[Senate Hearing 109-1152]
[From the U.S. Government Publishing Office]
S. Hrg. 109-1152
INTERNET GOVERNANCE: THE FUTURE OF ICANN
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TRADE, TOURISM, AND ECONOMIC DEVELOPMENT
OF THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 20, 2006
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
U.S. GOVERNMENT PRINTING OFFICE
71-638 PDF WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
TED STEVENS, Alaska, Chairman
JOHN McCAIN, Arizona DANIEL K. INOUYE, Hawaii, Co-
CONRAD BURNS, Montana Chairman
TRENT LOTT, Mississippi JOHN D. ROCKEFELLER IV, West
KAY BAILEY HUTCHISON, Texas Virginia
OLYMPIA J. SNOWE, Maine JOHN F. KERRY, Massachusetts
GORDON H. SMITH, Oregon BYRON L. DORGAN, North Dakota
JOHN ENSIGN, Nevada BARBARA BOXER, California
GEORGE ALLEN, Virginia BILL NELSON, Florida
JOHN E. SUNUNU, New Hampshire MARIA CANTWELL, Washington
JIM DeMINT, South Carolina FRANK R. LAUTENBERG, New Jersey
DAVID VITTER, Louisiana E. BENJAMIN NELSON, Nebraska
MARK PRYOR, Arkansas
Lisa J. Sutherland, Republican Staff Director
Christine Drager Kurth, Republican Deputy Staff Director
Kenneth R. Nahigian, Republican Chief Counsel
Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
Samuel E. Whitehorn, Democratic Deputy Staff Director and General
Counsel
Lila Harper Helms, Democratic Policy Director
------
SUBCOMMITTEE ON TRADE, TOURISM, AND ECONOMIC DEVELOPMENT
GORDON H. SMITH, Oregon, Chairman
TED STEVENS, Alaska BYRON L. DORGAN, North Dakota,
JOHN McCAIN, Arizona Ranking
CONRAD BURNS, Montana DANIEL K. INOUYE, Hawaii
JOHN ENSIGN, Nevada JOHN D. ROCKEFELLER IV, West
GEORGE ALLEN, Virginia Virginia
JOHN E. SUNUNU, New Hampshire JOHN F. KERRY, Massachusetts
JIM DeMINT, South Carolina MARIA CANTWELL, Washington
DAVID VITTER, Louisiana FRANK R. LAUTENBERG, New Jersey
BILL NELSON, Florida
E. BENJAMIN NELSON, Nebraska
MARK PRYOR, Arkansas
C O N T E N T S
----------
Page
Hearing held on September 20, 2006............................... 1
Statement of Senator Burns....................................... 1
Statement of Senator McCain...................................... 28
Statement of Senator Pryor....................................... 15
Statement of Senator Smith....................................... 36
Statement of Senator Stevens..................................... 1
Glossary of Internet Governance Terms and Organizations...... 37
Witnesses
Jones, Christine N., General Counsel/Corporate Secretary, The Go
Daddy Group, Inc............................................... 28
Prepared statement........................................... 31
Kneuer, John M.R., Acting Assistant Secretary for Communications
and Information, National Telecommunications and Information
Administration, Department of Commerce......................... 2
Prepared statement........................................... 3
Leibowitz, Hon. Jon, Commissioner, Federal Trade Commission...... 6
Prepared statement........................................... 7
Silva, Ken, Chief Security Officer, VeriSign..................... 23
Prepared statement........................................... 25
Twomey, Dr. Paul, President/CEO, Internet Corporation for
Assigned Names and Numbers (ICANN)............................. 18
Prepared statement........................................... 21
Appendix
Smith, Hon. Gordon H., U.S. Senator from Oregon, prepared
statement...................................................... 47
Response to written questions submitted by Hon. Daniel K. Inouye
to:
Christine N. Jones........................................... 52
John M.R. Kneuer............................................. 47
Hon. Jon Leibowitz........................................... 53
Ken Silva.................................................... 54
Dr. Paul Twomey.............................................. 67
INTERNET GOVERNANCE:
THE FUTURE OF ICANN
----------
WEDNESDAY, SEPTEMBER 20, 2006
U.S. Senate,
Subcommittee on Trade, Tourism, and Economic
Development,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Subcommittee met, pursuant to notice, at 10:05 a.m. in
room SR-253, Russell Senate Office Building, Hon. Ted Stevens,
Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. TED STEVENS,
U.S. SENATOR FROM ALASKA
The Chairman. Let me start this hearing.
Senator Smith has been delayed. He will be along. I do
thank him for scheduling this hearing on ICANN, and we want to
thank the witnesses for coming to participate.
We're proud that the Internet was developed with research
funding from the Department of Defense Advanced Research
Project Agency to establish a military network. Today, the
Internet continues to evolve and flourish, mostly through
private investment. One critical part of the Internet is the
management of domain names, and ICANN is the nonprofit
corporation responsible for coordinating the management of the
technical elements of the domain-name system of the Internet.
It also oversees the distribution of identifiers used in
Internet operations.
When ICANN was created, it was expected to transition into
a freestanding, financially sound organization by the year
2000. The Department of Commerce extended this Memorandum of
Understanding with ICANN several times, and the current MOU is
set to expire within 1 month. ICANN's current system for
managing the domain-name system is working, but the feeling is
that more needs to be done to improve the process and
transparency. And we're going to look forward to the statement
of witnesses here today.
Senator Burns, do you have any comments?
STATEMENT OF HON. CONRAD BURNS,
U.S. SENATOR FROM MONTANA
Senator Burns. Well, no, Mr. Chairman, but I would say that
there's quite a lot of interest in this, and to make sure that
this moves forward, especially this issue between the two
entities of ICANN and VeriSign, and make sure that they've got
the resources for an ever-increasing load that they have to
handle. I look forward to getting an update. That's the reason
I'm here today; I want an update on where we are on this
process, because it's a very tender and--it's a very important
issue, as far as the operation of the Internet is concerned.
So, thank you for this hearing, and we might get going to
the witnesses.
The Chairman. Yes, we'll reserve the space at the beginning
of the hearing for Senator Smith's statement that he may wish
to put in the record.
Our first witnesses are John Kneuer, the Assistant
Secretary for Communications and Information of the Department
of Commerce, and Jon Leibowitz, Commissioner of the Federal
Trade Commission.
I assume that it's all right if you start, Mr. Kneuer.
STATEMENT OF JOHN M.R. KNEUER, ACTING ASSISTANT
SECRETARY FOR COMMUNICATIONS AND INFORMATION,
NATIONAL TELECOMMUNICATIONS AND INFORMATION
ADMINISTRATION, DEPARTMENT OF COMMERCE
Mr. Kneuer. Thank you. Thank you, Chairman Stevens, Senator
Burns, for this opportunity to testify before you on the
progress of ICANN in meeting its obligations under its MOU with
the Department of Commerce.
The Department continues to believe that the stability and
security of the Internet domain name and addressing system can
best be achieved by transitioning the coordination of the
technical functions related to the management of DNS to the
private sector. The vehicle for achieving this goal is the MOU
between the Department and ICANN.
The Chairman. Can you pull that mike a little bit toward
you, please? Thank you.
Mr. Kneuer. As the Committee will recall, ICANN was formed
in 1998 in response to the Department of Commerce's call for a
partner to lead the transition to the private-sector management
of the DNS. The Department plays no role in the internal
governance or day-to-day operations of ICANN; however, under
the terms of the MOU, we offer expertise and advice on the
transition, and monitor ICANN's performance of the MOU tasks.
The current MOU was deliberately crafted to permit the
Department and ICANN to measure progress toward concrete goals
and objectives. When this current MOU was entered into, in
September 2003, ICANN had just completed an internal review and
reform effort. As well, ICANN was in the process of
implementing the structural and organizational changes that
would be necessary to complete that process. In the course of
the past 3 years, ICANN has successfully met many of the MOU's
date-specific milestones.
The current MOU expires on September 30, 2006. Over the
course of the past year, the Department has conducted an
internal review of its relationship with ICANN. To complement
the Department's internal review, NTIA initiated a public
consultation process to obtain views of all interested
stakeholders in ICANN. We received and analyzed over 700
written responses from individuals, private corporations, trade
associations, nongovernmental entities, and foreign
governments. The public consultation revealed broad support for
continuing the transition of the DNS to the private sector
through a continued partnership between the Department and
ICANN. A majority of interested stakeholders continue to
endorse the original principles put forth in the DNS
transition: stability and security, competition, bottom-up
policy coordination, and broad representation. Equally
important, the consultation process revealed strong support for
more specific focus on transparency and accountability, and the
continued involvement of the Department of Commerce in this
transition.
As we approach the end of the term of this MOU, we are
working with ICANN to negotiate the next phase of our continued
partnership.
I would also like to focus briefly on the WHOIS database.
The U.S. Government continues to believe that ICANN should
enforce the existing contractual obligations of domain name
registrars and registries in the collection and maintenance of
accurate registrant contact data. The Department and other U.S.
agencies strongly support continued timely access to accurate
and publicly available WHOIS data. We believe WHOIS data is
critical to meeting a variety of public policy objectives,
including those of law enforcement and intellectual property
concerns.
In conclusion, the Department continues to be supportive of
the private-sector leadership in the coordination of the DNS.
The Department continues to support the work of ICANN as the
coordinator of these technical functions. Both ICANN and the
Department agree that preserving the security and stability of
the Internet DNS is a critical priority that will guide the
next stage in the transition process.
Thank you, and I'll be happy to answer any questions.
[The prepared statement of Mr. Kneuer follows:]
Prepared Statement of John M.R. Kneuer, Acting Assistant Secretary for
Communications and Information, National Telecommunications and
Information Administration, Department of Commerce
Mr. Chairman,
Thank you and the members of the Committee for this opportunity to
testify on the progress of the Internet Corporation for Assigned Names
and Numbers (ICANN) under the Memorandum of Understanding (MOU) between
ICANN and the Department.
The Administration recognizes the critical importance of the
Internet to the economic and social well-being of the United States and
the global community, and is committed to its future growth. The
Department has been charged with preserving the stability and security
of the Internet's underlying infrastructure--the domain name and
addressing system. I am pleased to have this opportunity to share the
results of our efforts to date, as well as our perspective for the
future.
The Department's Relationship With ICANN
The Department continues to believe that the stability and security
of the Internet domain name and addressing system (DNS) can best be
achieved by transitioning the coordination of the technical functions
related to the management of the DNS to the private sector. The vehicle
for achieving this goal is the MOU between the Department and ICANN. As
the Committee will recall, ICANN was formed in 1998 in response to the
Department of Commerce's call for a partner to lead the transition to
private sector management of the DNS.
In September 2003, the Department and ICANN agreed to renew the MOU
for a period of 3 years, with several date-specific milestones and
broad tasks aimed at guiding ICANN to a stable, independent, and
sustainable organization. The expectation of the Department was that
the three-year timeframe would allow ICANN sufficient opportunity to
formalize appropriate relationships with the organizations that form
the technical underpinnings of the Internet, secure the necessary
resources to ensure its long-term independence, improve its mechanisms
for broad participation by all Internet stakeholders, and continue to
improve its decisionmaking processes. The Department plays no role in
the internal governance or day-to-day operations of the organization.
However, under the terms of the MOU, the Department monitors and
ensures that ICANN performs the MOU tasks, and offers expertise and
advice on certain discrete issues.
As you may recall, this relationship was the focus of much debate
at last year's United Nations World Summit on the Information Society.
To provide clarity to this debate, the Administration issued the U.S.
Principles on the Internet's Domain Name and Addressing System. In this
set of principles, the Administration reiterated its commitment to
preserving the security and stability of the Internet domain name and
addressing system; recognized that governments have legitimate public
policy and sovereignty concerns with respect to the management of their
country code top level domains; reaffirmed its support for ICANN; and
encouraged continued dialogue on Internet governance issues. After much
discussion and debate, and with your help and support, the
international community arrived at a consensus on the importance of
maintaining the stability and security of the Internet, the
effectiveness of existing Internet governance arrangements, and the
importance of the private sector in day-to-day operations of the
Internet.
Measuring Progress
The current MOU was deliberately crafted to permit the Department
and ICANN to measure progress toward discrete goals and objectives.
When this MOU was entered into in September 2003, ICANN had just
completed an internal review and reform effort, and was well into the
process of implementing the structural and organizational changes
called for through that process. In the course of the past 3 years,
ICANN has successfully met many of the MOU's date-specific milestones,
which included the following:
developing a strategic plan addressing administrative,
financial and operational objectives;
developing a contingency plan to ensure continuity of
operations in the event ICANN incurs a severe disruption of
such operations, by reason of bankruptcy, corporate
dissolution, natural disaster or other financial, physical or
operational event;
conducting a review of corporate administrative and
personnel requirements and corporate responsibility mechanisms;
developing a financial strategy to secure more predictable
and sustainable sources of revenue;
improving its processes and procedures for the timely
development and adoption of policies related to the technical
management of the DNS;
implementing reconsideration and review processes, including
an Ombudsman and commercial arbitration clauses in ICANN
contracts;
developing a strategy for the introduction of new generic
top level domains, including internationalized domain names;
enhancing broader participation in ICANN processes by the
global community through improved outreach, regional liaisons,
and multilingual communications;
publishing annual reports on community experiences with the
WHOIS Data Problem Reports System, used to report inaccuracies
in the submission of WHOIS data by domain name registrants; and
publishing annual reports on the implementation of the WHOIS
Data Reminder Policy, which domain name registrars are required
to send to domain name registrants.
ICANN has also made steady progress toward the MOU's broader tasks,
including: entering into an agreement with the Regional Internet
Registries to facilitate the development of global addressing policy,
and developing and implementing new accountability framework agreements
with many country code top level domain operators.
WHOIS Policy Development
I would like to focus briefly on the WHOIS database issue. First,
the U.S. Government believes that ICANN should enforce the existing
contractual obligations of domain name registrars and registries for
the collection and maintenance of accurate registrant contact data. The
Department and other U.S. agencies \1\ strongly support continued,
timely access to accurate and publicly available WHOIS data contained
in the databases of information identifying registrants of domain
names. We believe WHOIS data is critical to meeting a variety of public
policy objectives and have been proactively advocating this position at
ICANN meetings. At the most recent meeting in June 2006, the United
States formally tabled a statement clarifying our perspective that a
public WHOIS database is essential to:
---------------------------------------------------------------------------
\1\ NTIA chairs an interagency ICANN Working Group composed of
representatives from the Department of Commerce, the Justice
Department, the Federal Trade Commission, the State Department, the
Patent and Trademark Office, the Federal Bureau of Investigation, the
Internal Revenue Service, and the Department of Homeland Security that
develops and coordinates U.S. positions on issues pending before the
ICANN Governmental Advisory Committee.
assist civil and criminal law enforcement in resolving cases
that involve the use of the Internet, combat intellectual
---------------------------------------------------------------------------
property infringement and theft;
support Internet network operators responsible for the
operation, security and stability of the Internet;
protect the rights of consumers by facilitating, for
example, their identification of legitimate online businesses;
and
assist business in investigating fraud, phishing, and other
violations of laws.
We are continuing to advance our perspective within ICANN,
including working with other governments to develop more formal public
policy advice on the purpose and use of WHOIS data.
Future Relationship
The current MOU expires on September 30, 2006. Over the course of
the past year, the Department has conducted an internal review of its
relationship with ICANN. To complement the Department's internal review
of ICANN's progress under the MOU, the National Telecommunications and
Information Administration (NTIA) initiated a public consultation
process to obtain the views of all interested stakeholders. In May
2006, NTIA issued a Notice of Inquiry on the Continued Transition of
the Technical Coordination and Management of the Internet Domain Name
and Addressing System to solicit views on such issues as:
ICANN's progress in completing the core tasks and milestones
contained in the current MOU, and whether these activities are
sufficient for transition to private sector DNS management by
the scheduled expiration date of the MOU, of September 30,
2006;
Whether the principles underlying ICANN's core mission
(i.e., stability, competition, representation, bottom-up
coordination and transparency) remain relevant and whether
additional principles should be considered;
Determining whether the tasks and milestones contained in
the current MOU remain relevant, and/or whether new tasks would
be necessary;
Assessing whether all key stakeholders are effectively
represented and involved in ICANN's activities, and if not, how
that could be accomplished; and
Whether new methods or processes should be considered to
encourage greater efficiency and responsiveness.
NTIA received and analyzed over 700 responses from individuals,
private corporations, trade associations, nongovernmental entities, and
foreign governments. NTIA invited a representative sample of these
interested stakeholders to participate in a public meeting on July 26,
2006. Representatives from the Regional Internet Registries, the root
server operators, registrars, registries, country code top level domain
operators, the Internet Society, the Internet research and development
community, trademark interests, the user community, the business
community, and a representative from the Canadian government shared
their perspectives on the questions NTIA posed to the global Internet
community. Well over one hundred interested stakeholders participated
in the public meeting.
This public consultation process revealed broad support for
continuing the transition of the coordination of the technical
functions related to the management of the DNS to the private sector
through the continued partnership between the Department and ICANN. A
majority of interested stakeholders continue to endorse the original
principles put forward to guide the DNS transition--stability and
security; competition; bottom-up policy coordination; and broad
representation. Equally important, the consultation process revealed
strong support for a more specific focus on transparency and
accountability in ICANN's internal procedures and decision-making
processes, and the continued involvement of the Department of Commerce
in this transition.
As we approach the end of this term of the MOU, we are working with
ICANN to negotiate the next phase of our continued partnership.
Conclusion
In conclusion, the Department continues to be supportive of private
sector leadership in the coordination of the technical functions
related to the management of the DNS as envisioned in the ICANN model.
Furthermore, the Department continues to support the work of ICANN as
the coordinator for the technical functions related to the management
of the Internet DNS. Both ICANN and the Department agree that
preserving the security and stability of the Internet DNS is a critical
priority that will guide/govern the next stage in the transition
process.
Thank you and I would be happy to answer any questions that you may
have.
The Chairman. Thank you.
Mr. Leibowitz?
STATEMENT OF HON. JON LEIBOWITZ, COMMISSIONER, FEDERAL TRADE
COMMISSION
Mr. Leibowitz. Thank you, Mr. Chairman, Senator Burns. I'm
pleased to be here in this beautiful, newly renovated hearing
room on behalf of the Federal Trade Commission.
I ask that the Commission's written statement be made part
of the record. My oral testimony reflects my own views, and not
necessarily the views of any other Commissioner.
This morning I want to focus my remarks on the importance
of continued, unrestricted access to WHOIS information. Simply
put, our ability to protect consumers is being placed at risk
by a movement within ICANN to limit WHOIS to technical purposes
only and, thus, prevent law enforcement and the public from
using this critical resource to identify scammers who operate
websites.
Those who want to restrict access to WHOIS databases are no
doubt sincere in their efforts to protect privacy. I've met
with them and I know they are. But the irony of their position
is that any attempt to cabin WHOIS information so narrowly
could actually jeopardize the ability of the FTC and other law
enforcement authorities to protect people's privacy by
stopping, for example, spam, spyware, and identity theft.
That's an outcome nobody wants.
Because this is such an important issue, in June the
Commission sent a delegation to the ICANN meeting in Morocco,
where we joined with several of our foreign consumer protection
counterparts to emphasize to ICANN the importance of access to
WHOIS. We understand that in the wake of that meeting the ICANN
advisory body is reevaluating its earlier decision.
Mr. Chairman, we certainly hope so, because the future of
ICANN is really on the line here. It has to show the leadership
necessary to properly govern the Internet.
Having said that, I've met with the ICANN Board, they do
understand the seriousness of the WHOIS issue, and my strong
sense is that they're committed to doing the right thing.
From our perspective at the Commission, access to WHOIS
databases raises four important considerations: first, law
enforcement's ability to obtain information about malefactors
who use Internet websites; second, consumers' ability to know
who they're dealing with when they engage in e-commerce; third,
businesses' ability to serve important functions; and, fourth,
very important individual privacy interests.
First, law enforcement. The FTC frequently challenges a
wide variety of Internet-related threats, for example, spam,
spyware, phishing, deceptive health claims, and get-rich-quick
schemes. Whether acting to stop fraud or otherwise protecting
consumers, our investigators need to identify offenders who
hide behind the electronic shield of the Internet.
For the past decade, we've used WHOIS databases in
virtually all of our Internet investigations. In fact, WHOIS is
often one of the first tools we use to identify wrongdoers.
Sometimes, we can unmask the bad guys and learn their
whereabouts from WHOIS databases. And even when scammers
provide false information--and, sadly, all too often WHOIS
information is inaccurate--WHOIS data may still provide
invaluable leads. Con artists sometimes provide the same phony
information for multiple websites, so WHOIS sometimes enables
us to link seemingly unrelated scams.
Second, consumers themselves need to know who they're doing
business with. This is especially true in an online
environment. Continued public access to WHOIS data provides
consumers with essential contact information if an online
seller fails to deliver goods or services as promised. Consumer
self-help is vital to ensuring consumer confidence in our
market economy--and, often, to resolve disputes before they
reach law enforcement.
Third, business access to WHOIS data also serves an
important public policy purpose. Last week, I was on the West
Coast, meeting with some of our leading Internet companies.
These companies frequently rely on WHOIS databases to take
real-time action against phishers and identity thieves who are
using their brands to target their customers. Impeding
businesses ability to quickly take down scams will only further
the risk of serious consumer harm.
Of course, the FTC is concerned about legitimate privacy
interests. We have always recognized at the Commission that
individual noncommercial registrants may require protection
from public access to their contact information without
compromising appropriate access by law enforcement. Think, for
example, of the dissident who needs anonymity. But from our
perspective, anyone selling a product or engaged in commercial
activity should have to publicly reveal who they are. It's just
that simple.
Mr. Chairman, we do want to thank you for your leadership
on this issue, also you, Senator Burns. And I think I'm getting
close to my time limit, so I'm happy to answer any questions,
with Mr. Kneuer.
[The prepared statement of Mr. Leibowitz follows:]
Prepared Statement of Hon. Jon Leibowitz, Commissioner,
Federal Trade Commission
I. Introduction
Good morning, Mr. Chairman, and members of the Subcommittee, I am
Jon Leibowitz, a Commissioner of the United States Federal Trade
Commission (FTC or Commission).\1\ I appreciate the opportunity to
appear before you today to discuss Internet governance. Specifically,
my testimony will focus on the importance of continued public and law
enforcement access to WHOIS databases. Simply put, the FTC is concerned
that attempts to limit the purpose of WHOIS databases will hinder its
ability to protect consumers and their privacy.
As you know, WHOIS databases are information directories containing
contact information about website operators. The FTC has long
recognized that WHOIS databases are critical to the agency's consumer
protection mission, to other law enforcement agencies around the world,
and to consumers. In fact, 4 years ago, the Commission testified before
Congress on the importance of improving the accuracy of information in
WHOIS databases.\2\ Most recently, in July 2006, the Commission
testified before a subcommittee of the House Committee on Financial
Services on the importance of preserving public access to WHOIS
data.\3\
The Internet Corporation for Assigned Names and Numbers, commonly
referred to as ICANN, is currently engaged in a policy development
process that could modify the information that is maintained on public
WHOIS databases. In April 2006, ICANN's Generic Names Supporting
Organization (GNSO), the organizational body within ICANN that is
evaluating the proposed changes to WHOIS databases, voted to limit the
purpose of WHOIS databases to technical purposes only.\4\
Because of its concern about preserving access to WHOIS databases,
the FTC attended the ICANN meeting in Marrakech, Morocco in June to
highlight the importance of public access to WHOIS databases. On behalf
of the FTC, I participated in a panel comprised of representatives of
law enforcement agencies from other countries. I was joined by the
Chairman of the Independent Post and Telecommunications Authority in
the Netherlands (OPTA) that enforces anti-spam laws, and a Deputy
Director of Japan's Telecommunications Consumer Policy Division in the
Ministry of Internal Affairs and Communications. Together, we
emphasized the importance of law enforcement access to WHOIS databases
and encouraged the GNSO to reconsider its decision to adopt the narrow
purpose definition for WHOIS databases. The Commission understands
that, in part because of these discussions, the GNSO is re-evaluating
its decision.
The FTC is pleased to continue this dialogue today by providing
this statement on the importance of public WHOIS databases in enforcing
consumer protection laws and in empowering consumers. First, the
testimony provides some general background about the FTC. Then, the
testimony describes how the FTC uses WHOIS databases for its law
enforcement purposes, discusses the importance of consumer and business
access to WHOIS data about commercial websites and other legitimate
uses of WHOIS data, and addresses the privacy concerns that some
stakeholders have raised about public access to WHOIS databases. The
statement concludes with some of the FTC's recommendations on how to
move forward.
II. FTC Enforcement of Consumer Protection Laws
The FTC is the only Federal agency empowered to enforce both
competition and consumer protection laws. The principal consumer
protection statute that the FTC enforces is the FTC Act, which
prohibits ``unfair or deceptive acts or practices.'' \5\ The FTC Act
authorizes the FTC to stop businesses from engaging in such practices.
The FTC also can seek monetary redress and other equitable remedies for
consumers injured by these illegal practices.
The FTC has used its authority against ``unfair or deceptive acts
or practices'' to take action against a wide variety of Internet-
related threats, including Internet auction fraud,\6\ Internet-based
pyramid schemes,\7\ websites making deceptive health claims,\8\ and
websites promoting ``get rich quick'' schemes.\9\ More recently, the
Commission has focused its actions against deceptive claims delivered
through spam,\10\ ``phishing'' schemes,\11\ and spyware--all violations
of consumer privacy that WHOIS data help us eliminate.\12\ In many of
these cases, the FTC has worked cooperatively with its consumer
protection counterparts across the globe.
In addition, the FTC has made a high priority of protecting
consumers' privacy and improving the security of their sensitive
personal information, both online and offline. The FTC has brought
several law enforcement actions targeting unfair and deceptive
practices that involve the failure to protect consumers' personal
information.\13\ Indeed, as announced earlier this year, the FTC
created a new Division of Privacy and Identity Protection to address
specifically the need to protect consumer privacy and the security of
consumers' personal information.
The FTC also promotes consumer welfare in the electronic
marketplace through education, outreach, and advocacy. For example, FTC
staff provides guidance to businesses advertising and marketing on the
Internet \14\ and to consumers about what they should look for before
making purchases and providing information online.\15\
III. How the FTC Uses WHOIS Databases
FTC investigators and attorneys have used WHOIS databases for the
past decade in multiple Internet investigations. WHOIS databases often
are one of the first tools FTC investigators use to identify
wrongdoers. Indeed, it is difficult to overstate the importance of
quickly accessible WHOIS data to FTC investigations.
