Dogs and The Innovators Network Foundation, neither of which has much to do with IG but I didn’t want to leave the community so I joined the At-Large primarily to be a part of the implementation of the review related reforms. I’ve been pretty focused on process in the At-Large, rather than pursuing any particular policy agenda. I’m fairly certain that I’ll be opposing Verisign, and the contracted parties generally, more often that agreeing with them because of DNS Abuse. I imagine the contracted parties aren’t too happy about the CCT Recommendations or the At-Large recommendations in that arena nor many upcoming recommendations for reform prior to a new round. So all of this has been part of the public record as is my reform oriented agenda at ICANN (“Metrics Man”) and I think that record speaks for itself. I’m not sure ad hominem is any better an approach on this than Jacob’s ad Nazium arguments in his Circle ID post. The At-Large is a diverse, heterogeneous body with the near impossible mandate to identify and champion the interests of individual internet users. Our job is made all the more difficult by our open door membership policy that makes it possible for folks, who have never shown an interest in individual end users, to join as individual members, when their business interests appear to be at stake. Throwing around platitudes like “of course, our interests are aligned with end users” along with ad hominem attacks doesn’t really advance the debate. Instead, focus on the points being made and let’s see if we can find consensus on how the At-Large should proceed. I thought your email to Evan was thoughtful and I plan to read it more carefully. More of that would be ideal if you’d like to continue to participate in At-Large deliberations. This thread began because I shared Alvin’s article on what’s at stake for domain investors and I don’t envy the position in which you find yourselves. That said, it has little or nothing to do with the interests of individual end users who are more likely to benefit from a price hike, especially if some of that money gets invested in security and stability activities. Individual end users don’t care about the wholesale price of domains. They care about whether they’re getting to the site they intend, that the site won’t infect their machine with malware, that the site won’t commit fraud on them, etc. etc., and those individual end users are, unfortunately for you, our constituency here in At-Large. From: Nat Cohen <ncohen@telepathy.com> Date: Monday, January 6, 2020 at 9:03 AM To: Alan Greenberg <alan.greenberg@mcgill.ca>, Jonathan Zuck <JZuck@innovatorsnetwork.org> Cc: "cpwg@icann.org" <cpwg@icann.org> Subject: Re: [CPWG] Verisign Alan - Jonathan is capable of speaking for himself. So let's ask him. Jonathan - have you ever been compensated by Verisign, by a Verisign lobbyist or a related entity? Regards, Nat On Mon, Jan 6, 2020 at 12:40 AM Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca>> wrote: Nat, I have largely stayed out of the PIR discussion, but here I have to intervene. First, In case you are not familiar with my background, let me present some credentials; - I have been actively involved with At-Large since 2006, was an ALAC member for ten of those years, and was ALAC Chair for four years. - ALAC had always taken an interest in issues related to registrants, where those needs do not conflict with those of the greater non-registrant population - I initiated the PDP on domain tasting, a practice that allowed a very small number of domain investors to take unfair advantage of certain rules, allowing them to register "valuable" domains in great quantities without paying fees that would normally be associated with the business. So I do nave a fairly long and deep understanding of the domain investing business. - I initiated and chaired a PDP and the protected registrant rights at expiration time. So I believe my track record shows some concern for registrants. I have also been accused of "adopting talking points" of various other groups where the speakers apparently felt that I was betraying the At-Large cause because we happen to agree, in specific situations, with those who might otherwise be perceived as our enemies. Jonathan is new to At-Large, but he well understands what we are here for. And if that means he at times agrees with some position taken by PIR or Verisign, or even domain investers!, you can be sure that he has thought it through and is not doing it for any reason other than he believes it is in the best interest of Individual Internet Users. You may disagree with what he says (and I do on occasion), be he is not doing it in blind support of some other interest. Alan At 05/01/2020 12:28 PM, Nat Cohen wrote: Jonathan, I find it disturbing that while you are participating in At-Large nominally as a representative of the best interests of end-users, you consistently adopt talking points pushed by Verisign and PIR and bash domain investors. While domain investors are affected by price hikes, so is each and every registrant of .org and .com. You have so far failed to explain why it is in the best interests of .org and .com registrants to pay unjustified higher prices to continue the use of their domain names, for the sole benefit of those registries that are already being overpaid for the services they provide. For those with an interest, here is the link to the ICA's statement laying out many reasons for concern with the handling and the terms of the proposed renewal of the .com agreement: https://www.internetcommerce.org/ica-statement-on-icanns-announced-changes-t... Regards, Nat Cohen President Telepathy, Inc. www.Telepathy.com<http://www.Telepathy.com> On Sun, Jan 5, 2020 at 12:09 PM Jonathan Zuck < JZuck@innovatorsnetwork.org<mailto:JZuck@innovatorsnetwork.org>> wrote: My point, to be clear, is that these price hikes really only affect the investor community and will, as Evan has suggested, help clear some clutter out of the secondary market. Jonathan Zuck Executive Director Innovators Network Foundation www.Innovatorsnetwork.org<http://www.Innovatorsnetwork.org> ________________________________ From: CPWG <cpwg-bounces@icann.org<mailto:cpwg-bounces@icann.org> > on behalf of Justine Chew <justine.chew@gmail.com<mailto:justine.chew@gmail.com> > Sent: Sunday, January 5, 2020 11:31:16 AM To: cpwg@icann.org<mailto:cpwg@icann.org> <cpwg@icann.org<mailto:cpwg@icann.org>> Subject: Re: [CPWG] The crux of the COM issue Somewhat reminiscent of what was suggested as the third position in the ALAC Statement of May 2019 on the .org RA renewal. Justine Chew ----- On Mon, 6 Jan 2020 at 00:03, Marita Moll <mmoll@ca.inter.net<mailto:mmoll@ca.inter.net>> wrote: I can't find an copy of the NCSG letter on the ICANN website but a copy is posted on the Internet Gov. org site ( https://www.internetgovernance.org/2019/12/11/icann-told-to-make-ethos-capit... ) NSCG is asking for (among other things): A revised notification procedure in which wholesale price increases of any amount give ORG registrants 6 months to renew their domains for periods of up to 20 years at the pre-existing annual rate. Implementation of this revised notification procedure must be obligatory to both PIR as well as any registrar through which .org domain names are registered and/or renewed. Marita On 1/5/2020 10:43 AM, Marita Moll wrote: Milton Mueller suggested that angle quite awhile ago and I think it forms part of their letter to ICANN re: this issue. It is one of the contractual things that is actually within ICANN's purview and, from what I have read, would not be very appealing to a for profit private equity firm -- seriously limits their options. Marita On 1/4/2020 10:40 PM, Jonathan Zuck wrote: https://www.kickstartcommerce.com/about-that-10-year-renewal-strategy-for-co... Jonathan Zuck Executive Director Innovators Network Foundation www.Innovatorsnetwork.org<http://www.Innovatorsnetwork.org> _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> <https://mm.icann.org/mailman/listinfo/cpwg> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<https://www.icann.org/privacy/policy> https://www.icann.org/privacy/policy) and the website Terms of Service (<https://www.icann.org/privacy/tos> https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> <https://mm.icann.org/mailman/listinfo/cpwg> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<https://www.icann.org/privacy/policy> https://www.icann.org/privacy/policy) and the website Terms of Service (<https://www.icann.org/privacy/tos> https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy) and the website Terms of Service ( https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy) and the website Terms of Service ( https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy) and the website Terms of Service ( https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Bill, That's certainly an interesting take that I hadn't thought about. The reasoning from Evan, that make sense to me, is that higher prices would make it less likely that people would register the fraudulent names in the first place, making defensive registrations less necessary. Of course, for truly premium names a small price hike will NOT make a difference but at volume it might. I'll noodle that more. My job is facilitator here so my opinion doesn't really matter. I'm just not interested in a knee jerk emotional response from At-Large. Jonathan ________________________________ From: Bill Jouris <b_jouris@yahoo.com> Sent: Monday, January 6, 2020 11:37 AM To: Jonathan Zuck <JZuck@innovatorsnetwork.org>; Nat Cohen <ncohen@telepathy.com>; Alan Greenberg <alan.greenberg@mcgill.ca> Cc: cpwg@icann.org <cpwg@icann.org> Subject: Re: [CPWG] Verisign Jonathan, In your last paragraph, you say: "Individual end users don’t care about the wholesale price of domains. They care about whether they’re getting to the site they intend, that the site won’t infect their machine with malware, that the site won’t commit fraud on them, etc. etc...." But that does give individual end users a stake in domain name prices. Thanks to the IDN effort, we are about to see a spike in the potential for DNS abuse -- specifically the easy opportunity (thanks to ICANN's approach) to generate quite misleading domain names. The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations. Lots of defensive registrations. (I did a quick calculation for Citi Bank. 4 letter domain name. Close to 300 readily confusable variations. Longer names would have more, of course.) If the price of registrations goes up, they will do fewer defensive registrations. Which means end users will have more trouble reliably getting where they want to go. Which, I submit, we do care about. Bill Jouris Sent from Yahoo Mail on Android<https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_Andr...> On Mon, Jan 6, 2020 at 7:23 AM, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote: _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Dear all,

The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations. Lots of defensive registrations. (I did a quick calculation for Citi Bank. 4 letter domain name. Close to 300 readily confusable variations. Longer names would have more, of course.)

It might very well be that this is an issue to start with? SSR2 will likely recommend measures to be taken here. In general though, it is quite ridiculous if you think about it — I have to pay for multiple domains to protect myself because contracted parties do not have their house in order… (Obviously, I am overstating slightly, on purpose) All the best Laurin

On Jan 6, 2020, at 17:45, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:

Bill, That's certainly an interesting take that I hadn't thought about. The reasoning from Evan, that make sense to me, is that higher prices would make it less likely that people would register the fraudulent names in the first place, making defensive registrations less necessary. Of course, for truly premium names a small price hike will NOT make a difference but at volume it might. I'll noodle that more. My job is facilitator here so my opinion doesn't really matter. I'm just not interested in a knee jerk emotional response from At-Large. Jonathan

From: Bill Jouris <b_jouris@yahoo.com> Sent: Monday, January 6, 2020 11:37 AM To: Jonathan Zuck <JZuck@innovatorsnetwork.org>; Nat Cohen <ncohen@telepathy.com>; Alan Greenberg <alan.greenberg@mcgill.ca> Cc: cpwg@icann.org <cpwg@icann.org> Subject: Re: [CPWG] Verisign

Jonathan,

In your last paragraph, you say: "Individual end users don’t care about the wholesale price of domains. They care about whether they’re getting to the site they intend, that the site won’t infect their machine with malware, that the site won’t commit fraud on them, etc. etc...."

But that does give individual end users a stake in domain name prices. Thanks to the IDN effort, we are about to see a spike in the potential for DNS abuse -- specifically the easy opportunity (thanks to ICANN's approach) to generate quite misleading domain names.

The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations. Lots of defensive registrations. (I did a quick calculation for Citi Bank. 4 letter domain name. Close to 300 readily confusable variations. Longer names would have more, of course.)

If the price of registrations goes up, they will do fewer defensive registrations. Which means end users will have more trouble reliably getting where they want to go. Which, I submit, we do care about.

Bill Jouris

Sent from Yahoo Mail on Android

On Mon, Jan 6, 2020 at 7:23 AM, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote: _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Laurin, I'm not sure it is accurate to characterize the situation as the registries as "not having their houses in order."  As for-profit companies, their duty is to their owners.  And the technical term of a situation requiring lots of defensive registrations is "gold mine" -- multiple sales, with only a single customer to deal with.  And, for the most part, you can probably sell hosting services for the re-direct to the real website as well. 

From the point of view of the users, and of the Internet generally, simply blocking those potential abusive registrations is clearly the way to go.  But for the registries?  All their incentive is to have as many potential conflicts as possible.  Easy sales. Bill Jouris

Sent from Yahoo Mail on Android On Mon, Jan 6, 2020 at 8:50 AM, Laurin B Weissinger<lbweissinger@protonmail.com> wrote: Dear all,

The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations.  Lots of defensive registrations.  (I did a quick calculation for Citi Bank.  4 letter domain name.  Close to 300 readily confusable variations.  Longer names would have more, of course.)

It might very well be that this is an issue to start with? SSR2 will likely recommend measures to be taken here. In general though, it is quite ridiculous if you think about it — I have to pay for multiple domains to protect myself because contracted parties do not have their house in order… (Obviously, I am overstating slightly, on purpose) All the best Laurin

On Jan 6, 2020, at 17:45, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:

Bill, That's certainly an interesting take that I hadn't thought about. The reasoning from Evan, that make sense to me, is that higher prices would make it less likely that people would register the fraudulent names in the first place, making defensive registrations less necessary. Of course, for truly premium names a small price hike will NOT make a difference but at volume it might.  I'll noodle that more. My job is facilitator here so my opinion doesn't really matter. I'm just not interested in a knee jerk emotional response from At-Large. Jonathan

From: Bill Jouris <b_jouris@yahoo.com> Sent: Monday, January 6, 2020 11:37 AM To: Jonathan Zuck <JZuck@innovatorsnetwork.org>; Nat Cohen <ncohen@telepathy.com>; Alan Greenberg <alan.greenberg@mcgill.ca> Cc: cpwg@icann.org <cpwg@icann.org> Subject: Re: [CPWG] Verisign

Jonathan,

In your last paragraph, you say: "Individual end users don’t care about the wholesale price of domains. They care about whether they’re getting to the site they intend, that the site won’t infect their machine with malware, that the site won’t commit fraud on them, etc. etc...."

