Will ICANN Reform?

Opinion: ICANN's Lisbon meeting this week may be spoiled with a reform agenda. At least the parties will still be fun.

Theres nothing like a big, fat scandal to kick obstinate authorities into gear, pursuing the goals they always speak highly—if vaguely—about.

This weeks ICANN meeting in Lisbon (do they ever meet in the United States?) presents an opportunity for the organization to have some talking points ready when things get really ugly on April 1.

The April Fools Day joke will be on Registerfly customers who havent gotten their domains out of Dodge by then.

I already went on about this some last week. Since then, ICANNs president and CEO, Paul Twomey, has issued a statement wondering if maybe its time to rethink the current Registrar Accreditation Agreements.

When I spoke to ICANN (not Twomey, I believe) several years ago about my concerns that a rogue or irresponsible registrar could damage many a registrant, officials scoffed at the idea that any registrar would risk their accreditation with such behavior. But it has a big problem now with Registerfly, which claims on its home page to have "over 900,000 customers. Serving 120 countries. 2 million names registered." And there are other registrars with dirty histories.

/zimages/6/28571.gifAn ICANN report describes how and why a recent attack on the Internets "root servers" failed. Click here to read more.

Twomey directly addresses one major problem I brought up last week—that of proxy registrations: "...proxy registrations are available as a choice, but people who have them have great difficulties getting access to their data and having their domain name transferred where a registrar is uncooperative or has other problems with transfer. ICANN has had difficulty accessing this data, too."

No kidding. Come April 1, if ICANN follows through on its threat to bulk-transfer Registerflys remaining domains, those with proxy ("private") registrations will be in big trouble, unless Registerfly comes to their assistance. And I have trouble believing it will.

Of course, Registerfly is not the only registrar with a proxy or some other form of private registration service. Network Solutions service isnt strictly a proxy. Even the big and stable ones have to be thought of as a risk now, and Twomey makes the suggestion of data escrow, which I imagine means that some trusted third party holds the registrant data in a proxy registration, with its obligations for the privacy of that data strictly defined by contract.

I think perhaps the registry should be the agency to escrow the data. Nobodys in a better position to expedite a transfer. Especially with the .com names, VeriSigns fee of $6 per domain per year (a fee that is likely to grow on a regular basis) is a humongous markup on its teeny costs for each marginal domain in the registry. But, of course, that agreement isnt up for renewal for a while, and its unlikely that Verisign (or the other registries) would agree to be a data escrow for free. So this service will likely end up adding to the cost of registration, at least for private registration.

This is just one of the issues Twomey raises that makes you wonder how it took so long for ICANN to be concerned. Heres a good one: "What is the best mechanism for ICANN to hold affiliated registrars accountable for an affiliates actions?" Perhaps this is a question ICANN should have asked two years ago during the Panix.com scandal, which was instigated by an affiliate. In that case, ICANN did its best to hush everything up and protect the affiliates reputation.

Heres another good one: "How should ICANN and the registrar constituency encourage a system that rates registrars according to customer service and performance, and should this be available to registrants?" Should we let them know? This from the same ICANN CEO who said a few months ago, at the last ICANN meeting (in Brazil, of course), that he considered transparency a top priority for ICANN.

Twomey actually asks a lot of good questions, but its hard to take ICANN seriously before we see real action. And since ICANN has become, as others have pointed out, a guild of registrars and registries with no real interest represented for registrants, Ill believe these issues will be addressed by ICANN when I see it.

If ICANN were truly interested in making things different, it should consider radical notions, like Karl Auerbachs idea of using cryptographic keys rather than contact information in order to indicate domain ownership. (Read it, its a heck of an idea.)

But Twomeys new agenda covers the immediate crisis, which is how to respond in about a week when thousands of registrants scream bloody murder. And when the next registrar goes bad. And the next one.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

More from Larry Seltzer