For example, in the FTC's first spyware case, FTC v. Seismic
Entertainment, the Commission charged that the defendants exploited a
known vulnerability in the Internet Explorer browser to download
spyware to users' computers without their knowledge.\16\ The
defendants' software hijacked consumers' home pages, delivered an
incessant stream of pop-up ads, secretly installed additional software
programs, and caused computers to slow down severely or crash. The
spyware in this case was installed using so-called ``drive-by''
tactics--exploiting vulnerabilities to install software onto users'
computers without any notice. Using WHOIS data, the FTC found the
defendants, stopped their illegal conduct, and obtained a judgment for
millions of dollars in consumer redress.\17\ It is uncertain whether
the FTC would have been able to locate the defendants without the WHOIS
data.
In another matter, the FTC cracked down on companies that illegally
exposed unwitting consumers to graphic sexual content without
warning.\18\ The Commission charged seven entities with violating
Federal laws that require warning labels on e-mail containing sexually-
explicit content. In these cases, accurate WHOIS information helped the
FTC to identify the operators of websites that were promoted by the
illegal spam messages.
Information in WHOIS databases is most useful when it is accurate.
Indeed, the Commission has advocated that stakeholders work to improve
the accuracy of such information, because inaccurate data has posed
significant obstacles in FTC investigations.\19\
In some instances, though, even inaccurate WHOIS information can be
useful in tracking down Internet fraud operators. One of the FTC's
recent spyware cases involved defendants that used free lyric files,
browser upgrades, and ring tones to trick consumers into downloading
spyware onto their computers.\20\ Rather than receiving what they opted
to download, consumers instead received spyware with code that tracked
their activities on the Internet. In this particular investigation,
several of the defendants' websites were registered to a non-existent
company located at a non-existent address. Despite the registrant's use
of false information, FTC staff was able to link the websites to each
other because all of the registrations listed the same phony name as
the administrative contact in the WHOIS databases. Of course, with a
``narrow purpose'' WHOIS, it is not clear that even such inaccurate
registration information would be available.
Having ``real-time'' access to WHOIS data is particularly important
for a civil law enforcement agency like the FTC. Where a registrar is
located in a foreign jurisdiction, the FTC often has no other way to
obtain the information it needs. The FTC cannot, in most cases, readily
require a foreign entity to provide us with information. Thus,
particularly in cross-border cases, WHOIS databases are often the
primary source of information available to the FTC about fraudulent
domain name registrants.\21\
In short, if ICANN were to restrict the use of WHOIS data to
technical purposes only, it would greatly impair the FTC's ability to
identify Internet malefactors quickly--and ultimately stop perpetrators
of fraud, spam, and spyware from infecting consumers' computers.
IV. How Consumers Use WHOIS Databases
Consumers also benefit from access to WHOIS data for commercial
websites. Where a website does not contain contact information,
consumers can go to the WHOIS databases and find out who is operating
the website. This helps consumers resolve problems with online
merchants directly, without the intervention of law enforcement
authorities. Indeed, it is crucial that consumers continue to have the
ability to settle disputes prior to--or instead of--law enforcement
involvement.
Consumers do in fact regularly rely on WHOIS databases to identify
the entities behind websites. FTC staff recently searched the FTC's
database of consumer complaints, and found a significant number of
references to the term ``WHOIS.'' These results indicate that when
consumers encounter problems online, the WHOIS databases are a valuable
initial tool they use to identify the people with whom they are
dealing. Consumer access to WHOIS also helps the FTC because it allows
consumers to gather valuable contact information that they can pass on
to the Commission--information that might no longer be available by the
time the agency initiates an investigation because the website
operators have moved on to different sites or different scams.
The Organization for Economic Cooperation and Development (OECD)
has recognized that consumer access to WHOIS data about commercial
websites serves an important public policy interest. In 2003, the OECD
Committee on Consumer Policy issued a paper unequivocally stating that
``[f]or commercial registrants, all contact data should be accurate and
publicly available via WHOIS.'' \22\ In support of this conclusion, the
paper states:
Easy identification of online businesses is a key element for
building consumer trust in the electronic marketplace. Because
a website has no obvious physical presence, consumers are
deprived of many of the usual identifying characteristics that
help instill trust in a traditional retailer . . . While the
most obvious location for an online business to provide contact
details is on the website itself, domain name registration
information can serve as a useful compliment [sic].\23\
This OECD paper represents an international consensus about the
importance of accurate and accessible WHOIS data for consumers.
V. Other Legitimate Uses of WHOIS Data
There are other legitimate private users of WHOIS databases--
businesses, financial institutions, nongovernmental organizations, and
intellectual property rights owners--all of which heavily rely on
access to accurate WHOIS data. Although the FTC does not represent
these entities' interests in the WHOIS debate, their use of WHOIS
databases can help consumers. For example, a financial institution
concerned about the misuse of its name by ``spoofing'' its website is
not only protecting its own business interests, but it is also
protecting its customers from being ``phished.''
The Red Cross recently explained how it used WHOIS data to shut
down fraudulent websites that mimicked its website after Hurricane
Katrina in connection with donation scams.\24\ The simple yet crucial
point is this: many legitimate uses of WHOIS data by the business
community and other nongovernmental organizations have an important,
and often ignored, consumer protection dimension. Their continued
access to WHOIS information often helps protect consumers from online
scams and deception.
VI. WHOIS Databases and Privacy
Concerns about the privacy of domain name registrants have driven
much of the WHOIS debate. The FTC, a primary enforcement agency for
U.S. consumer privacy and data security laws, is very concerned about
protecting consumers' privacy. Thus, the Commission has always
recognized that registrants engaged in noncommercial activity may
require some privacy protection from public access to their contact
information, without compromising appropriate real-time access by law
enforcement agencies.\25\ The FTC supports the further study of how
this goal could be achieved. In the meantime, however, at the very
least, the FTC believes that ICANN should preserve the status quo and
reject limiting the WHOIS databases to technical uses.
Restricting public access to WHOIS data for commercial websites
would deprive the public of the ability to identify and contact the
operators of online businesses and would contravene well-settled
international principles. If people want to do business with the
public, they should not be able to shield their basic contact
information. The 1999 OECD Guidelines on Electronic Commerce state that
consumers should have information about commercial websites
``sufficient to allow, at a minimum, identification of the business . .
. [and] prompt, easy and effective consumer communication with the
business.'' \26\ Thus, commercial website operators have no legitimate
claim for privacy, and the public should continue to have access to
their WHOIS data.\27\
Moreover, the existing availability of WHOIS databases can actually
help enforcement agencies find out who is violating privacy laws and,
consequently, help prevent the misuse of consumers' personal
information. For example, WHOIS databases were invaluable in FTC
investigations in phishing cases where the defendants sought to steal
sensitive personal and financial information from consumers. In
addition, the spyware cases discussed earlier also involve serious
threats to consumer privacy, as spyware can monitor consumers' Internet
habits and can even retrieve sensitive consumer information, including
financial information, by logging keystrokes. WHOIS data has helped the
FTC to stop these privacy violations and, hopefully, will continue to
do so.
VII. Recommendations
In light of the FTC's experience in enforcing consumer protection
laws, the FTC made several recommendations to the ICANN community at
its meeting in June. This testimony summarizes the recommendations the
Commission made to the ICANN community and then concludes with a
recommendation that Congress enact the U.S. SAFE WEB Act, which the
Senate passed on March 16, 2006.\28\
A. Recommendations to ICANN Community
The FTC made three recommendations to the ICANN community. First,
the FTC recommended that the GNSO reconsider and reverse its position
that the WHOIS databases should be used for technical purposes only. If
this narrow purpose were to be adopted, the FTC, other law enforcement
agencies, consumers, and businesses would not be able to use the WHOIS
databases for their legitimate needs. This would hurt consumers around
the world and could allow Internet malefactors to violate consumer
privacy with impunity. The Commission understands that the GNSO is
currently taking steps to incorporate the input of the FTC and other
law enforcement agencies into its final recommendation to the ICANN
Board.
Second, the FTC encouraged members of ICANN's Governmental Advisory
Committee (GAC) to continue their outreach with law enforcement
colleagues in their respective countries to reinforce the serious law
enforcement and consumer protection implications of losing access to
WHOIS databases. The Commission is pleased to note that GAC members
from several countries are undertaking such an effort.
Third, the FTC recommended that ICANN carefully consider
improvements in WHOIS databases. For example, as the OECD statements
referenced above make clear, there is simply no reason to prevent
access to contact information for a commercial website. The FTC urged
ICANN to consider additional measures to improve the accuracy and
completeness of domain name registration information. The FTC is also
interested in exploring the viability of ``tiered access'' as a
solution capable of satisfying privacy, consumer, and law enforcement
interests.\29\ Restricting the purpose of the WHOIS databases does not
satisfy any of these interests and is a step in the wrong direction.
Maintaining accessibility and enhancing the WHOIS databases would make
great strides toward improving the safety and fulfilling the promise of
the Internet.
B. U.S. SAFE WEB Act
The FTC has previously recommended that Congress consider enacting
the U.S. SAFE WEB Act, passed by the Senate on March 16, 2006. The
Commission continues to recommend enactment of this legislation, which
would give it additional tools to fight fraud. Even with the current
access to WHOIS databases, the Commission needs these additional tools.
If the Commission's access to WHOIS data becomes unavailable, the
Commission's need for the tools provided by the U.S. SAFE WEB Act
becomes even more critical.
The U.S. SAFE WEB Act would make it easier for the FTC to gather
information about Internet fraud from sources other than WHOIS
databases. For example, the U.S. SAFE WEB Act would help the FTC obtain
information and investigative assistance from foreign law enforcement
agencies. It would also allow the FTC to obtain more information from
the private sector and from financial institutions about Internet
fraud. The FTC's ability to obtain information under the U.S. SAFE WEB
Act is no substitute for real-time, desktop access to WHOIS data. Where
such data is limited, inaccurate, unavailable, or inapplicable,
however, having access to a broader range of investigative sources
about Internet and other cross-border fraud would surely help.
VIII. Conclusion
In sum, the FTC believes that improvements need to be made to the
current WHOIS database system and is committed to working with others
toward a solution. In the meantime, ICANN should ensure that WHOIS
databases are kept open, transparent, and accessible so that agencies
like the FTC can continue to protect consumers, and consumers can
continue to protect themselves. Further, Congress should enact the U.S.
SAFE WEB Act to provide the FTC with additional tools to fight Internet
and other fraud. Together, these tools will help ensure that consumers
are free from deceptive practices that undermine the promise of the
Internet.
ENDNOTES
\1\ This written statement reflects the views of the Federal Trade
Commission. My oral statements and responses to any questions you may
have represent my own views, and do not necessarily reflect the views
of the Commission or of any other Commissioner.
\2\ Prepared Statement of the Federal Trade Commission on ``The
Integrity and Accuracy of the `WHOIS' Database,'' Before the Subcomm.
on Courts, the Internet, and Intellectual Property of the Comm. on the
Judiciary, U.S. House of Representatives, May 22, 2002.
\3\ Prepared Statement of the Federal Trade Commission on ``Public
Access to WHOIS Databases,'' Before the Subcomm. on Financial
Institutions and Consumer Credit of the House Comm. on Financial
Services, U.S. House of Representatives, July 18, 2006.
\4\ The GNSO vote is not final. After considering other
recommendations submitted by the WHOIS Task Force, the GNSO will make
formal recommendations to the ICANN Board, which has the ultimate
responsibility for making the final decision on any proposed changes to
the WHOIS databases.
\5\ 15 U.S.C. Sec. 45.
\6\ E.g., FTC v. Silverman, No. 02-8920 (GEL) (S.D.N.Y., filed Aug.
30, 2004).
\7\ E.g., FTC v. Skybiz.com, Inc., No. 01-CV-396-AA(M) (N.D. Okla.
filed Jan. 28, 2003).
\8\ E.g., FTC v. CSCT, Inc., No. 03C 00880 (N.D. Ill., filed Feb.
6, 2003).
\9\ E.g., FTC v. National Vending Consultants, Inc., CV-5-05-0160-
RCJ-PAL (D. Nev., filed Feb. 7, 2006).
\10\ E.g., FTC v. Cleverlink Trading Ltd., No. 05C 2889 (N.D. Ill.,
filed May 16, 2005) (enforcing the CAN-SPAM Act).
\11\ E.g., FTC v. _______, a minor, CV No. 03-5275 (C.D. Cal. filed
2003).
\12\ E.g., FTC v. Enternet Media, No. CV 05-7777 CAS (C.D. Cal.,
filed Nov. 1, 2005); FTC v. Odysseus Mktg., Inc., No. 05-CV-330 (D.N.H.
filed Sept. 21, 2005); In the Matter of Advertising.com, FTC Docket No.
C-4147 (Sept. 12, 2005).
\13\ E.g., In the Matter of CardSystems Solutions, Inc., FTC Docket
No. C-4168 (Sept. 5, 2006); In the Matter of DSW, Inc., FTC Docket No.
C-4157 (Mar. 7, 2006); United States v. ChoicePoint, Inc., No. 106-CV-
0198 (N.D. Ga. filed Feb. 15, 2006); In the Matter of BJ's Wholesale
Club, Inc., FTC Docket No. C-4148 (Sept. 20, 2005).
\14\ E.g., ``Advertising and Marketing on the Internet--Rules of
the Road,'' http://www.ftc.gov/bcp/conline/pubs/buspubs/ruleroad.htm.
\15\ E.g., ``Consumer Guide to E-Payments,'' ``Holiday Shopping?
How to be Onguard When You're Online,'' http://www.ftc.gov/bcp/conline/
pubs/alerts/shopalrt.htm, ``How Not To Get Hooked By a Phishing Scam,''
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm, and
OnguardOnline.com (consumer education website providing practical tips
concerning online fraud and other online threats).
\16\ FTC v. Seismic Entm't Prods., Inc., No. 04-377-JD, 2004 U.S.
Dist. LEXIS 22788 (D.N.H. Oct. 21, 2004) (Order of Default Judgment,
Permanent Injunction and Other Equitable Relief entered Mar. 22, 2006).
\17\ See News Release, Court Halts Spyware Operations, May 4, 2006,
http://www.ftc.gov/opa/2006/05/seismic.htm.
\18\ See News Release, FTC Cracks Down on Illegal ``X-Rated Spam,''
July 20, 2005, http://www.ftc.gov/opa/2005/07/alrsweep.htm.
\19\ See supra notes 2-3. FTC investigators have had to spend many
additional hours tracking down fraud on the Internet because of
inaccurate WHOIS data--hours that could have been spent pursuing other
targets. See also U.S. Government Accountability Office, Report to the
Subcomm. on Courts, The Internet, and Intellectual Property, House of
Representatives, ``Internet Management: Prevalence of False Contact
Information for Registered Domain Names'' (Nov. 2005) (noting that,
based on a random sample of domain names from the .com, .net, and .org
domains, 8.65 percent of websites were registered with patently false
or incomplete data in the required WHOIS contact information fields).
\20\ FTC v. Enternet Media, No. CV05-7777 CAS (C.D. Cal., filed
Nov. 1, 2005).
\21\ The number of cross-border complaints received by the FTC
continues to rise. In 2005, 20 percent of the complaints in the FTC's
Consumer Sentinel database had a cross-border component, compared to 16
percent in 2004, and less than 1 percent in 1995. See www.consumer.gov/
sentinel.
\22\ OECD, Consumer Policy Considerations on the Importance of
Accurate and Available WHOIS Data, DSTI/CP(2003)1/REV1 (April 30,
2003), available at http://www.olis.oecd.org/olis/2003doc.nsf/LinkTo/
dsti-cp(2003)1-final.
\23\ Id.
\24\ Red Cross Comment to GNSO WHOIS Task Force Preliminary Report,
March 14, 2006, http://forum.icann.org/lists/whois-comments/
msg00043.html.
\25\ See supra notes 2-3.
\26\ OECD, Guidelines for Consumer Protection in the Context of
Electronic Commerce (1999), available at http://www.oecd.org/dataoecd/
18/13/34023235.pdf.
\27\ Consistent with this approach, the European Union's Distance
Selling Directive requires that European websites selling to consumers
include the name and address of the website operator. European Distance
Selling Directive (Directive 97/7/EC), Article 4.
\28\ Undertaking Spam, Spyware, And Fraud Enforcement With
Enforcers across Borders (``U.S. SAFE WEB Act''), S. 1608, 109th Cong.
(2006) (sponsored by Sen. G. Smith, passed by the Senate, Mar. 16,
2006).
\29\ Tiered access refers to a system in which different categories
of stakeholders would get different levels of access to WHOIS
databases.
The Chairman. What was the example you used?
Mr. Leibowitz. Oh, of dissidents. Right. We believe that
you can make a--at the Commission, you can make a distinction
between commercial and noncommercial entities. So, if someone's
selling a product on the Internet, they should have to publicly
reveal their contact information. All too often, that contact
information is hidden behind proxy registrations, even for
commercial entities. And a lot of the time, when someone is a
scammer or trying to rip off consumers, they deliberately use
proxy registrations to try to cloak themselves in Internet
anonymity. It makes it much harder for us to go after these
malefactors. And that's true for law enforcement agencies in
the United States and, really, around the world. But we also
recognize that some people may need some anonymity if they're
not engaged in a commercial activity. It seems to us that makes
sense. But this is an issue that needs to be thought through by
ICANN and by NTIA.
The Chairman. Thank you very much.
Mr. Kneuer, I think the $64-billion question is, should
this agreement be extended? It expires in a month.
Mr. Kneuer. And I think the short answer is yes, it should
be extended. We conducted a public consultation over the
summer. We had more than 700 written comments. We had a public
forum at the Department of Commerce, where interested
stakeholders, from governments to private companies to
registrars and registries, attended. I think that consultation
reflected broad support for ICANN, that the private-sector
management of the DNS is clearly the appropriate path forward,
that ICANN is clearly the appropriate vehicle for that private-
sector management. But I think there was also clear indications
that--in order for ICANN to be a really lasting and sustainable
institution, that we need to continue to make more progress on
issues of accountability and transparency, and the vehicle of
the MOU to help them through that process is still appropriate.
The Chairman. How long has the current agreement been in
place?
Mr. Kneuer. The current agreement was for 3 years.
Historically, we have extended these MOUs periodically from 1
year to 3 years. The 1-year extensions would come up quickly,
so we made the last one 3 years. I think it would be
appropriate to consult with ICANN concerning our review of the
record, to come up with an appropriate time period that clearly
indicates that we continue to be committed to the transition,
but, at the same time, provide adequate time for ICANN to make
some measurable progress on these issues of transparency and
accountability.
The Chairman. Have you discussed the length of that MOU,
the time frame, with your counterparts in other countries?
Mr. Kneuer. Not in other countries. This is an agreement
between the Department of Commerce and ICANN.
The Chairman. But doesn't it have international
implications?
Mr. Kneuer. It does have international implications, and I
speak periodically and fairly regularly with my regulatory
counterparts in other countries around the world that have
interest in this. The issue of more governmental involvement in
ICANN was an issue that was raised at the World Summit on the
Information Society in Tunisia last year, and the clear answer
to that was that the continued private-sector model was
affirmed.
The Chairman. Well, I've had indications from other
Senators that when they started to open up and seek a domain
name, they found that name had already been reserved by someone
else, but it was for sale to them. Have you looked into that?
Mr. Kneuer. Not explicitly in that context, but that's
clearly something that we're happy to work on with you, or your
staff.
The Chairman. Mr. Leibowitz, has the FTC gone into that at
all?
Mr. Leibowitz. Well, I think, for the most part, this--I
think it's called ``domain-name tasting'' and ``parking,''
where people may sample a domain name without having to pay, or
may just hold it for a certain amount of time, even if they
don't use it. They raise some public policy questions for us,
because, again, a lot of the fraudsters hide behind temporary
Internet websites. And so it is a concern. We've talked to NTIA
about it. We've talked to ICANN about it, too. And we know
that--we know that they're taking this seriously.
The Chairman. Well, isn't it part of identity theft if
someone goes and takes my name and registers it as a domain
name, and then uses that domain name out to--in the world?
Isn't that identity theft? Why don't you look at that?
Mr. Leibowitz. Well, we do, and we brought a number of
cases in this area. I mean, technically, identity theft is when
they do something bad with your name, like steal your credit
card information or steal other personal information.
The Chairman. Well stealing my name is still stealing,
isn't it?
Mr. Leibowitz. It's a very legitimate public policy
concern, and it's something that we have looked at. We've
brought a bunch of cases against phishers, identity thieves,
cybersquatters, and other Internet malefactors.
The Chairman. Thank you.
Senator Burns?
Senator Burns. Well, they could have mine.
[Laughter.]
Senator Burns. Not very many people have gone through a
business failure. And I had to go through one, one time. And I
prayed--something like that.
But, anyway, how long should we extend this MOU? I mean,
you're recommending that it be extended. How long should it be
extended?
Mr. Kneuer. Well, as I said, we're in discussions with
ICANN about the appropriate formalization of our relationship,
going forward, and the period of time. Like I said, we've done
longer extensions and shorter extensions. I think the important
thing, at the end of the day, is that we provide enough time
for ICANN to achieve meaningful progress on these issues of
accountability and transparency, and, at the same time, we
don't create, an ``in-perpetuity,'' going forward. I want to be
cognizant of the fact that this is a transition that we
undertook, that we intend to complete, but, at the same time, I
want there to be enough time to be realistic for real change to
take place.
Senator Burns. Well, Mr. Kneuer, have they--what milestones
have they not met to complete this transition?
Mr. Kneuer. Most of the milestones that ICANN has met were
with regards to the brick and mortar of putting together an
institution, having a budget in place, coming up with
contingency plans, having staffing, making sure that they have
technical competency and expertise. On the issues of
accountability and transparency and on having the invested
support of all of the constituencies that make up ICANN, having
firm relationships with the root-zone operators, and with the
regional Internet registries, they've made progress on some of
these. But the larger thematic of making sure that each of
those constituencies are confident that ICANN has processes in
place that are transparent and that there are means for
accountability, it's those broader thematic developments that I
think we need to be focused on going forward.
Senator Burns. OK. I think maybe--that's all the questions
I have for this panel, Mr. Chairman. We should talk more about
those milestones and Internet transparency, what's expected by
the Department, what's expected by us, because we're talking
about an organization that's very, very important to us.
So, I thank you for that information.
Mr. Leibowitz. Mr. Chairman?
The Chairman. Senator Pryor?
Pardon me.
Mr. Leibowitz. I was just going to say, Mr. Chairman, could
I just come back to a question you asked me? You asked me about
people who are doing basically bad things to American consumers
on the Internet. And a lot of those folks are from out of the
country. And your Committee passed a bill, the U.S. SAFE WEB
Act, which would allow us to more effectively work with foreign
law enforcement agencies--really, to protect American consumers
by sharing information. It has passed your Committee. It passed
the Senate by unanimous consent, and the House hasn't taken it
up yet. And anything you can do to help act on this
noncontroversial bill, which really would help us do the things
you want us to do, would be really appreciated in the waning
days of this session and this Congress.
The Chairman. Thank you for that.
Senator Pryor?
STATEMENT OF HON. MARK PRYOR,
U.S. SENATOR FROM ARKANSAS
Senator Pryor. Thank you, Mr. Chairman.
Mr. Leibowitz, let me follow up on that point. It sounds
like that this Committee and the Senate have acted to try to
put some tools in your hands that you feel like we need, and it
sounds like that has a big international dimension to it. Is
that right?
Mr. Leibowitz. That's exactly right, Senator.
Senator Pryor. And I assume one of the real challenges you
have is the international aspects of the Internet.
Mr. Leibowitz. Well, of course it is, because at this
point, right now, we can't share confidential information, by
law, with our foreign law enforcement sister agencies. It's an
anomaly in the law and everyone agrees that it should be
changed. And foreign law-enforcement agencies can't share
information with us, because it's FOIA-able. So, of course,
they won't do that. And if we can empower them to help us, I
think that will be enormously helpful in trying to do the
things you want us to do and really bringing more cases
effectively.
Senator Pryor. Does the Federal Trade Commission have any
real control over the Internet right now?
Mr. Leibowitz. No, we do not have control over the
Internet. We try to bring cases, when we can, against Internet
malefactors, of course, and we have brought a number of them.
Senator Pryor. Should it have any control over the
Internet?
Mr. Leibowitz. Well, I think we should have the ability to
effectively prosecute cases. And we can do some of that now,
but we could be much more effective if this legislation was
passed. And one of the reasons why we're so concerned about
this movement within ICANN to limit access to what's now public
information is that it will make it even more difficult for us
to find out who the bad guys are. It will be particularly hard
for us if we have to go to Internet registrars--and there are
800, I believe, of them, more or less--in foreign countries,
and they don't have to give us any information, and that
information isn't available.
Senator Pryor. Right, OK. And, I'm sorry, you're going to
have to pronounce your name for me. Is it Kneuer?
Mr. Kneuer. Kneuer.
Senator Pryor. Mr. Kneuer, I am very interested in the
possibility, at least, of setting up a dot-xxx domain. I think
that--and I may have it wrong, but I think that this would be
a--an important step to cleaning up the Internet. I have a real
concern. I have two young children--not that young; sixth and
seventh grade--and they're just getting, kind of, prime
Internet-exposure age, and I have a lot of concern about them.
And I think every parent in America is concerned, or should be
concerned, about the Internet. And I think the dot-xxx domain
could be an important step in maybe making the Internet safer
in a lot--in a lot of different ways for our children and for
this country, and, really, for the world. But as I understand
it, NTIA urged ICANN to reject the dot-xxx domain, and I'm
curious if you know how that happened and why that happened?
Mr. Kneuer. Thank you, Senator. I absolutely share your
concern. I've got two small children of my own--too small for
the Internet, but I constantly worry about what happens when
they get to be the age of your children, and older.
ICANN did consider the adoption of a dot-xxx domain name,
and they ultimately did not adopt that. There was communication
from NTIA and the Department of Commerce into the ICANN process
on two fronts with regards to dot-xxx. The first was a
communication that said, ``As you are examining this, there
appears to be a great deal of interest from a great deal of
entities about this, and, as part of your bottom-up
deliberative process, you should have an opportunity, and
create an opportunity, for all interested stakeholders to
express their views.'' So, we wrote a letter asking them to do
that. Other governments wrote similar letters.
I wrote a second letter, later, talking about, precisely,
the potential public policy benefits that would flow from dot-
xxx. If there were to be a dedicated domain, let's make sure
that there are enforceable steps to make sure that pornography
is limited to those sorts of sites. And it was simply a factual
inquiry to say, ``We've heard a list of public policy
commitments. Are they being made enforceable?''
As I said, ultimately through the process, dot-xxx was not
fully adopted, but----
Senator Pryor. Is that because you just want more time to
examine the value of dot-xxx?