But that does give individual end users a stake in domain name prices.  Thanks to the IDN effort, we are about to see a spike in the potential for DNS abuse -- specifically the easy opportunity (thanks to ICANN's approach) to generate quite misleading domain names. 

The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations.  Lots of defensive registrations.  (I did a quick calculation for Citi Bank.  4 letter domain name.  Close to 300 readily confusable variations.  Longer names would have more, of course.)

If the price of registrations goes up, they will do fewer defensive registrations.  Which means end users will have more trouble reliably getting where they want to go.  Which, I submit, we do care about.

Bill Jouris

Sent from Yahoo Mail on Android

On Mon, Jan 6, 2020 at 7:23 AM, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote: _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Dear Bill and Jonathan, dear all, I should have added more detail, apologies. It seems that names are so cheap that “touching them”, to quote Graham, puts you in the red. As Jonathan, I see little reason to question that; it might not be quite that bad but unlikely to be far off. Thus, I am wondering, wouldn’t it be better for end users to have registrants pay a little more and not having to worry about these issues.

I'm not sure it is accurate to characterize the situation as the registries as "not having their houses in order." As for-profit companies, their duty is to their owners.

Absolutely, and as there is no requirement contractually to do much about abuse… Lots of parties do care and try, don’t get me wrong — but as long as it is not a “must”, the ones who care have to somehow make it happen, slimming their profits vs those who do the bare minimum, which isn't much.

So it’s a wee bit disingenuous to suggest that they WANT all the conflicts as they end up getting wrapped up in complaints about them all the time and I suspect they wish they weren’t there because they lose money, not make money, on them

I agree. Maybe making the playing field more equal by requiring some anti-abuse measures (and potentially allowing higher prices per registration that is then a “better” one) would actually help those who are trying and are undercut by those who choose to maximize profit by not doing as much anti abuse. (Another SSR2 teaser, there will likely be a rec on anti-abuse reqs in contracts). All in all, it is about how the operating environment looks like, and this is where ICANN policy and contracts can change things considerably. From an end user perspective, I tend to think that slightly (!) pricier registrations in return for fewer “shenanigans" will be preferable overall. All the best Laurin ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Monday, January 6, 2020 6:21 PM, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:

In fairness, Bill, the contracted parties spend tons of cash to combat DNS abuse. Of course, we’ve just issued advice to the board suggesting they could do more, such as implementing the AI based solution used by .UK and .EU which look really promising. So it’s a wee bit disingenuous to suggest that they WANT all the conflicts as they end up getting wrapped up in complaints about them all the time and I suspect they wish they weren’t there because they lose money, not make money, on them. That we heard from Graham from Twocows and it makes sense. Once they “touch a domain” they’re losing money, he suggested, and I don’t have any reason to question him. I’d much rather work with them to find a better way to go after the bad guys.

From: [Bill Jouris via CPWG](mailto:cpwg@icann.org) Sent: Monday, January 6, 2020 12:15 PM To: [Laurin B Weissinger](mailto:lbweissinger@protonmail.com) Cc: cpwg@icann.org Subject: Re: [CPWG] Verisign

Laurin,

I'm not sure it is accurate to characterize the situation as the registries as "not having their houses in order." As for-profit companies, their duty is to their owners. And the technical term of a situation requiring lots of defensive registrations is "gold mine" -- multiple sales, with only a single customer to deal with. And, for the most part, you can probably sell hosting services for the re-direct to the real website as well.

From the point of view of the users, and of the Internet generally, simply blocking those potential abusive registrations is clearly the way to go. But for the registries? All their incentive is to have as many potential conflicts as possible. Easy sales.

Bill Jouris

[Sent from Yahoo Mail on Android](https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_Andr...)

...

On Mon, Jan 6, 2020 at 8:50 AM, Laurin B Weissinger

<lbweissinger@protonmail.com> wrote:

Dear all,

...

The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations. Lots of defensive registrations. (I did a quick calculation for Citi Bank. 4 letter domain name. Close to 300 readily confusable variations. Longer names would have more, of course.)

It might very well be that this is an issue to start with? SSR2 will likely recommend measures to be taken here.

In general though, it is quite ridiculous if you think about it — I have to pay for multiple domains to protect myself because contracted parties do not have their house in order… (Obviously, I am overstating slightly, on purpose)

All the best Laurin

...

On Jan 6, 2020, at 17:45, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:

Bill, That's certainly an interesting take that I hadn't thought about. The reasoning from Evan, that make sense to me, is that higher prices would make it less likely that people would register the fraudulent names in the first place, making defensive registrations less necessary. Of course, for truly premium names a small price hike will NOT make a difference but at volume it might. I'll noodle that more. My job is facilitator here so my opinion doesn't really matter. I'm just not interested in a knee jerk emotional response from At-Large. Jonathan

From: Bill Jouris <b_jouris@yahoo.com> Sent: Monday, January 6, 2020 11:37 AM To: Jonathan Zuck <JZuck@innovatorsnetwork.org>; Nat Cohen <ncohen@telepathy.com>; Alan Greenberg <alan.greenberg@mcgill.ca> Cc: cpwg@icann.org <cpwg@icann.org> Subject: Re: [CPWG] Verisign

Jonathan,

In your last paragraph, you say: "Individual end users don’t care about the wholesale price of domains. They care about whether they’re getting to the site they intend, that the site won’t infect their machine with malware, that the site won’t commit fraud on them, etc. etc...."

But that does give individual end users a stake in domain name prices. Thanks to the IDN effort, we are about to see a spike in the potential for DNS abuse -- specifically the easy opportunity (thanks to ICANN's approach) to generate quite misleading domain names.

The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations. Lots of defensive registrations. (I did a quick calculation for Citi Bank. 4 letter domain name. Close to 300 readily confusable variations. Longer names would have more, of course.)

If the price of registrations goes up, they will do fewer defensive registrations. Which means end users will have more trouble reliably getting where they want to go. Which, I submit, we do care about.

Bill Jouris

Sent from Yahoo Mail on Android

On Mon, Jan 6, 2020 at 7:23 AM, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote: _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

I don't doubt at all that a case of DNS abuse results in a lose for the registry on that registration.  But amortized across all the defensive registrations which can be sold by pointing to that horrible example?  Less sure.  Bill On Monday, January 6, 2020, 09:21:41 AM PST, Jonathan Zuck <jzuck@innovatorsnetwork.org> wrote: #yiv3635019676 #yiv3635019676 -- _filtered {} _filtered {} _filtered {} _filtered {}#yiv3635019676 #yiv3635019676 p.yiv3635019676MsoNormal, #yiv3635019676 li.yiv3635019676MsoNormal, #yiv3635019676 div.yiv3635019676MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:11.0pt;font-family:sans-serif;}#yiv3635019676 a:link, #yiv3635019676 span.yiv3635019676MsoHyperlink {color:blue;text-decoration:underline;}#yiv3635019676 .yiv3635019676MsoChpDefault {} _filtered {}#yiv3635019676 div.yiv3635019676WordSection1 {}#yiv3635019676 In fairness, Bill, the contracted parties spend tons of cash to combat DNS abuse. Of course, we’ve just issued advice to the board suggesting they could do more, such as implementing the AI based solution used by .UK and .EU which look really promising. So it’s a wee bit disingenuous to suggest that they WANT all the conflicts as they end up getting wrapped up in complaints about them all the time and I suspect they wish they weren’t there because they lose money, not make money, on them. That we heard from Graham from Twocows and it makes sense. Once they “touch a domain” they’re losing money, he suggested, and I don’t have any reason to question him. I’d much rather workwith them to find a better way to go after the bad guys.     From: Bill Jouris via CPWG Sent: Monday, January 6, 2020 12:15 PM To: Laurin B Weissinger Cc: cpwg@icann.org Subject: Re: [CPWG] Verisign   Laurin,  I'm not sure it is accurate to characterize the situation as the registries as "not having their houses in order."  As for-profit companies, their duty is to their owners.  And the technical term of a situation requiring lots of defensive registrations is "gold mine" -- multiple sales, with only a single customer to deal with.  And, for the most part, you can probably sell hosting services for the re-direct to the real website as well.   

From the point of view of the users, and of the Internet generally, simply blocking those potential abusive registrations is clearly the way to go.  But for the registries?  All their incentive is to have as many potential conflicts as possible.  Easy sales.

  Bill Jouris   Sent from Yahoo Mail on Android   On Mon, Jan 6, 2020 at 8:50 AM, Laurin B Weissinger <lbweissinger@protonmail.com> wrote: Dear all,

The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations.  Lots of defensive registrations.  (I did a quick calculation for Citi Bank.  4 letter domain name.  Close to 300 readily confusable variations.  Longer names would have more, of course.)

It might very well be that this is an issue to start with? SSR2 will likely recommend measures to be taken here. In general though, it is quite ridiculous if you think about it — I have to pay for multiple domains to protect myself because contracted parties do not have their house in order… (Obviously, I am overstating slightly, on purpose) All the best Laurin

On Jan 6, 2020, at 17:45, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:

Bill, That's certainly an interesting take that I hadn't thought about. The reasoning from Evan, that make sense to me, is that higher prices would make it less likely that people would register the fraudulent names in the first place, making defensive registrations less necessary. Of course, for truly premium names a small price hike will NOT make a difference but at volume it might.  I'll noodle that more. My job is facilitator here so my opinion doesn't really matter. I'm just not interested in a knee jerk emotional response from At-Large. Jonathan

From: Bill Jouris <b_jouris@yahoo.com> Sent: Monday, January 6, 2020 11:37 AM To: Jonathan Zuck <JZuck@innovatorsnetwork.org>; Nat Cohen <ncohen@telepathy.com>; Alan Greenberg <alan.greenberg@mcgill.ca> Cc: cpwg@icann.org <cpwg@icann.org> Subject: Re: [CPWG] Verisign

Jonathan,

In your last paragraph, you say: "Individual end users don’t care about the wholesale price of domains. They care about whether they’re getting to the site they intend, that the site won’t infect their machine with malware, that the site won’t commit fraud on them, etc. etc...."

But that does give individual end users a stake in domain name prices.  Thanks to the IDN effort, we are about to see a spike in the potential for DNS abuse -- specifically the easy opportunity (thanks to ICANN's approach) to generate quite misleading domain names. 

The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations.  Lots of defensive registrations.  (I did a quick calculation for Citi Bank.  4 letter domain name.  Close to 300 readily confusable variations.  Longer names would have more, of course.)

If the price of registrations goes up, they will do fewer defensive registrations.  Which means end users will have more trouble reliably getting where they want to go.  Which, I submit, we do care about.

Bill Jouris

Sent from Yahoo Mail on Android

On Mon, Jan 6, 2020 at 7:23 AM, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote: _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Hi Roberto,  I don't work for Citi Bank, and am not aware of knowing anyone who does.  So I have no idea.  I would note that, at this moment, we are probably 6 months from ICANN publishing the IDN effort's tables of all the variations on the Latin alphabet.  Having that readily available will make coming up with indistinguishable domain names much easier for bad actors.  And thus the need for defensive registrations.  In short, the problem wrt the need for defensive registrations is still at the readily foreseeable stage, rather than the already exploding in our face stage.   Bill Sent from Yahoo Mail on Android On Tue, Jan 7, 2020 at 2:16 AM, Roberto Gaetano<roberto_gaetano@hotmail.com> wrote: Hi Bill.Just a couple of questions wrt: The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations.  Lots of defensive registrations.  (I did a quick calculation for Citi Bank.  4 letter domain name.  Close to 300 readily confusable variations.  Longer names would have more, of course.) How many actual defensive registrations has Citi Bank? Thanks,R.

Jonathan, If I correctly understand what you are suggesting, I agree completely.   The IDN effort is identifying extensive lists of symbols which normal users can not be expected to distinguish from one another.  ICANN could, if we wished, revise our contracts with the registries to simply block new domain names which differ from existing ones only by one or more of those.  So far, there is no sign of us actually doing so.  But it would be a better way to address the problem.  Bill Jouris On Tuesday, January 7, 2020, 10:03:35 AM PST, Jonathan Zuck <jzuck@innovatorsnetwork.org> wrote: This may have changed but the CCT report found far fewer defensive registrations in the new gTLDs than expected because the volume would just be too high. Instead, other means of monitoring, etc., were employed. Rather than accept defensive registrations as a solution, should we perhaps suggest blocking as an alternative? Regulating an entire market to facilitate an unfortunate activity seems wrong. Jonathan Zuck Executive Director Innovators Network Foundation www.Innovatorsnetwork.org From: CPWG <cpwg-bounces@icann.org> on behalf of Bill Jouris via CPWG <cpwg@icann.org> Sent: Tuesday, January 7, 2020 12:45:16 PM To: roberto_gaetano@hotmail.com <roberto_gaetano@hotmail.com> Cc: CPWG <cpwg@icann.org> Subject: Re: [CPWG] Verisign Hi Roberto,  I don't work for Citi Bank, and am not aware of knowing anyone who does.  So I have no idea.  I would note that, at this moment, we are probably 6 months from ICANN publishing the IDN effort's tables of all the variations on the Latin alphabet.  Having that readily available will make coming up with indistinguishable domain names much easier for bad actors.  And thus the need for defensive registrations.  In short, the problem wrt the need for defensive registrations is still at the readily foreseeable stage, rather than the already exploding in our face stage.   Bill Sent from Yahoo Mail on Android On Tue, Jan 7, 2020 at 2:16 AM, Roberto Gaetano<roberto_gaetano@hotmail.com> wrote:Hi Bill.Just a couple of questions wrt: The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations.  Lots of defensive registrations.  (I did a quick calculation for Citi Bank.  4 letter domain name.  Close to 300 readily confusable variations.  Longer names would have more, of course.) How many actual defensive registrations has Citi Bank? Thanks,R.

