GAC Open Meeting with the ICANN Board Tuesday, 27 October 2009 ICANN Meeting Seoul, Korea >>CHAIR KARKLINS: Good afternoon, ladies and gentlemen. I would like to welcome board members to the board/GAC open session, and I would welcome all those representatives of the community who decided to spend time with us, listening to this discussion. We have today two agenda items. One is IDN ccTLD fast track, and the second is the new gTLDs. And if you would accept these two items, we would start immediately with the first one. And as it is a custom since recently on the board meetings, there is agenda items which are -- there are decisions which are taken without discussion. And I don't know whether the first one, proposed item on fast track, may belong to that category. But what I would like to say is that we had a very interesting session on Sunday related to the final version of the implementation plan of the fast track. This session was preceded by a conference call with the staff explaining the proposals which were put in the final version before that version was formally published. And what I can say on behalf of the GAC, without prejudging the formal statement which will be part of the communiqué, that GAC appreciates developments which has led to the current state of preparation and level of acceptance of implementation plan. GAC notes that there was exemplary cooperation between different supporting organizations and advisory committees throughout the preparatory process, the preparation of the fast track from the very beginning to the very end. And that may serve, maybe, as an example in our future work. And we also note the date of proposed implementation, 16th of November, which was wisely chosen because that coincides with the IGF meeting in Egypt. And I think that the noise which -- or positive noise which will be created with this date or at that date, when I heard that number of countries will submit applications already on 16th of November or on 17th, will create a positive momentum in IGF as well. So on maybe less serious note, I can say that GAC will keep you accountable -- I mean, GAC will keep board accountable for the money spent yesterday celebrating introductions of IDNs if Friday's decision will not be the way as we expect it to be. [ Laughter ] >>CHAIR KARKLINS: And we will keep you accountable for spend money. Not for the decision. But no, it was a joke. At least I tried. [ Laughter ] >>CHAIR KARKLINS: So that would be remarks from my part. And I'm looking around if there is somebody else who wants to come in and add something from GAC side. I see no requests from the board side. >>PETER DENGATE THRUSH: Thanks, Janis. I just want to agree and endorse all that you have said. I think this certainly is an occasion for celebration, and it is the result of the cooperation that you have worked towards. And what I'm pleased about is that in the end the solution is something that preserves something that is very strong in the ccTLD community and very strong, I think, in the GAC, and that is the nature of the relationships. And that has been preserved. And I think I welcome that. >>ITALY: Just to report that in the press the news that there is revolution in the Internet addresses is not only Latin characters has already sold the news. So we very hope that the board will approve -- >>PETER DENGATE THRUSH: One of the suggestions we have had for these meetings is we should actually have the board meeting on the Monday and then do all the work during the week. And perhaps we have started that by having the celebration first and then moving through. >>CHAIR KARKLINS: So that brings us to the second issue of new gTLDs. We had -- First of all, we would like to start by thanking ICANN staff for the work which has been done intersessionally engaging with the GAC. We had a number of interactions with the staff members with Kurt Pritz, with Doug Brent on the issues. And we appreciate that because we usually do it at noon UTC, which is early time in California. And at no moment there was any hesitation to accept our requests for engagement and explanations. Intersessionally -- namely, on 18th of August -- the GAC submitted comments on guidebook Version 2 as we promised in Sydney. And we welcome response of the board on our comments. Certainly we understand the complexity of the issue, but we think that new gTLDs should be introduced at the early possible moment, because it is GAC's view that new gTLDs should be put in place as soon as possible. And we want to contribute in a very positive way to this process. We understand the complexity of the issues, and we are trying to do our best in our comments, in our submissions, to contribute to possible solutions of the issues, and our comments should be taken exactly from that perspective. We had this time a long session where we talked about implementation of -- sorry. We talked about protection of intellectual property rights. We had a briefing from representative of WIPO. Equally, the chair of IRT was present in the room and then briefed the GAC. And we had a very good exchange on this particular subject. We listened to representatives of law enforcement agencies who gave their perspective on the issue. And I identified a number of points which are new, and which appeared since the meeting in Sydney. And I'm referring to the root scalability study. And in this respect, we would like maybe to start the session -- or maybe to construct the session more as asking questions to the board on different issues, but which we think need to be resolved as soon as possible. And the first issue is -- our first question, what I would like to ask is what is the board's perception of the -- or what could be the consequences of the scalability study? And what changes the conclusion of the study brings to the landscape of question of new gTLDs, introduction of new gTLDs? How you see that. And what impact that that will have to the process and to decision- making on the new gTLDs. >>PETER DENGATE THRUSH: Thanks, Janis. Well, the short answer is that we haven't yet had a chance to finish that work. And