Mr. Kneuer. Well, I think it was through--as I said,
communications we made into the ICANN Government Advisory
Committee. Other governments made similar inquiries. Large
numbers of private entities made comments, both in favor of and
against. I don't believe we ever established a formal position,
one way or another. Our comments with regards to dot-xxx, which
are public, were along the lines of process, making sure that
everybody had an opportunity to weigh in, and then raising
factual questions about, what would be the potential
enforcement of these public policy benefits that could accrue
from dot-xxx?
Senator Pryor. Will ICANN revisit this in the future?
Mr. Kneuer. I believe, under ICANN's processes, there are
periods for reconsideration and review. My understanding is
they're currently undergoing that with regards to dot-xxx.
There is a fairly transparent and open application process for
the establishment of new top-level domains, so I don't believe
that there is anything that would preclude further
consideration of whether it is dot-xxx or some other domain
name.
Senator Pryor. And that's my last question, that you
mentioned, transparency and openness and accountability. I
think both of you have talked about this in your statements and
in answering questions. What can NTIA do to help improve the
level of transparency and accountability? What needs to happen
there?
Mr. Kneuer. Well, I think that is the function of our MOU.
The MOU does not create a relationship between the Department
of Commerce and ICANN that is one of regulator and regulated;
it is much more of a partnership. This was a U.S. Government
function that we unilaterally are transferring to the private
sector. And we have the MOU to help them with that transition
and to help them develop those processes. So, to the extent
being dedicated to being a closer observer than perhaps others
might be, and sharing with them our insights and our views,
being a sounding board for those sorts of issues, we help them
work through this transition. So, that would be my expectation
of what the ongoing relationship would entail, us helping them
come up with processes that are transparent to the constituent
membership, and the interested stakeholders so that they
understand how they can interrelate with ICANN, that all views
are heard and considered through the bottom-up coordination
process, and that decisionmaking is accountable.
Senator Pryor. Thank you, Mr. Chairman.
The Chairman. Well, thank you very much.
Pardon me for mispronouncing your name, Mr. Kneuer. I don't
know whether you want to be ``Knowwer'' or ``Knewer,'' but
sorry.
[Laughter.]
The Chairman. We do appreciate your help and consideration.
I thank you for your plug for the bill we've passed in the
Senate, and we still are trying to wait and see whether the
House will pass that. It passed over here unanimously, so it
should not be causing any problems over there. We do thank you
for your help.
Mr. Kneuer. Thank you, Mr. Chairman.
The Chairman. Do you have any further questions, Senator?
Senator Burns. I do not.
The Chairman. So, we'll turn to panel 2, then. Gentlemen,
thank you very much.
Our next panel is Dr. Paul Twomey, President and CEO of
Internet Corporation for Assigned Names and Numbers; Mr. Ken
Silva, Chief Security Officer for VeriSign; and Ms. Christine
Jones, General Counsel and Corporate Secretary for The Go Daddy
Group.
We thank you very much for being willing to testify here
today to help us further understand the situation with regard
to ICANN.
Dr. Twomey, would you like to commence, please?
STATEMENT OF DR. PAUL TWOMEY, PRESIDENT/CEO,
INTERNET CORPORATION FOR ASSIGNED NAMES AND
NUMBERS (ICANN)
Dr. Twomey. Good morning----
The Chairman. Pull the mike toward you, please.
Dr. Twomey. All right. Thank you.
The Chairman. Thanks.
Dr. Twomey. Good morning, Mr. Chairman, and members of the
Committee. May I say how pleased I am to be--appear again in
front of your Committee. Thank you for the opportunity to speak
before the Subcommittee in my role as President and Chief
Executive of the Internet Corporation for Assigned Names and
Numbers.
ICANN is a private-sector organization performing a global
function, with our main office in Marina del Rey, California.
ICANN has been recognized by the world community as the global
authoritative body on the technical and organization means to
ensure the stability, interoperability of the DNS and the
distribution of Internet protocol addresses and other unique
identifiers.
Since appearing before the Senate Committee on Commerce,
Science, and Transportation nearly 2 years ago----
The Chairman. I hate to tell you, but people in the back of
the room are not hearing you.
Dr. Twomey. OK, sorry.
The Chairman. Can you pull the mike toward you, sir?
Dr. Twomey. There we go. Thank you sir.
The Chairman. Thank you.
Since appearing before the Subcommittee nearly 2 years ago,
ICANN has continued to take great steps forward in solidifying
its role as the international private-sector entity tasked to
provide technical coordination of the domain-name system. Since
its origins in 1998, ICANN has helped secure a stable and
secure Internet that creates a presumption of universal
resolvability. ICANN has fostered greater choice, lower costs,
and better services to DNS registrants, including over 10
million businesses in the United States alone.
The Internet requires a stable and secure system of unique
identifiers if it is to serve the global community efficiently
and reliably.
At the core of ICANN's mission is global interoperability
of a single Internet. ICANN was established to serve the
Internet community by maintaining the stability and security of
the Internet's unique identifier system and fostering
competition, where appropriate, to give Internet users greater
choice at optimal cost.
ICANN's successful coordination of its community underpins
the operation of the global Internet. Each day, the system
supports an estimated 30 billion resolutions, nearly ten times
the number of phone calls in North America each day. There are
currently more than 1 billion users of the Internet. Due to the
universal DNS resolvability, secured and coordinated by ICANN,
the Internet addresses resolve in the same way for every one of
the Internet's global users once online.
ICANN is entering into six new agreements with gTLD
registry operators in the last 2 years, including .net,
.travel, .cat, .jobs, .mobi, and .tel. All the pending
agreements have set out language with a greater accountability
to ICANN on security and stability concerns, and also provide
greater opportunities for ICANN to act in the event of actions
of registries or such other issues that might arise from
registry operator actions or practices.
One particular agreement, the dot-com agreement, is part of
a larger overall settlement of a longstanding dispute with
VeriSign over its desire to introduce new registry services.
That dispute arose with the creation of ICANN and has been
resolved in a way that would enhance the performance of both
entities to the benefit of all the users of the Internet.
ICANN has been engaged in a longstanding and important
relationship with the U.S. Government and--since ICANN's
inception. And I note the previous panel's discussion of the
MOU.
ICANN continues in its relationship with the U.S.
Government and has recently entered into a new 5-year
arrangement for ICANN to manage the Internet, assign names, and
a numbers authority, IANA function--sorry--the Internet
Assigned Numbers Authority. Additionally, ICANN and the NTIA
are in the final stages of discussions which will confirm an
appropriate continuing relationship toward the transition of
the coordination of the technical functions related to the
management of the DNS to the private sector. And this, we
think, will recognize ICANN's global private-sector role,
providing technical management of the DNS in a manner that
provides stability and security, competition, coordination, and
representation.
One of the greatest achievements of ICANN has been the
successful creation, support, and coordination of an ICANN
community in creation of bottom-up policymaking processes
supported by various stakeholders involved in the DNS. The
evolution of this process continues in many ways, but may I
point to two important recent actions:
This week, the ICANN Board, having reviewed the comments
about ICANN and its processes, and particularly issues around
transparency and accountability that the Committee has already
mentioned, generated from the Committee during the past year,
has commenced review of its own guiding principles and is
publishing, soon, a set of private-sector management operating
principles which will be offered for public review.
And last week, the London School of Economics provided
ICANN--an ICANN-commissioned independent third-party review of
one of ICANN's key policy development supporting organizations,
the Generic Name Supporting Organization. The information
contained in this review will likely result in consideration of
additional improvements to ICANN's GNSO and supporting
organization structure. Such ongoing evolution and review is an
important part of our policy process.
May I just make some quick notes, then, on the issue of
WHOIS, to state that ICANN is dedicating resources in this
operational budget to better enforcement of the existing policy
we have for WHOIS. There is a process presently underway among
some of the constituencies of the ICANN process to discuss the
WHOIS topics, as has been pointed out by previous speakers, but
there is a long way to go before there would be any change;
and, if there was any discussion coming from many of the other
constituencies, there may be no change at all. I'd like to
point out that all of the people who we're representing here
today have all had the opportunity, and will continue to have
the opportunity, to input into that discussion, but, at the
moment, there is no change to ICANN's WHOIS policy.
Since 1998, our self-governance model has succeeded in
addressing stakeholder issues as they appeared and bringing
lower costs and better services to DNS registrants. One point
I'd like to particularly point out, partly coming to the
question from you, Chairman, is that ICANN's uniform domain
name--Universal Domain-Name Dispute-Resolution Policy has been
successful and of great value to individuals, businesses, and
intellectual property holders. The policy enables them to
assert--in allow them to assert their rights on domain names
and to bring an online arbitration system for dealing with just
the sorts of disputes that you pointed out between people who
should own a particular domain name. The UDRP has resolved more
than 17,000 disputes over the rights to domain names and has
proven to be an efficient and cost-effective way of alternate
dispute resolution.
If I could just finish my testimony by pointing out that in
the introduction of new gTLD registries and introduction of
greater competition amongst registrars, domain-name costs to
registrants in the lifetime of ICANN have declined by as much
as 80 to 90 percent, with savings both for consumers as--
consumers and businesses. ICANN looks forward to working
closely with people giving evidence here, the Committee, and
others, as we go forward to completing our transition to
private-sector coordination.
Thank you.
[The prepared statement of Dr. Twomey follows:]
Prepared Statement of Dr. Paul Twomey, President/CEO, Internet
Corporation for Assigned Names and Numbers (ICANN)
Introduction
Good morning, Chairman Smith, and members of the Committee. Thank
you for the opportunity to speak before this Subcommittee in my role as
President and CEO of the Internet Corporation for Assigned Names and
Numbers (ICANN). ICANN is a private sector organization performing a
global function, with our main office in Marina del Rey, California.
ICANN has been recognized by the world community as the global
authoritative body on the technical and organizational means to ensure
the stability and interoperability of the DNS, and the distribution of
IP addresses.
ICANN's Role in Internet Governance
Since appearing before the Senate Committee on Commerce, Science,
and Transportation nearly 2 years ago, ICANN has continued to take
great steps forward in solidifying its role as the international
private sector entity tasked to provide technical coordination of the
domain name system (DNS).
The limited and distinct mission of the Internet Corporation for
Assigned Names and Numbers is clearly set out in Article I of ICANN's
Bylaws. ICANN:
1. Coordinates the allocation and assignment of the three sets
of unique identifiers for the Internet, which are:
a. Domain names (forming a system referred to as ``DNS'');
b. Internet protocol (IP) addresses and autonomous system
(AS) numbers; and
c. Protocol port and parameter numbers.
2. Coordinates the operation and evolution of the DNS root name
server system.
3. Coordinates policy development reasonably and appropriately
as they relate to these technical functions.
Since its origins in 1998, ICANN has helped secure a stable and
secure Internet that creates a presumption of universal resolvability.
ICANN has fostered greater choice, lower costs and better services to
DNS registrants, including over ten million businesses in the United
States alone. The Internet requires a stable and secure system of
unique identifiers if it is to serve the global community efficiently
and reliably.
At the core of ICANN's mission is global interoperability of a
single Internet. ICANN was established to serve the Internet community
by maintaining the stability and security of the Internet's unique
identifier systems, and fostering competition where appropriate to give
Internet users greater choice at optimal cost.
ICANN's successful coordination of its community underpins the
operation of the global Internet. Each day this system supports an
estimated 30 billion resolutions, nearly 10 times the number of phone
calls in North America per day. There are currently more than one
billion users of the Internet. Due to the universal DNS resolvability
secured and coordinated by ICANN, the Internet addresses resolve in the
same way for every one of the Internet's global users once online.
ICANN has entered into six new agreements with gTLD registry
operators (including .NET, .TRAVEL, .CAT, .JOBS, .MOBI, and .TEL) in
the last 2 years (and has finalized negotiations and is waiting for
approval of 5 others). All of the pending agreements have set out
language with a greater accountability to ICANN on security and
stability concerns, and also provide greater opportunities for ICANN to
act in the event of actions of registries, or such other issues that
might arise from registry operator actions or practices., including:
(a) the .COM agreement (which is currently pending approval by the U.S.
Department of Commerce) and (b) four other registry agreements for
.ASIA, .BIZ, .INFO and .ORG (which are subject to review by the ICANN
Board of Directors during the next ICANN Board Meeting).
The .COM agreement is part of a larger overall settlement of a
long-standing dispute with VeriSign over its desire to introduce new
registry services. That dispute arose with the creation of ICANN and
has been resolved in a way that would enhance the performance of both
entities, to the benefit of all of the users of the Internet. ICANN and
VeriSign Board's have both approved settlement documents that would
permit the parties to act together in a concerted way to protect the
overall security and stability of the Internet. Further, if VeriSign
were ever to act in a manner that is inconsistent with the interests of
the Internet community, ICANN has built additional mechanisms into the
agreement to resolve such disputes promptly and effectively.
Continuing Relationship With the United States Government
ICANN has been engaged in a long-standing and important
relationship with the U.S. Government since ICANN's inception, which
has been administered by the U.S. Department of Commerce's NTIA. ICANN
is about to successfully complete the sixth separate amendment to its
original Memorandum of Understanding with the DOC.
ICANN will continue in its relationship with the U.S. Government,
having recently entered into a new 5-year arrangement for ICANN to
manage the Internet Assigned Numbers Authority (IANA) function.
Additionally, ICANN and the NTIA are in the final stages of
discussions, which will confirm an appropriate continuing relationship
and will recognize ICANN's global private sector role providing
technical management of the DNS in a manner that promotes stability and
security, competition, coordination, and representation.
ICANN's Private-Sector Multi-Stakeholder Model and its Continuing
Evolution
One of the greatest achievements of ICANN has been the successful
creation, support and coordination of an ICANN Community and creation
of the bottom-up policymaking process supported by various stakeholders
involved in the DNS. Since ICANN's creation, the Internet community
stakeholders, have vigorously discussed and reviewed ICANN's mission
and values. Accordingly, ICANN has continued to build into a robust
entity, and has continued to evolve ICANN's multi-stakeholder model,
which remains encapsulated in ICANN's Bylaws and its Mission and Core
Values.
The evolution continues in many ways, but most recently in the
following actions:
1. This week, the ICANN Board, having reviewed the comments
about ICANN and its processes generated from the community
during the past year, has commenced a review of its own guiding
principles and is publishing a set of Private-Sector Management
Operating Principles (ICANN PSMOPs), which will be offered for
public review.
2. Last week, the London School of Economics provided an ICANN-
commissioned independent third-party review of one of ICANN's
key policy development supporting organizations, ICANN's
Generic Name Supporting Organization (GNSO). The information
contained in this review will likely result in considerations
of additional improvements to ICANN's GNSO and supporting
organizational structure.
ICANN's Continuing Accomplishments
Since 1998, ICANN's self-governance model has succeeded in
addressing stakeholder issues as they have appeared, and bringing lower
costs and better services to DNS registrants and everyday users of the
Internet.
ICANN has been continuing its efforts to manage and adapt in the
face of continued and dynamic growth of the Internet. ICANN, with the
efforts of the ICANN Security and Stability Advisory Committee, has
worked to make the Domain Name System more resistant to external
attack.
ICANN has undertaken significant work in relation to
Internationalized Domain Names (IDNs) that will enable people across
the world to interact with the Internet's domain name system in their
own languages, which will work to avoid the creation of alternate root
systems. Working in coordination with the appropriate technical
communities and stakeholders, ICANN's adopted guidelines have opened
the way for domain registration in hundreds of the world's languages.
ICANN's Uniform Domain Name Dispute Resolution Policy (UDRP) has
been highly successful and of great value to individuals, businesses
and intellectual property holders. The policy enables them to assert in
allowing them to assert their rights against domain name squatters and
infringers of intellectual property interests. The UDRP has resolved
more than 17,000 disputes over the rights to domain names, and proven
to be efficient and cost effective for those utilizing this alternative
dispute resolution mechanism.
After significant study and discussion, and working with the
accredited gTLD registrars, ICANN developed a domain name transfer
policy enabling domain name holders to transfer management of their
domain name from one registrar to another readily. The implementation
of this policy has been highly successful and has been an important
step in providing additional registrar market changes and greater
choice to consumers.
ICANN continues to introduce new Top Level Domains to give
registrants right of choice. These include the introduction of seven
new gTLDs in 2000 and four additional ones so far from the 2004
sponsored top-level domain name round.
ICANN re-bid the .NET registry during 2005, resulting in a new
agreement being executed between ICANN and VeriSign. ICANN has proposed
five additional gTLD agreements with the registry operators of .ASIA,
.BIZ, .COM, .INFO, and .ORG. All of the newly proposed registry
agreements contain new language supporting ICANN's role in the security
and stability of the DNS.
The market competition for generic Top Level Domain (gTLD)
registrations established by ICANN has lowered domain name costs in
some instances by as much as 80 to 90 percent, with savings for both
consumers and businesses. Additional detail is provided below.
Registry-Registrar Level Competition
Since ICANN was founded in 1998, ICANN has entered into many
private arms-length agreements with registries (that operate the
generic top-level domains), and with registrars (who are accredited by
ICANN to sell domain names directly to consumers). Through these
actions, ICANN has provided a private-sector solution and helped break
down the monopoly position by a single dominant company, which provided
both registry and registrar functions to the majority of consumers
purchasing domain names.
In 1998, there were only three main generic top-level domain name
registries (.COM, .NET, and .ORG) from which domain names could be
purchased by American small businesses. Only one company was running
all three registries, Network Solutions (which was later acquired by
VeriSign). Most registrations by small businesses were in .COM.
There was a single registrar in 1998. That same company that ran
the registries, Network Solutions, was the only registrar from which a
consumer could purchase a domain name. The price of a single domain
name in .COM in 1998, was approximately $90.00 per domain name. The
.COM Registry still controls a significant amount of the marketplace,
but now less than 50 percent of the market, including ccTLD operators.
The price for a .COM registration today depends upon where you
purchase the name from, but in some instances the price of a domain
name has been reduced by as much as 90 percent. Today, the price ranges
from $7 to $35 per domain name. Go Daddy is now the largest registrar,
displacing Network Solutions, which has been spun out of VeriSign.
Consumers can choose from over 845 ICANN-Accredited Registrars,
derived from more than 250 unique business groups (a significant number
owning interests in multiple registrar companies), located in over 40
countries.
Between 2000 and today, 11 new generic top-level domains have
signed agreements with ICANN. Five of those (.CAT, .JOBS, .MOBI, .TEL
and .TRAVEL) having signed agreements with ICANN in the last 18 months.
Conclusion
In conclusion Mr. Chairman, ICANN is committed to its continuing
role as the private sector steward of a stable and globally
interoperable Internet, and is committed to fostering competition in
the domain name marketplace.
The Chairman. Thank you very much. We will look forward to
coming back to you with some questions concerning your
position.
Our next witness is Mr. Ken Silva, the Chief Security
Officer for VeriSign.
STATEMENT OF KEN SILVA, CHIEF SECURITY OFFICER, VeriSign
Mr. Silva. Thank you, Mr. Chairman.
My name is Ken Silva, and I serve as Chief Security Officer
for VeriSign. I also serve as the Chairman of the Internet
Security Alliance, as well as serving on the Board of Directors
for the Information Technology--Information Sharing and
Analysis Center. I'm also an advisor to the Bush
Administration's National Security Telecommunications Advisory
Council.
Internet governance is an important issue today, because
the Internet is so critical to our national and economic
security. The technology of the Internet has transformed
personal communications, banking and finance, government
processes, and manufacturing. For example, 25 percent of
America's value moves over our networks each day.
The United States is not the only country focused on
Internet governance, however. A number of countries, such as
China, Cuba, and Syria banded together last year in an attempt
to shift control of the Internet over to the United Nations or
the International Telecommunications Union. They did so,
because they believe the United States has too much control
over the Internet. Their efforts were not successful, in large
part due to the outstanding efforts by the State Department and
the Commerce Department. These countries, however, have not
given up on their goal. The dramatic rise in usage bears out
the Internet's importance globally.
The dot-com bust gave the illusion that the Internet growth
had slowed down, but, in fact, it has actually grown at a
remarkable rate. At the height of the dot-com boom in 2000, for
example, there were roughly 250 million people using the
Internet. Today, that's about a billion. So, that's about a
300-percent increase since--over 300-percent increase since
2000.
So, there are two questions we would pose today. The first
is, is the Internet able to meet the growing demands on its
infrastructure? And the second, is the Internet secure and
reliable, and will it continue to be so?
VeriSign's role in supporting the Internet's infrastructure
gives us a unique perspective on the Internet and these
questions. VeriSign operates two of the 13 authoritative
``root'' servers, including the A root. VeriSign also manages
dot-com and dot-net domain registries.
So, let's start with the first question. Is the Internet
able to meet the growing demands of the infrastructure? The
answer is yes, as long as we continue to promote investment in
the infrastructure. While users have increased 300 percent
since 2000, the volume of traffic has increased 1900 percent.
VeriSign is very proud of the fact that dot-com and dot-net
systems have had 100 percent up-times 7 years straight. To
support these functions, VeriSign has invested hundreds of
millions of dollars in building a global network of computers
that are a critical component of the Internet's infrastructure.
VeriSign is not alone in this. There are more than 250 other
such registries. It is, therefore, essential that a framework
is in place, for all operators, that drives operational
excellence so we can meet the demands of the Internet.
Now to the second question. Is the Internet secure and
reliable? While the Internet has operated remarkably well, we
can never get lulled into a false sense of security. What makes
for good security today is a vulnerability tomorrow. The very
growth of Internet users, broadband capacity, and the number of
Internet-enabled devices has created an opportunity for
hackers, organized criminals, and, even more serious,
terrorists to attack our networks. Therefore, we must
continually probe our weaknesses and invest in and strengthen
our networks.
Let me give you some historical examples of what I'm
talking about here.
In October 2002, the Internet community got a wake-up call
when 13--all 13 of the DNS root servers came under a heavy
denial-of-service attack. That attack was viewed at the time as
the largest attack ever to hit the Internet. It was viewed as a
national crisis. Dick Clark, at the time, raised a red flag to
this. There were a number of hearings on this subject, and a
massive investigation by government to ensure that the root
server system was secure.
That attack, unfortunately, in 2002, while it was a massive
attack and did affect a large number of the root servers, would
be considered a very weak and feeble attack today. Just a few
months ago, in January of this year, we observed an attack that
was ten times that size and was targeted at the dot-com
servers. We weathered that attack, but 1,500 other websites
over a 6-week period of time did not bear the attack as well.
Now, these hackers targeted their victims over a 6-week period
of time, and they used about 32,000 of what we estimate to be a
half a million available resources to them. So, that's just 6
percent of what's available. This could have been much worse,
and the fact--and, in fact, would have taken down even the
largest ISPs, had it been directed at any of them.
The lesson learned there is that we must be prepared
against these threats. VeriSign, for example, has invested over
$250 million on the Internet infrastructure, and expects to
continue to invest significantly in the near-term to strengthen
against the new, more devastating attacks. To put this
investment in perspective, VeriSign today can manage 10,000
times the capacity of Internet traffic that it handled in 2000.
We must move forward as an industry and a community to
strengthen the Internet. In the last year, several steps have
been taken by the community to ensure a strong Internet.
Progress has been made on introducing internationalized domain
names and expanding the number of Internet addresses. ICANN has
also established a framework for registry operators that, one,
gives ICANN the authority to fire an operator if it fails to
meet its performance levels; two, provides incentives for
continued investment; and, three, imposes safeguards for
consumers. This new framework advances the objective of
security and stability by ensuring the necessary investment
into the critical infrastructure.
To conclude, Mr. Chairman, the last 5 years have brought
painful lessons on the importance of preparation. We must not
lose that vigilance, and we must continually take steps to
strengthen the Internet so it remains reliable and always
available.
I thank you for this opportunity to testify.
[The prepared statement of Mr. Silva follows:]
Prepared Statement of Ken Silva, Chief Security Officer, VeriSign
Good morning, Chairman Smith, and distinguished members of the
Committee. My name is Ken Silva and I serve as Chief Security Officer
of VeriSign.
VeriSign operates intelligent infrastructure services that enable
and protect billions of interactions every day across the world's voice
and data networks. The company is headquartered in Mountain View,
California, and it has additional corporate facilities in Virginia,
Kansas, Washington State and Massachusetts.
Thank you for the opportunity to testify today. I have a prepared
statement, which I would request be inserted in the record.
Internet governance is not a topic that 5 years ago would have been
the subject of a Congressional hearing. The Internet was still
relatively new and was not thought of yet as critical to our national
and economic security.
We have all witnessed, and learned, a lot over the last 5 years. We
have had tragic reminders that our critical infrastructure and national
symbols are targets. We have seen how not adequately preparing for
events can have disastrous consequences. And we have seen how questions
of who controls our critical infrastructure, such as the port issue,
can spark controversy.
And the United States is not the only country focused on Internet
governance. In fact, a number of countries such as China, Cuba, and
Syria last year sought to shift control of the Internet over to the
United Nations or International Telecommunications Union. They did so
because they believe the United States has too much control over the
Internet.
Their efforts were not successful in large part due to the
outstanding efforts by the State Department and Commerce Department.
These countries, however, have not given up on their goal.
Internet governance is an important issue today because the
Internet is critical to our national and economic security. The
technology of the Internet has transformed personal communications,
banking and finance, government process and manufacturing. Twenty-five
percent of America's economic value moves over network connections each
day. If the Internet were to go down for a just few hours, we would
lose hundreds of millions of dollars of economic activity. If it went
down for several days, U.S. economic activity would be severely
curtailed; payrolls would not be met, securities transactions not
cleared; invoices not paid.
So whether it's Wal-Mart, the House of Representatives or a soccer
mom checking e-mail to see if today's practice is still on, we all rely
on the Internet.
The dramatic rise of Internet usage bears that out.
The dot-com bust gave the illusion that Internet growth slowed
down, but in fact it has grown at a remarkable rate. At the height of
the dot-com boom in 2000, for example, roughly 250 million people used
the Internet. Today, according to Internet World Stats, more than 1
billion users worldwide rely on the Internet, a 300 percent increase
since 2000.
So, there are two questions we would pose today:
Is the Internet able to meet the growing demands on its
infrastructure?
Is the Internet secure and reliable?
VeriSign's role in supporting the Internet's infrastructure gives
us a unique perspective on the Internet, and these questions.
VeriSign operates two of the 13 authoritative ``root'' server
operation centers that direct Internet traffic, including, at the
request of the U.S. Commerce Department, the ``A'' Root Server. In this
server, we maintain the authoritative address list of all Internet top-
level domains. VeriSign also manages the ``dot COM'' and ``dot NET''
domain registries. These are the central databases that enable you as
an Internet user to simply type in a domain name on your computer, such
as ``verisign.com,'' and connect it over the Internet to the machine
that hosts the proper website.