Thanks John, your posts are always informative. I know you have some structural issues with the registry/registrar model which has disadvantaged some smaller markets and gTLDs. Do you have specific thoughts on "individual end user" interests in the new .COM contract? What points do you think would be most important for At-Large to make. As you say, roundabout ways to dealing with different issues aren't ideal and price caps to support defensive registrations doesn't seem like the answer to defensive registrations. What would we like to see if this contract goes forward beyond the commitments that have been made already from the new contract and the investment in research and education on SSR? DNS Abuse measures? Trusted notifier stuff like Donuts has? What would you like to see given your facility with the numbers? ________________________________ From: CPWG <cpwg-bounces@icann.org> on behalf of John McCormac <jmcc@hosterstats.com> Sent: Tuesday, January 7, 2020 3:55 PM To: cpwg@icann.org <cpwg@icann.org> Subject: Re: [CPWG] Verisign On 07/01/2020 18:03, Jonathan Zuck wrote:

This may have changed but the CCT report found far fewer defensive registrations in the new gTLDs than expected because the volume would just be too high. Instead, other means of monitoring, etc., were employed. Rather than accept defensive registrations as a solution, should we perhaps suggest blocking as an alternative? Regulating an entire market to facilitate an unfortunate activity seems wrong.

The problem with using the CCT-RT report, Jonathan, is that the CCT-RT were all knowledgeable about everything other than domain name metrics, measuring web usage and development in TLDs and understanding domain name markets. The opinion polls of "awareness" of new gTLDs were difficult to reconcile with reality because, as had been demonstrated by the sales of new gTLD domain names, the public was, and still is, largely unaware of the new gTLDs. A lot of work went into dealing with intellectual property and trademarks prior to the launch of the new gTLDs. The problem is that the bulk of brand protection activity is not based on trademarks or service marks. It is from small businesses protecting their brands in other relevant TLDs to the TLD where they operate their primary website. Most of the new gTLDs were aimed at potential markets that were much smaller than the artificial scarcity created by Domain Tasting suggested. The reason for this was that ICANN's multi-stakeholder model meant that little could be done about Domain Tasting for years. The deleting domain names were also targeted in Domain Tasting. The public couldn't get access to deleting domain names and this created an artificial scarcity of "good" domain names. The numbers are horrifying and I listed them, by month and by year, in the first few chapters of the Domnomics book and those chapters and the statistics on Domain Tasting in .COM over 2005 to 2009 are free to read on the "Look Inside" link on Amazon ( https://www.amazon.com/dp/B0827FL1SW ) . This wasn't domainers registering a few domain names. This was industrialised plunder of COM/NET/ORG by a small number of registrars. These weren't domain name speculators with a few hundred domain names. These were ICANN accredited registrars that were registering and deleting millions of domain names each day. ICANN made things worse by wandering off down the yellow brick road of "competition". ICANN, it seemed, existed in its own little bubble. To the public, it seemed that ICANN couldn't even understand that it was a simple "supply and demand" problem rather than a "competition" problem. The PDP on Domain Tasting helped but its statistics only focused on a single month and it only launched when Domain Tasting was completely out of control in the main legacy gTLDs. The real damage to the credibility of gTLDs had been done and the growth in the ccTLDs had been kickstarted by this episode. Eventually, ICANN did the right thing with Domain Tasting. Up to the launch of .MOBI, most new TLDs got a financial boost from defensive registrations. But that all changed for the new gTLDs. Some of the registries held back thousands of potentially valuable domain names for themselves. This had a major impact on the sales in these new gTLDs. As a result of the lack of sales, some of the new gTLD registries indulged in heavy discounting to inflate their zone files. The problem with this is that these registrations don't renew well. It had to be repeatedly pointed out to the CCT-RT that the new gTLDs with these discounted registrations were highly abnormal and that the claimed "parking" levels in some of these new gTLDs were wrong. (The "parking" report on which CCT-RT relied was claiming bluechip legacy gTLD/ccTLD levels of "parking" in bubble gTLDs.) Some of these bubble gTLDs lost over 80% of their domain names within a year. That does not happen with bluechip gTLDs and ccTLDs. Suggesting blocking as an alternative is a continuation of confusion. Brand gTLDs were meant to solve that problem and give brand owners their own gTLD so that they would not have to face this problem again. And yet the bulk of the registry agreement terminations since 2014 have been for brand gTLDs. The reason, strange as it seems, is ICANN's decision to add a cost to the AGP process. Perhaps people don't realise the part that the abuse of the AGP in Domain Tasting played in encouraging defensive registrations. Brands and IP were massively targeted by Domain Tasters. Once a cost was added to the AGP process, a lot of that activity declined and while this form of DNS abuse still exists, it is nowhere near on the scale it was when AGP was being abused and the UDRP is once more a usable tool as brand owners don't have to deal with tens of millions of potentially infringing domain names each month that are registered and deleted before the UDRP can be filed. One important point about Verisign has not been mentioned yet. That is the launch of the .WEB gTLD. As a gTLD, the .NET has been in long-term decline since the end of Domain Tasting in 2009. The .WEB is the Sword of Damocles to a lot of borderline new gTLDs. It is also the one new gTLD where the concerns over brand protection are far more global than those with some of the smaller new gTLDs. Regards...jmcc -- ********************************************************** John McCormac * e-mail: jmcc@hosterstats.com MC2 * web: http://www.hosterstats.com/ 22 Viewmount * Domain Registrations Statistics Waterford * Domnomics - the business of domain names Ireland * https://amzn.to/2OPtEIO IE * Skype: hosterstats.com ********************************************************** _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

John, Thank you for your in-depth contribution to the discussion. I can't say that I have fully digested it all, but a couple of points stood out. There's a noteworthy contrast between how some ccTLD authorities handle their responsibilities and how ICANN does. ccTLD authorities for France, Australia, India and New Zealand, among others, have put out tenders to registry service providers for operating their respective ccTLDs. As a result of competitive bidding among registry service providers, the cost of operating the registries have fallen sharply. Even though the ccTLD authorities are presumably a branch of the government, and could directly set prices if they wished, they turn to a competitive market to set price - thereby getting them out of the price setting business. ICANN in contrast treats Verisign and ISOC not as registry service providers but as owners of the .com and .org name spaces. Verisign and ISOC do not need to compete with other registry service providers to operate those name spaces. They are thus free from competitive pressures. The $1.35 billion that Ethos Capital is prepared to pay ISOC for .org is a (low end) valuation of the ongoing harm imposed on registrants due to ICANN's mismanagement of .org. If .org was run at cost, there would be no surplus for Ethos Capital to plunder. It's an example of the road to hell being paved with good intentions. ICANN may have been motivated by good intentions when it awarded .org as a sinecure to ISOC so that ISOC could fund its operations by overcharging dot-org registrants. But now that power to overcharge .org registrants is worth over a billion dollars, and now that ISOC wants out, ICANN has created the conditions for a private equity firm to strip mine the nonprofit community of the charitable contributions that they rely on to carry out their public service missions. If ICANN does not want to be in the business of regulating prices, it should have let the marketplace do that by putting the .com and .org registries out for regular rebid. That ICANN instead ceded a perpetual right to run the registries to Verisign and ISOC is clear evidence of just how much under the thumb of the registries ICANN is. Even after granting a perpetual no-bid right to run the registries, ICANN could still have looked to the current market prices charged by registry service providers in other competitive bid situations to determine the market price. Here again, ICANN would not be a price regulator, they would merely be applying the price as determined by the market. But again ICANN swallowed the self-serving and entirely false position pushed by the registries and their many lobbyists planted throughout ICANN, that competition from new gTLDs would serve to constrain prices on .com and .org. That has been debunked in depth elsewhere, and I'd be glad to share the articles with anyone still holding this view. ICANN, acting as if it were a parasitic host whose brain had been taken over by the registries, blindly swallowed the "we are not a price regulator" and "competition with other gTLDs will hold down prices" mantras, and lifted all price caps on .org. If ICANN had been properly run from the beginning, a group like the newly formed CCOR would be currently operating .org. It would be run by a non-profit, with respect for civil society principles written into its by-laws, with certain funds clearly allocated to support IETF, but otherwise operated at cost. If this had happened, end users would not have seen hundreds of millions of dollars that they had contributed to nonprofits over the years, needlessly diverted to ISOC and PIR where ISOC and PIR adopted a wasteful approach to this undeserved gusher of funding from controlling .org.

From an end-user perspective, the choice between having .org controlled by CCOR, subject to regular rebid, or controlled by Ethos Capital, subject to resale to who knows what corrupt oligarch, is clear.

Regards, Nat On Fri, Jan 10, 2020 at 1:59 AM John McCormac <jmcc@hosterstats.com> wrote:

On 07/01/2020 21:03, Jonathan Zuck wrote:

...

Thanks John, your posts are always informative. I know you have some structural issues with the registry/registrar model which has disadvantaged some smaller markets and gTLDs. Do you have specific

The registry/registrar model is affecting the gTLDs at a local hoster level in developing markets, Jonathan, Basically what is a large hoster in some of these markets is not on the same financial level as an ICANN registrar and the logical progression isn't from hoster to ICANN registrar but hoster to ccTLD registrar. This is also seen in the mature/developed markets but for a different reason. In mature markets outside the USA, the momentum in new registrations is almost completely in the ccTLDs and the legacy gTLDs have plateaued. There was a good presentation on this from someone from the .ZA registry on trying to solve this developing markets problem at one of the ICANN meetings.

ICANN and its economic reports got the competition angle on new gTLDs wrong. There was very little competition between gTLDs and it was ICANN's failure to act that created real competition between the gTLDs and ccTLDs rather than between gTLDs. People found that they could get the domain names they wanted in their local ccTLD. Now, the ccTLDs are competing with the gTLDs and largely winning.

People are focused on the size of the total .COM rather than the reality that it is a composite of a small global market and many country level markets where .COM is either plateaued or declining. It is the US market that is driving .COM and it may be vulnerable to the ccTLD effect. The first indications of that in the US market will be a slight drift to the .US ccTLD. The .COM has been helped in the US market by the sheer volume of US .COM registrations and the inability of the .US ccTLD registry to cope with that scale of a competitor. Its discounting offers have also added a boom and bust element to its zone file.

...

thoughts on "individual end user" interests in the new .COM contract? What points do you think would be most important for At-Large to make. As you say, roundabout ways to dealing with different issues aren't

This needs a lot of thought as ALAC has to choose its battles carefully.

The price increases will have the most impact on end users. The focus on the impact of price increases on domainers is misleading as domainers only represent a small set of .COM domain names.

The more expensive the .COM gets and the stronger the local ccTLDs get, the more likely it is that a new registrant will only opt for a ccTLD domain name rather than .COM as a primary brand. The .COM has benefited from being a "must register" TLD but the price rises will cause problems. People at a registrar/ICANN level generally think in wholesale costs but the .COM price increase will be multiplied by the time it gets to the end user. This will make the US market increasingly important for the .COM because it may begin to lose its market share in markets outside the US. The historical registrations should be OK for a while but it is in the new registrations volume where the effect will appear first. The renewal rates are very different on a country level basis. The price increases may have a greater impact on countries with weaker economies.

Purely from the security and statistics side of things, the amended bulk access/zone file access section contains the 3 month blackout thing where zone file access is limited to three month periods before the CZDS user has to rerequest access to the zonefile. This was not part of the CZDS specification and was added by a person or persons in ICANN who were unaware of the damage it would cause to the cybersecurity and tracking. It is not an end-user issue but the cybersecurity aspect directly impacts end-users. Versign and some of the other legacy gTLDs on the CZDS have a more grown-up approach and do not use basic period of 3 months.

...

ideal and price caps to support defensive registrations doesn't seem like the answer to defensive registrations. What would we like to see if

A defensive registration can simply be a .COM registration where the registrant uses a website in another TLD as their primary brand. Bulk defensive registration activity (as in the Citibank example) is more easily identified as most of these registrations are hosted on specialist registrars and hosters. Ordinary defensive registrations are more often .COM/ccTLD pairs. The gTLD domain name is only one part of the puzzle.

Strange as it seems, price increases reduce the requirements for defensive registrations because it becomes more expensive for a bad actor to target brands/IP in bulk. This is why the more expensive new gTLDs have lower levels of this kind of DNS abuse.

