Unredacted: ICANN's hidden role in fierce battle over .Africa rights

Damning review was censored – but we've seen the full report

Domain-name overseer ICANN's pivotal role in a controversial fight over .africa is today revealed in full for the first time.

An independent review into the .africa saga, which was two years in the making, concluded that ICANN had broken its own bylaws: the organization had failed to properly investigate claims made by one of the two applicants battling for the rights to own the top-level domain.

But before the 63-page final report [PDF] was published last week, repeated references to ICANN's own involvement in favor of one of the applicants were systematically removed by the organization itself.

The report contains no less than 39 redactions, many pulling out entire paragraphs of text. The Register has obtained a non-redacted version of the report [PDF], and we can say that most of those redactions concern the fact that ICANN's head of operations, Dai-Trang Nguyen, drafted a letter that was then used by ICANN to advance a competing .africa bid.

There were two applications for .africa. The first came from DotConnectAfrica (DCA), which originally received support from the African Union Commission (AUC), Africa's equivalent of the European Commission.

Subsequently, however, the AUC decided it wanted to be in control of the .africa internet space, and so rescinded its support for DCA and ran its own process to find a company to run the top-level domain. DCA refused to participate in that process, and applied through ICANN's processes for the rights to the dot-word itself. As a result, it ended up in conflict with the company that the AUC eventually chose: South Africa's ZACR.

In an effort to push its choice, and eliminate the DCA bid from ICANN's process, the AUC then carried out an extensive lobbying campaign, including lodging formal objections to the DCA bid. In response to that campaign, ICANN rejected DCA's application. And DCA appealed the decision.

More than two years later, an independent review of ICANN's rejection decision found that ICANN did not properly investigate DCA's claims and so had acted unfairly.

However, what the report also revealed – and which ICANN then removed before publishing – was that ICANN's staff had assisted the AUC and its competing bid.

Questions raised

An early letter to ICANN from the African Union Commission (AUC) in support of its own candidate to run dot-africa did not fulfill ICANN's criteria, was not in the correct format, and sparked a "clarifying question" from the third party that ICANN tasked with checking that the bid had the requisite support.

In response, the AUC privately asked ICANN staff for help, and no less than ICANN's head of operations obliged, drafting a new letter that, unsurprisingly, fulfilled all the necessary criteria.

That ICANN-drafted letter, duly signed by the AUC, was then used as the key piece of evidence to show that ZACR had sufficient support for its bid, and just a week later ICANN signed a contract with ZACR to run .africa.

Essentially, ICANN drafted a letter in support of ZACR, gave it to the AUC, and the AUC submitted the letter back to ICANN as evidence that ZACR should run dot-africa.

Not exactly Switzerland

This process in which ICANN engineered approval of a particular application, and so undermined its own requirement to act "neutrally and objectively with integrity and fairness," was repeatedly referenced in the independent report.

In one redacted section, ICANN admits it wrote the letter, but argued that it "did not violate any policy in drafting a template letter at the AUC request." Later on it said that there was "absolutely nothing wrong with ICANN staff assisting the AUC."

However, ICANN's failure to act neutrally may put the entire ZACR application at risk.

ICANN also redacted mention of a number of other related accusations: for example, ICANN allegedly told InterConnect – which was, along with other consultants, scrutinizing dot-word applications – to take the ICANN-drafted AUC letter as evidence that all African governments fully supported ZACR for the dot-africa job.

If true, it is another clear violation of the organization's neutrality.

Next page: Broader problems

Similar topics

Other stories you might like

  • There’s a wave of ransomware coming down the pipeline. What can you do about it?

    AI can help. Here’s how…

    Sponsored The Colonial Pipeline attack earlier this year showed just how devastating a ransomware attack is when it is targeted at critical infrastructure.

    It also illustrated how traditional security techniques are increasingly struggling to keep pace with determined cyber attackers, whether their aim is exfiltrating data, extorting organisations, or simply causing chaos. Or, indeed an unpleasant combination of all three.

    So, what are your options? More people looking for more flaws isn’t going to be enough – there simply aren’t enough skilled people, there are too many bugs, and there are way too many attackers. So, it’s clear that smart cyber defenders need to be supplemented by even smarter technology incorporating AI. You can learn what this looks like by checking out this upcoming Regcast, “Securing Critical Infrastructure from Cyber-attack” on October 28 at 5pm.

    Continue reading
  • Ransomware criminals have feelings too: BlackMatter abuse caused crims to shut down negotiation portal

    Or so says infsec outfit Emsisoft

    Hurling online abuse at ransomware gangs may have contributed to a hardline policy of dumping victims' data online, according to counter-ransomware company Emsisoft.

    Earlier this month, the Conti ransomware gang declared it would publish victims' data and break off ransom negotiations if anyone other than "respected journalist and researcher personalities" [sic] dared publish snippets of ransomware negotiations, amid a general hardening of attitudes among ransomware gangs.

    Typically these conversation snippets make it into the public domain because curious people log into ransomware negotiation portals hosted by the criminals. The BlackMatter (aka DarkSide) gang's portal credentials (detailed in a ransom note) became exposed to the wider world, however, and the resulting wave of furious abuse hurled at the crims prompted them to pull up the virtual drawbridge.

    Continue reading
  • Windows XP@20: From the killer of ME to banging out patches for yet another vulnerability

    When NT and 9x became one

    Feature It was on this very day, 20 years ago, that Microsoft released Windows XP to General Availability.

    Regarded by some as the cockroach of the computing world, in part due to its refusal to die despite the best efforts of Microsoft, XP found its way into the hands of customers on 25 October 2001 and sought to undo the mess wrought upon the public by 2000's Windows Millennium Edition (ME). While ME used the Windows 9x kernel, XP was built on the Windows NT kernel, formerly aimed at the business market and a good deal more stable.

    It also upped the hardware requirements on its preceding consumer OS. Where ME recommended 64MB of memory, XP wanted at least 128MB. And although masochists could run ME on a VGA screen, XP insisted on a minimum of SVGA. It all seems rather quaint now, but could be a painful jump back in the day.

    Continue reading

Biting the hand that feeds IT © 1998–2021