Let's start with the first question: Is the Internet able to meet
the growing demands on its infrastructure?
The answer is yes, as long as we continue to promote investment in
the infrastructure. The explosion of Internet-enabled devices and
applications--text messaging, music downloads, VoIP, Blackberries and
device-to-device communications--has created exponential growth in
Internet traffic far surpassing the increase in users. While users have
increased 300 percent since 2000, the volume of traffic on .com and
.net has increased 1,900 percent.
VeriSign is proud of the fact that the .com and .net systems have
had 100 percent uptime 7 years straight. To support these functions,
VeriSign has invested hundreds of millions of dollars into building a
global network of computers that are a critical component of the
Internet's infrastructure.
VeriSign is not alone in this. There are more than 250 domain
registries in the world--for domains such as .fr for France, .de for
Germany and what are called generic top-level domains such as .info,
.org and .biz. All of these domains have registry operators that, like
VeriSign, must operate and invest in critical infrastructure to keep
the systems running smoothly.
It is therefore essential that a framework is in place for all
operators that drives operational excellence so we can meet the coming
demands for the Internet, such as broadcast quality video and other
real-time high-bandwidth applications.
Now, to the second question: Is the Internet secure and reliable?
While the Internet has operated remarkably well we can never get
lulled into a false sense of security. What makes for good security
today is vulnerability tomorrow. We must continually probe our
weaknesses and invest and strengthen our networks.
This very growth of Internet users, broadband capacity and number
of Internet-enabled devices has created an opportunity for hackers,
organized criminals and even more serious terrorists to attack our
networks. Some do so for technical trophies, some for political
objectives, but today, most bad behavior on the Internet is done for
financial gain.
In fact, the very devices and increased bandwidth that make the
Internet more robust and user friendly are being deployed to compromise
the Internet. Now that computers are always-on, they are easily
accessible to hackers and other abusers to hijack. And the increased
bandwidth and computing power available literally gives hackers more
ammunition to utilize against the infrastructure:
Regular PCs are being hijacked to mount these attacks.
According to CipherTrust, more than 180,000 PCs are illegally
hijacked each day and turned into zombies.
Hackers are utilizing the computing capacity available to
their advantage. While a Jupiter Research report in 2004 found
that the typical home needed less than 3 Mbps of bandwidth,
that level has steadily grown and given the demands of gaming
and video that capacity is expected to grow to 57 Mbps by 2009.
That means that hackers will have 19 times the computing
capacity available to them in the PCs they hijack in that
period.
Let me give you some historical examples of what types of attacks
we as a community have experienced.
In October 2002, the Internet community got a wake-up call when the
13 DNS root servers, which serve as the heart of the Internet
addressing system, came under heavy denial of service (DoS) attack. In
these attacks, the hackers send countless bogus inquiries to domain-
name servers, which are computers that direct Internet traffic. By
sending phony website requests to these servers, they overload and
disable them, making websites unavailable.
These attacks significantly impaired the operations of several of
the root servers. The industry stepped up, and today an attack of that
scale and type would be a blip on the radar.
But hackers never give up innovating. In early January 2006, for
example, a hacker systematically disabled over 1,500 websites using
hijacked PCs. In these attacks, the hacker didn't directly attack the
domain-name servers. Instead, they sent their traffic to a legitimate
server with a DNS query and a forged source address.
In this case, the hacker also made the DNS query larger, by a
factor of 70 times, which amplified the attack and further disabled the
victims servers.
These hackers used hijacked PCs to target their victims over a six-
week timeframe. And the scary part is the hacker used a small
fraction--32,000 of 500,000 PCs (or just 6 percent)--available to them.
This could have been much worse, but it was still severe enough to
significantly disrupt the operations of 24 registry operators as well
as hundreds of businesses.
These attacks remain under investigation.
The lesson learned is that we must be prepared against all threats.
VeriSign, for example, has invested over $250 million in the Internet
infrastructure and expects to continue to invest tens of millions of
dollars in the near-term to strengthen it against potential attacks.
To put that investment in perspective, VeriSign today can manage
10,000 times the capacity of Internet traffic that it handled in 2000.
Looking Toward the Future
The Internet is made up of a number of entities that all must work
together. The root servers serve at the heart of Internet enabling
Internet traffic to get to the right address, over 250 domain name
registries around the world ensure that each of the domains is
operational, service providers such as EarthLink provide service to
businesses and consumers, and registrars provide the services that
consumers use to register domain names.
The task of maintaining the technical coordination of these
sometimes disparate layers falls on ICANN, which gains its authority
through a Memo of Understanding, or MOU, with the Department of
Commerce.
The Internet community's challenge is to promote innovation so that
consumers can do more while strengthening the infrastructure.
In the last year, several steps have been taken by the Internet
community to ensure a strong Internet. Progress has been made on
introducing internationalizing domain names and expanding both number
of Internet addresses available. ICANN has also established a framework
for registry operators that both rewards strong performance and
provides incentives for investment and imposes safeguards for
consumers.
ICANN has implemented new agreements for the .net and .mobi
agreements, and proposed new agreements for .com, .info, .biz and .org
that incorporate these principles. These agreements, for example, give
the operators flexibility to increase prices while protecting Internet
users by, in some cases, imposing limits on the levels of increases and
requiring a six-month notice so consumers could lock in at existing
prices.
This new framework advances the objective of security and stability
by ensuring the necessary investment into the critical infrastructure.
Finally, the question comes to ICANN itself. At the heart of the
question is ICANN's independence and what that means for the core
infrastructure of the Internet. ICANN has taken steps, through its
registry agreements, to become more financially independent. Under the
old model, one industry controlled ICANN's budget and that was an
unhealthy system.
ICANN has taken steps to get additional funding from the registries
without conditions, which means it will have more independence.
To conclude, Mr. Chairman, the last 5 years have brought painful
lessons on the importance of preparation. The Internet has worked--in
fact, been taken for granted--because we have stayed a step ahead of
both the dramatic rise in Internet traffic as well as the nefarious
efforts to do it harm.
We must not lose that vigilance and continually take steps to
strengthen the Internet so it remains reliable and always available.
Thank you for this opportunity to testify.
The Chairman. Thank you very much.
I see Senator McCain is here. Senator, have you got a time-
frame or do you wish to make a statement?
STATEMENT OF HON. JOHN McCAIN,
U.S. SENATOR FROM ARIZONA
Senator McCain. Thank you, Mr. Chairman. I just would make
a brief comment. Thank you for holding this hearing.
I would point out that since the NTIA published its White
Paper on the governance of the Internet's naming and addressing
system, we obviously--our government has aspired to turn over
the technical management of the DNS to private nonprofit that
would be committed to several principles.
I apologize for not being able to stay. I wanted to thank
the witnesses. This is a very important issue. And one of my
many concerns is truly making sure that competition and the
resulting benefits to consumers exists in the DNS.
And a lot of people don't understand this issue, Mr.
Chairman, but I think it's a very important one, and I thank
you for holding this hearing, and I hope we can move forward to
a resolution to it.
I thank you, Mr. Chairman.
The Chairman. Thank you very much.
We'll next turn to Christine Jones, General Counsel,
Corporate Secretary, for Go Daddy Group. Glad to have you with
us.
STATEMENT OF CHRISTINE N. JONES, GENERAL COUNSEL/CORPORATE
SECRETARY, THE GO DADDY GROUP, INC.
Ms. Jones. Thank you. Good morning, Mr. Chairman, and
members of the Committee.
I'm Christine Jones--as you said, General Counsel and
Corporate Secretary of The Go Daddy Group. We're happy to be
here with ICANN and VeriSign. We are ICANN's largest benefactor
and VeriSign's largest customer, so we feel it's only fitting
that we should be sitting here at the table with them today.
I'm going to focus my remarks on three principal issues
that you raised with earlier witnesses: the renewal of the
Memorandum of Understanding between the Department of Commerce
and ICANN, the .com Registry Agreement, and the security and
stability of the Internet.
The Go Daddy Group is an Arizona corporation. It consists
of eight ICANN-accredited registrars, including GoDaddy.com,
our flagship company. When I joined Go Daddy in 2002, it was a
very small registrar, with well under 100 employees. Today, we
have over 15 million domain names under management, and we're
the number-one registrar in the world. That means we register a
domain name once every 3 seconds or less. And every time we do,
VeriSign gets another $6 from us. We currently employ over
1,200 people, and we do not utilize any offshore outsourcing of
any kind. And we're committed to that.
I want to talk about the renewal of the Memorandum of
Understanding. There was a DNS White Paper, which was first
published in 1998. That paper articulated that principles of
accountability, competition, private, bottom-up coordination
and representation, were necessary for guiding the transition
to private sector of the Internet domain-name system. And we
believe that those principles still remain relevant today.
ICANN has made some progress toward achieving some of the
goals there, but not all of them. Specifically--and this was a
question that came up with the government witnesses--ICANN has
not yet achieved the competition goal, nor have they achieved
this private, bottom-up coordination and representation called
for even in their own bylaws. And the events of the last 2
years call into question whether or not ICANN will ever be able
to accomplish those goals in the future.
The MOU, which is set to expire next Saturday, should be
extended, but it should also be modified to stress the need to
correct these deficiencies and require a clear roadmap from
ICANN as to how it will regain the confidence of the community
upon which its existence relies. This Committee's commitment to
ensuring ICANN appropriately administer that system is vital.
Private, bottom-up coordination and representation should
be a guiding principle in the ICANN policymaking process. While
we have repeatedly urged ICANN to abide by this principle, they
have chosen, instead, to conduct business behind closed doors
and without input from the ICANN community. Unfortunately,
ICANN has yet to commit to--or perhaps they are unable to
commit to--openness, transparency, and accountability. The
manner in which the new dot-com agreement was negotiated is a
relevant example of ICANN and VeriSign getting together off the
record, creating a mutually beneficial policy, and then boldly
announcing that they have made a decision without input from
any of the stakeholders.
ICANN is responsible for an important public trust. To
preserve that public trust, it is vital that all stakeholders
have access to and recognize input into these types of
discussions. The entire Internet community should be made to
fully understand the reasons for ICANN's decisions and to have
effective and unbiased recourse if they have reason to question
those processes and decisions.
ICANN's bylaws specifically state--and I'm quoting--``ICANN
and its constituent bodies shall operate, to the maximum extent
feasible, in an open and transparent manner and consistent with
procedures designed to ensure fairness,'' and, ``in carrying
out its mission as set out in these bylaws, ICANN should be
accountable to the community for operating in a manner that is
consistent with these bylaws.''
Now, despite those provisions, there is no appropriate
accountability mechanism in place to impartially review ICANN
Board actions. It doesn't exist. There are two accountability
and review mechanisms defined in the bylaws. One is called
``reconsideration,'' and one is called ``independent review.''
``Reconsideration'' is basically the Board reviewing itself.
And ``independent review'' is a mechanism which is entirely
untested and has never been used.
We believe there needs to be an independent evaluation of
how these accountability mechanisms have worked, or will work,
and the implementation of any adjustments recommended as a
result of that evaluation should be undertaken before any final
transition can be contemplated.
So, we believe the MOU must be revised to include openness
and transparency as overall guiding principles if we are ever
to see an effective transition of the Internet DNS management
to the private sector through ICANN.
We would be happy to be involved in the process of
determining appropriate revisions, if that assistance would
help move the ball forward. We'd be happy to volunteer to be
involved in that.
On security and stability, like all of us in this room and
at this table, Go Daddy believes that the security and
stability of the Internet is vital. We devote considerable time
and resources to working with law enforcement on preserving the
integrity and safety of the Internet by quickly closing down
websites and domain names engaged in illegal activities. We
work with law enforcement agencies at all levels and routinely
assist in a wide variety of criminal and civil investigations.
We're also quick to respond to complaints of spam and phishing
and pharming and online fraud, and the subject matter of
yesterday's hearing, Internet child pornography. And we work
closely with anti-fraud and security groups such as the Anti-
Phishing Working Group, the Digital PhishNet, the National
Center for Missing and Exploited Children, and CyberTipline.
I personally, and this company in general, have made it a
high priority to use our position as a registrar to make the
Internet a better and safer place, and we feel very strongly
about that.
We recognize that VeriSign also has an important role to
play in the security and stability of the Internet. They manage
the entire infrastructure that supports the largest generic
top-level domain, the dot-com. That's why it's incredible to us
that ICANN did not include an infrastructure investment
requirement in the proposed dot-com agreement. In negotiating
that agreement, VeriSign ensured that their revenue would
increase, and ICANN ensured that their budget would benefit,
but who's going to ensure the benefits of the public interest,
as well? This Committee should insist that the agreement
between VeriSign and ICANN require VeriSign to invest in
continued infrastructure in the future.
VeriSign has over a billion dollars at stake--$1 billion--
if the proposed .com Registry Agreement is not approved.
Because a substantial portion of that $1 billion comes from Go
Daddy customers, I'd like to focus on that agreement for a
minute.
According to ICANN, 75 percent of all generic top-level
domains are registered in the dot-com. Dot-com names accounted
for over 80 percent of the growth in the generic top-level
domain-name space in 2005. Today, there are over 56 million
dot-com names registered. One of those is SenatorStevens.com,
I'm sure. We'll be happy to try to help to track that down, if
you'd like. That number is projected to grow to over----
The Chairman. Let me say that was just an example.
[Laughter.]
The Chairman. I don't want to get involved in this anymore
than I already am.
[Laughter.]
Ms. Jones. Yes, too late, sir.
[Laughter.]
Ms. Jones. OK, so that number is projected to grow to over
61 million by the end of the year, and to over 350 million--350
million--dot-com names by the end of 2012. That means VeriSign
gets this huge windfall, if this agreement is approved.
The form of presumptive renewal in the proposed agreement
is simply anticompetitive. The form of renewal eliminates the
possibility that dot-com could ever be rebid to allow true
market mechanisms to set the price for dot-com.
It's important to note that when the dot-net contract was
rebid last year, it resulted in a price reduction of over 28
percent, from $6 down to $3.50, a price that was appropriate to
the then-existing market conditions.
Other legitimate monopoly companies, such as the Bell
Companies, for example, must justify their price increases, and
VeriSign, the monopoly provider, should be required to do the
same.
I'd like to thank you, Chairman Stevens and Senator Smith
and the members of the Committee, for the generous invitation
to testify today. We agree that the secure future of the
Internet is paramount to the overall success of our economy,
and that of the global community, as well. Your commitment to
bringing attention to this issue is sincerely appreciated.
Inasmuch as the current agreement between ICANN and
VeriSign does not expire until November 10, 2007, I
respectfully request that this Committee direct the NTIA not to
approve the agreement until such time as it has been reviewed
in an open and transparent manner by the entire ICANN
community.
Thank you.
[The prepared statement of Ms. Jones follows:]
Prepared Statement of Christine N. Jones, General Counsel/Corporate
Secretary, The Go Daddy Group, Inc.
Introduction
Good morning Mr. Chairman and members of the Committee. I am
Christine Jones, General Counsel and Corporate Secretary of The Go
Daddy Group, Inc.
First, I would like to thank you, Chairman Smith, for the kind
invitation to testify today regarding Internet governance and the
future of the Internet Corporation for Assigned Names and Numbers
(ICANN). We are thankful for your attention to this important issue and
for recognizing that the Internet is a resource significant enough to
deserve the attention of the U.S. Senate. We agree that its secure
future is paramount to the overall success of our economy, and that of
the global community, as well. The future of ICANN rests with the
public that it was formed to benefit. That community's confidence in
ICANN has been shaken by the lack of openness and transparency; by the
apparent unwillingness of the ICANN Board of Directors to be
accountable to anyone but itself; and, the giant step backward that is
now being taken by the introduction of anticompetitive registry
agreements that threaten to undo what progress has been made.
The Memorandum of Understanding between ICANN and the Department of
Commerce should be extended and modified to stress the need to correct
these deficiencies and require a clear roadmap from ICANN as to how it
will regain the confidence of the community upon which its existence
relies. This Committee's commitment to ensuring ICANN appropriately
administer that system is vital.
Background
The Go Daddy Group, Inc. consists of eight ICANN-Accredited
registrars, including GoDaddy.com. When I joined Go Daddy in early
2002, it was a very small registrar with well under 100 employees.
Today, we have over fifteen million domain names under management, and
are the number one registrar in the world. That means we register a
domain name once every 3 seconds or less. Go Daddy is also the largest
provider of hostnames in the world today. We currently employ over
1,200 people and do not utilize offshore outsourcing of any kind.
The Go Daddy Group devotes considerable time and resources to
working with law enforcement on preserving the integrity and safety of
the Internet by quickly closing down websites and domain names engaged
in illegal activities. We work with law enforcement agencies at all
levels and routinely assist in a wide variety of criminal and civil
investigations. We are also quick to respond to complaints of spam,
phishing, pharming, and online fraud and work closely with anti-fraud
and security groups such as the Anti-Phishing Working Group, Digital
Phish Net, the National Center for Missing and Exploited Children, and
CyberTipLine. I personally, and the company in general, have made it a
high priority to use our position as a registrar to make the Internet a
better and safer place.
The Go Daddy Group has been an active supporter of ICANN processes
for over 5 years. We continue to believe in the validity of the
transition of management of the Internet Domain Naming System (DNS) to
the private sector, but we have serious concerns regarding the progress
of that transition to ICANN.
The DNS White Paper, first published in 1998, articulated that
principles of accountability, competition, private, bottom-up
coordination, and representation are necessary for guiding the
transition to private sector management of the Internet DNS. We believe
those principles remain relevant, but our testimony will explain why we
also believe those principles have not yet been fully accomplished by
ICANN, and why the events of the last 2 years bring into question
whether ICANN will be able to accomplish them in the future.
Competition
Significant progress has been made in regards to competition at the
registrar level. However, that is only half the equation. The .com
extension still maintains overwhelming dominance among the generic top
level domain (gTLD) registries. In addition, the new form of registry
agreement that has been proposed for the .com registry, as well as the
other gTLD registries, threatens to further entrench that dominance and
even negate competition at the registrar level:
Proposed .com Registry Agreement
It's important to first understand the current metrics involved
with the .com registry:
According to the monthly registry reports posted on ICANN's
website, .com still accounted for 75 percent of all gTLD
registered domain names at the end of 2005, and accounted for
over 80 percent of the growth in the gTLD name space during
2005.
The number of registered .com domain names is growing at
increasing rates year over year. The .com registry increased by
over 16 percent in 2003, over 25 percent in 2004, and almost 34
percent in 2005.
There are over 56 million .com names registered as of the
date of this testimony. That represents a 25 percent growth so
far in 2006 and projects to 35 percent growth for the year, to
over 61 million .com domain names.
If .com just maintains a 34 percent growth rate over the
life of the proposed agreement, it will grow to over 350
million domain names by the end of 2012.
As a result, the incremental revenue from the 7 percent
price increases in 4 of the 6 years as allowed in the proposed
agreements will provide VeriSign a windfall of over $1.8
billion.
For example, if you go to www.GoDaddy.com and register the
domain name www.ChairmanSmith.com, you would pay a maximum of
$8.95 per year for that domain name registration. Of that
$8.95, by the current .com contract, $6.00 goes to VeriSign,
$.25 goes to ICANN as a transaction fee, and the balance of it
goes to operating expenses and profit for Go Daddy. Taking this
example further, if some portion of the current 56 million .com
names are renewed, under the proposed agreement, $6.00 would
still go to VeriSign, plus an automatic increase of 7 percent
in 4 out of the next 6 years, an increase without price
justification. This is an extraordinary profit and these are
just the renewals.
Of course, that windfall will come at the expense of consumers. The
increasing costs of .com will result in a leveling effect of .com
retail prices. At the same time, it provides VeriSign a marketing fund
of gigantic proportions in comparison to its so-called competitors. As
a public company with a fiduciary responsibility to its shareholders,
VeriSign will no doubt use these funds to market and innovate at a
level with which other gTLDs will not be able to compete. Given the
market power that .com continues to hold, allowing VeriSign this
windfall is inappropriate for an organization committed to the
promotion of competition.
The form of presumptive renewal in the proposed .com agreement is
also anticompetitive. It substantially allows a perpetual agreement
unless VeriSign breaches its agreement and fails to cure. It even
allows for repeated breaches with only monetary fines as the penalty.
This form of renewal eliminates the possibility that .com could ever be
re-bid to allow true market mechanisms to set the price for .com. It is
important to note that when the .net contract was re-bid, it resulted
in a price reduction of over 28 percent, from $6.00 per .net domain
name to $3.50. a price appropriate to then existing market conditions.
In addition, this form of presumptive renewal leaves no way ICANN
can ever decide to re-bid .com based on VeriSign's performance as a
steward of the .com name space. Note the four conditions below
(emphasis ours) under which ICANN could decide not to renew .com under
Section 25.B of the current agreement. They no longer exist in the
proposed COM agreement.
Registry Operator shall be awarded a four-year renewal term unless
ICANN demonstrates that: (a) Registry Operator is in material breach of
this Registry Agreement, (b) Registry Operator has not provided and
will not provide a substantial service to the Internet community in its
performance under this Registry Agreement, (c) Registry Operator is not
qualified to operate the Registry TLD during the renewal term, or (d)
the maximum price for initial and renewal registrations proposed in the
Renewal Proposal exceeds the price permitted under Section 22 of this
Registry Agreement.
Removing the above requirements is particularly alarming given that
under the proposed agreement, VeriSign is not required to make
infrastructure investments or demonstrate that such investments are
being made. What are they going to do with the $1.8 billion windfall?
How do they intend to accommodate the projected growth of the .com name
space to over 350 million domain names, an increase of almost 600
percent over the life of the proposed agreement? It is a serious
mistake on the part of ICANN to not ensure that appropriate investments
in infrastructure will be made, especially considering their overall
mission of the security and stability of the Internet. The .com name
space is too important to simply assume that a wide open presumptive
renewal is enough incentive for the registry operator to make
appropriate investments. The proposed .com agreement must, therefore,
be refined before it is approved by the NTIA.
Future of New gTLDs
We believe an effective and objective process for introducing new
gTLDs is another important change that needs to take place to increase
competition at the registry level. In fact, that is one of the specific
tasks set out in section II.C. of Amendment 6 of the Memorandum of
Understanding under which ICANN currently operates with the Department
of Commerce:
8. Continue the process of implementing new top level domains
(TLDs), which process shall include consideration and
evaluation of:
a. The potential impact of new TLDs on the Internet root
server system and Internet stability;
b. The creation and implementation of selection criteria for
new and existing TLD registries, including public explanation
of the process, selection criteria, and the rationale for
selection decisions;
c. Potential consumer benefits/costs associated with
establishing a competitive environment for TLD registries; and,
d. Recommendations from expert advisory panels, bodies,
agencies, or organizations regarding economic, competition,
trademark, and intellectual property issues.
Define and implement a predictable strategy for selecting new TLDs
using straightforward, transparent, and objective procedures that
preserve the stability of the Internet (strategy development to be
completed by September 30, 2004 and implementation to commence by
December 31, 2004).
A successful process for new gTLDs is an important element for
introducing competition into the gTLD space. The trickle of new gTLDs
we have seen so far has done little to change the market power that
.com has maintained since before the initial publication of the DNS
White Paper in 1998.
The Policy Development Process that will ultimately recommend a
process to fulfill the principles stated in task 8 above was initiated
by the Generic Names Supporting Organization (GNSO) early in December
2005. The current timeline calls for these recommendations to be
presented to the ICANN Board of Directors at the end of this year, a
best case scenario. It will be well into 2007 before the evaluation of
the success of any resultant process could even begin to be undertaken.
We believe fulfillment of this task is crucial to the future of
ICANN and believe it important not to complete the transition of the
management of the Internet DNS until a successful and sustainable
process for the introduction of new gTLD is firmly in place.
Competition exists at the registrar level only. The .com name space
continues to overwhelmingly dominate the gTLD domain name market. The
anti-competitive form of registry agreements being contemplated by
ICANN and the DOC could very well threaten existing competition even at
the registrar level. Promoting competition, and doing so successfully,
needs to remain a core task for ICANN if it is to maintain the support
of the public it has been formed to benefit.
Private, Bottom-Up Coordination, and Representation
The principles of private, bottom-up coordination, and
representation cannot be fully realized without ICANN's
commitment to openness, transparency, and accountability. ICANN
is responsible for an important public trust. To succeed, it is
vital that all stakeholders have access to those processes;
Fully understand the reasons for ICANN's decisions as a
result of those processes;
And have effective and unbiased recourse if they have reason
to question those processes and decisions.
Indeed, ICANN's own bylaws state: ``ICANN and its constituent
bodies shall operate to the maximum extent feasible in an open and
transparent manner and consistent with procedures designed to ensure
fairness,'' and ``In carrying out its mission as set out in these
Bylaws, ICANN should be accountable to the community for operating in a
manner that is consistent with these Bylaws.''
ICANN's Articles of Incorporation state that ICANN is a nonprofit
public benefit corporation and is not organized for the private gain of
any person. As such, Directors are bound in the bylaws to act in the
best interests of that public benefit and to do so in an open and
transparent manner.
However, a number of examples over the last few years demonstrate
the failure of the ICANN Board and Staff to follow through on these
obligations.
The .net Registry Agreement
The registry agreement that resulted from the .net re-bid was
executed by ICANN before the final draft was posted for public comment.
This agreement represented a significant shift in ICANN's policy
regarding the management of the gTLD DNS and name space. The public
that ICANN's actions supposedly benefited cried out loud and hard about
these policy changes without due process within the community. The
community pointed out several problems with the agreement that they
believed benefited only the registry and ICANN's corporate structure at
the community's expense. Ultimately, some minor compromises were agreed
to by the winning registry, and the ICANN Board publicly apologized and
committed to do better.
The .com Registry Agreement and Law Suit Settlement
The ICANN Board's idea of doing better was posting a notice that it
had reached a settlement agreement with VeriSign to end a long-standing
lawsuit. While it is true that ICANN posted the settlement agreement
for public comment, there had been no prior indication of what ICANN
was doing in this regard, or that it again was considering changes in
long understood policy in order to settle the suit. In fact, these
policy changes were the exact same ones that the community had
complained about in regards to the .net Registry Agreement.
Once again, as this Committee well knows, the community that ICANN
was supposedly benefiting by this settlement made its displeasure known
loud and clear, especially in regards to the unexpected and early
renewal of .com registry agreement that was part of the settlement.
Ultimately, minor changes to the .com registry agreement were agreed to
by ICANN and VeriSign. These changes did little to address the
overwhelming concerns of the Internet community. Once again, ICANN
chose to benefit itself at the expense of the public as a whole.
Other Registry Agreements
Most recently, the ICANN Board posted proposed new agreements (not
renewals) to the .biz, .info, and .org registry operator agreements.