The other aspect of DNS abuse is that it does not specifically cover webspam in its definition. The bulk of abusive registrations in Domain Tasting were monetising abusive registrations with PPC rather than being used for disposable e-mail spam and phishing purposes. Google's decision to stop monetising registrations less than five days old had a greater immediate impact on Domain Tasting than ICANN's initial move.

...

this contract goes forward beyond the commitments that have been made already from the new contract and the investment in research and education on SSR? DNS Abuse measures? Trusted notifier stuff like Donuts has? What would you like to see given your facility with the numbers?

Verisign has some excellent people working on these issues. The most effective way of hitting DNS and web abuse is by limiting the ability of a registry to discount. The problem is that it will also potentially limit the ability of the registry to survive.

Discounting, whether people like it or not, is a legitimate business tool for registries and registrars. On the matter of DNS abuse, the report from Interisle.net on the matter should be read by everyone with an interest in the subject.

The abuse measures are noble aspirations but the reality is that the threats change. Much of the the damage and abuse that has been seen with the highly discounted new gTLDs has largely been self-inflicted by the registries. The discounted regisration fee has made some models of DNS and web abuse economically viable. The CCT-RT report cited the Dutch report on this but the report concentrated mainly on reported incidents. This is a major shortcoming with dealing with DNS abuse as it relies on reporting rather than detection. If it is not detected, then it might not as well exist to ICANN and the registry but the end-user is going to suffer anyway. It can also be poisoned by incorrect data. One of the most famous incidents was where the .ZIP was designated the most toxic of the new gTLDs by some security consultancy. The .ZIP gTLD wasn't even active. (That was a wonderful example of the weakness of ICANN's evaluation process in allowing a commonly used file extension to become a gTLD. Ironically .com was a file extension dating back to the 1970s.)

One of the metrics in the web usage reports that I run is a compromised sites estimate per TLD. That is partially based on a continually updated "toxic links" table of URLs that are known to be used in link injections and links that should not appear in certain sets of websites. Basically these are links for discounted gTLDs that appear in gTLDs/ccTLDs where there's no real connection and they appear identically across a set of sites. Some of the historical survey data here goes back over ten years or so. It is not unusual to see compromised websites remain compromised for years.

Unfortunately the definition of DNS abuse is too narrow to encapsulate such issues because it is purely focused on DNS, reported phishing, malware, botnet and e-mail spam. Web-side abuse is far worse in some respects as it kills gTLDs. The .LOAN gTLD's business model looked good initially but it collapsed (around 2015 or so) and the then registry manager, Famous Four Media, turned to discounting as a means to inflate the zone. The problem was that it ended up with approximately a million or so adult and gambling affiliate websites and only a few hundred on-topic websites. Most of those affiliate sites washed out of the zone when the new registry management made the decision to increase the wholesale renewal/registration fee in August 2018. Pricing, ironically, is the most effective tool in fighting some forms of DNS abuse.

Most of these link injection compromises are easily detected and could be detected in a TLD-wide scan by Verisign. The reality is that the number of websites that would need to be scanned is far smaller than the total number of .COM registrations. It would be relatively easy for Verisign, should it decide to go down this path, to implement a system where it could notify registrars of such issues. The problem arises where these registrars then have to notify resellers/hosters who would then have to notify their customers. There's also the possibility that the customer has outsourced the development of the site that was compromised so there are many links in the kill chain to securing a compromised site.

The .COM, by virtue of being the largest TLD, will see more compromised sites than other TLDs. But the pricing issue reduces the volume of webspam because the discounted gTLDs are more economically viable.

The Public Interest Commitments (Section a) requires the registrar-registrant agreement to have terms forbidding phrarming, malware distribution, botnet operations and, most interestingly copyright infringement and counterfeiting. The problem with the last two issues is that Section b (where the registry will run surveys of the TLD to measure security threats) makes no reference to them as being part of the security threat model. With copyright infringement, apart from the obvious streaming of movies and Pay TV programming, it can be a very difficult task to identify the original copyright owner. Some of the Chinese software used to produce such sites is quite sophisticated in how it scrapes websites, blogs and search engine results. It can be an absolute nightmare, at times, writing the code to distinguish between a legitimate website and one of these generated websites.

With streaming services, there are two basic types. The first, obviously, are the services that stream content in real time. They are high bandwidth operations. The second are the services that just redistribute the keys from a legitimately subscribed smartcard so that a set of decoders connected by the Internet can all just a single smartcard to access programming. That kind of service is more difficult for a registry to identify as it is relatively sparse data and those networks tend to be relatively small in size. Trying to detect these services is a waste of the registry's time and resources. Websites offering streaming services will be picked up in Verisign's monthly scan.

There's a break between Section a and Section b of the PICs in that there's no requirement for the registry to take any action. It is only required to record any action that it does take. The registrar is the one in the firing line as section a specifically mentions the registrar having terms in its contract with the registrant.

Regards...jmcc -- ********************************************************** John McCormac * e-mail: jmcc@hosterstats.com MC2 * web: http://www.hosterstats.com/ 22 Viewmount * Domain Registrations Statistics Waterford * Domnomics - the business of domain names Ireland * https://amzn.to/2OPtEIO IE * Skype: hosterstats.com ********************************************************** _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

David, Here are links to some initial coverage. https://www.reuters.com/article/us-internet-domain-sale/internet-nonprofit-l... https://www.nytimes.com/2020/01/07/technology/dot-org-private-equity-battle.... https://associationsnow.com/2020/01/new-co-op-aims-to-take-over-org-registry... https://www.theverge.com/2020/1/7/21056029/dot-org-icann-chairman-nonprofit-... https://www.engadget.com/2020/01/08/internet-pioneers-group-org-domain/ Apparently it is just getting itself organized now, so I'd expect that they'll put out more information themselves once they have finalized their set up. Regards, Nat On Fri, Jan 10, 2020 at 11:07 AM David Mackey <mackey361@gmail.com> wrote:

Nat,

Do you have a link that provides more information about "CCOR"? It's a pretty generic keyword and my searching on Google hasn't produced relevant results. lol

"It would be run by a non-profit, with respect for civil society principles written into its by-laws, with certain funds clearly allocated to support IETF, but otherwise operated at cost." ... sounds like an interesting option if the operating model proves to be a viable.

Cheers, David

On Fri, Jan 10, 2020 at 9:40 AM Nat Cohen <ncohen@telepathy.com> wrote:

...

John,

Thank you for your in-depth contribution to the discussion. I can't say that I have fully digested it all, but a couple of points stood out.

There's a noteworthy contrast between how some ccTLD authorities handle their responsibilities and how ICANN does.

ccTLD authorities for France, Australia, India and New Zealand, among others, have put out tenders to registry service providers for operating their respective ccTLDs. As a result of competitive bidding among registry service providers, the cost of operating the registries have fallen sharply.

Even though the ccTLD authorities are presumably a branch of the government, and could directly set prices if they wished, they turn to a competitive market to set price - thereby getting them out of the price setting business.

ICANN in contrast treats Verisign and ISOC not as registry service providers but as owners of the .com and .org name spaces. Verisign and ISOC do not need to compete with other registry service providers to operate those name spaces. They are thus free from competitive pressures.

The $1.35 billion that Ethos Capital is prepared to pay ISOC for .org is a (low end) valuation of the ongoing harm imposed on registrants due to ICANN's mismanagement of .org. If .org was run at cost, there would be no surplus for Ethos Capital to plunder. It's an example of the road to hell being paved with good intentions. ICANN may have been motivated by good intentions when it awarded .org as a sinecure to ISOC so that ISOC could fund its operations by overcharging dot-org registrants. But now that power to overcharge .org registrants is worth over a billion dollars, and now that ISOC wants out, ICANN has created the conditions for a private equity firm to strip mine the nonprofit community of the charitable contributions that they rely on to carry out their public service missions.

If ICANN does not want to be in the business of regulating prices, it should have let the marketplace do that by putting the .com and .org registries out for regular rebid.

That ICANN instead ceded a perpetual right to run the registries to Verisign and ISOC is clear evidence of just how much under the thumb of the registries ICANN is.

Even after granting a perpetual no-bid right to run the registries, ICANN could still have looked to the current market prices charged by registry service providers in other competitive bid situations to determine the market price. Here again, ICANN would not be a price regulator, they would merely be applying the price as determined by the market.

But again ICANN swallowed the self-serving and entirely false position pushed by the registries and their many lobbyists planted throughout ICANN, that competition from new gTLDs would serve to constrain prices on .com and .org. That has been debunked in depth elsewhere, and I'd be glad to share the articles with anyone still holding this view.

ICANN, acting as if it were a parasitic host whose brain had been taken over by the registries, blindly swallowed the "we are not a price regulator" and "competition with other gTLDs will hold down prices" mantras, and lifted all price caps on .org.

If ICANN had been properly run from the beginning, a group like the newly formed CCOR would be currently operating .org. It would be run by a non-profit, with respect for civil society principles written into its by-laws, with certain funds clearly allocated to support IETF, but otherwise operated at cost.

If this had happened, end users would not have seen hundreds of millions of dollars that they had contributed to nonprofits over the years, needlessly diverted to ISOC and PIR where ISOC and PIR adopted a wasteful approach to this undeserved gusher of funding from controlling .org.

From an end-user perspective, the choice between having .org controlled by CCOR, subject to regular rebid, or controlled by Ethos Capital, subject to resale to who knows what corrupt oligarch, is clear.

Regards,

Nat

On Fri, Jan 10, 2020 at 1:59 AM John McCormac <jmcc@hosterstats.com> wrote:

...

On 07/01/2020 21:03, Jonathan Zuck wrote:

...

Thanks John, your posts are always informative. I know you have some structural issues with the registry/registrar model which has disadvantaged some smaller markets and gTLDs. Do you have specific

The registry/registrar model is affecting the gTLDs at a local hoster level in developing markets, Jonathan, Basically what is a large hoster in some of these markets is not on the same financial level as an ICANN registrar and the logical progression isn't from hoster to ICANN registrar but hoster to ccTLD registrar. This is also seen in the mature/developed markets but for a different reason. In mature markets outside the USA, the momentum in new registrations is almost completely in the ccTLDs and the legacy gTLDs have plateaued. There was a good presentation on this from someone from the .ZA registry on trying to solve this developing markets problem at one of the ICANN meetings.

ICANN and its economic reports got the competition angle on new gTLDs wrong. There was very little competition between gTLDs and it was ICANN's failure to act that created real competition between the gTLDs and ccTLDs rather than between gTLDs. People found that they could get the domain names they wanted in their local ccTLD. Now, the ccTLDs are competing with the gTLDs and largely winning.

People are focused on the size of the total .COM rather than the reality that it is a composite of a small global market and many country level markets where .COM is either plateaued or declining. It is the US market that is driving .COM and it may be vulnerable to the ccTLD effect. The first indications of that in the US market will be a slight drift to the .US ccTLD. The .COM has been helped in the US market by the sheer volume of US .COM registrations and the inability of the .US ccTLD registry to cope with that scale of a competitor. Its discounting offers have also added a boom and bust element to its zone file.

...

thoughts on "individual end user" interests in the new .COM contract? What points do you think would be most important for At-Large to make. As you say, roundabout ways to dealing with different issues aren't

This needs a lot of thought as ALAC has to choose its battles carefully.

The price increases will have the most impact on end users. The focus on the impact of price increases on domainers is misleading as domainers only represent a small set of .COM domain names.

The more expensive the .COM gets and the stronger the local ccTLDs get, the more likely it is that a new registrant will only opt for a ccTLD domain name rather than .COM as a primary brand. The .COM has benefited from being a "must register" TLD but the price rises will cause problems. People at a registrar/ICANN level generally think in wholesale costs but the .COM price increase will be multiplied by the time it gets to the end user. This will make the US market increasingly important for the .COM because it may begin to lose its market share in markets outside the US. The historical registrations should be OK for a while but it is in the new registrations volume where the effect will appear first. The renewal rates are very different on a country level basis. The price increases may have a greater impact on countries with weaker economies.

Purely from the security and statistics side of things, the amended bulk access/zone file access section contains the 3 month blackout thing where zone file access is limited to three month periods before the CZDS user has to rerequest access to the zonefile. This was not part of the CZDS specification and was added by a person or persons in ICANN who were unaware of the damage it would cause to the cybersecurity and tracking. It is not an end-user issue but the cybersecurity aspect directly impacts end-users. Versign and some of the other legacy gTLDs on the CZDS have a more grown-up approach and do not use basic period of 3 months.

...

ideal and price caps to support defensive registrations doesn't seem like the answer to defensive registrations. What would we like to see if

A defensive registration can simply be a .COM registration where the registrant uses a website in another TLD as their primary brand. Bulk defensive registration activity (as in the Citibank example) is more easily identified as most of these registrations are hosted on specialist registrars and hosters. Ordinary defensive registrations are more often .COM/ccTLD pairs. The gTLD domain name is only one part of the puzzle.

Strange as it seems, price increases reduce the requirements for defensive registrations because it becomes more expensive for a bad actor to target brands/IP in bulk. This is why the more expensive new gTLDs have lower levels of this kind of DNS abuse.