the root-scaling study is only recently out. It's now getting processed by the rest of the technical community. It's being digested. It's being, hopefully, peer reviewed. And the board technically is now waiting for advice in relation to that from RSSAC and SSAC. So that's the technical position. The reality is that we take this -- all of the information contained in that very seriously. The obligation is first to do no harm. And the security and stability of the Internet is something that's, again, deeply in the DNA of ICANN, and certainly something the board is very much aware of. So I think with those sort of high-level comments from me, there's probably some more useful comments from some of the more technical board members who have been engaged. The board had some deep engagements on this issue, and I am looking at Thomas, who is a member of the IETF; Harald, who is a previous chair of the IAB; Bruce, Ram, other board members. If they want to make a specific contribution about the reports themselves. The summary of it, I think I mentioned some of this also in my opening comments, but we understand what introducing DNSSEC may well do, and the issue of introducing simultaneously an increasing number of gTLDs along with IPv6 is all something we have to handle very carefully. Let me just close by making perhaps the obvious point. It's not the number of TLDs. It's the characteristics -- if you like, the size of them -- that makes the difference. So adding small ones may well be different from adding ones that become enormous. Thomas, is there something you want to add either on the technical level about the studies themselves or perhaps about the way you have seen the board approaching the topic? And obviously Harald, Ram, others who have been contribute to go the board debate, I would appreciate it if you were able to contribute to this joint session. >>THOMAS NARTEN: Thank you. I don't really want to add too much to that, other than just to say as you indicated, the study is just out. It is being digested by the community. I think we just have to have time to allow people to sort of come to grips with what the implications are and whether it has implications for ICANN. And numb we get sort of more concrete advice and more specific advice, we need to just sort of wait. >>PETER DENGATE THRUSH: Thanks, Thomas. I see Ram Mohan coming forward. Thanks, ram. Ram is the chair -- excuse me, the liaison from the Security and Stability Advisory Committee. >>RAM MOHAN: Thanks. I will echo what Thomas said. One thing that I just wanted to mention is, what's very clear from that study and that SSAC is certainly digesting is it's not just about the number of top-level domains you are adding. It's about the rate at which you are adding them. It's the rate of change that is, in some ways, perhaps more important than just the number of TLDs. So we don't really have a final recommendation to come out for the board to look at as of yet, but in general, the advice that is coming through to the board is be conservative in how abruptly you want to add to the root zone. >>CHAIR KARKLINS: Thank, Ram. So now -- >>PETER DENGATE THRUSH: Bruce as well. >>CHAIR KARKLINS: Sorry. Bruce. >>BRUCE TONKIN: I don't want to get too buried into the topic either, but I just thought I would mention there are two types of limits that are being considered. One is I guess down at the sort of technical computing level, so things like DNSSEC make some of the files bigger, so that has implications for computing resources, networking resources and so on. And then the other aspect of it in the system is business processes. And so those business processes include processes on the ICANN side, like approving applications, approving contracts. And then there's business processes when you go through to putting changes into the root and the business processes used for making changes to the top- level name. So at the moment, typically when change gets made, I think a day someone was saying, or a month, then if there's lots of new names, then there's more changes being made in the business processes that would need to adapted to cope with the larger system. So technical issues and business process issues. >>CHAIR KARKLINS: Thank you. European Commission. >>EUROPEAN COMMISSION: Two points. One regarding the practice. And I made that point already in the Affirmation of Commitments. Would it not be a good practice to do this kind of study early on before one launches processes and before some of this stuff is already implemented, is on the way of being implemented, like DNSSEC? Because the choice that the board has then to do things is going to be more limited. Secondly, I'm coming back to IDN implementation. We learned this morning that that DNSSEC will see the world only on July 1st, because it remains internal until then. And then we have to see how the system behaves. Now, what is the implications of that on the rollout of IDNs? Thank you. >>THOMAS NARTEN: So just let me try to answer at least part of the question. The notion that we have to roll out DNSSEC first and then wait and see what happens, and then maybe roll out IDNs, that is not a decision we have made yet. It is not clear that we need to make that decision. What the root server scaling study is really saying is that you have a system that's fairly complex, and as you make changes to the system, you know it takes time for those changes to sort of ripple throughout and for you to fully understand what the implications are. Now, today we make changes to the root zone on a daily basis. There are sort of normal updates that come along with updating servers and so forth. We create new TLDs sometimes and do a new delegation. And enabling DNSSEC in the root is going to be one more change, it's going to be a quantitatively different change than what we have seen before. And so there might be some implications from that that are different, but it doesn't mean we can only do one thing at a time. And one of the things that the sort of technical community and we have to grapple with is how much change we are willing to make over what