Once again, there was no prior notice that, despite the previous
outrage expressed by the Internet community regarding the .com and .net
agreements, the ICANN Board was going to implement the exact same
policy changes in all new gTLD DNS and name space management
agreements. This belies ICANN's promise to do better and is in direct
contravention to their obligation to operate an open and transparent
manner.
This fact is even more serious as it relates to these proposed new
agreements. After the .net and .com agreement fiascos, the Generic Name
Supporting Organization (GNSO), which was appointed by ICANN's bylaws
for the specific purpose of recommending policy regarding the gTLD DNS
and name space, initiated a Policy Development Process (PDP) to address
the concerns raised by the community. It now appears that the ICANN
Board of Directors no longer believes it is bound by its own bylaws and
is moving ahead without waiting for the outcome of the GNSO's PDP
findings. This is yet another poignant example of why the Department of
Commerce must maintain control over ICANN, even after the current
Memorandum of Understanding expires on September 30, 2006.
Lack of Appropriate Accountability and Review Mechanisms
All of the above is exacerbated by the fact there are no
appropriate accountability mechanisms in place to impartially review
ICANN Board actions. There are currently two accountability and review
mechanisms defined in ICANN's bylaws:
Reconsideration--This is basically the Board reviewing
itself. The criteria the process calls for is restrictive and
not useful for most instances where affected stakeholders
question an action of the Board. In addition, the fact that
transcripts or recordings of Board meetings have never been
made available make it difficult if not impossible for those
affected by Board actions to effectively evaluate whether their
concerns or questions meet the criteria of the bylaws.
Independent Review--This mechanism is entirely untested and
has never been used.
We also invite you to visit ICANN's website and see if you can
discover how to take advantage of either of these accountability
mechanisms. It is next to impossible to find anything of substance
about how to file either a Reconsider Request or a Request for
Independent Review, or even who the Independent Review agent actually
is.
We believe there needs to be an independent evaluation of how these
accountability mechanisms have worked, or will work, and the
implementation of any adjustments recommended as a result of that
evaluation should be undertaken before any final transition can be
contemplated.
The interests and support of the community ICANN is supposed to
benefit is shifting. The World Summit on the Information Society (WSIS)
and the resultant Internet Governance Forum (IGF) is an outcome of that
shift. These failures on the part of ICANN to adhere to the principles
espoused in its own bylaws and Articles of Incorporation are
accelerating that shift. It is clear that ICANN's Memorandum of
Understanding with the Department of Commerce must be extended and
modified. Openness and transparency are only hinted at in the current
Memorandum of Understanding. We believe the Memorandum of Understanding
should be revised to include openness and transparency as overall
guiding principles if we are to ever see an effective transition of the
Internet DNS management to the private sector through ICANN.
Conclusion
The future of ICANN rests with the public that it was formed to
benefit. That community's confidence in ICANN has been shaken by the
lack of openness and transparency; by the apparent lack of the ICANN
Board of Directors to be accountable to anyone but itself, and the
giant step backward that is now being taken by the introduction of
anti-competitive registry agreements that threaten to undo what
progress has been made.
The Memorandum of Understanding between the Department of Commerce
and ICANN should be extended and modified to stress the need to correct
these deficiencies and require a clear roadmap from ICANN as to how it
will regain the confidence of the community upon which its existence
relies.
Thank you again, Mr. Chairman, for the opportunity to be heard on
these important issues. Your commitment, and the commitment of the
members of this Committee, to bringing attention to issues impacting
the future of the Internet is sincerely appreciated. I would be happy
to answer any questions you may have.
The Chairman. Senator Smith is here, and I do want to yield
the Chair to him. I've got to say that from my perspective, we
ought to have a go-lightly approach, because I think the worse
thing to happen to the Internet would be to have us start
trying to regulate it from Congress. We have to find a way to
assist, to make sure that the transparency and responsibility,
and, really, antimonopoly concepts, are there for someone like
the FTC or the Department of Commerce to make proper inquiries,
and, if necessary, deal with it. But I don't think we want to
start a process of increasing regulation on the Net.
I do agree, however, that we've got a real difficult
problem, because we're just back from China, some of us, in
August, and we've had some conversations over there about the
Net and about the U.S. domination of the management of the Net.
We have to find some way to take this to an international forum
where we can get an agreement that this is a process that the
governments of the world ought to keep their hands off, but
ensure it will function through proper transparency and proper
participation for all users. I don't know how we're going to
walk down that road, but we're going to continue to have an
interest in, and pay attention to, and have hearings on, this
matter to let more and more people express their points-of-
view, and hopefully we might even work up a trip to go to meet
with some of our counterparts in other governments,
particularly in the very large governments, such as China and
India and the very populated countries that want to have more
of a role in how this process functions in their country. But
it's a very delicate issue, as far as I'm concerned.
So, I'm happy to see you back, Mr. Chairman.
STATEMENT OF HON. GORDON H. SMITH,
U.S. SENATOR FROM OREGON
Senator Smith [presiding]. Thank you very much, Chairman
Stevens. And I apologize to all of you for an unavoidable
emergency, but I'm glad to be here.
The Chairman. Could I just do one thing? I'd like to place
in the record, the Glossary of Internet Governance Terms and
Organizations that was prepared by our staff to help us
understand the process we have here today.
Thank you.
[The information referred to follows:]
Glossary of Internet Governance Terms and Organizations
------------------------------------------------------------------------
------------------------------------------------------------------------
ccTLD Country code Top Two-letter long top-level
Level Domain domain (TLD) used and
reserved for a country or a
dependent territory (.uk for
United Kingdom, .jp for
Japan, etc.)
------------------------------------------------------------------------
DNS Domain Name System Translates domain names into
IP addresses
------------------------------------------------------------------------
gTLD Generic Top Level TLD domains used worldwide,
Domain such as .com, .org, .net and
.info
------------------------------------------------------------------------
ICT Information and General term for the use of
Communication technology in managing and
Technology processing information,
especially in large
organizations
------------------------------------------------------------------------
IANA Internet Assigned Operated by ICANN, oversees
Numbers Authority global IP address allocation,
DNS root zone management, and
other Internet protocol
assignments. The technical
side of ICANN is referred to
as ``the IANA function''
------------------------------------------------------------------------
ICANN Internet Oversees a number of Internet-
Corporation for related tasks, including
Assigned Names and managing the assignment of
Numbers domain names and IP
addresses, including the
introduction of new generic
top-level domains
------------------------------------------------------------------------
IGF Internet Governance Created at 2005 WSIS in Tunis.
Forum IGF's first meeting is
scheduled for October 2006 in
Athens
------------------------------------------------------------------------
ITU International International organization
Telecommunications within the U.N. where
Union governments and the private
sector coordinate global
telecom networks and
services; WSIS and IGF (see
below) fall under ITU's
purview
------------------------------------------------------------------------
NGO Non Governmental Group or association that acts
Organization outside of institutionalized
political structures and
pursues matters of interest
to its members
------------------------------------------------------------------------
NTIA National Agency of the Department of
Telecommunications Commerce serving as principal
and Information adviser on telecommunications
Administration policies, including economic
and technological advancement
------------------------------------------------------------------------
Registrar A body recognized by a
registry to sell/register
domain names (GoDaddy,
AfterNic, eNom, etc.)
------------------------------------------------------------------------
Registry A company or organization
maintaining a centralized
database for the TLDs or for
some IP address blocks
------------------------------------------------------------------------
WGIG Working Group on U.N. working group set up
Internet after 2003 WSIS in Geneva to
Governance make proposals for Internet
governance at the 2005 WSIS
in Tunis
------------------------------------------------------------------------
WHOIS Method of querying a registry
or registrar database to
determine the owner of domain
name
------------------------------------------------------------------------
WSIS World Summit on A series of meetings on
Information information and
Society communications, including
Internet governance, under
the purview of the IU and UN
------------------------------------------------------------------------
Senator Smith. Thank you, sir.
Senator Burns?
Senator Burns. Thank you, Mr. Chairman.
Dr. Twomey, you have a Working Group on Internet Governance
here from the U.N. What kind of a group is this, and what
standing does it have with regard to ICANN?
Dr. Twomey. Thank you, Senator. Good to see you again.
Senator Burns. Good to see you.
Dr. Twomey. That working group has actually completed its
work. It was an input to the U.N.'s World Summit on Information
Society. It, also, has finished its work. The implications for
ICANN have not been anything significant, in terms of the need
to change, although you and Senator Stevens have pointed out
the international interests, obviously, in some of these areas.
The U.N. continues to run a--what's called the Internet
Governance Forum. It's basically, a meeting point for
discussion. But, in terms of ICANN's own operations now, there
is--although this is an ongoing area for monitoring, they don't
have direct effect at all.
Senator Burns. In other words, they don't have any official
standing with ICANN, then.
Dr. Twomey. No.
Senator Burns. And we heard, in the testimony of Ms. Jones,
of the 5-day waiting period. Are you doing anything to address
that? I guess it caused--some problems are created by that
grace period. Can you address that situation and bring us up--
tell us, kind of, what it is and how it affects your operation.
Dr. Twomey. Senator, you're pointing out there's a--with
the registries, some of them have agreements--well, they have
agreements with registrars which allow for the registration of
a name, but not for the payment of that name, within--for a 5-
day period. And there is an emerging pattern of people putting
names in, in day one, and seeing whether there's any value in
those names, particularly for online advertising, by day five.
If there's not, they keep it--if there is, they keep it; if
it's not, they give it back. There are some aspects about this
that our compliance people are actually looking into, but there
are also aspects about this which are part of the market
operating.
Senator Burns. Do you want to comment on that, Ms. Jones?
Ms. Jones. Well, we have provided, upon ICANN's specific
request, detailed information about registrars who are engaged
in the practice of purchasing--or registering domain names and
then deleting them before the 5-day grace period expires.
Senator Burns. Is that term--that's ``tasting''?
Ms. Jones. We would call that ``domain-name kiting.''
Senator Burns. Kiting?
Ms. Jones. Yes. So, it would be like ``check kiting,'' but
only with a domain name, where you register it and then you get
a refund before the 5-day grace period ends, so you never have
to pay for it, essentially. We've provided information, and
they've assured us that they would investigate further, to the
openness and transparency discussion that we had earlier. We
haven't heard anything back from them.
We would like for the whole entire practice to be
eliminated. It does appear to be, at least in spirit, a
violation of the contract that registrars have as a part of
their accreditation.
Senator Burns. What is the cost of that registrar? What
does it cost?
Ms. Jones. Well, for example, with a dot-com name, it would
cost $6 to register the name, and then you would get the entire
$6 back when you cancel the registration within that 5-day
period. So, it wouldn't cost you anything. And that's the
insidious part of the whole practice, is that basically you're
using domain names, and taking them away from other legitimate
users, without paying for them.
Senator Burns. OK. I guess--maybe the next question--Dr.
Twomey said--can you justify doubling your budget in the last 5
years?
Dr. Twomey. Well, let me just--to the point just made,
Senator, I have confirmed, personally, with the CEO of Go
Daddy, that we are investigating this, and we will investigate
this particular thing you just referred to----
Senator Burns. OK.
Dr. Twomey.--in--within our compliance terms.
To come to your point about budget, the demands on--for the
coordination of the DNS to do the sorts of compliance work
we're talking about just in this conversation, to do many of
the things that Christine has already raised, and to be able to
support the large growth of the DNS, has--does require
additional resources. We have moved to increase that budget.
That budget process is done, Senator, through a very bottom-up
process. We have a process of--where we have a strategic plan
that the community develops. Behind that strategic plan, we
then develop--there's an operational plan the community all
responds on, project by project, and, at the end of that
process, it's actually then calculated how much does it cost us
to do all these things the community wants us to do? And that's
the process which has actually driven the increase in the
budget, as a reaction back to the things that people want to
do.
The budget is not a huge amount of money. For this coming
financial year, it is budgeted for about $33 million. So,
that's for the coordination of all of these factors coming out
of that community process.
I'm very, very conscious of the need for accountability on
that, and for transparency, and we do have, I think, a very
accountable and transparent process. I wonder if I might just
comment on that.
One of the things that I'm very conscious of, as the
President of ICANN, is, I think, as an organization, we are
actually very transparent. But, at the moment, we're suffering
a little bit of being transparent, like credit card agreements
are transparent--everything's there, but it's not necessarily
easy for people to understand what's there. And I think that's
one of our great tasks, going forward. We need to make it not
only transparent, but more easy for people to understand what's
in the material and what's being put forward. And that's one of
our very high priorities this coming year.
So, there's a distinction, I think, between being
transparent and being accessible, and accessibility is one of
our challenges, at the moment.
Senator Burns. Well, it seems to me that the matter of
transparency has surfaced here, and I guess that would--I could
follow-up--the leverage that the registrars have with regard to
the process of ICANN and also with regard to their budget, do
they have any leverage in that?
Dr. Twomey. Well, Senator, it's a good question. The
registrars, 2 years ago--well, 18 months ago--constituted the--
by far, the greatest contribution to the ICANN budget. And, at
the time, they themselves asked us to make an effort to
rebalance their contribution to ensure that the registrees made
more contributions. So, in the discussions with the registrees
concerning their contracts, we have actually moved to change
the financial flow so that there is more contribution, then,
from the registrees. We have frozen any increases from the
registrars on any sort of per-transaction basis, and, indeed,
we'd look at--they've got proposals in front of us of being
able to change that and amend it, and we are open to
alternative sources of revenue. If the registrars put forward
to us different views, we'd decrease their contributions
further, as well. So, we are very open to their input about
ensuring we have a widely balanced budget and sources of
revenue, and we've been working toward that, quite
specifically.
The registry agreements, including the dot-com agreement,
have terms in there specifically coming out of that
conversation, to shift the balance of contribution.
Senator Burns. Thank you, Mr. Chairman.
The Chairman. Mr. Chairman, if I may----
Senator Smith. Yes, of course.
The Chairman. For your information, I've just had a
discussion with Senator Smith. You know, at times we run into
subjects we need to know a lot more about. And we've had a
little habit of calling just for listening sessions. I think,
assuming the management doesn't change around here after this
new period we're going to go through here----
[Laughter.]
The Chairman.--I would want to hold a listening session and
get people to come in and just tell us what their function is
and how they view this arrangement, and how much they think we
ought to be involved, or ought not to be involved. We ought to
do some listening on this one before we really react.
Ms. Jones, I appreciate your comments, and I'm sure that
Dr. Twomey wants to have some counter-comments. But we used
that process in approaching the communications bill, and it
worked very well. And I would like to hold a listening session
early next year, if that's agreeable to you, Mr. Chairman.
Senator Smith. Yes, I would heartily agree with that as a
need, and certainly, I think we should consult Chairman-in-
waiting, Senator Pryor.
[Laughter.]
Senator Smith. But obviously it's the kind of thing that we
all look for more knowledge on.
The Chairman. Well, I have a feeling Senator Inouye would
agree.
Thank you very much. I must go to another meeting.
Senator Smith. OK. Thank you, Senator.
Senator Pryor?
Senator Pryor. Thank you, Mr. Chairman.
Dr. Twomey--is that how you pronounce your name--Twomey? I
would like to--I don't know if you heard my last series of
questions with the previous panel, but I'd like to ask you
about the dot-xxx domain. And I would like to understand what
happened. You know, my impression was that dot-xxx had a lot of
support, that a lot of folks here in this country and around
the world thought it was a good idea, could be a good
development. But it didn't happen. So, I'd like to hear ICANN's
version of the facts there and what happened.
Dr. Twomey. Senator, ICANN put out, as part of the process
for introducing more competition among the gTLD space, a round
of so-called ``sponsored top-level domains,'' top-level domains
that are sponsored by a community or a particular grouping for
the use of their own community. We received ten applications.
One of those applications was for dot-xxx for the community of
responsible adult-content providers, as they put it. That--our
processes of--included the posting of these agreements, the
posting of the comments, and allowed for a lot of public
comment on those consultations. It also allows for comments
from our various supporting organizations, and, very
importantly, allows for--in our bylaws, for the advice of
public--for the provision of public policy advice from the
Governmental Advisory Committee on which there are over a
hundred governments participating.
As the process continued with those various registries,
particularly dot-xxx, we received a lot of public comments. We
received, I would say, over 100,000 comments from various--
online comments from various members of different associations
in the United States against the dot-xxx. We received various
comments from people in favor of it. And we did receive
requests from governments--not just the United States, but a
number of other governments--asking for more time to allow
governments to consider the implications of the application. We
had a meeting in March this year in Wellington, New Zealand,
and in that meeting the Governmental Advisory Committee put
forward some advice concerning public-policy issues.
The Board eventually made a decision based on a number of
issues that--the reasons for those decisions were made public
for each of the Board Members. It's not one comprehensive set
of reasons. But not in a majority--not in a unanimous sense,
but in a majority sense, most of the Board Members decided that
the contract, as put before us by the applicant--and at the
time when the applicant asked us, the applicant not only put
forward to us a redraft of the contract, but said, ``Please
vote on this now''--the majority of the board, on the basis of
that contract, felt that they could not proceed, a number of us
feeling that some of the provisions in the contract were not
enforceable.
So, that's the sort of formal status of the process that
was followed. It has a lot to do with the nature of the
contractual language put forward by the applicant, and a lot to
do with the timing of the request for actually proceeding with
that vote.
Senator Pryor. Well, that may actually go to Senator
Stevens' previous point about, maybe we need to know more about
this. And maybe this also illustrates one of the problems, at
least from the outside looking in, with ICANN, is that there's
not a lot of transparency there, and--at least that's the
perception. And you all go through this process, and you're in
New Zealand, and you make this decision, and I guess I don't
know what it means that parts of the contract are not
enforceable. What does that mean, ``parts of the contract are
not enforceable''?
Dr. Twomey. There were aspects of the contract language
that was put forward that some Members of the Board--and I
should let the record speak for itself, Senator. I mean, I--the
Senate--the record of the ICANN Board meeting is available
publicly, and the decision was available publicly. And the
actual wordings of individual Board Members on their rationale
for decisionmaking is there, available. I--and they felt that
certain parts of the--being able to--certain language related
to enforcing all public--all relevant public policy from all
relevant countries was, sort of, language that some of them
found it difficult to consider that was enforceable under the
contract. I give that as an example, but I should point back to
the record. We actually--and we can--I can--I'm happy to come
back to you in writing to point out the--that record, point out
the reasons given by the Board Members who were voting.
Senator Pryor. Yes, I'd like for you to do that.
[The documents from the March 25-31, 2006 meeting in
Wellington, New Zealand are available at http://www.icann.org/
en/meetings/wellington/].
You said that you had about 100,000 negative responses from
inside the U.S. Do you know, were those generated by groups or
were those just----
Dr. Twomey. They were generated by groups, the--groups like
the American Family Association and others.
Senator Pryor. OK. And apparently some asked for more time,
as well. Has ICANN decided to give this more time, or have you
just--is this a flat rejection?
Dr. Twomey. There was extensive period of time additionally
given to this particular application, at that request. And
we're--it was the applicant who, themselves, said, ``Please
move forward with this vote. Please, we'd like you to move it
to the vote now and make a decision, one way or the other,''
when that decision was made.
Senator Pryor. Has there been any follow-up with the
applicant to see if they want to make another run at this?
Dr. Twomey. The applicant has--the process is not
completed, because we do have two rounds of--two processes for
review available to the applicant, both a review committee of
the Board and then an independent review panel, an independent
arbitrator.
Senator Pryor. Have that----
Dr. Twomey. And then----
Senator Pryor. Has the applicant requested review?
Dr. Twomey. They have requested--they have requested a
review--the review is underway--but those two mechanisms are
still available to the applicant.
Senator Pryor. OK.
Mr. Chairman, that's all I have right now. I may have some
more in writing, but I know we're trying to get to a vote here
in a few minutes.
Senator Smith. Well, thank you very much, Senator Pryor.
And I'll also have some written questions, because of the vote.
But I do want to ask one, and if you can answer as briefly
as possible so I can hear your answers, I would appreciate it.
As you all know, in 2005 the current dot-com registry operator
won a competitive bid process to continue to operate the dot-
net domain registry. And, with that, the prices have fallen, or
at least, for dot-net, dropped from $6 to 3.50 through the end
of 2006. At the same time, lots of security measures, I
believe, have been put into the system including infrastructure
investments. The competitive model seemed to work in dot-net,
but now, the proposed dot-com registry contract apparently
removes all of that and puts in automatic price increases. And
I'm just wondering if that's defensible, if that's the right
thing.
Dr. Twomey. Senator, I assume that question is to myself,
but I'll make two observations. I think you're actually
confusing two agreements. The dot-net agreement is the one
you're referring to, which----
Senator Smith. Correct.
Dr. Twomey. All right. The dot-com agreement--if your
question is going to the question of rebidding--the dot-com
agreement process of whether it could be rebid or not was
decided in 2000 and 2001 by discussions by then-ICANN Board
Members, the DOC, and VeriSign, and that was a whole set of
discussions involving, if you like, breaking up the control
that VeriSign had on dot-com, dot-net, and dot-org, where dot-
org was rebid so that VeriSign could not rebid, dot-net was
rewritten such that dot-net could be rebid and VeriSign could
be one of the bidders, and dot-com was agreed would continue
under dot-com's--under VeriSign's control. That was actually in
the 2001 contract.
As the contracts come up for renewal or rediscussion now,
the ICANN Board does not have any legal freedom to be able to
change the provision that was in the--already agreed in the
2001 set of arrangements agreed with the Department of
Commerce, VeriSign, and the then-ICANN Board. So, the point
you're--the point you're--it's just to distinguish between
those two contracts.
Senator Smith. Correct. Well, thank you for that.
I guess the question that a lot of people are asking now,
though, is, what's wrong with bidding out the dot-com? And why
not let VeriSign win it, if they can, with a competitive bid?
Dr. Twomey. Well, apart from the question that--the legal
difficulties that we have already under contract, with that
particular question, I think there's a second question that the
ICANN Board is taking very seriously about its responsibilities
for both competition and also security and stability. The
introduction of new gTLDs, introduction of new TLDs available
to compete with dot-com, we think, is a very important part of
implementing competition. The second point we should make very
clear is the introduction of new registrars has been a key part
of the competition for registrants. We now have nearly 800
registrars, and it's the competition amongst registrars that
have reduced prices significantly to the end users.
Indeed, the changes in pricing we saw in dot-net have not,
on the whole, been passed through to registrants. The
registrars themselves have taken the benefit of those price
reductions, not the registrants. And that's the nature of the
structure of the market, with registrars traditionally
competing separately.
So, the question of competition, we think, is very much
about an introduction of new gTLDs. The Board has also thought
very carefully about the position put to the--by the various
registries of their need for certainty for capital investment,
for the sorts of investments that security and other demands
are making upon them. And while the board has not moved to
reduce the provisions in the contract which allow us to
intervene in the case of people breaching security arrangements
and being able to move against them, the board has come down,
on balance, to say there is--they are persuaded by the need to
have certainty for capital investment as being an important
part of ensuring security and stability.
Senator Smith. And is that what justifies the automatic
price increases?
Dr. Twomey. Well, that's what's justifying the renewals.
Ms. Jones. Mr. Chairman, may I be heard briefly on that
point?
Senator Smith. Yes.
Ms. Jones. I'm happy to hear the commitment to additional
infrastructure spending, but I think the point is, if there is
going to be a presumptive renewal and an automatic price
increase built into this contract, there should be some price
justification. And to your point about the dot-net agreement,
when that was competitively bid, the price didn't increase by 7
percent, the price decreased. And that goes to a lot of
reasons, not just because of economies of scale, but also
because what we're talking about are commodity products--
bandwidth and hosting and all of the things that all of us buy
and all of us have to spend money on. We do it, too, with our
system and our networks. The costs of all of it--you know--
because when you buy a laptop today it costs you one-tenth of
what it cost 10 years ago. Prices go down. And so, put aside
for a minute the economies of scale, because we know that
VeriSign built this huge system that's magnificently scalable,
and we all admire them for it. Put that aside for a minute.
Even if we didn't take that into consideration, we still know
that commodity pricing goes down. And so, there is simply no
reason, that we can see, to build in a price increase; and if
they're going to build in a price increase, tell us why.
Senator Smith. What's the justification?
Ms. Jones. Why do you need the price increase, and why is
it so difficult to say it?
Senator Smith. I mean, you've said my question better than
I did. But, I mean, I've been in the commodity business,
myself, and, frankly, economies of scale and commodity pricing,
such that where there is competition, it doesn't warrant these
kinds of increases. But, Mr. Silva, maybe you have another view
of that.
Mr. Silva. Senator, I'd like to follow up on that, if I
may.
Ms. Jones is a very good attorney, and she's representing
her client very well. OK? But she's not a technologist. OK?
We're not talking about commodity hardware here. OK? We're
talking about massively scalable databases. OK? These are very
complex. Moving data in a disaster-recovery scenario from one
place to another is significantly more complicated in a
database that size. Significantly more.
So, dot-net prices did go down during the rebid process.
It's a different animal. It's a much smaller zone. It's a much
smaller problem, quite frankly. OK?
Now, I will point out that consumers never saw one red cent
of that reduction in price. OK? Registrars maintained the same
prices that they were before the price reduction from the
registry.
Now, let's--so, first of all, there's no automatic price
increase at 7 percent. OK? What there is, is the possibility of
a price increased based on the security and stability needs
that we have at the time. So, let me----
Senator Smith. And who will approve the increase?
Mr. Silva. Well--OK, so there is the--all right, so let's
think about what happened prior to Katrina. OK? The Army Corps
of Engineers, for a number of years, attempted to justify cost
increases to reinforce the levees around New Orleans. OK? For a
number of years. Sometimes they got some funding, sometimes
they didn't, but they probably never got all of the funding
that they wanted.
Now, when a hurricane started forming out in the tropics,
and started heading in that direction--OK?--they probably would
have gotten all the funding that they wanted at that time. The
problem is, it would have been too late. OK?
We constantly probe and penetrate our systems, and know
where their weaknesses are, know where their scalability is,
and know where it's about to fail. We know better than anyone
when we have to make that investment, sometimes 3 or 4 years
out. Sometimes it has to be made in 6 months, sometimes it has
to be made in 3 months. OK?
So, there are also consensus policies that are built into
the agreement--OK?--which continually change the raising of the
bar for the security standards. OK? This is a very fluid
requirement. And if we take--for example, 2 years ago, when I
worked on the NRIC Council, OK, on cybersecurity, we made 150
recommendations for what companies ought to do to reinforce
cybersecurity. The following year, we made 250. OK? We will
never know, at any snapshot in time, what that number's going
to be, or what it's going to equate to. But we have increased
capacity 10,000 times. We have 10,000 times the capacity today
that we had in 2000. OK? And that still is not enough. OK? And
I can't predict to you what it's going to be in 2012. OK? But
in terms of cost justification--OK?--this is really--this
really boils down to security and stability. When we need to
spend the money, we need to spend the money. OK? And we can't
go to our competitors and ask them for permission to spend it.