The other aspect of DNS abuse is that it does not specifically cover webspam in its definition. The bulk of abusive registrations in Domain Tasting were monetising abusive registrations with PPC rather than being used for disposable e-mail spam and phishing purposes. Google's decision to stop monetising registrations less than five days old had a greater immediate impact on Domain Tasting than ICANN's initial move.

...

this contract goes forward beyond the commitments that have been made already from the new contract and the investment in research and education on SSR? DNS Abuse measures? Trusted notifier stuff like Donuts has? What would you like to see given your facility with the numbers?

Verisign has some excellent people working on these issues. The most effective way of hitting DNS and web abuse is by limiting the ability of a registry to discount. The problem is that it will also potentially limit the ability of the registry to survive.

Discounting, whether people like it or not, is a legitimate business tool for registries and registrars. On the matter of DNS abuse, the report from Interisle.net on the matter should be read by everyone with an interest in the subject.

The abuse measures are noble aspirations but the reality is that the threats change. Much of the the damage and abuse that has been seen with the highly discounted new gTLDs has largely been self-inflicted by the registries. The discounted regisration fee has made some models of DNS and web abuse economically viable. The CCT-RT report cited the Dutch report on this but the report concentrated mainly on reported incidents. This is a major shortcoming with dealing with DNS abuse as it relies on reporting rather than detection. If it is not detected, then it might not as well exist to ICANN and the registry but the end-user is going to suffer anyway. It can also be poisoned by incorrect data. One of the most famous incidents was where the .ZIP was designated the most toxic of the new gTLDs by some security consultancy. The .ZIP gTLD wasn't even active. (That was a wonderful example of the weakness of ICANN's evaluation process in allowing a commonly used file extension to become a gTLD. Ironically .com was a file extension dating back to the 1970s.)

One of the metrics in the web usage reports that I run is a compromised sites estimate per TLD. That is partially based on a continually updated "toxic links" table of URLs that are known to be used in link injections and links that should not appear in certain sets of websites. Basically these are links for discounted gTLDs that appear in gTLDs/ccTLDs where there's no real connection and they appear identically across a set of sites. Some of the historical survey data here goes back over ten years or so. It is not unusual to see compromised websites remain compromised for years.

Unfortunately the definition of DNS abuse is too narrow to encapsulate such issues because it is purely focused on DNS, reported phishing, malware, botnet and e-mail spam. Web-side abuse is far worse in some respects as it kills gTLDs. The .LOAN gTLD's business model looked good initially but it collapsed (around 2015 or so) and the then registry manager, Famous Four Media, turned to discounting as a means to inflate the zone. The problem was that it ended up with approximately a million or so adult and gambling affiliate websites and only a few hundred on-topic websites. Most of those affiliate sites washed out of the zone when the new registry management made the decision to increase the wholesale renewal/registration fee in August 2018. Pricing, ironically, is the most effective tool in fighting some forms of DNS abuse.

Most of these link injection compromises are easily detected and could be detected in a TLD-wide scan by Verisign. The reality is that the number of websites that would need to be scanned is far smaller than the total number of .COM registrations. It would be relatively easy for Verisign, should it decide to go down this path, to implement a system where it could notify registrars of such issues. The problem arises where these registrars then have to notify resellers/hosters who would then have to notify their customers. There's also the possibility that the customer has outsourced the development of the site that was compromised so there are many links in the kill chain to securing a compromised site.

The .COM, by virtue of being the largest TLD, will see more compromised sites than other TLDs. But the pricing issue reduces the volume of webspam because the discounted gTLDs are more economically viable.

The Public Interest Commitments (Section a) requires the registrar-registrant agreement to have terms forbidding phrarming, malware distribution, botnet operations and, most interestingly copyright infringement and counterfeiting. The problem with the last two issues is that Section b (where the registry will run surveys of the TLD to measure security threats) makes no reference to them as being part of the security threat model. With copyright infringement, apart from the obvious streaming of movies and Pay TV programming, it can be a very difficult task to identify the original copyright owner. Some of the Chinese software used to produce such sites is quite sophisticated in how it scrapes websites, blogs and search engine results. It can be an absolute nightmare, at times, writing the code to distinguish between a legitimate website and one of these generated websites.

With streaming services, there are two basic types. The first, obviously, are the services that stream content in real time. They are high bandwidth operations. The second are the services that just redistribute the keys from a legitimately subscribed smartcard so that a set of decoders connected by the Internet can all just a single smartcard to access programming. That kind of service is more difficult for a registry to identify as it is relatively sparse data and those networks tend to be relatively small in size. Trying to detect these services is a waste of the registry's time and resources. Websites offering streaming services will be picked up in Verisign's monthly scan.

There's a break between Section a and Section b of the PICs in that there's no requirement for the registry to take any action. It is only required to record any action that it does take. The registrar is the one in the firing line as section a specifically mentions the registrar having terms in its contract with the registrant.

Regards...jmcc -- ********************************************************** John McCormac * e-mail: jmcc@hosterstats.com MC2 * web: http://www.hosterstats.com/ 22 Viewmount * Domain Registrations Statistics Waterford * Domnomics - the business of domain names Ireland * https://amzn.to/2OPtEIO IE * Skype: hosterstats.com ********************************************************** _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

On 10/01/2020 14:39, Nat Cohen wrote:

John,

Thank you for your in-depth contribution to the discussion.  I can't say that I have fully digested it all, but a couple of points stood out.

There's a noteworthy contrast between how some ccTLD authorities handle their responsibilities and how ICANN does.

The ccTLDs can make ICANN look like a simple operation, Nat, What makes a lot of the ccTLDs different from the gTLDs is that the ccTLDs are generally backed by strong legislation and it is the country's government that decides to delegate it to a registry. This is the case with the .IE (Ireland), the .EU (European Union) and a few more. The governments effectively have a nuclear option if a registry becomes a problem. The ccTLD registries tend to be far more responsive to their communities than ICANN in that many of them have been through the bad old days when .COM was the leader in their local market.

ccTLD authorities for France, Australia, India and New Zealand, among others, have put out tenders to registry service providers for operating their respective ccTLDs.  As a result of competitive bidding among registry service providers, the cost of operating the registries have fallen sharply.

Some of the falling costs are due to economies of scale. The ccTLDs generally started out being run from university CS departments with much of the administration being manual. The ccTLDs registries that kept manual processes remained small and kept their prices high. The .COM was cheaper even at $100 for two years. Once the shared registry system hit the gTLDs, the prices dropped for the gTLDs and some of the ccTLD registries had no option to but to lower their prices. Most of the ccTLDs had relatively slow growth for the first few years of the 2000s. It wasn't until ICANN screwed up on dealing with Domain Tasting in 2004-2005 that year on year percentage growth in the ccTLDs started to compete with (and overtake) that of the gTLDs. (The actual numbers and percentages are in the Domnomics book.) Every ccTLD that is now dominant in their local market should have a framed photograph of the ICANN management who facilitated their dominance.

Even though the ccTLD authorities are presumably a branch of the government, and could directly set prices if they wished, they turn to a competitive market to set price - thereby getting them out of the price setting business.

The ccTLD registries are typically separate from the government department and minister or secretary that has ultimate authority over the ccTLD. The last thing that most of them want to get drawn into is an argument over pricing.

ICANN in contrast treats Verisign and ISOC not as registry service providers but as owners of the .com and .org name spaces.  Verisign and ISOC do not need to compete with other registry service providers to operate those name spaces.  They are thus free from competitive pressures.

It looks more like ICANN sees itself as having governmental level control over .COM and the other gTLDs and as such it makes decisions on .COM and .ORG because it can. Verisign, due to its position in the market, could easily gather support from its customers on a scale that could cause terminal problems for the elected management of ICANN. Politically, I doubt if ICANN ever wants to upset Verisign. Perhaps there is a fundamentally different mindset in ICANN to that of the ccTLDs. The ccTLD registries realise their position is due to the decision of the relevant government. ICANN seems to think that it is a government when it comes to making decisions on who runs which gTLD.

The $1.35 billion that Ethos Capital is prepared to pay ISOC for .org is a (low end) valuation of the ongoing harm imposed on registrants due to ICANN's mismanagement of .org.  If .org was run at cost, there would be no surplus for Ethos Capital to plunder.  It's an example of the road to hell being paved with good intentions.  ICANN may have been motivated by good intentions when it awarded .org as a sinecure to ISOC so that ISOC could fund its operations by overcharging dot-org registrants.  But now that power to overcharge .org registrants is worth over a billion dollars, and now that ISOC wants out, ICANN has created the conditions for a private equity firm to strip mine the nonprofit community of the charitable contributions that they rely on to carry out their public service missions.

The optics are terrible. ICANN is being made to look incompetent and ISOC is being made to look like a bunch of greedy management types, even when the reality is different, who would sell out the people who made .ORG a good gTLD. Running .ORG at cost in the current gTLD market (where discounting basically facilitates bad activity) might be a very dangerous thing. The .ORG has spent a lot of time trying to clean up the damage that discounting did to the gTLD and has largely succeeded. If Ethos Capital succeeds and starts to increase prices, then it is in for one Hell of a shock. It would put itself in the position of being an enemy of the registrants and when that happens, all the happy-clappy job titles and PR in the world won't help it when registrations start being dumped. The legacy gTLDs are in a very tricky position outside the US market. The .COM has plateaued in many country level markets and .NET and .ORG are struggling. The .BIZ and .INFO are essentially dead in most markets. The registration volume for most of the legacy gTLDs is, apart from .COM, almost completely dependent on the renewal of historical registrations. With the .ORG, the bulk of registrations are, by country of registrar and by website IP address, in the US market. With the rise of the ccTLDs, it has become less relevant in markets outside the US. The web usage %s on .ORG are quite good but the majority of .ORG domain names have no active websites.(Most TLDs have more domain names with no active websites than domain names with active websites.) The value for an entity like Ethos Capital isn't in .ORG's growth but rather in the historical registrations that keep on being renewed. It has all the optics of a Vulture Capitalism deal.

If ICANN does not want to be in the business of regulating prices, it should have let the marketplace do that by putting the .com and .org registries out for regular rebid.

In theory, it is a good idea. In practice, it can lead to market uncertainty. Market uncertainty damages TLDs. The .EU mess with Brexit had a bunch of cluelessly ignorant and unelected politicians making stupid decisions about the status of UK owned .EU domain names without bothering to tell EURid (the .EU registry). That affected about 10% of the .EU ccTLD and was a group of registrations that the ccTLD could not afford to lose. The public and registrants need to be able to see a registry like a swan moving gracefully across a pond without realising that there's a lot of furious paddling going on beneath the surface. The one thing that the gTLDs cannot afford to do is to create any sense of uncertainty. That's a lesson that many ccTLDs have had to learn the hard way in the past.

That ICANN instead ceded a perpetual right to run the registries to Verisign and ISOC is clear evidence of just how much under the thumb of the registries ICANN is.

It is hard not to think of ICANN management as being the John Sculleys of the domain name business when the business needs more Steve Jobs types. Some of these registries have been in business for decades and know how to play the game.

Even after granting a perpetual no-bid right to run the registries, ICANN could still have looked to the current market prices charged by registry service providers in other competitive bid situations to determine the market price.  Here again, ICANN would not be a price regulator, they would merely be applying the price as determined by the market.

The main issue with that is that a gTLD is not a single market but rather a composite of many country level markets and a much smaller global market. A price that might seem competitive in the USA might seem expensive elsewhere.

But again ICANN swallowed the self-serving and entirely false position pushed by the registries and their many lobbyists planted throughout ICANN, that competition from new gTLDs would serve to constrain prices on .com and .org.  That has been debunked in depth elsewhere, and I'd be glad to share the articles with anyone still holding this view.

The more that I looked at the ICANN arguments for competition for the new gTLDs for the Domnomics book, the more that I realised that those arguments were rubbish. The economic reports dealing with competition were clueless about the domain name business. The reality is that apart from gTLDs and ccTLDs, gTLDs don't really compete with each other. They form an interdependent ecology. This is why brand protection at a trademark/service market level and at a small business level is such a major part of the legacy gTLDs. The biggest overlap with .COM is with ccTLDs in that the commonest registration combination is from people and businesses registering their .COM and .ccTLD.

ICANN, acting as if it were a parasitic host whose brain had been taken over by the registries, blindly swallowed the "we are not a price regulator" and "competition with other gTLDs will hold down prices" mantras, and lifted all price caps on .org.

ICANN, at times, seems to be quite rudderless. It really never recovered from the Domain Tasting period and that gave the ccTLDs their current momentum. Once these ccTLDs became dominant in their markets, the gTLDs drifted into the background. The 2012 round of new gTLDs seemed like a last hurrah of an organisation that was becoming less relevant to end-users by the day. ICANN has an unlucky history of being overtaken by events. The first round of new gTLDs, promoted in the late 1990s and announced in 2000, were hit by the bursting of the .COM bubble in 2000. The second group of that round of new gTLDs where hit by Afilias' decision to offer free .INFO registrations and the Domain Tasting debacle. As if that wasn't enough, the remaining first round new gTLDs had to launch when the bursting of the Subprime mortgage bubble caused an economic recession. The 2012 round of new gTLDs were basically a response to an artificial scarcity caused by Domain Tasting and each day's deletions being hoovered up by drop catcher and tasting registrars. Once ICANN got around to implementing some changes in AGP costs, that artificial scarcity disappeared and with it the potential demand for most of the 2012 round of new gTLDs. To ICANN management, it seemed that competition was like some holy grail. To people with actual business experience in the domain name industry, demand is everything. No demand = few registrations = no business.

