How toxic can the world’s domain controller ICANN get?

An alliance of 47 countries called on ICANN the world domain name distributor back in June 2015, to respect privacy and freedom of expression when allocating top domain names.   Amicus ITS last questioned the rationale and discretion of the company when it released “.sucks” as a domain name back in March 2015 and the squabbling about fee exploitation with its licencee over trademarking in April 2015.  See blog

The Council of Europe (CoE) whilst holding no legal power to force ICANN to change its procedures (ICANN is a body appointed by the US Government), has stated its concern that the personal data of the domain name holders (name and postal address) is publicly available on the WHOIS online database.  Whilst not subject to the European Data Protection Act, ICANN as a US body should, according to the CoE, give due regard and duty of care around the personal data it handles.  In a declaration, the CoE said:  “ICANN, as a private non-profit corporation, should respect international human rights law, notably the UN Resolution 17/4 on human rights and transnational corporations”.  The declaration goes on to note that ICANN should strike an appropriate balance between “…economic interests and those of pluralism, culture and linguistic diversity, alongside the needs of vulnerable groups and communities”.

A requirement for ICANN is to undergo an independent review into WHOIS every three years.  In the last review in 2012, the chairwoman Emily Taylor noted that ICANN staff were obstructive about its compliance function. With further reports noting poor levels of data accuracy in WHOIS records, the organisation was found wanting on its compliance and safeguards policy.

What then to make of last week’s news that ICANN Chairman, Steve Crocker lost the plot during a webinar with a working party from the 2015 review group, as they were assessing how ICANN should handle its database.  When challenged, Crocker was heard to shout: “That is completely unacceptable … I understand you didn’t really want to think hard about it, but this is a destructive and inappropriate thing to do.”  The outburst resulted in silence, followed by a “wow!” from one of the review group members.  Not a response one would expect from the head of the management board.

The organisation appears to be resolute in not acting on any of the previous independent recommendations.  This is alarming as ICANN is about to be handed control of the all powerful ‘IANA contract’ by the National Telecommunications and Information Administration (NTIA) (the arm of the US Department of Commerce responsible for this move).  This would grant ICANN 100% control of the world’s DNS and IP address allocations.  It all sounds messy and unsettling as the transition plan to the new IANA contract is reportedly riddled with flaws.  In addition, ICANN was recently found to have broken its own bylaws when it gave preferential treatment to one or two bidders for the “.africa” top-level domain.  Accusations have allegedly been made of cover-ups by the staff in misleading stakeholders and the public over its actions. It would appear that the organisation is out of control and in denial.

The NTIA meanwhile has opened two review periods for people to make comments on the proposals before it approves the transition, based on four principles:

1.  Support and enhance the multi-stakeholder model.
2.  Maintain the security, stability, and resiliency of the Internet DNS.
3.  Meet the needs and expectation of the global customers and partners of the IANA services.
4.  Maintain the openness of the Internet.

ICANN has chosen to stay silent over accusations by its critics.  Surely, this time of public review is the cue for technology organisations and the internet community on the other side of the Pond to rise up and challenge ICANN to provide evidence that it is fit for purpose to carry out this important role and handle data correctly. Either that, or perhaps it should relinquish the reins in favour of an organisation that can inspire trust?


ICANN wonders if ‘.sucks’ registration process is legal

Further to our blog story on 27th March 2015 around the governing body ICANN, which approved the domain ‘.sucks’ to be licenced – ICANN has just announced they are trying to halt the rollout of the new domain by Vox Populi (reported as Momentum in March’s story). ICANN is seeking advice from US and Canadian regulators as to the legality of charging extortionate fees (US$2,499) and questionable procedures which is putting unnecessary pressure on businesses to protect their trademark name from abuse.

Under the new gTLD program, ICANN had added 583 new domains by the beginning of April, with plans to add hundreds more. The proliferation of domains like ‘.porn’ and ‘.adult’ have led to celebrities and trademark owners making preventative protective purchases to buy websites with their names in these new domains.