Senator Smith. Well, please be clear, I'm not saying the
price increase is justified or not. I'm simply inquiring,
because I want to make the point to you that this is one of the
areas of concern. Usually when you have just one provider, you
have a potential monopoly, and that requires regulation. I'm
not a regulator.
Mr. Silva. Right.
Senator Smith. But I am saying that with a monopoly,
without regulation, there has got to be some sort of market
test, and I think people are going to be looking to you to
justify these levels of increases. And it may be entirely
warranted. I'm not making a judgment on that. But it is an area
of real concern.
Mr. Silva. Right. So, I think, in this particular case--
OK?--that is what is built into the agreement, is a cap on the
amount that they can, in fact, be raised. OK? So, for 7 years
they weren't raised at all. OK? Not at all. OK? Even though the
number of registrations grew at a specific rate--OK?--the
threats and the volume of traffic that we see, just in normal
traffic--OK?--security issues aside, the security issues are so
phenomenally higher, in terms of the volume of activity that we
see, over what we register as new names--OK?--6 months ago--or,
excuse me--so, 8 months ago, I would have told you that, yes,
you know, it's perfectly reasonable, we could probably forecast
out a couple of years what we would need. And then all of a
sudden January came, and we got hit with an attack ten times
larger than anything we would have expected. And I can tell you
right now that when I briefed the Department of Homeland
Security, and when I held a classified briefing with the Senate
Intelligence Committee on exactly what this threat meant, not
only to our system, but to their systems--OK?--they took this
very seriously. National Infrastructure Protection Plan calls
for private industry to make significant investments where they
control critical infrastructure. We plan on making those
critical investments. And basically that's what these
provisions are for, so that when all of a sudden Windows
VistaTM comes out--and experts have said that that
could as much as double the amount of DNS traffic--we're able
to respond to it in a timely fashion.
Senator Smith. I wish we had more time to go on with this,
but I'm going to miss a vote if I don't adjourn this hearing.
I, again, apologize for my delay, and I thank my colleagues for
proceeding, out of respect for your time. We thank you for your
contribution to this hearing. And we have more to learn and
more to do, because this is an enormously important topic.
So, with that, we thank you and we're adjourned.
[Whereupon, at 11:30 a.m., the hearing was adjourned.]
A P P E N D I X
Prepared Statement of Hon. Gordon H. Smith, U.S. Senator from Oregon
I call to order this hearing of the Senate Subcommittee on Trade,
Tourism, and Economic Development.
Today's hearing considers Internet governance and the future of
ICANN.
In 1997, the Secretary of Commerce was directed by the President to
privatize the management of the domain name system in a manner that
increases competition and facilitates international participation in
its management.
Soon thereafter the Department of Commerce signed an official
Memorandum of Understanding recognizing ICANN--the Internet Corporation
for the Assignment of Names and Numbers, as the new, not-for-profit
corporation to manage the domain name system.
Under the terms of the MOU, ICANN has the authority to:
1. Set policy for, and direct the allocation of, the IP
addresses that underlie each domain name.
2. Oversee the operation of an authoritative root server
system,
3. Set the policies for determining how new top level domains
would be added to the root system; and
4. Coordinate the assignment of the Internet technical
parameters needed to maintain the universal connectivity of the
Internet.
The MOU between the Department of Commerce and ICANN expires on
September 30, 2006 among controversy in the international community.
Some are suggesting that no single government should have a
preeminent role in relation to the Internet and are calling for further
internationalization of Internet governance.
This would be a mistake. The current system for management of the
domain name system works. The Secretary of Commerce should maintain
oversight of ICANN so that ICANN can continue to manage the day-to-day
operation of the Internet's domain name and addressing system and
remain responsive to all Internet stakeholders worldwide.
Today's hearing will examine the management and governance of
ICANN, including the future of the Domain Name System, recent concerns
expressed regarding the current ICANN-VeriSign settlement agreement,
and privacy issues surrounding the ``WHOIS'' database.
I thank all of our witnesses for rearranging their schedules to
appear before the Subcommittee and look forward to your testimony.
______
Response to Written Questions Submitted by Hon. Daniel K. Inouye to
John M.R. Kneuer
Question 1. As part of the settlement of a long-running dispute
between ICANN and VeriSign, the ICANN Board of Directors approved a new
dot-corn agreement with VeriSign. Under this settlement, VeriSign will
be in charge of the dot-com registry until 2012 (with a presumption
that the agreement will be renewed beyond that date), and will be able
to raise domain registration fees by 7 percent in four of the next 6
years. Critics of the settlement assert that the agreement is
anticompetitive, giving VeriSign a virtually permanent monopoly over
the lucrative dot-com registry, while also enabling VeriSign to raise
registration fees without justification.
Many critics of the settlement agreement argue that the presumptive
renewal clause would allow VeriSign to hold on to the dot-com registry
in perpetuity. How do you see ICANN holding the registry operator
accountable without the strong leverage of awarding the contract to a
competing operator?
Answer. Over the course of the past 6 months, I and other Commerce
Department officials have met with a number of interested stakeholders
including registrars, Internet service providers, and search engine
companies with interests in or concerns about the .com Registry
Agreement. The concerns have largely focused on the impact on
competition of the proposed price increase for registrations permitted
by the new agreement and the terms for future renewals of the new .com
Registry Agreement. The Commerce Department has sought the advice of
the Antitrust Division of the Justice Department on the competition
concerns raised.
It is also important to note that other interested stakeholders
have advocated that the renewal terms of the proposed agreement benefit
the security and stability of the Internet domain name system. We have
also consulted with those Federal agencies with expertise in the areas
of security and stability on this matter.
Based on the information that we have gathered, I am confident that
any decision made by the Department will appropriately balance all of
these interests to ensure the continued stability and security of the
Internet domain name system and of promoting the consumer benefits of a
competitive marketplace.
Question 2. One of ICANN's primary missions is to promote
competition. How does a presumptive renewal clause promote competition?
Answer. As noted above, the Department is reviewing the proposed
new agreement in its entirety to ensure both the continued stability
and security of the Internet domain name system and of promoting the
consumer benefits of a competitive marketplace.
Question 3. Cybersecurity is a critical mission that all
organizations struggle with. How can ICANN ensure that the registry
operators are making the necessary security enhancements to guarantee
the stability of the domain name system? How can ICANN hold a registry
operator accountable?
Answer. Cybersecurity standards are developed by various industry
organizations, such as the Internet Engineering Task Force (IETF), ISO,
and IEEE, and adherence to the various standards is voluntary for the
most part. While ICANN is not a standards organization, it promotes the
adoption of industry standards through its agreements with registry
operators to comply with these standards. Registry agreements address
the technical performance obligations, including compliance with the
various industry-developed standards, security requirements and outage
reporting that all registry operators must meet. In addition each
registry agreement contains a service level agreement which clearly
sets forth the registry operator's obligation for failure to meet the
technical performance specifications.
Question 4. Assuming that NTIA approves the settlement agreement,
what mechanisms would ICANN have available to ensure that it has
meaningful control over the service quality or conduct of registry
operators?
Answer. Like any commercial agreement between private sector
parties, the proposed new .com Registry Agreement contains enforcement
provisions. It also contains quality of service commitments that ICANN
can enforce under the terms of the agreement.
Question 5. The settlement agreement allows VeriSign to raise
domain registration fees by 7 percent in four out of 6 years without
having to provide a justification. Do you believe that a registry
operator should be required to publicly justify any price increases?
If no--Why not? Doesn't a registry operator enjoy a monopoly over
the pricing for a specific top-level domain?
If yes--What concerns do you have with the VeriSign settlement that
would allow it to increase prices by 7 percent four out of 6 years
without having to provide a justification? How is such a clause not
anticompetitive?
Answer. The domain name marketplace is not a regulated one. Prices
are set based on negotiations between private sector parties. The price
cap for .com registrations and price adjustments permitted under the
proposed new .com Registry Agreement were negotiated by ICANN and
VeriSign.
Nevertheless, the Commerce Department is aware of the concerns
raised primarily by the registrar community about the impact of a price
increase on their industry. We have been in consultation with the
Antitrust Division on this issue and will be guided by its advice in
any final decision the Department makes.
Question 6. Do you think it is reasonable for a registry operator
to explain to ICANN their reasons for a price increase, and then have
ICANN approve or reject such a proposal accordingly?
What criteria is used to evaluate price increases? Specifically,
under what circumstances would an automatic price increase without
justification be acceptable?
Answer. As noted above, the domain name marketplace is not a
regulated one. Prices are set based on negotiations between private
sector parties. To introduce government price regulation would be a
significant departure from the status quo and massive introduction of
government regulations that does not currently exist into a private
marketplace.
Question 7. I understand the Department of Justice's Antitrust
Division was asked to review the settlement agreement. Can you share
with us the Division's concerns? How are these concerns being
addressed? Were there recommendations or suggestions made that are not
being implemented or considered?
Answer. During its review of the proposed new .com Registry
Agreement, the Commerce Department has sought the advice of the
Antitrust Division of the Justice Department regarding the impact on
competition of the proposed price increase for registrations permitted
by the new agreement and the terms for future renewals of the revised
new .com Registry Agreement. The Antitrust Division has been gathering
information from the parties, interested stakeholders, and others on
these issues, to provide its analysis and advice to the Department on
any competition issues that may be raised by the proposed agreement. We
expect to rely on this advice to evaluate the potential impact on
competition of this agreement.
Question 8. Are you open to bringing together the different
stakeholders in order to arrive at a solution that will satisfy the
different parties and still ensure the promotion of competition?
Answer. In addition to its consultation with the Department of
Justice's Antitrust Division regarding the competition issues raised by
the proposed new .com Registry Agreement, I and other Commerce
Department and Antitrust Division officials have met with a number of
interested stakeholders, including registrars, Internet service
providers, search engine companies, among others, with interests in or
concerns about the agreement. The Commerce Department has also heard
from a number of stakeholders advocating the benefits of the new
agreement for the security and stability of the Internet domain name
system. We have also heard from Members of Congress on both sides of
the issue. Commerce Department and Antitrust Division officials have
been gathering information from proponents and opponents of the
agreement and I am confident that this information will be taken into
consideration in any final decision that is made.
Question 9. Transparency has long been a concern with ICANN. Many
critics argue that the ICANN Board operates behind closed doors, even
though the organization is charged with developing consensus through a
``bottom-up'' approach. Can you comment on ICANN's transparency issues?
How has this improved over the years? How can the organization continue
to improve?
Answer. The Department has long considered transparency to be a
fundamental principle to ICANN's overall mission and function. The
current Memorandum of Understanding (MOU) was structured to ensure that
ICANN becomes a sufficiently stable, transparent, representative, and
sustainable management organization capable of handling the important
tasks associated with the technical management of the Internet domain
name system into the future. This MOU also contains specific provisions
intended to improve transparency, efficiency, and timeliness in the
consideration and adoption of policies. While ICANN has made several
improvements in its decisionmaking and policy development processes, as
well as in internal reviews and evaluations of these processes, I
believe ICANN is mindful of the need for continual improvement. The
Department's recent public consultation process has revealed strong
support from a majority of interested stakeholders for a more specific
focus on transparency and accountability in ICANN's internal procedures
and decision-making processes.
Question 10. The ICANN Board has proposed new contract agreements
for the operators of dot-biz, dot-info, and dot-org. The contracts for
dot-biz and dot-info are not up for renewal until next year and dot-org
isn't to be renewed until 2009. The public was not aware that
negotiations were taking place until ICANN posted the proposed
agreements for public comment. Can you comment on ICANN's transparency
in developing the proposed agreements for the dot-biz, dot-info, and
dot-org top-level domains (TLDs)?
One element of the newest proposal is to allow for differential
pricing of domain names. Can you explain the public policy rationale
behind allowing a registry to apply a differential pricing scheme for
specific domain names?
Is there concern that a registry could limit free speech by
charging an unreasonable fee to register a domain name critical of
political party, public figure, or issue?
Answer. The proposed new registry agreements for the .biz, .org,
and .info top level domains are commercial agreements between private
sector parties. As I understand it, under the terms of the existing
agreements, the parties can mutually agree to amend or enter into new
agreements. The Department of Commerce has not examined the pricing
provisions of these agreements. ICANN has posted all three agreements
for comments from interested stakeholders. I expect ICANN will fully
consider the interests of all interested stakeholders as it negotiates
these agreements.
Question 11. Last year NTIA urged ICANN to reject the creation of a
dot-xxx top level domain. Under pressure from the U.S. Government, and
much to the consternation of the international community as a result,
ICANN ultimately rejected the dot-xxx domain. Can you describe NTIA's
involvement in rejecting the creation of a dot-xxx top level domain?
Answer. In June 2005, the ICANN Board of Directors approved the
initiation of negotiations between ICANN staff and ICM Registry, the
applicant for the .xxx domain. Beginning in July 2005, ICANN's
Governmental Advisory Committee (GAC) began to raise questions
regarding the procedure followed by the Board in reviewing the
application and its rationale for entering into contract negotiations.
On August 11, 2005, then-NTIA Assistant Secretary Michael D. Gallagher
sent a letter to ICANN's Chairman of the Board requesting that ICANN
take into consideration all comments it received during its
consideration of this application (see letter to Dr. Vinton Cerf,
attached).
In response to the GAC's request for additional information and
requests from other governments, ICANN released its comprehensive
Evaluation Report on all of the sponsored top level domain applications
in November 2005. The ICANN Board elected to defer consideration of the
.xxx application pending a review of the Report by the GAC.
The GAC considered the report and additional information during its
March 2006 meeting in Wellington, New Zealand prior to the ICANN Board
meeting there. The GAC conveyed its views and concerns to the Board
through a communique. As part of the process in developing that
communique, I sent a letter dated March 20, 2006, to the GAC Chairman
expressing concerns about ICANN's ability to obtain the public policy
benefits promised by the applicant absent enforceable contract terms in
the proposed .xxx Registry Agreement (see letter to Mr. Sharil Tarmizi,
attached).
On May 10, 2006, the ICANN Board of Directors made a final decision
to disapprove the pending application from ICM Registry to manage the
proposed .xxx top level domain.
Attachments
U.S. Department of Commerce--The Assistant Secretary for
Communications and Information
Washington, D.C., August 11, 2005
Dr. Vinton Cerf,
Senior Vice President, Technology Strategy,
MCI
Ashburn, VA.
Dear Dr. Cerf:
I understand that the Board of Directors of the Internet
Corporation for Assigned Names and Numbers (ICANN) is scheduled to
consider approval of an agreement with the ICM Registry to operate the
.xxx top level domain (TLD) on August 16, 2005. I am writing to urge
the Board to ensure that the concerns of all members of the Internet
community on this issue have been adequately heard and resolved before
the Board takes action on this application.
Since the ICANN Board voted to negotiate a contract with ICM
Registry for the .xxx TLD in June 2005, this issue has garnered
widespread public attention and concern outside of the ICANN community.
The Department of Commerce has received nearly 6,000 letters and e-
mails from individuals expressing concern about the impact of
pornography on families and children and opposing the creation of a new
top level domain devoted to adult content. We also understand that
other countries have significant reservations regarding the creation of
a .xxx TLD. I believe that ICANN has also received many of these
concerned comments. The volume of correspondence opposed to creation of
a .xxx TLD is unprecedented. Given the extent of the negative reaction,
I request that the Board will provide a proper process and adequate
additional time for these concerns to be voiced and addressed before
any additional action takes place on this issue.
It is of paramount importance that the Board ensure the best
interests of the Internet community as a whole are fully considered as
it evaluates the addition of this new top level domain. Thank you for
your attention to this matter.
Sincerely,
Michael D. Gallagher.
cc: Dr. Paul Twomey
U.S. Department of Commerce--The Assistant Secretary for
Communications and Information
Washington, D.C., March 20, 2006
Mr. Sharil Tarmizi,
Senior Advisor, Office of the Chairman,
Malaysian Communications and Multimedia Commission;
Chair, Government Advisory Committee of ICANN,
Selangor Darul Ehsan, Malaysia.
Dear Mr. Tarmizi,
Pursuant to the ICANN Government Advisory Committee (GAC) meeting
in Vancouver in November 2005, the Department of Commerce has
undertaken an analysis of the proposed .xxx Registry Agreement to
determine whether its provisions reflect the commitments made by ICM
Registry. As you will recall, the ICM Registry presentation to the GAC
outlined in some detail the anticipated public interest benefits of its
application for the .xxx top level domain.
The attached assessment indicates that the key commitments offered
by ICM Registry to the GAC are not reflected in the provisions of the
proposed .xxx Registry Agreement. In your capacity as GAC Chair and GAC
liaison to the ICANN Board, NTIA would appreciate your sharing this
information with both the GAC and the Board prior to the Wellington,
New Zealand meeting.
Sincerely,
John M.R. Kneuer,
Acting Assistant Secretary.
cc: Mr. Paul Twomey.
Omissions in the Proposed .xxx Registry Agreement
In its application, supporting materials, and presentation to the
Governmental Advisory Committee in November 2005, ICM Registry (ICM)
promised certain public interest benefits as part of its bid to operate
the .xxx domain. These promises, however, have not been included in the
proposed .xxx Registry Agreement negotiated with ICANN, and thus, ICM
is not obligated to provide these public interest benefits. Section
8.12 of the .xxx Registry Agreement provides in pertinent part: ``This
Agreement (including its Appendices, which form a part of it)
constitutes the entire agreement of the parties hereto pertaining to
the operation of the TLD and supersedes all prior agreements,
understandings, negotiations and discussions, whether oral or written,
between the parties on that subject.'' Thus, if ICM is not required to
provide the public interest benefits by the terms of its registry
agreement, it is not obligated to do so.
Below is a sample of the ICM promises that do not appear in the
proposed .xxx Registry Agreement:
To Form a Nonprofit Policy Development Entity to Create Rules for
.xxx. In the .xxx application, ICM stated that it formed a nonprofit
Canadian entity (International Foundation for Online Responsibility
(IFFOR)) to develop rules and policies to govern a new .xxx domain. ICM
Application, Part B, at 2-5, 7-13. The proposed .xxx Registry Agreement
does not require ICM to form or maintain this nonprofit entity or to
abide by any .xxx rules it would establish. Instead, the proposed .xxx
Registry Agreement delegates all policy development authority for .xxx
to ICM. In fact, the proposed .xxx Registry Agreement provides that the
IFFOR Board will not be created until the day that the agreement is
signed and will not be in place until 90 days after signing. See .xxx
Registry Agreement, Appendix S. Moreover, IFFOR is not a party to the
proposed .xxx Registry Agreement.
To Require .xxx Registrants to adhere to Best Business Practices as
a condition of .xxx registration. ICM promised that IFFOR would develop
rules to this effect (ICM Application, at 3, 16). There is no
requirement to do so in the proposed .xxx Registry Agreement and IFFOR
is not a party to this agreement.
To Require all .xxx Registrations to be ICRA Labeled. In its
presentation to the ICANN Government Advisory Committee, November 29,
2005, ICM promised that it would require all .xxx registrations to be
labeled according to the Internet Content Ratings Association (ICRA)
ratings to permit filtering of content. ICM further promised that any
website that points to a .xxx site must also be ICRA labeled. There is
no provision in the proposed .xxx Registry Agreement that would
obligate 1CM to require such labeling.
To Safeguard Children Online. ICM promised that IFFOR would sponsor
the development of technology tools and education programs for parents.
(ICM Application, at 3, 16; The Sponsored .xxx TLD Proposals: Executive
Summary for the ICANN Board, at 2). ICM also promised that IFFOR would
fund the participation of independent advocates for children (ICM
Letter to ICANN, October 9, 2004, at 17). These promises are not
reflected in ICM's obligations in the proposed .xxx Registry Agreement
and IFFOR is not a party to this agreement.
To Combat Child Pornography. ICM promised that IFFOR would provide
funding and tools to combat online child pornography and to prohibit
child pornography in the .xxx domain as defined by international law.
(ICM Application, at 3; ICM Letter to ICANN, August 15, 2005, at 2;
ICM's Responses to Evaluators' Questions, Question 2). This promise is
not reflected in ICM's obligations in the proposed .xxx Registry
Agreement and IFFOR is not a party to the agreement.
To Implement a WHOIS Compliance Program. In its application (ICM
Application, at 20-21), ICM promised to document false and inaccurate
WHOIS data and to implement additional verification processes. This
promise is not reflected in ICM's obligations in the proposed .xxx
Registry Agreement.
To Provide Funds for Global Child Initiatives. ICM promised to give
IFFOR $10 per .xxx domain name so that IFFOR can make some of this
funding available for global child advocacy community targeted
especially to eradicate child pornography. (ICM Memorandum to the ICANN
Board of Directors, November 2, 2004, revised December 7, 2004, at 5).
ICM also promised that IFFOR would provide grants to developing
countries in the area of child online protection. (ICM's Responses to
Evaluators' Questions, Question 7). There is no obligation in the
proposed .xxx Registry Agreement for ICM to fund IFFOR or for IFFOR to
provide this kind of financial assistance to child advocacy groups or
developing countries. Moreover, IFFOR is not a party to the .xxx
Registry Agreement.
To Prohibit Child Exploitation including Requiring Proof of Age of
Actors Portrayed in Content in .xxx Domain. In its presentation to
ICANN's Board, April 3, 2005, ICM promised that this prohibition would
appear as part of its registration agreement with .xxx domain name
holders. There is no obligation in the proposed .xxx Registry Agreement
to this effect.
To Promote Responsible Marketing Practices by Requiring .xxx
Registrants to Agree to Combat SPAM and Not Use Malicious Codes and
Technologies (i.e., Spoofing) and other Illegal and Questionable
Marketing Practices. ICM Presentation to ICANN, April 3, 2005; White
Paper, Thinking Outside the Porn Box, Annex B, ICM's Intentions. There
is no obligation in the proposed .xxx Registry Agreement to this
effect.
______
Response to Written Questions Submitted by Hon. Daniel K. Inouye to
Christine N. Jones
Question 1. Many of the concerns about the proposed VeriSign-ICANN
agreement are coming from other registrars. The transfer of the dot-com
registry to VeriSign would affect other registry services as a whole.
How do the presumptive renewal and guaranteed price increases included
in the proposed agreement concern registrars?
Answer. In the current environment, allowing .com prices to
increase without cost justification is anti-competitive. .Com still has
considerable market power making up 75 percent of all registered gTLD
domain names and 80 percent of the ongoing market share. The price
increases allowed in the proposed agreement will net VeriSign over $1
Billion in incremental revenue based on current growth projections, all
of which will be passed on directly to consumers, registrars'
customers.
VeriSign has repeatedly stated that it needs these additional funds
to ensure the stability and security of the .com DNS. We have no
problem with that, but ask then that at the very least VeriSign be
required to demonstrate that need when requesting all price increases,
and be required to invest a significant portion of the additional funds
in the .com DNS infrastructure.
We explain our concerns with the presumptive renewal in our
response to the next question.
Question 2. Would the proposed agreement possibly hinder ICANN's
ability to become an autonomous body by relinquishing a substantial
amount of control over the dot-com registry?
Answer. If ICANN's mission continues to include ensuring the
security and stability of the Internet's Domain Name System (DNS), then
yes.
The .com DNS is arguably the most important element of the Internet
DNS. Yet the proposed agreement basically hands the responsibility of
the security and stability of the .com DNS entirely over to VeriSign,
leaving ICANN very little recourse if there are problems. The form of
presumptive renewal being proposed in the agreement allows VeriSign to
breach it, even repeatedly, with little more than financial penalties
as long as they cure the breaches. There is also no requirement for
VeriSign to invest in the .com DNS infrastructure.
However, under the current agreement, the conditions of presumptive
renewal would allow ICANN to make a determination as to VeriSign's
continued ability to manage the .com DNS and to provide a substantial
service to the Internet community (Section 25.B). Breaches of the
agreement and its service level requirements in particular, would
certainly be a factor in that determination. The current agreement also
required VeriSign to make substantial investments in the DNS
infrastructure it was contracted to manage, $200 million to be exact.
.Com is too important to simply assume that giving VeriSign a
perpetual renewal without conditions will be incentive enough to ensure
they continue operating it responsibly, or that they will make the
necessary infrastructure investments to ensure stable and secure
operations. ICANN, at a minimum, must allow itself an out to re-bid
.com if VeriSign fails to continue to meet the conditions as stated in
25.B of its current agreement, and must require VeriSign to make
substantial investments in the .com DNS infrastructure.
Question 3. What concerns would the reduced control over the dot-
com registry and its security measures raise for the registrar
community?
Answer. The reduced control, as a result of the strengthened form
of presumptive renewal, demonstrates an assumption that ICANN is
making--that VeriSign will continue to qualify as registry operator for
.com and will continue to invest in its infrastructure appropriately.
.Com is too important to make such assumptions regardless of VeriSign's
past performance. Investment requirements, cost justifications for
price increases, and the potential for eventual re-bid would be far
more motivating and provide the Internet community better assurance of
reliable performance of its most important gTLD.
______
Response to Written Questions Submitted by Hon. Daniel K. Inouye to
Hon. Jon Leibowitz *
---------------------------------------------------------------------------
* The written testimony submitted for the September 20, 2006
hearing reflects the views of the Federal Trade Commission (``FTC'' or
``Commission''). However, my responses to these post-hearing questions
reflect my own views and do not necessarily reflect the views of the
Commission or of any other Commissioner.
---------------------------------------------------------------------------
Question 1. What effect would the lack of competition and price
controls have on competition in the marketplace?
Answer. Your question raises important issues about the effects of
anticompetitive conduct and, as I understand it, specifically relates
to the competitive effects of the proposed settlement agreement between
ICANN and VeriSign, Inc. (the ``VeriSign Settlement Agreement'' or
``Agreement'').
Generally, consumers benefit from unfettered competition in the
marketplace. Consequently, the FTC seeks to prevent business practices
that restrain competition--including agreements among competitors to
limit competition, attempts to monopolize an industry through unfair or
exclusionary practices, and anticompetitive mergers and acquisitions.
However, each case requires a careful evaluation of the challenged
business practice.
In regard to the competitive implications of the VeriSign
Settlement Agreement, the Department of Commerce (DOC) and the
Department of Justice (DOJ) are both already considering this issue.
Pursuant to agreements among DOC, VeriSign, and ICANN, the VeriSign
Settlement Agreement is subject to DOC' s approval. DOC has consulted
with interested stakeholders about the Agreement and has sought DOJ' s
advice on its competitive effects. I am aware that Senators Hatch and
Leahy have sent letters to the Secretary of Commerce highlighting the
goal of open competition and the importance of DOJ' s guidance with
respect to whether the VeriSign Settlement Agreement has any potential
anticompetitive effects. I understand that DOC and DOJ are analyzing
the competitive implications of the Agreement and assessing its effects
on both stakeholders within the ICANN community and on American
consumers.