If ICANN had been properly run from the beginning, a group like the newly formed CCOR would be currently operating .org.  It would be run by a non-profit, with respect for civil society principles written into its by-laws, with certain funds clearly allocated to support IETF, but otherwise operated at cost.

ICANN was always going to be influenced by the industry. Its main problem is that there is no proper oversight. The ccTLDs generally seem to have an element of governmental oversight. In moderation, this can be a good thing. With the paragraph above, the position of governmental oversight is replaced by a kind of benevolent CCOR oversight.

If this had happened, end users would not have seen hundreds of millions of dollars that they had contributed to nonprofits over the years, needlessly diverted to ISOC and PIR where ISOC and PIR adopted a wasteful approach to this undeserved gusher of funding from controlling .org.

The high profile sites in .ORG are generally NGO/do-gooder sites but that is only the tip of the iceberg. The reality is that many of the .ORG registrations are brand protection and other kinds of registrations that are definitely owned by for-profit organisations. Brand protection registrations, as a category, renew extremely well. Without them, the .ORG could be less than 20% of its current registration volume.

From an end-user perspective, the choice between having .org controlled by CCOR, subject to regular rebid, or controlled by Ethos Capital, subject to resale to who knows what corrupt oligarch, is clear.

From an end-user perspective, the .ORG is a special gTLD unlike the others. It is associated with NGOs and do-gooder operations. But that can change quickly. End-users are not stupid and the branding of Ethos Capital will be seen as a crass attempt to plunder that good will. And when the end-users realise that they've been played, they generally dump registrations. Losing the true believers is a very dangerous thing for a TLD because they are the unpaid salespeople and proponents of the TLD. This loss of the true believers problem happened with the .EU ccTLD. The .EU was supposed to be a ccTLD for the European Union and many of the people promoting were left down by a poorly designed regulatory framework and an understaffed and inexperienced registry that was incapable of dealing with what happened. (Again, the gory details are in Chapter 1 of the Domnomics book.) The true believers were betrayed and usage in the ccTLD collapsed. Instead of becoming a competitor to .COM in the European Union market, it is just competing with .NET/.ORG and other non-core TLDs while each of these markets are approximately 80% .ccTLD/.COM. It typically has less than 5% of the market in most European Union countries. ICANN might act on the .ORG deal but it will probably only do so having exhausted all other possibilities. But given its history, it is always external events that force it to act. Regards...jmcc -- ********************************************************** John McCormac * e-mail: jmcc@hosterstats.com MC2 * web: http://www.hosterstats.com/ 22 Viewmount * Domain Registrations Statistics Waterford * Domnomics - the business of domain names Ireland * https://amzn.to/2OPtEIO IE * Skype: hosterstats.com **********************************************************

Hi Roberto,  I don't know specifically what tables of potential problems you are referring to.  But since I'm on the Latin Generation Panel (that is, the part of IDN working on the Latin alphabet based scripts) I do know that we haven't published our lists/tables yet.  As for why these particular issues are getting raised, I would not that for the most part scripts are used by one, or at most a half dozen, different languages.  The Latin script is used by over 2 hundred.  Because on the way it evolved, what that script has is 26 letters modified by a couple dozen diacritics.  Some of which are essentially indistinguishable.  By the time the various combinations are gathered, we are over 200 symbols.  Any given language (and it's users) maybe involved a half dozen of those diacritics.  Users have trouble identifying the others simply because they have never encountered them and don't realize that there might be something to look for.  You may be familiar with the cedilla under the letter C used in French.  But would it even occur to you to look for one under a letter M?  You may be familiar with the acute accent used over some vowels.  But if the dot over a letter I was replaced by one, would you realize it meant you had a different character?  To date, we have seen criminal activity involving a relatively small number of symbols.  (I believe there was mention in Montreal of a scam involving replacing the J in EasyJet's name with an I.)  But criminals have the same challenges other users have: they just aren't aware (yet!) of all the possibilities that await. So it may not be unreasonable to foresee a surge in problems when ICANN's handy list of variants and confusables (focused on TLDs, but work anywhere in the name) is published. ,   I suppose we could reduce the problem by forcing users to use the actual IP address, rather than domain names.  If nothing else, people would have to pay more attention in order to make sure that they hadn't accidentally gotten the wrong address.  Of course, that loses the ease of use that domain names provide.... Bill On Tuesday, January 7, 2020, 04:07:43 PM PST, Roberto Gaetano <roberto_gaetano@hotmail.com> wrote: Hi Bill.Thanks for answering my question. The reason why I was asking for data is that I am very suspicious about analyses based only on suppositions, in particular when suppositions are addressed in one direction only. Since we are in the domain (pun not intended) of hypotheses, I will propose mine - supported, when possible, by observation - going in a different direction. IDNs are being deployed for years now. Had reputable organizations felt the risk of registrations of IDNs that are confusingly similar (personally I find the qualification of “indistinguishable” factually incorrect) as a serious risk, we would have witnessed a spike in defensive registrations. To me, the fact that it did not happen is, if not a proof, at least an indication that the vast majority of these organizations do not see this as a serious threat. As you say, ICANN has produced a few months ago tables of the potential threats. My observation is that crime normally acts fast - generally before the potential pitfall is brought to the general public. Why would this case be different? My observation is that a cure that limits the effects of a problem without addressing the root cause is seldom effective. In this case the root cause is, IMHO, that the “real” url is not the displayed one, therefore potentially inducing the user in error. Maybe to solve this problem is not trivial, but it seems to me that addressing the behaviour of the browsers will produce far better results in the long term than creating blacklists, regulating the domain name market, forcing defensive registrations, or whatever else. Unless, of course, the objective is not solving the problem but influencing the domain name market. I would like to conclude with a provocative question. How come that the potential problems supposedly originated by the introduction and deployment of IDNs are raised only by people and interest groups that are operating in a plain ASCII environment - and more often than not of English mother tongue? Cheers,Roberto On 07.01.2020, at 18:45, Bill Jouris via CPWG <cpwg@icann.org> wrote: Hi Roberto,  I don't work for Citi Bank, and am not aware of knowing anyone who does.  So I have no idea.  I would note that, at this moment, we are probably 6 months from ICANN publishing the IDN effort's tables of all the variations on the Latin alphabet.  Having that readily available will make coming up with indistinguishable domain names much easier for bad actors.  And thus the need for defensive registrations.  In short, the problem wrt the need for defensive registrations is still at the readily foreseeable stage, rather than the already exploding in our face stage.   Bill Sent from Yahoo Mail on Android On Tue, Jan 7, 2020 at 2:16 AM, Roberto Gaetano<roberto_gaetano@hotmail.com> wrote:Hi Bill.Just a couple of questions wrt: The only obvious defense, for registrants who want their customers to arrive reliably at their website, will be defensive registrations.  Lots of defensive registrations.  (I did a quick calculation for Citi Bank.  4 letter domain name.  Close to 300 readily confusable variations.  Longer names would have more, of course.) How many actual defensive registrations has Citi Bank? Thanks,R. _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Hi Roberto,  You wrote: What prompted me to react to this thread was the temptation to see the introduction of IDNs as evil because its could encourage criminal activities. My personal opinion is that, if we take a global view, the benefits of IDNs for users whose native languages do not use latin script overcome by far the potential problems it raises. Secondly, that a solution to the problem of fake web sites pretending to be something else should be found acting on the browsers and not on the DNS. I completely agree that the benefits of IDNs far outweigh their downsides.  But I also think that some fairly straightforward ways to reduce some of the downsides, while preserving the benefits, have been overlooked.  More could probably be done with browsers.  But I'm not sure I see how ICANN can drive that.  (Especially in light of how far, a decade later, most browsers are from even implementing IDNA 2008 to replace IDNA 2003.)  I do see how we can do something about what characteristics of domain names the DNS accepts.  And the contracts with the registries are where, from what I know, we can act.  I think you are right that, since we have wandered rather far from the original topic, we should probably take this offline now.  Bill  On Wednesday, January 8, 2020, 05:35:48 AM PST, Roberto Gaetano <roberto_gaetano@hotmail.com> wrote: Hi Bill.My comments below. On 08.01.2020, at 01:22, Bill Jouris via CPWG <cpwg@icann.org> wrote: Hi Roberto,  I don't know specifically what tables of potential problems you are referring to. Ooopss - reading again your previous message I realise that when you spoke about 6 months from publication of the tables you meant that it will be 6 months in the future, not 6 months ago.I stand corrected.   But since I'm on the Latin Generation Panel (that is, the part of IDN working on the Latin alphabet based scripts) I do know that we haven't published our lists/tables yet.  Indeed, see above.I know you are active in this field, if I remember correctly we had a couple of exchanges on the UA mailing lists. As for why these particular issues are getting raised, I would not that for the most part scripts are used by one, or at most a half dozen, different languages.  The Latin script is used by over 2hundred.  Because on the way it evolved, what that script has is 26 letters modified by a couple dozen diacritics.  Some of which are essentially indistinguishable.  By the time the various combinations are gathered, we are over 200 symbols.  I know that, but thanks for pointing it out. Any given language (and it's users) maybe involved a half dozen of those diacritics.  Users have trouble identifying the others simply because they have never encountered them and don't realize that there might be something to look for.  You may be familiar with the cedilla under the letter C used in French.  But would it even occur to you to look for one under a letter M?  You may be familiar with the acute accent used over some vowels.  But if the dot over a letter I was replaced by one, would you realize it meant you had a different character?  OK, so now I am getting a better picture. I was speaking of confusing similarity of diacritics (or chars in different scripts) with plain ASCII chars. You are raising the issue of confusing similarity between diacritics.You get another point here, because in this case solutions like the simple display of the punycode together with the visual rendering would not solve the problem (I assume that users would not distinguish between two different punycode strings). To date, we have seen criminal activity involving a relatively small number of symbols.  (I believe there was mention in Montreal of a scam involving replacing the J in EasyJet's name with an I.)  But criminals have the same challenges other users have: they just aren't aware (yet!) of all the possibilities that await. So it may not be unreasonable to foresee a surge in problems when ICANN's handy list of variants and confusables (focused on TLDs, but work anywhere in the name) is published. ,  Here I start keeping my points, so we still disagree.IMHO, criminals do this as their job, so they get aware much in advance of the potential pitfalls. Although I might agree that in time more criminals could get involved in exploiting these kinds of opportunities, I would be seriously surprised in learning that many of these individuals and organizations are not already acting as “early adopters”.In short, were I Citi Bank - or a similar organization potentially under attack - I would have started already taking countermeasures - including defensive registrations - if that was our defensive strategy. My personal opinion is that we have sufficient evidence that this is not happening - at least not on a large scale. I can, however, concede that the situation might evolve and getting worse in the future - but this not really to the extent that we can use the defensive registrations as an argument against raising prices.   I suppose we could reduce the problem by forcing users to use the actual IP address, rather than domain names.  If nothing else, people would have to pay more attention in order to make sure that they hadn't accidentally gotten the wrong address.  Of course, that loses the ease of use that domain names provide.... I assume you are using this as a straw man - if not as a joke altogether. We obviously need to figure out a solution - or at least a mitigation of the impact. What prompted me to react to this thread was the temptation to see the introduction of IDNs as evil because its could encourage criminal activities. My personal opinion is that, if we take a global view, the benefits of IDNs for users whose native languages do not use latin script overcome by far the potential problems it raises. Secondly, that a solution to the problem of fake web sites pretending to be something else should be found acting on the browsers and not on the DNS. Happy to continue the discussion - but can also do that offline or in other contexts should this be of no interest to this group. Cheers,Roberto Bill