The IPC, which represents the holders of trademarks and related intellectual property, described the registration scheme for the domain as predatory and designed to exploit trademark owners.   There is a normal sunrise period for registration under new domains to give trademark owners a protected window to register their brand before general use, with lower fees and domain addresses getting snapped up by cybersquatters.

It all sounds rather po-faced.  ICANN is standing self-righteously querying the commercial greed of its contracted licencee without it seems any thought to the lack of morality or potential for abuse by permitting the creation of such salacious new domain names in the first place.   This internet registration organisation would do itself a favour by carrying out a bit of navel gazing and think about the international business community it seeks to serve – maybe it could start with a rapid review of the other 582 new gTLDs.



This week’s technology news – 27th March 2015

Are you really YOU online?

Cifas have published Fraudscape, their annual survey of 277,000 fraud cases from 245 members spanning a range of UK sectors.  With cyber security issues topping the chart of risks for business in 2014/15, ID fraud is becoming the largest emerging threat as cyber criminals turn their attention to using other people’s identifies or creating new false identities, as increased vigilance by business and consumers has begun a decline in accounts being hacked or taken over.  It is estimated that there are 758 frauds occurring every day at a rate of 31 per hour in the UK (Cifas members alone) and the Department of Health estimates there were an eye watering 30 million cases of prescription fraud in 2014.

The survey findings report:

• 41% of all frauds recorded in 2014 involved criminal abuse of personal data or ID details to impersonate someone or create fictitious ID to steal money.
• 113,839 cases of ID fraud were recorded in 2014, up by 5% on 2013.
• Average victim’s age was 46
• Men are twice as likely as women to have their ID stolen.
• Emerging trend for young adults (21-30) being targeted (up 51% since 2011 to 14,850), reflecting this group’s increased use of financial products.
• The 55+ age group has witnessed a 15% rise in ID fraud victims from 2013 reaching 25,346 in 2014.

Read the full survey at:

Cifas CEO Simon Dukes described ID fraud as being on an industrial scale, “The frauds we are recording point to increasingly sophisticated, predatory and organised criminals”.  Cifas acknowledge that the stats may be the tip of the iceberg as this is only what has been reported by their members and is on public record.

The true extent is expected to be far greater, as the UK stats which create the starting point for data gathering, are understandably challenging and much goes unreported.  The Department for Business, Innovation and Skills figures records the following baselines:

• There were 5.2 million private sector businesses in the UK at the start of 2014.
• 180,000 charities (England and Wales)
• 560 central government bodies
• 400 local authorities
• 150 NHS Trusts

Then there are the individuals who have suffered fraud.   Collating reports therefore from across 5.4 million organisations and identifying how many out of 60 million people have suffered fraud requires some degree of estimation (and the figures do not include SMEs in the private sector which according to the Federation for Small Businesses accounts for over 99% of all private sector business in the UK and almost 50% of private sector employment).

But the warning bells are there for us all. The last recorded stats from the now disbanded National Fraud Authority (NFA) put the cost of fraud to the UK economy at £15.5 billion in 2013.   The Cifas fraud cases route to the City of London Police. But few of Cifas’ members know the point at which an ID has been compromised which would help target prevention efforts.

WHAT TO DO?  Any organisation which has not taken steps to increase resilience by improving its firewalls, beefing up id authentication, encyption and having sound antivirus and malware software in place could be placing it and its customers at unnecessary risk.  Reporting ID fraud and data breaches as standard has the potential to strengthen national security learning if government and industry can work closer together.  Added to this, education and awareness training amongst employees and consumers is a must as we find ourselves in an ever more cynical world surrounded by criminal intent.


Threat to Safe Harbour Agreement in Euro court

Europe’s highest court, the European Court of Justice’s (ECJ) will shortly be reviewing how European’s data is shared with US companies in a landmark case which questions the effectiveness of the US Safe Harbour Agreement.

Brought by activist Max Schrems off the back of Edward Snowden’s whistleblowing, the lawyer’s complaint is that companies such as Facebook (by being complicit in Prism, an NSA surveillance system), are ignoring privacy practices and that the Safe Harbour Agreement should be scrapped in favour of local regulators acting to protect European’s data.