Question 2. What concerns do the lack of justification behind the
guaranteed price increases raise for you?
Answer. Again, my understanding is that your question relates to
the VeriSign Settlement Agreement, which DOC and DOJ are currently
reviewing.
Question 3. Worldwide attention is focused on ICANN and its role in
Internet governance. Many nations frustrated over the slow progress
toward ICANN autonomy are proposing individual governance of the
Internet. How would the proposed VeriSign agreement affect the road
toward autonomy for ICANN?
Answer. As your question aptly points out, we need to strike the
right balance to ensure that ICANN's passage to autonomy progresses as
quickly as possible--but also responsibly. To this end, DOC has a Joint
Project Agreement with ICANN to facilitate the transition of the domain
name system to the private sector. Pursuant to this agreement, DOC
advises ICANN on how to improve its transparency and accountability. It
also monitors whether ICANN effectively considers competition interests
in top-level domain management decisions. As part of its periodic
review process, DOC will evaluate relevant factors, including, if
necessary, the effects of the VeriSign Settlement Agreement, when
considering when to complete the privatization of the domain name
system.
Question 4. If ICANN does not make strides toward the goals of
transparency, bottom-up management, representation, and stability in a
more timely manner than it has, how do you think this could effect the
progress made at the World Summit on the Information Society?
Answer. I agree that transparency, bottom-up management,
representation, and stability are important goals for ICANN to pursue
and could help instill increased confidence in ICANN on the
international stage. One key to ensuring transparency and stability is
ensuring continued access to WHOIS databases, as the Commission
advocated in its testimony on September 20, 2006.
I am aware that the international community is focused on ICANN and
Internet governance as a result of discussions in the World Summit on
Information Society--and that relevant stakeholders--including DOC, the
Department of State, and ICANN--are working hard to try to satisfy all
relevant interests. As to a specific assessment of the progress ICANN
has made, DOC continues to monitor ICANN's progress in achieving the
important goals you have identified.
Question 5. How would an unstable political environment affect
domain name system (DNS) security and stability?
Answer. Preserving the security and stability of the Internet is
critical. One issue that the FTC advocates as a means of preserving the
security and stability of the Internet is continued access to WHOIS
domain name registration data. An unstable political environment could
lead to a decision not to provide WHOIS data to law enforcement and to
the public. This would have extremely negative consequences for
consumers in the United States and elsewhere, who want agencies like
ours to bring actions against Internet malefactors that attempt to
defraud them or that threaten their privacy.
______
Response to Written Questions Submitted by Hon. Daniel K. Inouye to
Ken Silva
This submission is respectfully submitted on behalf of Mr. Silva in
response to the questions posed by the Senate Commerce Committee
following the hearing on September 20, 2006.
For purposes of background to its responses, VeriSign provides the
following brief summary of the operation of the Internet and the
functional distinctions between domain name registries and domain name
registrars.
Background
The Internet is a network of interconnected computers and computer
networks. Every computer connected directly to the Internet has a
unique address. These addresses, which are known as Internet Protocol
(``IP'') numbers, are necessary for computers to ``communicate'' with
each other over the Internet. An example of an IP number might be:
98.27.241.30. Because IP numbers can be cumbersome and difficult for
Internet users to remember or to use, the IP number system has been
overlaid with a more ``user-friendly'' system of domain names: the
Internet domain name system, or ``DNS''. This overlay associates a
unique alpha-numeric character string--or domain name--with a specific
IP number.
Internet domain names consist of a string of ``domains'' separated
by periods. ``Top-level'' domains, or ``TLDs,'' are found to the right
of the period and include (among others) ``.com,'' ``.gov,'' ``.net,''
and ``.biz,'' which are sometimes referred to as ``generic'' TLDs (also
known as ``gTLDs''). Other top-level domains are referred to as country
code TLDs (also known as ``ccTLDs''), and are represented by two-letter
abbreviations for each country, such as ``.uk'' (United Kingdom) and
``.ca'' (Canada), and .eu (Europe). gTLDs are functionally equivalent
to ccTLDs. There are approximately 250 top-level domains, which are
administered and operated by numerous entities, both in and outside of
the United States.\1\
``Second-level'' domains (SLDs) are those domains immediately to
the left of the top-level domain, such as ``senate'' in the domain name
``senate.gov.'', or ``aol'' in ``aol.com.'' There are approximately 100
million second-level domains currently registered within the various
TLDs.
Because domain names are essentially ``addresses'' that allow
computers connected to the Internet to communicate with each other,
each domain name must be unique, even if it differs from another domain
name by only one character (e.g., ``uscourts.com'' is different from
``uscourt.com'' or ``us-courts.com''). A given domain name, therefore,
can be registered to only one entity.
VeriSign acts as the ``registry'' for domain names registered in
the .com gTLD in accordance with a written agreement with ICANN and
through its cooperative agreement with the U.S. Department of Commerce.
Among the other services VeriSign performs as the ``registry'' for the
.com gTLD, VeriSign maintains the definitive directory that associates
registered domain names in this gTLD with the corresponding IP numbers
of their respective domain name servers. The domain name servers, in
turn, direct Internet queries to resources such as websites and e-mail
systems. Under the DNS architecture, one given domain name is
essentially associated by domain name servers with one IP number or
distinct computer.
For technological reasons, the uniqueness requirements of the DNS
architecture described above, mandate that there can only be one entity
that operates any TLD registry that maintains the authoritative
database of domain names registered in a particular TLD. Accordingly,
there can be only one registry operator for .com.
A domain name is created by an individual or organization that
registers the domain name and thereby includes it in the registry's
master database. The individual or organization that registers a
specific domain name is a ``registrant.'' Registrants do not have
direct access to the VeriSign registry. Instead, prospective
registrants must register domain names through any one of over 800
private companies located in the United States and throughout the world
that are accredited by, and enter into a Registrar Accreditation
Agreement with ICANN to act as domain name ``registrars'' for the
second-level domain names in the .com gTLD. While there can be only one
registry for each TLD, there are hundreds of registrars and thousands
of resellers around the world who sell these domain name registrations
to end users.
Registrars, not registries, sell domain names to registrants, or
consumers. There are no restrictions by ICANN or the government upon
the price for which registrars sell domain name services to
consumers.\2\ Nearly all domain name registrars that provide domain
registration services for the .com gTLD also provide domain name
registration services for other gTLDs and ccTLDs. For example,
according to its website, GoDaddy.com, one of the largest Internet
domain name registrars, offers prospective registrants the ability to
register SLDs in 29 gTLDs and ccTLDs in addition to the .com gTLD.
Domain name registrars set their own prices for domain name
registration services and the prices registrants are charged by domain
name registrars to register a domain name within the same TLD vary
widely.
Registrars provide direct services to registrants and prospective
registrants, such as processing domain name registrations. The VeriSign
registry has no contractual or other relationship with a registrant.
This means that VeriSign has no information as to the identity of a
registrant. Conversely, registrars have a contractual relationship with
registrants and keep all information regarding the registrants.
Regardless of the price paid for a domain by an end user to a
Registrant, the name works the same technically on the Internet. The
Registries who operate these top level domains are responsible for
ensuring that queries from around the world to that domain are answered
(``resolved'') when executed. The volume of these queries is dictated
by the growth of online users around the world and their increased
usage of the Internet. Over the last decade, the number of users and
usage of the Internet has grown at a pace that far outstrips the
corresponding growth in the number of domain names registered
worldwide. The ease of use for a user going online (i.e., access to
broadband and wireless devices that are Internet-enabled), access to
online content in non-English languages, and the meaningfulness of
content online are the key drivers of Internet usage. Even during the
historical slowing of domain name registration sales during the
``bust'' of the Internet bubble, usage continued to increase.
Question 1. Security is a significant concern of stakeholders and
Internet users at large. How do you address concerns about the
registrar's lack of a disaster recovery plan?
Answer. The lack of effective disaster recovery for registrars,
along with the absence of registrar security requirements, is a cause
for serious concern. Historically, in the absence of stringent security
requirements for registrars as part of their ICANN Accreditation
Agreements, registries, such as VeriSign, have been the safety net for
registrar security deficiencies. Under the current structure of ICANN
Registrar Accreditation Agreements, registrars have no incentive to,
and do not, invest in the security or stability of the DNS.
Accordingly, the work of insuring the operational security and
stability of the DNS falls to registries in general, and VeriSign in
particular for .com, through continued and significant investment
beyond that required in current contracts.
In light of the lack of infrastructure investments by registrars,
VeriSign supports adding requirements to the ICANN Registrar
Accreditation Agreements of registrars to fill the security and
stability void in those agreements and to establish obligations in the
Registrar Accreditation Agreements that provide ICANN with the ability
to address security and stability issues (for example through a
flexible Consensus Policy provision such as that currently provided for
in Section 3.1 of the proposed .com Registry Agreement). The Registrar
Accreditation Agreement is not part of the proposed .com Registry
Agreement.
Since the question above explicitly deals with the disaster
recovery systems of Registrars, we have provided, below, answers
related to the contractual requirement of data escrow/disaster
recovery, which is a core component to ensure proper disaster recovery.
Registrars maintain all personal end-user data related to the sale
of a domain name which is needed to fully recover the ownership of
domain. The registries maintain all data related to the technical
elements of the domain's status and location on the Internet, but no
personal data. The Registrar Accreditation Agreement, to which all
ICANN-accredited registrars are parties with ICANN, includes a
contractual requirement that the registrar maintain an escrow of the
registrar specific data related to their registrations. (Registrar
Accreditation Agt., Sect. 3.4).\3\
A similar obligation exists for the registry operator in the .com
registry agreement to maintain registry level data as noted above (but
no personal data). In particular, the registry operator is required to
establish at its expense a data escrow or mirror site for registry data
compiled by the registry operator. (Registry Agt., Sect. 3.1(c)(i)).\4\
Further specific details of this extensive, structured mirror site
obligation are set forth in Appendix 1 and Appendix 2 to the .com
Registry Agreement. In summary, the obligation requires that the
registry operator establish an escrow account to deposit a complete set
of all data identified in section 3.1(c)(i) of the .com Registry
Agreement to the data escrow provider on a daily and weekly basis. The
data is verified by the escrow provider for completeness, accuracy, and
format accuracy to avoid any risk of a failure to restore due to data
corruption. In addition, the schedule, content, format, and procedure
for escrow may be changed by ICANN as conditions warrant or through
establishment of Consensus Policies. The intent of the mirror site
obligation is to encapsulate registry operations and identified data
into a single escrow file available to a third party for escrow storage
and recovery.\5\
VeriSign is compliant with all requirements to provide updates in
escrow (as explained more fully in response to Question 3). Through a
time-proven process, it has a verifiable record of delivering
completeness, correctness and integrity of the data within each escrow
file. VeriSign completes daily and weekly deposits of reports and meta-
data for all .com domain names.
Further, VeriSign has a demonstrated record of compliance with its
escrow obligations and of continual monitoring of related issues. For
example, VeriSign switched providers of its escrow services in December
2005 because it became apparent that most large gTLD registrars were
using the same offsite data storage provider which was regarded as a
possible single point of failure in the system. VeriSign believed that
this circumstance created a risk to the community at large and,
therefore, initiated a community discussion of this risk, and proposed
a transition in its service to an alternate provider to eliminate the
overlap. The new provider was reviewed and approved by ICANN before the
transition was made.
As explained more fully in response to Question 3 below, the
proposed .com Registry Agreement also includes other substantial,
detailed requirements to ensure the secure and stable operation of the
.com registry, including thorough oversight by and accountability to
ICANN. For example, the proposed .com Registry Agreement expressly adds
the further contractual requirement that the registry operator take
those steps necessary to protect all personal data from loss, misuse,
unauthorized disclosure, alteration or destruction and includes monthly
data reporting requirements, together with ICANN audits of such
reporting. (Registry Agt., Sect. 3.1(c)(ii)).
Question 2. Does VeriSign have a plan to address these security
concerns?
Answer. As explained above, VeriSign acts as the ``registry'' (not
the registrar) for domain names registered in the .com gTLD in
accordance with a written agreement with ICANN. Accordingly, as
explained in response to Question 1, VeriSign does not have control
over any of the 800 registrars or their disaster recovery plans or
security or stability deficiencies.
However, the work of ensuring security and stability to make up for
this gap falls to the registries. VeriSign regularly conducts failure
mode analyses on all of the .com registry systems. This includes
testing to insure the mitigation of risks occurring due to possible
failures in hardware and software, the network layer, security systems,
facility-related issues, and environmental factors. As a financially
sound, U.S.-based, public company, with robust technical capabilities,
VeriSign has a carefully developed plan for data recovery, including
provisions for DNS restoration and data retrieval, and provisions to
facilitate system reconstitution.
VeriSign believes that the best place to address registrar security
concerns is through the addition of contractual obligations to the
Registrar Accreditation Agreements of registrars, such as the inclusion
of flexible Consensus Policy language such as the provision currently
included in Section 3.1 of the proposed .com Registry Agreement, which
gives ICANN the power to address security and other issues. Topics for
such policies and discussions could include registrar business
continuity, disaster recovery and periodic accreditation compliance
audit.
Question 3. Under the proposed agreement VeriSign has no
accountability to ICANN regarding security measures. How will VeriSign
ensure the safety of the DNS?
Answer. The premise of this question is not based on the facts of
the proposed .com Registry Agreement as the proposed Agreement not only
provides substantial accountability to ICANN for insuring the security
and stability of the registry and DNS, it increases the accountability
over what is currently called for in existing registry agreements that
have controlled the operation of the registry during the preceding 8
years. Under the preceding agreements, VeriSign has maintained 100
percent availability of the .com TLD for 8 years, an unparalleled
record in Internet security and stability.
Under the proposed .com Registry Agreement, VeriSign is
contractually obligated to maintain 100 percent availability of the DNS
systems for the .com gTLD. (Registry Agt., (Sect. 3.1(d)(ii), App. 7,
Sect. 7). In order to meet this obligation, VeriSign must take all
steps necessary to maintain the secure and stable operation of the DNS.
In fact, numerous provisions of the proposed agreement are specifically
directed to insuring compliance with this contractual obligation,
including by placing particular and detailed obligations on the
registry operator and providing for ongoing ICANN oversight. The
following provisions of the proposed agreement, for example, are
cumulative in their requirements:
VeriSign is obligated to meet detailed functional and performance
specifications incorporated into the contract in the form of Appendix
7. (Registry Agt., Sect. 3.1(d)(ii)). These contract requirements were
established by experts and standards bodies within the Internet
community in order to create a secure and stable DNS. The registry
operator also is required to maintain technical and operational
records, for inspection and audit by ICANN, sufficient to insure
compliance with these specifications. (Id.).\6\
The proposed agreement further provides a process for changes in
the contractual operational specification or policies affecting the
registry through the development of Consensus Policies by ICANN, and
the Internet community, during the existence of the agreement. This
process for the adoption of Consensus Policies is expressly intended to
allow for the continual monitoring and updating of policies affecting
the registry in order to insure ongoing security and stability in
response to changing conditions. (Registry Agt., Sect. 3.1(b)).
Pursuant to such provisions, for example, contractual operational
specifications on the registry operator may be changed during the term
of the contract as necessary to meet changing conditions affecting the
security or stability of the DNS or registry database. (Id.). Moreover,
unlike the existing .com Registry Agreement, or the Registrar
Accreditation Agreements, the proposed agreement adds important
flexibility to the process for adopting Consensus Policies by allowing
the process itself to be changed during the term of the contract
consistent with the requirements of ICANN's Bylaws.\7\
Similarly, the proposed .com Registry Agreement provides procedures
for ICANN to adopt, on an emergency basis, new policies necessary to
maintain the stability or security of the DNS. (Registry Agt., Sect.
3.1(a)(i)). The precondition for the exercise of this power by ICANN is
the determination of the ICANN Board that the change is necessary to
maintain the security or stability of the DNS. (Id.).\8\ This process
is an additional oversight and accountability mechanism of substantial
breadth.
Therefore, neither the process for the adoption of Consensus
Policies, nor the contractual specifications intended to address
security and stability, are frozen in place by the contract. Instead,
the proposed agreement specifically allows for monitoring and changing
requirements on the registry operator as necessary to address the
changing requirements for the security or stability of the DNS.
(Registry Agt., Sect. 3.1(b)(ii)). These flexible procedures provide
extraordinary oversight and accountability, including to address new
security and stability concerns.
The proposed .com Registry Agreement also substantially expands
ICANN's oversight, and VeriSign's accountability to ICANN, over changes
in registry services or new services introduced by the registry
operator, prior to such changes being implemented. Such oversight
includes reviews of changing services by DNS experts and public review
and comment periods. (Registry Agt., Sect. 3.1(d)(iv)). This process
for assessing changes in registry services has been used by ICANN as a
model for other new registry agreements, including .net and .mobi,
among others. There is no comparable process in the existing .com
Registry Agreement.
For example, before a change in registry services may be
implemented by the registry operator, including the introduction of new
services, information regarding the service and potential security and
stability implications must be provided to ICANN. ICANN thereafter has
the right to review the service, including by seeking advice by experts
on whether the service might have implications for the security or
stability of the DNS. ICANN further has the right to submit the
proposed change to a standing panel of experts to conduct a more
detailed analysis of the service prior to its adoption by the registry
operator. The panel consists of 20 persons expert in the design,
management and implementation of complex systems and standards-
protocols utilized in the Internet infrastructure and DNS. In the event
the proposed change is submitted to the standing panel, the panel shall
invite public comment on the proposed change. If it is determined that
the proposed change creates a reasonable risk of an adverse affect on
security or stability, the registry operator will not implement the
change.
The proposed .com Registry Agreement further requires a twice
annual security and stability review by ICANN of issues regarding
security and stability affecting the registry. (Registry Agt.,
Sect.3.1(g)). This requirement does not exist in the current agreement.
The proposed .com Registry Agreement requires the registry operator
to establish at its expense a data escrow or mirror site policy for
registry data compiled by the registry operator. (Registry Agt., Sect.
3.1(c)(i)). The operator is required regularly to deposit into the
escrow all registry data. The proposed agreement also expressly
requires the registry operator to take steps to protect all personal
data from loss, misuse, unauthorized disclosure, alteration or
destruction. (Registry Agt., Sect. 3.1(c)(ii)).
In addition to these contractual provisions providing
accountability, VeriSign also engages in other briefings and security
activities with ICANN and the Internet community. Currently, VeriSign
partners with Department of Homeland Security, National Security
Administration and other governmental parties regularly to brief these
agencies on the stability and security of the overall DNS and to give
timely updates and detailed information regarding attacks and their
impact on the Internet infrastructure. VeriSign considers this sharing
of information and coordination of data important to the overall
stability of the DNS.
VeriSign's technical staff further participates, including by
holding key positions in Internet standards and security groups,
including Root Server System Advisory Committee (RSSAC), Security and
Stability Advisory Committee (SSAC), Internet Engineering Task Force
(IETF), Internet Security Alliance (ISA), Information Technology--
Information Sharing and Analysis Center (IT-ISAC), National
Infrastructure Protection Center (NIPC), Network Reliability and
Interoperability Council (NRIC) and National Security
Telecommunications Advisory Committee (NSTAC). Such open forums enable
discussion and development of critical design considerations for
changes to the architecture of the DNS and Internet, both at the root
level and the interoperability of third-party systems and applications.
VeriSign staff has authored numerous RFCs that define the myriad of
standards, features, and best practices of DNS management, security and
operations. Through one of these organizations, the IETF, for example,
VeriSign has initiated, shaped and refined the standards for DNS
Security Extensions, an important issue in shaping future Internet
security.
Therefore, the proposed agreement provides multiple, cumulative
requirements on the registry operator to insure the stability and
security of the registry, provide oversight by ICANN, and ensure
accountability to ICANN.
Question 4. How will VeriSign justify the costs of improvements to
security systems without accountability to ICANN?
Answer. As explained in response to Question 3 above, the proposed
.com Registry Agreement provides multiple, cumulative requirements on
the registry operator to insure the stability and security of the
registry, provide oversight by ICANN, and ensure accountability to
ICANN. The proposed agreement explicitly requires VeriSign to meet
detailed specifications and other obligations designed to insure a
secure and stable .com registry. VeriSign has served as the operator of
the .com registry since its beginnings in 1992. During this period,
VeriSign established an unparalleled record in operating a secure and
stable registry. The proposed .com Registry Agreement not only
contractually obligates VeriSign to continue to meet that standard, the
proposed agreement explicitly provides for increased oversight by ICANN
and the Internet community, through Consensus Policies and other
provisions, to insure that the operator continues to meet, as it has in
the past, the changing requirements for security and stability for the
registry and DNS.
VeriSign has been a leader in Internet and DNS security throughout
its tenure as the operator of the .com registry. It has participated in
industry boards that have helped establish the security and stability
requirements for the Internet and DNS. VeriSign also has participated
in government reviews with the Department of Homeland Security and
National Security Administration, among other governmental security
organizations, aimed at developing a coordinated security strategy for
the Internet.
From the founding of the DNS through today, VeriSign has invested
hundreds of millions of dollars in creating a secure DNS
infrastructure, including as the volume of Internet traffic has grown
10,000-fold during just the years 2000 through present. No other
operator has ever created or run a registry of this magnitude.
The express terms of the proposed .com Registry Agreement establish
substantial and detailed accountability for the operation of the .com
registry. Moreover, under the proposed agreement, VeriSign is
contractually obligated to maintain 100 percent availability of the DNS
systems for the .com gTLD. (Registry Agt., (Sect. 3.1(d)(ii), App. 7,
Sect. 7). In order to meet this obligation, VeriSign must take all
steps necessary to maintain the secure and stable operation of the DNS.
In fact, numerous provisions of the proposed agreement are specifically
directed to insuring compliance with this contractual obligation,
including by placing particular and detailed obligations on the
registry operator and providing for ongoing ICANN oversight as
explained in response to Question 3. Further, VeriSign's consistent
performance since the founding of the DNS, a record spanning more than
a decade, establishes beyond any reasonable doubt that VeriSign is
motivated to continue to invest in and maintain a secure and stable
.com registry, a necessity to meet its performance obligations under
the .com Registry Agreement.
ICANN has carefully considered the issue of improvements to
security and stability and the methods to insure investment. Cost-based
price regulation is complex, costly, and inefficient in the context of
preemptive investment in the security and stability of the DNS. As a
result, regulators have been moving away from such strict, command-and-
control regulation. Such regulation would be particularly harmful in
light of the need for preemptive investment in the security and
stability of the DNS. The type of investment that needs to be made is
critical and often unpredictable until after the consequences of an
attack are known. The type of work that needs to be done requires
strategic, critical, and preemptive investment that if delayed or
derailed by cost justification assessment models would come too late to
have an effect. Setting a reasonable price cap that allows for some
limited price flexibility, together with the extensive price
protections in place in the agreement, strikes the right balance
between providing the incentive and flexibility needed for efficient,
ongoing, investment to protect security and stability while protecting
consumers.
As explained more fully in response to Question 5, those price
protections include among others, the prohibition on VeriSign from
discriminating in price among registrars or their customers, the
requirement that VeriSign give registrars 6 months' notice of proposed
price increases,\9\ and the requirement to allow registrations for
terms up to 10 years. This provision was included in the proposed .com
Registry Agreement specifically to allow registrants to lock in current
prices for up to 10 years and thereby avoid the impact of any proposed
price increase even if the registrant choose not to avail themselves of
competitive alternatives. (Registry Agt., Sect. 7.3(f)).\10\
ICANN has adopted this carefully considered framework as its model
for registry operator agreements. In fact, this model already has been
implemented with respect to the 2005 .net Registry Agreement, over a
year ago, and the .mobi Registry Agreement.
Question 5. According to the provisions of the proposed agreement,
VeriSign can increase prices up to 7 percent in most years, resulting
in an overall price increase of up to 31 percent in 6 years. The
proposed agreement includes presumptive renewal and guaranteed price
increases in most years. How does VeriSign respond to claims of
creating a monopoly environment?
Answer. VeriSign appreciates the opportunity to clear up some
misconceptions about the effects of the proposed .com Registry
Agreement on competition. This agreement has been subject to an
extensive and thorough competitive review by the Department of Commerce
with the assistance of the Antitrust Division of the Department of
Justice. VeriSign and ICANN have worked in concert with these
Departments. As a result, the proposed agreement is one which promotes
the security and stability of the Internet by providing the incentives
and contractual feasibility to make necessary investments in the .com
infrastructure. Additionally, the proposed agreement includes specific
provisions providing for increased oversight by ICANN of services
provided by the registry, including the adoption of a more efficient
consultative process with clearer guidelines to allow VeriSign to
introduce changes to or new registry services that can benefit the
Internet community and the public, while allowing ICANN to review any
security, stability and competitive affects of such services prior to
their introduction.
Price Increases: It is important to recognize that VeriSign does
not set the prices that consumers and businesses pay for domain name
registrations. Those prices are set by hundreds of independent domain
name registrars, some of whom charge as much as $35 for a domain name,
while paying VeriSign, the registry operator, only $6 to provide for
operation of the domain name on the Internet. VeriSign's price to
registrars for registering .com domain names has been contractually
frozen at $6 since 1999. The new .com agreement provides VeriSign some
limited flexibility to raise prices at the registry level but it does
so under conditions that are tailored to protect registrars and their
customers by leveraging important market forces.
The .com registry requires substantial investment in
infrastructure, and the demands on that infrastructure are ever
increasing, due to rapidly increasing use of the Internet and the
growing and more sophisticated attacks on Internet security that were
described at the hearing. \11\ As explained above, VeriSign has
invested hundreds of millions of dollars in creating a secure DNS
infrastructure, including while the volume of Internet traffic has
grown 10,000-fold during just the years 2000 through present. As the
registry operator, VeriSign must bear the entire burden of those
investments, and the only source of funding is the .com registry fees.
A freeze on those fees would chill incentives and jeopardize the
ability to fund needed investments.
The proposed .com Registry Agreement balances the interest in
removing inflexible price controls against the needs of registrars by
strictly limiting the amount and rate of price increases by VeriSign as
well as providing additional safeguards. Thus, VeriSign will only be
permitted to increase the price of .com registrations by a maximum of 7
percent and only in four of the six years of a contract term. Thus, by
the end of 2012, and assuming VeriSign actually takes the maximum price
increases permitted by the agreement, the cost of a .com domain name
registration to registrars would be only $7.86.