period of time. And until we get a more concrete recommendation or understanding, it's really premature to say that we aren't going to be able to do TLDs until such and such a day. We are still in the information gathering state. Ram, do you want to say something else? >>RAM MOHAN: Very briefly to add on to that. When I read the root- scaling study, what comes out at me is there is capacity in the system, and the primary finding is to go in a conservative manner. And what it means is, as Thomas is saying, it doesn't mean stop and do DNSSEC only first. That's the way I read it, and there will be advice coming out. As for IDNs, the question on IDNs, from the way I look at it both IPv6 and IDNs are basically nothing to really worry about. It's not something that there's a great deal of focus on. What you are talking about with the IDNs is a string that is a few characters or many characters longer than a regular ASCII -- English language or ASCII string. But in terms of what it does to scaling, it doesn't seem to be a significant thing. That's just my personal reading of it. >>PETER DENGATE THRUSH: Just when you are saying "IDNs," I assume that's shorthand for ccTLD IDNs. And at this stage there are not going to be any more than 30 in the fast track, as far as we can tell. So again, that's a very small number, quantitatively. >>EUROPEAN COMMISSION: Could you perhaps answer the first part as well of my question regarding the timing of such -- such a study? Because, Rod, you weren't there, but we have been continuously asking in this kind and the specific questions, will the system be able to cope with changes regarding new gTLDs? We've asked the same question regarding DNSSEC. The question we haven't asked is, will the system be able to do it at the same time. But not having asked this question doesn't mean that one shouldn't look at these things very early in this stage to have all the options open. >>ROD BECKSTROM: Thank you, Michael, for that comment. And I believe that those are issues that the RSSAC and SSAC committee are discussing and debating, is what are the implications of each of these elements and then doing them simultaneously or staggering them, as Ram mentioned. I think the issue that's been stated with respect to the IDN ccTLDs is that the expectation is certainly that the number is quite limited of those. And so there's not been an expressed concern heard yet by parties about that small potential change in the scale of the system. Not to say that it's without any risk whatsoever. But it's been viewed as being perhaps very, very small. And so we are still waiting for the feedback from -- as stated in the beginning of this discussion, from the RSSAC and the SSAC on these issues. And I think your points are well taken. >>CHAIR KARKLINS: So I see Thomas is moving to add something. >>THOMAS NARTEN: One other thing is worth putting into context. I think that the scalability study was done or was sort of done in the context of how many TLDs are we talking about? And there is no answer to that. So when we say can we do new TLDs and DNSSEC? Some people may be thinking, well, I've heard numbers of 10,000 or 100,000. Okay? That's qualitatively very, very different than 100 more per year. And up until this point, ICANN has not really been very clear about whether there is an upper bound on the limits over the next two or three or four or five years. And some people certainly in the community have been advocating, you know, TLDs to everyone, which implies a very large number. >>CHAIR KARKLINS: So I have two speakers now from the GAC side, Sweden and U.K. >>SWEDEN: Yeah. Thank you so very much, Janis. We had a very interesting presentation from Lars-Johan Liman on the root scalability report. And, of course, it raised a lot of questions. So I -- it was interesting to hear his view upon introducing DNSSEC in a small root, which will affect in a certain way than doing it -- introducing when it's become much larger. And then you said, like, hundred instead of hundred thousand. But how do you know it's hundred? I mean, you don't know. No -- exactly, you don't know. So you have to prepare for whatever, which means that that kind of element is also very important to consider. And of course we can talk about all this and do it in certain orders and all these elements of IDN fast track, DNSSEC, IPv6, and gTLDs. But what I am very interested in is the process that's going to lead to the decisions and what kind of facts or advice are going to be taken into account during the process step by step. Thank you. >>PETER DENGATE THRUSH: Can I just respond to one point? It's not the number of applications that's the worry. It's the rate at which they're introduced to the root. So we could open applications and get 10,000. That doesn't mean we're going to release them all at once or even in one year. We would then have the problem of an allocation policy program under that. So serious people are putting to us that we should open the application process and then close it and get the number of current -- that are currently interested. Let's see what the market does. Maybe that's a way of answering the question. Because we cannot just keep going on wondering how many are going to come in. Why not perhaps open the process for a period and then close it. >>CHAIR KARKLINS: Mark, United Kingdom. >>UNITED KINGDOM: Thank you, Chair. I think you mentioned the market. And I think we're coming on to another kind of related issue there in terms of the groundwork. Just on the technical side, I think governments are coming to the view that a thorough examination of all the technical impacts in all scenarios and all kind of migration paths, if this happens, we do that. If we don't do that, what will happen if we do that? What are the exit strategies? All that kind of thorough explanation of anything major to be done to the root is done at the earliest possible stage. We in government were just very surprised, as we've made clear at the last meeting with you, that this root scaling report came at such a late stage. And on the market side, again, we've been very