Nat, I have nothing to hide here and I'm happy to discuss anything. Having no financial interest in the outcome here is very liberating and I continue to be involved because I've been a part of this community for 15 years and I think the work that ICANN does is important. I've tried to share my own bias and frustrations with the secondary market and the role it has played in making the registration of domains a little more difficult. That said, I don't really have anything against domain investors, I just don't think we have any obligation to them, especially in the At-Large. Our challenge is that we have the mandate to represent the interests of individual end users, most of whom are NOT registrants. More often than not, there's not conflict but sometimes there is. We have seen it come up in the GDPR discussions as well as those around geographic names. Here there's an even more subtle distinction between a "typical" registrant and a "volume" registrant (which includes both investors and large corporations). I'm not certain that those interests are entirely aligned which is why the shrill rhetoric continues to be about "millions of dollars" rather than the $3 that most will experience. Your contention that the interests of registrants are not represented inside ICANN is not exactly the case. The NCSG is is almost entirely focused on the interests of registrants, whether their privacy or their freedom of speech. Also too, you will find Registrars well aligned with registrants, in most instances, because they are their customers. So the folks who do NOT have direct representation in the GNSO are "individual end users" who spend their days on the internet, sending email, buying airline tickets, engaging in online shopping and many other activities and have no intention of every registering a domain. Of course, we are ALL end users, most of the time, so it's possible to discuss their interests logically and that's what we try to do in the At-Large. We continue to explore ways to hear from end users outside of the ICANN echo chamber but we could always do better. That said, those surveys DO tend to suggest they are more interested in things like minimizing confusion, malware and fraud than they are in controlling domain name prices. If you really got down to brass tacks, I imagine they would prefer a world in which domains devoted to political speech, communities and media would be free and that the rest of them would cost $1000/year. I agree that the At-Large has a legitimacy problem sometimes but more from failing to reach consensus, asserting fact not in evidence, failing to stick to our remit and often presenting conflicting views to the community, making it difficult to advocate for end users. That's what we're working on here, not reacting with our hair on fire every time someone says we should. Again, let's focus on being rational rather than reactive and personal. We can let the arguments speak for themselves because the people voicing them are inconsequential unless we're being asked to "believe" something or take something on faith, in which case the speaker matters. When folks simply make assertions without reason or reference, we have to question the speaker. If they are trying to apply logic to an issue, we can simply test the logic. That's a whole lot easier. So, I invite you to talk about individual end users and how their interests are affected by the new .COM contract. We're all ears. Jonathan ________________________________ From: Nat Cohen <ncohen@telepathy.com> Sent: Monday, January 6, 2020 11:39 AM To: Jonathan Zuck <JZuck@innovatorsnetwork.org> Cc: Alan Greenberg <alan.greenberg@mcgill.ca>; cpwg@icann.org <cpwg@icann.org> Subject: Re: [CPWG] Verisign Jonathan, Thank you for being so forthcoming. A while ago, well before joining the At-Large, I came across an interview with Esther Dyson published by ICANN in which she mentioned that from the earliest days of At-Large, Network Solutions was paying members to participate. She also raised fundamental questions about ICANN's ability to represent the interests of the Internet community when special interests have the motivation and financial incentive to engage while the average user does not. The whole interview is an interesting listen. Here's a link to this specific part of the interview- https://www.youtube.com/watch?v=nCgbcyBxE1o&feature=youtu.be&t=153 So, yes, I suspected that your involvement with At-Large was funded in part by Verisign. If so, I thought that should be made public in your SOI so that your comments could be understood in that light. I did find it unusual that as your passion is moviemaking, and as you have no apparent financial interest in the outcomes of ICANN policy that you would devote so many uncompensated hours to trying to shape ICANN policy, and that your positions so often align with Verisign's position. When the ICA protested Verisign's attempts to continue to increase the already inflated fees they charge to operate .com, Verisign lashed out by attacking domain investors - http://www.circleid.com/posts/20181102_how_much_could_businesses_and_consume... In that article, Verisign suggested that the price caps should be imposed on the free and open aftermarket. Your comments that end users would benefit from higher prices and that domain investors are the problem align quite closely with Verisign's positions. So if you are being paid by Verisign to take these positions, then let's at least have some transparency about that. The ICA published a response pointing out the absurdity of a company with monopoly power, insulated from competition, continuously raising prices far above competitive levels, complaining about those who participate in an open and competitive market where prices are determined by market forces - http://www.circleid.com/posts/20181112_verisigns_attempt_to_increase_fees_un.... Yet the Verisign talking points continue to be echoed by many civic minded folks who participate in ICANN and in At-Large in particular. I agree with your comment: "The At-Large is a diverse, heterogeneous body with the near impossible mandate to identify and champion the interests of individual internet users." Indeed, it is presumptuous of any of us to speak on behalf of individual Internet users. They did not select us to speak for them. As you point out, there are no real qualifications to join At-Large and even riff-raff like domain investors are allowed to participate. The legitimacy of the ICANN model is at stake in how it balances the interests of registries and registrants. Registries are overly represented at ICANN. Registrants have no constituency and no actual representation. ICANN is unrepresentative of and unaccountable to the public interest. At-Large is the closest thing ICANN has to a registrant constituency. If At-Large is made up in large part of people with ties to ISOC/PIR and Verisign, then it is just one more way for the registries to exert their influence over ICANN policy making. At-Large got it wrong in supporting the removal of price caps on .org. Apparently registrants care how much they pay. Your earlier statement that: "However, the strongest, albeit counterintuitive argument for the removal of price caps is that we actually WANT higher prices" may be true of registries but it is not true of registrants. You and others are using your influence within At-Large, and are presuming to speak on behalf of the interests of end-users, to advance positions to enable registries to extract hundreds of millions of dollars more per year from registrants. At-Large has a legitimacy problem. Regards, Nat On Mon, Jan 6, 2020 at 10:22 AM Jonathan Zuck <JZuck@innovatorsnetwork.org<mailto:JZuck@innovatorsnetwork.org>> wrote: Yes, definitely. It was in my SOI at the time. I haven’t had too many dealings with them but I found Keith Drazek to be a pretty honest broker during the CCWG efforts to build an accountability framework prior to the transition so, when the DC fights (Ted Cruz, etc.) began, I went to Verisign among others, for help with our efforts to mobilize our members at ACT to make the case for the transition in DC. At the time, ACT counted among its sponsors Microsoft, AT&T, Apple, NBC Universal, Viacom, Fox and Disney and I was in the IPC for many years, mostly criticizing Verisign on things like thick whois. After lobbying for stronger IP for 20 years, I’m still a bit of an IP hawk as my At-Large colleagues will attest, despite no longer having any more IP related sponsors. Another, looser, connection is that I’m still technically on the board of NetChoice which I spun out of ACT many years ago to fight barriers to ecommerce but I haven’t had any operational role in NetChoice since spinning it out. NC counts Verisign as one of its members. A few years ago, I retired from ACT to focus on two non-profits, DC Dogs and The Innovators Network Foundation, neither of which has much to do with IG but I didn’t want to leave the community so I joined the At-Large primarily to be a part of the implementation of the review related reforms. I’ve been pretty focused on process in the At-Large, rather than pursuing any particular policy agenda. I’m fairly certain that I’ll be opposing Verisign, and the contracted parties generally, more often that agreeing with them because of DNS Abuse. I imagine the contracted parties aren’t too happy about the CCT Recommendations or the At-Large recommendations in that arena nor many upcoming recommendations for reform prior to a new round. So all of this has been part of the public record as is my reform oriented agenda at ICANN (“Metrics Man”) and I think that record speaks for itself. I’m not sure ad hominem is any better an approach on this than Jacob’s ad Nazium arguments in his Circle ID post. The At-Large is a diverse, heterogeneous body with the near impossible mandate to identify and champion the interests of individual internet users. Our job is made all the more difficult by our open door membership policy that makes it possible for folks, who have never shown an interest in individual end users, to join as individual members, when their business interests appear to be at stake. Throwing around platitudes like “of course, our interests are aligned with end users” along with ad hominem attacks doesn’t really advance the debate. Instead, focus on the points being made and let’s see if we can find consensus on how the At-Large should proceed. I thought your email to Evan was thoughtful and I plan to read it more carefully. More of that would be ideal if you’d like to continue to participate in At-Large deliberations. This thread began because I shared Alvin’s article on what’s at stake for domain investors and I don’t envy the position in which you find yourselves. That said, it has little or nothing to do with the interests of individual end users who are more likely to benefit from a price hike, especially if some of that money gets invested in security and stability activities. Individual end users don’t care about the wholesale price of domains. They care about whether they’re getting to the site they intend, that the site won’t infect their machine with malware, that the site won’t commit fraud on them, etc. etc., and those individual end users are, unfortunately for you, our constituency here in At-Large. From: Nat Cohen <ncohen@telepathy.com<mailto:ncohen@telepathy.com>> Date: Monday, January 6, 2020 at 9:03 AM To: Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca>>, Jonathan Zuck <JZuck@innovatorsnetwork.org<mailto:JZuck@innovatorsnetwork.org>> Cc: "cpwg@icann.org<mailto:cpwg@icann.org>" <cpwg@icann.org<mailto:cpwg@icann.org>> Subject: Re: [CPWG] Verisign Alan - Jonathan is capable of speaking for himself. So let's ask him. Jonathan - have you ever been compensated by Verisign, by a Verisign lobbyist or a related entity? Regards, Nat On Mon, Jan 6, 2020 at 12:40 AM Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca>> wrote: Nat, I have largely stayed out of the PIR discussion, but here I have to intervene. First, In case you are not familiar with my background, let me present some credentials; - I have been actively involved with At-Large since 2006, was an ALAC member for ten of those years, and was ALAC Chair for four years. - ALAC had always taken an interest in issues related to registrants, where those needs do not conflict with those of the greater non-registrant population - I initiated the PDP on domain tasting, a practice that allowed a very small number of domain investors to take unfair advantage of certain rules, allowing them to register "valuable" domains in great quantities without paying fees that would normally be associated with the business. So I do nave a fairly long and deep understanding of the domain investing business. - I initiated and chaired a PDP and the protected registrant rights at expiration time. So I believe my track record shows some concern for registrants. I have also been accused of "adopting talking points" of various other groups where the speakers apparently felt that I was betraying the At-Large cause because we happen to agree, in specific situations, with those who might otherwise be perceived as our enemies. Jonathan is new to At-Large, but he well understands what we are here for. And if that means he at times agrees with some position taken by PIR or Verisign, or even domain investers!, you can be sure that he has thought it through and is not doing it for any reason other than he believes it is in the best interest of Individual Internet Users. You may disagree with what he says (and I do on occasion), be he is not doing it in blind support of some other interest. Alan At 05/01/2020 12:28 PM, Nat Cohen wrote: Jonathan, I find it disturbing that while you are participating in At-Large nominally as a representative of the best interests of end-users, you consistently adopt talking points pushed by Verisign and PIR and bash domain investors. While domain investors are affected by price hikes, so is each and every registrant of .org and .com. You have so far failed to explain why it is in the best interests of .org and .com registrants to pay unjustified higher prices to continue the use of their domain names, for the sole benefit of those registries that are already being overpaid for the services they provide. For those with an interest, here is the link to the ICA's statement laying out many reasons for concern with the handling and the terms of the proposed renewal of the .com agreement: https://www.internetcommerce.org/ica-statement-on-icanns-announced-changes-t... Regards, Nat Cohen President Telepathy, Inc. www.Telepathy.com<http://www.Telepathy.com> On Sun, Jan 5, 2020 at 12:09 PM Jonathan Zuck < JZuck@innovatorsnetwork.org<mailto:JZuck@innovatorsnetwork.org>> wrote: My point, to be clear, is that these price hikes really only affect the investor community and will, as Evan has suggested, help clear some clutter out of the secondary market. Jonathan Zuck Executive Director Innovators Network Foundation www.Innovatorsnetwork.org<http://www.Innovatorsnetwork.org> ________________________________ From: CPWG <cpwg-bounces@icann.org<mailto:cpwg-bounces@icann.org> > on behalf of Justine Chew <justine.chew@gmail.com<mailto:justine.chew@gmail.com> > Sent: Sunday, January 5, 2020 11:31:16 AM To: cpwg@icann.org<mailto:cpwg@icann.org> <cpwg@icann.org<mailto:cpwg@icann.org>> Subject: Re: [CPWG] The crux of the COM issue Somewhat reminiscent of what was suggested as the third position in the ALAC Statement of May 2019 on the .org RA renewal. Justine Chew ----- On Mon, 6 Jan 2020 at 00:03, Marita Moll <mmoll@ca.inter.net<mailto:mmoll@ca.inter.net>> wrote: I can't find an copy of the NCSG letter on the ICANN website but a copy is posted on the Internet Gov. org site ( https://www.internetgovernance.org/2019/12/11/icann-told-to-make-ethos-capit... ) NSCG is asking for (among other things): A revised notification procedure in which wholesale price increases of any amount give ORG registrants 6 months to renew their domains for periods of up to 20 years at the pre-existing annual rate. Implementation of this revised notification procedure must be obligatory to both PIR as well as any registrar through which .org domain names are registered and/or renewed. Marita On 1/5/2020 10:43 AM, Marita Moll wrote: Milton Mueller suggested that angle quite awhile ago and I think it forms part of their letter to ICANN re: this issue. It is one of the contractual things that is actually within ICANN's purview and, from what I have read, would not be very appealing to a for profit private equity firm -- seriously limits their options. Marita On 1/4/2020 10:40 PM, Jonathan Zuck wrote: https://www.kickstartcommerce.com/about-that-10-year-renewal-strategy-for-co... Jonathan Zuck Executive Director Innovators Network Foundation www.Innovatorsnetwork.org<http://www.Innovatorsnetwork.org> _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> <https://mm.icann.org/mailman/listinfo/cpwg> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<https://www.icann.org/privacy/policy> https://www.icann.org/privacy/policy) and the website Terms of Service (<https://www.icann.org/privacy/tos> https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> <https://mm.icann.org/mailman/listinfo/cpwg> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<https://www.icann.org/privacy/policy> https://www.icann.org/privacy/policy) and the website Terms of Service (<https://www.icann.org/privacy/tos> https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy) and the website Terms of Service ( https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy) and the website Terms of Service ( https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy) and the website Terms of Service ( https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