Other provisions of the agreement also operate to provide
safeguards for consumers. While there can only be one operator of the
.com or any other TLD registry, there is competition among numerous TLD
registries for the business of domain name registrants. There are over
250 TLD registries worldwide. Most domain name registrants can choose
among many generic TLDs (gTLDs) such as .com, .biz, .info, .org, .net,
and others, and also have choices from among country code TLDs (ccTLDs)
such as .de, .uk, .jp, .us and many others--including the recently
introduced .eu for registrants with activity anywhere in the European
Union. Many domain registrars promote these different TLDs as
competitive alternatives for their customers. If registrars view .com
as unduly expensive, they can use pricing and promotion to steer
registrants to other TLDs. Building on such competitive facts,
provisions of the proposed .com Registry Agreement leverage competitive
market forces to protect consumers.
First, the proposed .com Registry Agreement expressly prohibits
VeriSign from discriminating in price among registrars or their
customers. (Registry Agt., Sect. 7.3(e)). \12\ VeriSign cannot charge a
higher price for renewals of a .com domain name registration than it
charges for a new registration. It cannot charge U.S. registrants/
registrars a higher price than it charges foreign registrants/
registrars. Seventy five percent of the growth in Internet usage is
occurring outside the U.S. and it is estimated that over 60 percent of
all domain name registrations come from non-U.S. registrants. More than
half the domain names worldwide are registered in TLDs other than .com.
Thus, the ongoing competition to attract new registrants to .com--
particularly in foreign countries, where .com lags behind ccTLDs and
where the overwhelming growth in Internet use and domain name
registration is occurring--will force VeriSign to set its prices for
all registrants at a level dictated by competitive forces worldwide. At
the same time, increasing competition from search, keywords and new
Internet navigation methods constrain domain name pricing.
Second, the proposed .com Registry Agreement includes a provision
requiring VeriSign to give registrars 6 months' notice of proposed
price increases, and to allow registrations for terms up to 10 years at
the existing price. This provision was included in the agreement
specifically to allow registrants to lock in current prices for up to
10 years and thereby avoid the impact of a proposed price increase even
if they choose not to avail themselves of competitive alternatives.
(Registry Agt., Sect. 7.3(f)). \13\
Therefore, while VeriSign for technical reasons must be the sole
operator of the .com registry, it is not a ``monopoly'' in terms of
competitive choices to consumers. The provisions of the .com Registry
Agreement gradually relax the 8-year freeze on VeriSign's pricing, but
set strict caps on future price increases and include terms that in any
circumstances would prevent VeriSign from charging a supracompetitive
price for domain name registrations.
Strict price controls are strongly disfavored as a matter of public
policy. Even in cases where firms have dominant market shares, and
their market position stems in part from governmental grants, price
controls are often eschewed. \14\ Given the competitive forces at work,
allowing VeriSign some carefully limited pricing flexibility is plainly
in the public interest, especially given that unlike most contracts,
the .com Registry Agreement allows ICANN, through the adoption of
Consensus Policies, to change the operational performance requirements
for the registry, or require it to provide new services.
Presumptive Renewal: The renewal provisions of the proposed .com
Registry Agreement are virtually identical to the renewal provisions in
the existing agreement, which were approved by the Department of
Commerce in 2001. Both require renewal absent a material breach of the
agreement or other circumstances not present here. The existing
agreement also specifically provides that this presumptive renewal
provision ``shall be included in any renewed Registry Agreement.''
Consistent with renewal models in other infrastructure industries,
presumptive renewal is representative of the renewal model ICANN is
pursuing in its registry agreements generally, as set out in the .net
and .mobi agreements.
The 2001 .com Registry Agreement provides that the agreement
``shall be'' renewed absent a material breach of the agreement. (2001
Registry Agt., Sect. 25). \15\ With respect to the provision concerning
a breach of the registry agreement, the existing and proposed
agreements contain minor differences. Unlike the existing agreement,
the proposed agreement provides that a neutral arbitrator must
determine that the registry operator is in breach of the agreement
before such a dispute over contractual performance may be the basis for
denying renewal. This change is designed to protect VeriSign from the
potential loss of its investment in the registry based on a good faith
disagreement as to whether particular conduct may be within the scope
of the agreement, or the possible use of a claim of breach to extract
concessions under the contract. Disagreements regarding the
interpretation of the registry agreement have arisen between ICANN and
VeriSign from time to time in the past. The change is thus necessary to
resolve potential uncertainties in performance of the registry
agreement. Certainty in the operation of the registry is necessary to
allow ongoing investment in the DNS infrastructure.
The proposed .com Registry Agreement also allows VeriSign an
opportunity to cure a breach, which is a standard term of commercial
contracts, especially important to contractual certainty in a changing
environment for contractual performance such as the Internet. The same
clause has been adopted for this same reason in other registry
agreements, such as the .net and .mobi Registry Agreements.
Accordingly, there has been no loss of a previously existing
opportunity for competitive bidding to replace VeriSign as the operator
of the .com registry in the absence of material and uncured breach by
VeriSign.
The right to renewal of the .com agreement so long as VeriSign
lives by its terms is an enforceable contract right that VeriSign
already has. Such a provision is critical in order to allow the
registry operator to make the ongoing and substantial investment in the
DNS infrastructure necessary to its stability and security.
Despite the claims from self-interested opponent registrars, the
proposed .com Registry Agreement does not make any significant change
in VeriSign's existing contractual rights to retain its role as the
.com registry operator so long as it is performing in accord with the
requirements of the agreement. The explicit terms of the existing
agreement require that it be renewed upon its expiration and that the
renewal agreement include a similar provision.
Presumptive renewal, or a renewal expectancy, is a common feature
of contracts, licenses and franchises that involve long-term
investments for some public purpose. Such terms are used in varying
ways in broadcast, cable, satellite and other communications licenses,
utility franchises and other similar agreements. Without a renewal
expectancy, a firm would find it difficult to justify making
substantial investments that would take a long time to recoup. With
only a 6-year contract term, and with capped prices, an economically
rational registry operator would think long and hard about investing
millions of dollars in new infrastructure and systems to meet emerging
security threats or to respond to increased demand caused by new
Internet business models, such as the substantial (and largely
unremunerated) demands caused by domain name speculators and pay-per-
click advertising businesses. A rational registry operator that did not
have a secure renewal expectancy might well defer such investments,
particularly toward the end of the contract term, and then promise to
make them as part of a renewal bid. Such a framework would undermine
the security and stability of the DNS. Moreover, renewal expectancy
provides distinct benefits for consumers in the form of quality of
service as well as a minimized risk of service disruption due to an
arbitrary change in an underlying operator that has provided
satisfactory levels of service.
VeriSign has been a highly reliable steward of the .com registry
for over 8 years. It has provided unmatched reliability under the most
demanding conditions--unlike the problems experienced by firms
operating even much smaller and less demanding registries. Competition
from other TLD registries will continue to force VeriSign to keep .com
competitive. It would be short-sighted to destroy the renewal
expectancy, there is no competitive reason to do so, and it would be a
violation of the express terms of the existing registry agreement.
Question 6. How will the exclusion of competition affect pricing
elsewhere in the Internet registry market?
Answer. As the answer to Question 5 demonstrates, the .com
agreement will not exclude competition. There can be only one registry
for the .com TLD or for each of the other more than 250 registries
worldwide. The proposed .com Registry Agreement, therefore, will
neither eliminate any competition that would otherwise have existed nor
will it create monopoly power. Rather it carefully regulates the terms,
including the price, on which VeriSign can provide domain name
registrations and other registry services to registrars. Within the
constraints of the proposed agreement, VeriSign's pricing will continue
to be affected by the competitive pricing and service offerings of
other competitive registries, particularly as VeriSign seeks to assist
registrars in penetrating growing geographic markets in Asia, Europe,
Latin America and the rest of the world, and as the registry competes
for new domain name registrations in addition to renewal registrations,
which must be priced in a nondiscriminatory manner. Likewise,
innovative services from VeriSign will stimulate competition from those
other registries and benefit domain name registrars and registrants in
the U.S. and around the world.
Question 7. What strength is there to the VeriSign claims that not
renewing its contract will be a detriment to DNS security?
Answer. Currently, .com is under constant attack from hackers who
realize the economic devastation that would result if businesses that
use the Internet to conduct business via IP-based transactions (banks,
brokerage houses, stock exchanges, online commerce) were to lose the
ability to connect to one another via the Internet. For example, NASD,
the London Stock Exchange, Chase Bank and Citibank run on .com name
servers. Additionally, all of the agencies reliant upon .gov sites are
reliant upon .com as the resolution provider for all .gov names is
routed through a .com server. In February 2005, the World Bank
Operations and Policy Department issued a paper which outlined the
development of capital markets and eFraud. The paper reviewed several
case studies of fraud perpetrated upon various financial systems around
the word. The common component of the study reveals that the world's
economic models more and more heavily rely upon IP-based transactions.
While hackers attempt to penetrate these institutions at various
levels, including the private hardware and software of banks, it is
important to note that malicious attacks against the core
infrastructure providers of the DNS are the most malicious way to
attack the broadest segment of the financial institutions of this
country. Financial institutions are just one example of a meaningful
U.S. business sector reliant upon the stability of the DNS.
As explained in response to Question 5, due to the large ongoing
investments currently required in the development and maintenance of
the DNS infrastructure, such uncertainty would negatively impact the
willingness of registry operators to make the investments necessary to
guarantee a secure and stable registry, especially toward the end of a
registry term.
The express terms of the existing 2001 .com Registry Agreement
require renewal. More specifically, Section 25 of the agreement
explicitly provides that the agreement ``shall be'' renewed (absent a
material breach of the agreement, which is not present here) and that
this renewal clause shall be included in the renewal agreement. A
failure to comply with the renewal terms would constitute a breach of
the registry contract contrary to law. Equally fundamental, a failure
to comply with such terms, which are included in other registry
agreements as well as the 2001 .com Registry Agreement, would interject
damaging uncertainty into the performance of such agreements.
Furthermore, only VeriSign has demonstrated an ability to operate
in a secure and stable manner a registry of the magnitude of the .com
registry, as explained above. ICANN explicitly adopted such a finding
in November 2005. \16\ Unlike any other registry operator, VeriSign has
operated the .Com registry, the largest Internet registry, at 100
percent availability (with no interruption of service) for the last 8
years. Thus, there would be inherent risks to the security and
stability of the DNS in failing to renew the agreement (as its express
terms require) and transitioning the operation of the registry to a new
and necessarily untested operator.
Endnotes
\1\ Examples of TLDs available around the world include: .info,
.org, com, .travel, .mil, .us, .biz, .net, info, .name, .bz, .jp, eu,
.uk, .de, .kr, .mobi, .asia, .museum, .pro, .jobs, .edu, .gov. Norid,
the .no registry, has a complete list of worldwide domains at http://
www.norid.no/domenenavnbaser/domreg.html.
\2\ For example, registrars today offer a .com domain for prices
from $1.99 to $1,000 within packages and as stand alone sales. Domain
name registrations are accepted by Registrars from end-users for terms
of 1 (one) year to one-hundred (100) years. The registrars
differentiate themselves from one another based upon value added
services, customer service and some compete upon price. Regardless of
the registrar model, the registry wholesale price for a .com name, as
set in the ICANN contract with VeriSign is currently $6.00. This is the
``wholesale'' rate. The average ``retail'' rate charged for a .com
domain today is $21.00.
\3\ The Registrar Accreditation Agreement provides as follows:
``3.6 Data Escrow. During the Term of this Agreement, on a
schedule, under the terms, and in the format specified by
ICANN, Registrar shall submit an electronic copy of the
database described in Subsection 3.4.1 to ICANN or, at
Registrar's election and at its expense, to a reputable escrow
agent mutually approved by Registrar and ICANN, such approval
also not to be unreasonably withheld by either party. The data
shall be held under an agreement among Registrar, ICANN, and
the escrow agent (if any) providing that (1) the data shall be
received and held in escrow, with no use other than
verification that the deposited data is complete, consistent,
and in proper format, until released to ICANN; (2) the data
shall be released from escrow upon expiration without renewal
or termination of this Agreement; and (3) ICANN's rights under
the escrow agreement shall be assigned with any assignment of
this Agreement. The escrow shall provide that in the event the
escrow is released under this Subsection, ICANN (or its
assignee) shall have a nonexclusive, irrevocable, royalty-free
license to exercise (only for transitional purposes) or have
exercised all rights necessary to provide Registrar Services.''
http://www.icann.org/registrars/ra-agreement-17may01.htm#3.
\4\ The .com Registry Agreement Provides as follows:
``Data Escrow. Registry Operator shall establish at its expense
a data escrow or mirror site policy for the Registry Data
compiled by Registry Operator. Registry Data, as used in this
Agreement, shall mean the following: (1) data for domains
sponsored by all registrars, consisting of domain name, server
name for each nameserver, registrar id, updated date, creation
date, expiration date, status information, and DNSSEC-related
key material; (2) data for nameservers sponsored by all
registrars consisting of server name, each IP address,
registrar id, updated date, creation date, expiration date, and
status information; (3) data for registrars sponsoring
registered domains and nameservers, consisting of registrar id,
registrar address, registrar telephone number, registrar e-mail
address, WHOIS server, referral URL, updated date and the name,
telephone number, and e-mail address of all the registrar's
administrative, billing, and technical contacts; (4) domain
name registrant data collected by the Registry Operator from
registrars as part of or following registration of a domain
name; and (5) the DNSSEC-related material necessary to sign the
.com zone (e.g., public and private portions of .com zone key-
signing keys and zone-signing keys). The escrow agent or
mirror-site manager, and the obligations thereof, shall be
mutually agreed upon by ICANN and Registry Operator on
commercially reasonable standards that are technically and
practically sufficient to allow a successor registry operator
to assume management of the TLD. To this end, Registry Operator
shall periodically deposit into escrow all Registry Data on a
schedule (not more frequently than weekly for a complete set of
Registry Data, and daily for incremental updates) and in an
electronic format mutually approved from time to time by
Registry Operator and ICANN, such approval not to be
unreasonably withheld by either party. In addition, Registry
Operator will deposit into escrow that data collected from
registrars as part of offering Registry Services introduced
after the Effective Date of this Agreement. The escrow shall be
maintained, at Registry Operator's expense, by a reputable
escrow agent mutually approved by Registry Operator and ICANN,
such approval also not to be unreasonably withheld by either
party. The schedule, content, format, and procedure for escrow
deposits shall be as reasonably established by ICANN from time
to time, and as set forth in Appendix 1 hereto. Changes to the
schedule, content, format, and procedure may be made only with
the mutual written consent of ICANN and Registry Operator
(which neither party shall unreasonably withhold) or through
the establishment of a Consensus Policy as outlined in Section
3.1(b) above. The escrow shall be held under an agreement,
substantially in the form of Appendix 2, as the same may be
revised from time to time, among ICANN, Registry Operator, and
the escrow agent.''
.Com Registry Agt., Sect. 3.1(c)(i); http://www.icann.org/topics/
vrsn-settlement/revised-com-agreement-clean-29jan06.pdf.
\5\ http://www.icann.org/tlds/agreements/verisign/registry-agmt-
app1-22sep05.pdf; http://www.icann.org/tlds/agreements/verisign/
registry-agmt-app2-22
sep05.pdf.
\6\ For example, the .com Registry Agreement provides for reporting
and audit with associated penalties:
``Functional and Performance Specifications. Functional and
Performance Specifications for operation of the TLD shall be as
set forth in Appendix 7 hereto, and shall address without
limitation DNS services; operation of the shared registration
system; and nameserver operations. Registry Operator shall keep
technical and operational records sufficient to evidence
compliance with such specifications for at least 1 year, which
records ICANN may audit from time to time upon reasonable
advance written notice, provided that such audits shall not
exceed one per quarter. Any such audit shall be at ICANN's
cost.''
Registry Agt., Sect. 3.1(d)(ii).
``Monthly Reporting. Within 20 days following the end of each
calendar month, Registry Operator shall prepare and deliver to
ICANN a report providing such data and in the format specified
in Appendix 4. ICANN may audit Registry Operator's books and
records relating to data contained in monthly reports from time
to time upon reasonable advance written notice, provided that
such audits shall not exceed one per quarter. Any such audit
shall be at ICANN's cost, unless such audit shall reflect a
material discrepancy or discrepancies in the data provided by
Registry Operator. In the latter event, Registry Operator shall
reimburse ICANN for all costs and expenses associated with such
audit, which reimbursement shall be paid together with the next
Registry-Level Fee payment due following the date of
transmittal of the cost statement for such audit.''
Registry Agt., Sect. 3.1(c)(iv).
\7\ The provision provides as follows:
``Consensus Policies.
(i) At all times during the term of this Agreement and subject
to the terms hereof, Registry Operator will fully comply with
and implement all Consensus Policies found at http://
www.icann.org/general/consensus-policies.htm, as of the
Effective Date and as may in the future be developed and
adopted in accordance with ICANN's Bylaws and as set forth
below.
(ii) ``Consensus Policies'' are those specifications or
policies established (1) pursuant to the procedure set forth in
ICANN's Bylaws and due process, and (2) covering those topics
listed in Section 3.1(b)(iv) below. The Consensus Policy
development process and procedure set forth in ICANN's Bylaws
may be revised from time to time in accordance with ICANN's
Bylaws, and any Consensus Policy that is adopted through such a
revised process and covering those topics listed in Section
3.1(b)(iv) below shall be considered a Consensus Policy for
purposes of this Agreement.
(iii) For all purposes under this Agreement, the policies
identified at http://www.icann.org/general/consensus-
policies.htm shall be treated in the same manner and have the
same effect as ``Consensus Policies.''
(A) Consensus Policies and the procedures by which they are
developed shall be designed to produce, to the extent possible,
a consensus of Internet stakeholders, including the operators
of gTLDs. Consensus Policies shall relate to one or more of the
following: (1) issues for which uniform or coordinated
resolution is reasonably necessary to facilitate
interoperability, Security and/or Stability of the Internet or
DNS; (2) functional and performance specifications for the
provision of Registry Services (as defined in Section
3.1(d)(iii) below); (3) Security and Stability of the registry
database for the TLD; (4) registry policies reasonably
necessary to implement Consensus Policies relating to registry
operations or registrars; or (5) resolution of disputes
regarding the registration of domain names (as opposed to the
use of such domain names). . . .
\8\ That provision states as follows:
``Preserve Security and Stability.
ICANN Temporary Specifications or Policies. Registry Operator
shall comply with and implement all specifications or policies
established by the ICANN Board of Directors on a temporary
basis, if adopted by the ICANN Board of Directors by a vote of
at least two-thirds of its members, so long as the ICANN Board
of Directors reasonably determines that immediate temporary
establishment of a specification or policy on the subject is
necessary to maintain the Stability or Security (as defined in
Section 3.1(d)(iv)(G)) of Registry Services or the DNS
(`Temporary Specification or Policies'). Such proposed
specification or policy shall be as narrowly tailored as
feasible to achieve those objectives. In establishing any
specification or policy under this provision, the ICANN Board
of Directors shall state the period of time for which the
specification or policy is temporarily adopted and shall
immediately implement the Consensus Policy development process
set forth in ICANN's Bylaws. ICANN shall also issue an advisory
statement containing a detailed explanation of its reasons for
adopting the temporary specification or policy and why the
Board believes the specification or policy should receive the
consensus support of Internet stakeholders. If the period of
time for which the specification or policy is adopted exceeds
90 days, the ICANN Board shall reaffirm its temporary adoption
every 90 days for a total period not to exceed 1 year, in order
to maintain such policy in effect until such time as it shall
become a Consensus Policy as described in Section 3.1(b) below.
If during such 1 year period, the temporary policy or
specification does not become a Consensus Policy meeting the
standard set forth in Section 3.1(b) below, Registry Operator
shall no longer be required to comply with or implement such
temporary policy or specification.''
\9\ ``No price discrimination. Registry Operator shall charge the
same price for Registry Services subject to this Section 7.3, not to
exceed the Maximum Price, to all ICANN-accredited registrars (provided
that volume discounts and marketing support and incentive programs may
be made if the same opportunities to qualify for those discounts and
marketing support and incentive programs is available to all ICANN-
accredited registrars).'' Registry Agt., Sect. 7.3(e).
\10\ ``Adjustments to Pricing for Domain Name Registrations.
Registry Operator shall provide no less than 6 months prior notice in
advance of any increase for new and renewal domain name registrations
and for transferring a domain name registration from one ICANN-
accredited registrar to another and shall continue to offer for periods
of up to 10 years new and renewal domain name registrations fixed at
the price in effect at the time such offer is accepted. Registry
Operator is not required to give notice of the imposition of the
Variable Registry-Level Fee set forth in Section 7.2(c).'' Registry
Agt., Sect. 7.3(f).
\11\ The Shared Registration System (SRS) is the system maintained
by VeriSign as the .com registry operator that allows multiple
registrars to register and modify domain names in the registry
database. That, however, is only one component of VeriSign's
obligations under the .com Registry Agreement. VeriSign also must
maintain Domain Name System (DNS) up-time and availability. The DNS is
what makes the domain name ``work'' as a resource or locator on the
Internet. Stated another way, the DNS is what enables you as an
Internet user to simply type in a domain name on your computer, such as
``verisign.com,'' and connect it over the Internet to the machine that
hosts the proper website. The receipt of DNS queries or ``look-ups''
for a particular domain name is separate from the SRS or its operation.
Were the DNS to fail, the Internet would not work. Were the SRS to
fail, traffic would still move over the Internet. Registrars could
simply not register new domain names. While domain names may be
registered through the SRS and VeriSign receives $6, that fee also must
cover resources for processing queries/traffic. Such fee, however, is
not based on the volume of queries/traffic received. The explosion of
Internet-enabled devices and applications--text messaging, music
downloads, VoIP, Blackberries and device-to-device communications--has
created exponential growth in Internet traffic far surpassing the
increase in users. While users have increased 300 percent since 2000,
the volume of traffic on .com and .net has increased 1,900 percent in
that same period. Domain name registration has not kept pace.
\12\ ``No price discrimination. Registry Operator shall charge the
same price for Registry Services subject to this Section 7.3, not to
exceed the Maximum Price, to all ICANN-accredited registrars (provided
that volume discounts and marketing support and incentive programs may
be made if the same opportunities to qualify for those discounts and
marketing support and incentive programs is available to all ICANN-
accredited registrars).'' Registry Agt., Sect. 7.3(e).
\13\ ``Adjustments to Pricing for Domain Name Registrations.
Registry Operator shall provide no less than 6 months prior notice in
advance of any increase for new and renewal domain name registrations
and for transferring a domain name registration from one ICANN-
accredited registrar to another and shall continue to offer for periods
of up to 10 years new and renewal domain name registrations fixed at
the price in effect at the time such offer is accepted. Registry
Operator is not required to give notice of the imposition of the
Variable Registry-Level Fee set forth in Section 7.2(c).'' Registry
Agt., Sect. 7.3(f).
\14\ For example, a pharmaceutical company may obtain a patent on a
drug that is the sole drug approved by the FDA for a particular
indication. An airline may dominate a hub airport due to a lack of gate
space or takeoff/landing slots. A franchised cable operator may be the
sole provider of broadband Internet access in an area where the local
telephone company cannot feasibly provide DSL service. In none of these
situations does the government regulate prices.
\15\ That provision provides as follows:
``25. Procedure for Subsequent Agreement
B. ICANN shall consider the Renewal Proposal for a period of no
more than 6 months before deciding whether to call for
competing proposals from potential successor registry operators
for the Registry TLD. During this 6 month period, ICANN may
request Registry Operator to provide, and Registry Operator
shall provide, additional information concerning the Renewal
Proposal that ICANN determines to be reasonably necessary to
make its decision. Following consideration of the Renewal
Proposal, Registry Operator shall be awarded a four-year
renewal term unless ICANN demonstrates that: (a) Registry
Operator is in material breach of this Registry Agreement, (b)
Registry Operator has not provided and will not provide a
substantial service to the Internet community in its
performance under this Registry Agreement, (c) Registry
Operator is not qualified to operate the Registry TLD during
the renewal term, or (d) the maximum price for initial and
renewal registrations proposed in the Renewal Proposal exceeds
the price permitted under Section 22 of this Registry
Agreement. The terms of the registry agreement for the renewal
term shall be in substantial conformity with the terms of
registry agreements between ICANN and operators of other open
TLDs then in effect, provided that this Section 25 shall be
included in any renewed Registry Agreement unless Registry
Operator and ICANN mutually agree to alternative language.
C. In the event that ICANN fails to award a renewal registry
agreement to Registry Operator within the 6-month period
described above, Registry Operator shall have the right to
challenge the reasonableness of that failure under the
provisions of Section 15.
D. In the event ICANN does not award Registry Operator a
renewal registry agreement according to Subsection 25(B), ICANN
shall call for competitive proposals and Registry Operator
shall be eligible, to the same extent as similarly situated
entities, to submit a proposal in response to such a call and
to be considered for such award.''
\16\ http://www.icann.org/announcements/announcement-21nov05.htm.
______
Questions Submitted by Hon. Daniel K. Inouye to Dr. Paul Twomey *
---------------------------------------------------------------------------
* Response to written questions was not available at the time this
hearing went to press.
---------------------------------------------------------------------------
Question 1. One of ICANN's overarching principles is to create a
transparent, ``bottom-up'' consensus driven system of management. Many
critics argue that ICANN has strayed far away from this principle. What
response do you have to claims that ICANN does not satisfactorily
inform the public of its decisionmaking process, such as, in the case
of the dot-biz, dot-org, and dot-info proposed contract agreements?
Question 2. How do you respond to critics who note that ICANN has
yet to substantially involve Internet users? For example, the stalled,
and ultimately abandoned, attempt to hold open elections.
Question 3. Is the involvement that the NTIA had on the creation of
the dot-xxx domain name representative of the decisionmaking process in
ICANN?
Question 4. ICANN has been praised for its attention and success in
the areas of stability and security of the DNS. However, the proposed
agreement with VeriSign and the general evolution of the Internet has
raised new concerns. Under the terms of the proposed agreement, ICANN
and VeriSign are only required to meet to discuss security every 6
months. Is 6 months often enough to ensure the security of the DNS?
Question 5. The terms of the proposed VeriSign agreement reduces
ICANN's power to terminate the agreement. Compared to the 2001
agreement, how does this weaken ICANN's ability to oversee the dot-com
registry and maintain the security of the DNS?
Question 6. Do you think that breaking ties with NTIA's governance
will make the Internet vulnerable to other governing bodies?
Question 7. How do you address the concerns of those who feel that
the MOU should be renewed before the proposed VeriSign agreement is
approved or denied in order to address security concerns?
Question 8. The lack of transparency in the ICANN decisionmaking
system also extends to the budget. How do you address concerns about a
lack of accountability for the ICANN budget?