The Safe Harbour agreement (in place since 2000), allows US firms to collect data on their European users and store them in US data centres as long as certain principles around storage and security are upheld (eg. Giving notice to users and advising them on how the data can be accessed and by whom).

UK data regulator Ofcom are reported to have said at the hearing that scrapping Safe Harbour would “risk disrupting trade that carries significant benefit for the EU and its citizens”.

If upheld, the decision would have severe repercussions for any US firm dealing with Europeans’ data, including giants such as Twitter, Google, Microsoft and Yahoo.   Twitter commented they would be forced to build datacentres in Europe to hold separated info.  Facebook has not responded formally, although the BBC has quoted that the social media behemoth would welcome an update of the Safe Harbour rules post Snowden.

For UK organisations where the issue of sovereignty is important, let alone the level of data protection required, the issue is likely to drive them to seek to preserve and protect their customers data by having it only reside in various UK datacentres to avoid the risk of losing control of the data at any time and having to deal with local regulators and data laws.


Microsoft’s future career as a carrier

Microsoft has been delivering text, voice and video services for many years to both consumers and businesses across phones, tablets and PCs. Their current offerings are Skype and Lync, with the latter soon to be rebranded Skype for Business.   Currently over 100 million people now use Lync to communicate at work. This week Microsoft announced that Skype for  Business would include an enterprise-grade PSTN connection to Office 365 Skype for Business.

Microsoft’s strategic partners (including AT&T, BT, Colt, Equinix, Level 3 Communications, Orange Business Services, TAT Communications, Telstra, Verizon and Vodafone) will be working together with Microsoft to deliver secure and direct connections to Office 365 Skype for Business customers through Azure ExpressRoute for Office 365.   Azure ExpressRoute leverages partners’ networks to provide a private, dedicated and high bandwidth connection that bypasses the internet – essentially making Office 365 an extension of your on-premise environment whether you’re on site or not.

Skype for Business can handle all an organisations’ communications and with Azure ExpressRoute and their partners providing a direct connection rivalling traditional communication companies, Microsoft is essentially placing themselves into the carrier business.

This will offer businesses a one-stop-shop for a secure communication package, which is where Microsoft is aiming this offering – for now. In principle this technology could be used on a commercial device. The user, instead of buying a phone, minutes and texts from a high-street carrier, could order a Windows 10 phone with a subscription to Office 365 that includes minutes and texts through Skype direct from Microsoft.

Whether Microsoft does or doesn’t tie these devices and services together in such an offering, its potential does highlight the importance of Microsoft’s strategic partnerships which benefits all – not just Microsoft going forward.


Troublesome domains

When browsing the internet – or even securing your own website, you will likely only worry about a few TLDs (top level domains), with the most common being .com, .net and .org.    In recent years there has been an explosion of new TLDs with the number now available rising to over 650.

One of the most recent TLD’s ”.sucks” has been stirring up trouble.   It’s easy to see how this new domain could be a serious nuisance as all it takes is for someone to take your company’s name and register the new “.sucks” domain and they have the perfect, virtual home in an ideal location to poke mischief and maliciousness at your brand, with the potential of you losing big business.

The initial answer for most will be simple; to buy the domain before anyone else can and cause trouble, but this is where it gets ugly.  The group who purchased the rights to sell “.sucks” called Momentous is charging astronomical fees of $2,500 for ”.sucks” domains.   To major organisation, this could be small change and amount to no more than regular IT admin housekeeping, however for SMEs or professional individuals, the cost is extortionate – and every business will need to calculate the risk of a 3rd party taking over this domain and the potential cost of damages to its brand in doing so.

ICANN, the international body that supervisors all things internet, including the creation and approval of new TLDs clearly decided that “.sucks” was fit for purpose.  Whether ICANN is fit for purpose itself in thinking that such a domain name could be positive in any way for business is risible.

Organisations are now left with a wholly unnecessary headache and unwanted financial outlay if they are to insure against potential negative outcomes.  Hopefully a sharp backlash from disapproving businesses will make ICANN recognise their folly – and in future only permit the release of sensible domain names that add value to the internet.