May I suggest to ask John Berkow, who is now free from his parliamentarian obligations, to join this list and start screaming his trademark invitation to “Order! Order!! Order!!!” so that we can go back to business instead of spreading FUD? On 07.01.2020, at 03:09, Greg Shatan <greg@isoc-ny.org<mailto:greg@isoc-ny.org>> wrote: Nat, After thanking Jonathan for being so "forthcoming," you write: So, yes, I suspected that your involvement with At-Large was funded in part by Verisign. If so, I thought that should be made public in your SOI so that your comments could be understood in that light. Is this a mea culpa, where you're trying to acknowledge that you now understand that there was nothing to your suspicion? And that Jonathan has no third party interest to disclose in his SOI? Or are you trying to keep your point alive, and implying that Jonathan was "forthcoming" in a way that somehow supported your "suspicion"? And that Jonathan's SOI is not "forthcoming"? Your "If so" statement is odd at this point in the conversation, since Jonathan has clearly stated that it is "not so". It's not clear to me what you're trying to say or where you have ended up in your mind on this issue you raised. If you were trying to say that your suspicion was unfounded, it would help to say it more clearly. If not, it would be helpful to understand that, too. Can you please explain? Thanks! Greg On Mon, Jan 6, 2020 at 11:40 AM Nat Cohen <ncohen@telepathy.com<mailto:ncohen@telepathy.com>> wrote: Jonathan, Thank you for being so forthcoming. A while ago, well before joining the At-Large, I came across an interview with Esther Dyson published by ICANN in which she mentioned that from the earliest days of At-Large, Network Solutions was paying members to participate. She also raised fundamental questions about ICANN's ability to represent the interests of the Internet community when special interests have the motivation and financial incentive to engage while the average user does not. The whole interview is an interesting listen. Here's a link to this specific part of the interview- https://www.youtube.com/watch?v=nCgbcyBxE1o&feature=youtu.be&t=153 So, yes, I suspected that your involvement with At-Large was funded in part by Verisign. If so, I thought that should be made public in your SOI so that your comments could be understood in that light. I did find it unusual that as your passion is moviemaking, and as you have no apparent financial interest in the outcomes of ICANN policy that you would devote so many uncompensated hours to trying to shape ICANN policy, and that your positions so often align with Verisign's position. When the ICA protested Verisign's attempts to continue to increase the already inflated fees they charge to operate .com, Verisign lashed out by attacking domain investors - http://www.circleid.com/posts/20181102_how_much_could_businesses_and_consume... In that article, Verisign suggested that the price caps should be imposed on the free and open aftermarket. Your comments that end users would benefit from higher prices and that domain investors are the problem align quite closely with Verisign's positions. So if you are being paid by Verisign to take these positions, then let's at least have some transparency about that. The ICA published a response pointing out the absurdity of a company with monopoly power, insulated from competition, continuously raising prices far above competitive levels, complaining about those who participate in an open and competitive market where prices are determined by market forces - http://www.circleid.com/posts/20181112_verisigns_attempt_to_increase_fees_un.... Yet the Verisign talking points continue to be echoed by many civic minded folks who participate in ICANN and in At-Large in particular. I agree with your comment: "The At-Large is a diverse, heterogeneous body with the near impossible mandate to identify and champion the interests of individual internet users." Indeed, it is presumptuous of any of us to speak on behalf of individual Internet users. They did not select us to speak for them. As you point out, there are no real qualifications to join At-Large and even riff-raff like domain investors are allowed to participate. The legitimacy of the ICANN model is at stake in how it balances the interests of registries and registrants. Registries are overly represented at ICANN. Registrants have no constituency and no actual representation. ICANN is unrepresentative of and unaccountable to the public interest. At-Large is the closest thing ICANN has to a registrant constituency. If At-Large is made up in large part of people with ties to ISOC/PIR and Verisign, then it is just one more way for the registries to exert their influence over ICANN policy making. At-Large got it wrong in supporting the removal of price caps on .org. Apparently registrants care how much they pay. Your earlier statement that: "However, the strongest, albeit counterintuitive argument for the removal of price caps is that we actually WANT higher prices" may be true of registries but it is not true of registrants. You and others are using your influence within At-Large, and are presuming to speak on behalf of the interests of end-users, to advance positions to enable registries to extract hundreds of millions of dollars more per year from registrants. At-Large has a legitimacy problem. Regards, Nat On Mon, Jan 6, 2020 at 10:22 AM Jonathan Zuck <JZuck@innovatorsnetwork.org<mailto:JZuck@innovatorsnetwork.org>> wrote: Yes, definitely. It was in my SOI at the time. I haven’t had too many dealings with them but I found Keith Drazek to be a pretty honest broker during the CCWG efforts to build an accountability framework prior to the transition so, when the DC fights (Ted Cruz, etc.) began, I went to Verisign among others, for help with our efforts to mobilize our members at ACT to make the case for the transition in DC. At the time, ACT counted among its sponsors Microsoft, AT&T, Apple, NBC Universal, Viacom, Fox and Disney and I was in the IPC for many years, mostly criticizing Verisign on things like thick whois. After lobbying for stronger IP for 20 years, I’m still a bit of an IP hawk as my At-Large colleagues will attest, despite no longer having any more IP related sponsors. Another, looser, connection is that I’m still technically on the board of NetChoice which I spun out of ACT many years ago to fight barriers to ecommerce but I haven’t had any operational role in NetChoice since spinning it out. NC counts Verisign as one of its members. A few years ago, I retired from ACT to focus on two non-profits, DC Dogs and The Innovators Network Foundation, neither of which has much to do with IG but I didn’t want to leave the community so I joined the At-Large primarily to be a part of the implementation of the review related reforms. I’ve been pretty focused on process in the At-Large, rather than pursuing any particular policy agenda. I’m fairly certain that I’ll be opposing Verisign, and the contracted parties generally, more often that agreeing with them because of DNS Abuse. I imagine the contracted parties aren’t too happy about the CCT Recommendations or the At-Large recommendations in that arena nor many upcoming recommendations for reform prior to a new round. So all of this has been part of the public record as is my reform oriented agenda at ICANN (“Metrics Man”) and I think that record speaks for itself. I’m not sure ad hominem is any better an approach on this than Jacob’s ad Nazium arguments in his Circle ID post. The At-Large is a diverse, heterogeneous body with the near impossible mandate to identify and champion the interests of individual internet users. Our job is made all the more difficult by our open door membership policy that makes it possible for folks, who have never shown an interest in individual end users, to join as individual members, when their business interests appear to be at stake. Throwing around platitudes like “of course, our interests are aligned with end users” along with ad hominem attacks doesn’t really advance the debate. Instead, focus on the points being made and let’s see if we can find consensus on how the At-Large should proceed. I thought your email to Evan was thoughtful and I plan to read it more carefully. More of that would be ideal if you’d like to continue to participate in At-Large deliberations. This thread began because I shared Alvin’s article on what’s at stake for domain investors and I don’t envy the position in which you find yourselves. That said, it has little or nothing to do with the interests of individual end users who are more likely to benefit from a price hike, especially if some of that money gets invested in security and stability activities. Individual end users don’t care about the wholesale price of domains. They care about whether they’re getting to the site they intend, that the site won’t infect their machine with malware, that the site won’t commit fraud on them, etc. etc., and those individual end users are, unfortunately for you, our constituency here in At-Large. From: Nat Cohen <ncohen@telepathy.com<mailto:ncohen@telepathy.com>> Date: Monday, January 6, 2020 at 9:03 AM To: Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca>>, Jonathan Zuck <JZuck@innovatorsnetwork.org<mailto:JZuck@innovatorsnetwork.org>> Cc: "cpwg@icann.org<mailto:cpwg@icann.org>" <cpwg@icann.org<mailto:cpwg@icann.org>> Subject: Re: [CPWG] Verisign Alan - Jonathan is capable of speaking for himself. So let's ask him. Jonathan - have you ever been compensated by Verisign, by a Verisign lobbyist or a related entity? Regards, Nat On Mon, Jan 6, 2020 at 12:40 AM Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca>> wrote: Nat, I have largely stayed out of the PIR discussion, but here I have to intervene. First, In case you are not familiar with my background, let me present some credentials; - I have been actively involved with At-Large since 2006, was an ALAC member for ten of those years, and was ALAC Chair for four years. - ALAC had always taken an interest in issues related to registrants, where those needs do not conflict with those of the greater non-registrant population - I initiated the PDP on domain tasting, a practice that allowed a very small number of domain investors to take unfair advantage of certain rules, allowing them to register "valuable" domains in great quantities without paying fees that would normally be associated with the business. So I do nave a fairly long and deep understanding of the domain investing business. - I initiated and chaired a PDP and the protected registrant rights at expiration time. So I believe my track record shows some concern for registrants. I have also been accused of "adopting talking points" of various other groups where the speakers apparently felt that I was betraying the At-Large cause because we happen to agree, in specific situations, with those who might otherwise be perceived as our enemies. Jonathan is new to At-Large, but he well understands what we are here for. And if that means he at times agrees with some position taken by PIR or Verisign, or even domain investers!, you can be sure that he has thought it through and is not doing it for any reason other than he believes it is in the best interest of Individual Internet Users. You may disagree with what he says (and I do on occasion), be he is not doing it in blind support of some other interest. Alan At 05/01/2020 12:28 PM, Nat Cohen wrote: Jonathan, I find it disturbing that while you are participating in At-Large nominally as a representative of the best interests of end-users, you consistently adopt talking points pushed by Verisign and PIR and bash domain investors. While domain investors are affected by price hikes, so is each and every registrant of .org and .com. You have so far failed to explain why it is in the best interests of .org and .com registrants to pay unjustified higher prices to continue the use of their domain names, for the sole benefit of those registries that are already being overpaid for the services they provide. For those with an interest, here is the link to the ICA's statement laying out many reasons for concern with the handling and the terms of the proposed renewal of the .com agreement: https://www.internetcommerce.org/ica-statement-on-icanns-announced-changes-t... Regards, Nat Cohen President Telepathy, Inc. www.Telepathy.com<http://www.telepathy.com/> On Sun, Jan 5, 2020 at 12:09 PM Jonathan Zuck < JZuck@innovatorsnetwork.org<mailto:JZuck@innovatorsnetwork.org>> wrote: My point, to be clear, is that these price hikes really only affect the investor community and will, as Evan has suggested, help clear some clutter out of the secondary market. Jonathan Zuck Executive Director Innovators Network Foundation www.Innovatorsnetwork.org<http://www.innovatorsnetwork.org/> ________________________________ From: CPWG <cpwg-bounces@icann.org<mailto:cpwg-bounces@icann.org> > on behalf of Justine Chew <justine.chew@gmail.com<mailto:justine.chew@gmail.com> > Sent: Sunday, January 5, 2020 11:31:16 AM To: cpwg@icann.org<mailto:cpwg@icann.org> <cpwg@icann.org<mailto:cpwg@icann.org>> Subject: Re: [CPWG] The crux of the COM issue Somewhat reminiscent of what was suggested as the third position in the ALAC Statement of May 2019 on the .org RA renewal. Justine Chew ----- On Mon, 6 Jan 2020 at 00:03, Marita Moll <mmoll@ca.inter.net<mailto:mmoll@ca.inter.net>> wrote: I can't find an copy of the NCSG letter on the ICANN website but a copy is posted on the Internet Gov. org site ( https://www.internetgovernance.org/2019/12/11/icann-told-to-make-ethos-capit... ) NSCG is asking for (among other things): A revised notification procedure in which wholesale price increases of any amount give ORG registrants 6 months to renew their domains for periods of up to 20 years at the pre-existing annual rate. Implementation of this revised notification procedure must be obligatory to both PIR as well as any registrar through which .org domain names are registered and/or renewed. Marita On 1/5/2020 10:43 AM, Marita Moll wrote: Milton Mueller suggested that angle quite awhile ago and I think it forms part of their letter to ICANN re: this issue. It is one of the contractual things that is actually within ICANN's purview and, from what I have read, would not be very appealing to a for profit private equity firm -- seriously limits their options. Marita On 1/4/2020 10:40 PM, Jonathan Zuck wrote: https://www.kickstartcommerce.com/about-that-10-year-renewal-strategy-for-co... Jonathan Zuck Executive Director Innovators Network Foundation www.Innovatorsnetwork.org<http://www.innovatorsnetwork.org/> _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> <https://mm.icann.org/mailman/listinfo/cpwg> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<https://www.icann.org/privacy/policy> https://www.icann.org/privacy/policy) and the website Terms of Service (<https://www.icann.org/privacy/tos> https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> <https://mm.icann.org/mailman/listinfo/cpwg> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<https://www.icann.org/privacy/policy> https://www.icann.org/privacy/policy) and the website Terms of Service (<https://www.icann.org/privacy/tos> https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy) and the website Terms of Service ( https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy) and the website Terms of Service ( https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy) and the website Terms of Service ( https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

On Tue, 7 Jan 2020 at 06:37, Nat Cohen <ncohen@telepathy.com> wrote:

I thanked Jonathan for being forthcoming about his past ties to Verisign. Jonathan says "he has no financial interest in the outcome" and that his ongoing role as a board member for NetChoice, a Verisign lobbyist, is merely a technicality and has no bearing on his current policy positions and does not reflect a material interest that needs to be disclosed on his SOI. I accept that and have no issue to raise with his SOI.

And yet you keep talking about it. If you are willing, I'd like to keep the discussion respectful and to keep

it out of the "toilet".

Why start now? - Evan