critical of ICANN in not undertaking the thorough market and economic analysis that will tell you, what is the likely demand? Or what would impact on demand? We've continued to be dissatisfied that the amount of analysis on that side just had not been undertaken. And we note what you said in your reply to us, that there is going to be further economic analysis. And we obviously will track that and look forward to the results of that with very keen interest. And there is a lot of interest. But also, my ministry is called department for business. And we've got business stakeholders who are coming on to me and saying, "There's no timetable. We're investing money." So there's a lot of angles to this that are of great public interest. And, you know, sorry to reiterate again, but we are, you know, continuing to express concerns that the whole process seems to have been back-to-front or not thorough enough. And I think that's going to be the sense of view from the governments around this table. Thank you. >>ROD BECKSTROM: Thank you very much, Mark, for sharing that. And I think that being somewhat of a newcomer to this, but being somewhat of an old-comer to looking at decentralized and complex systems and how they interact, I think one of the fascinating challenges in the Internet is that it is such an incredibly decentralized phenomenon. And ICANN's role as a policy authority on names and numbers and a policy platform for developing does not mean that we control the various elements and pieces, which is what, for example, we do run one root. But the 12 roots and the root policies are -- and practices are established by the root server operators. The ISP have their set of practices, which -- and both of those relate deeply to DNSSEC, for example. As well as IPv6 and scaling the root, many other things. So in a highly complex, decentralized system, I think what we see taking place with the new gTLD program is an iterative process where certain problems get solved and then other parties bring forth other issues. And there's an iterative solution set. So this is a highly complex problem. And I think that certainly the hope that we have and I have in getting involved here is to do our utmost to run those iterative processes in a constructive fashion to move towards the highest level of relative -- I don't want to say relative certainty, but well-managed outcomes, with the best information from the parties bubbling up through the bottoms-up process. And that inherently is frustrating to some business people that may want a tight time frame, understandably, because then they can plan their investments and know what to expect of what's going to come when. But that expectation for specific tight time frames is simply incompatible with a multistakeholder process with multiple appeals, multiple reviews, et cetera. And yet I think that we shall endeavor to do our best to find a middle path and incorporate that feedback. So thank you. >>PETER DENGATE THRUSH: And I'm not sure it's productive to keep running the same issues again and again. The issue is not about the ability of the root to handle more TLDs. All the technical advice the board has had about that for years has been, there is no real problem with the addition of large numbers of TLDs to the root. The rate of addition is an issue. But never really a problem about adding hundreds or thousands more to the root. The issue that emerged, to our surprise, was the cons- -- the simultaneous emergence of a rush to DNSSEC and the TLDs and IPv6. Now, that's -- they came together in a different way. And so this root study, this scalability study, is looking at the effect of the concentration of those three things. And we did that as soon as it became clear that those three things may all happen at once. So I think it's not that we decided in a fit of enthusiasm to add a lot of TLDs to the root and only late suddenly thought, we better check if this is going to cause any concerns. Right from the beginning, nontechnical people like me were asking, "Will the root be able to take more?" And we were assured by competent technical people that it could. And that advice hasn't changed. There seems -- no one is suggesting at this stage an upper bound. The problems that have been emerging have been different. As Bruce has suggested, some of them are system ones. You've got to be cautious in criticizing the time this study was done, because it's a different study from the way that was portrayed. And I think we've been through this a couple of times before. I thought we made that reasonably clear. But we can do this again if you want to next time. >>CHAIR KARKLINS: So I have U.S. and France. Suzanne. >>UNITED STATES OF AMERICA: Thank you, Janis. I did want to simply flag some additional concerns and I guess sort of give you a heads-up that you are not likely to get comments from the GAC on DAG V3, because, actually, we -- the time line is awfully short. But the outstanding questions, the related issues of the -- how the root scalability study will be factored in, economic study, there's an outstanding issue, certainly there are several outstanding issues on intellectual property protection, and whether those concerns have been adequately addressed, I think that remains outstanding. There's a question, there was a very good session on registry/registrar separation, the integration, vertical integration - - sorry, I'm not being very articulate at this point. And, of course, we have the enduring consumer harm questions. And that is, you know, first and foremost. I hope you don't mind. I would like to give an opportunity to two law enforcement colleagues, because I know that several of you probably were not able to attend the session Monday afternoon. But just to reinforce the concerns that there are about criminal behavior that they currently have to deal with continuing, being addressed now and continuing. Thank you. >>PETER DENGATE THRUSH: The answer is, yes, I'd welcome an opportunity to hear from law enforcement. >>ROBERT FLAIM: Good afternoon. My name is Robert Flaim. I work for the U.S. Department of Justice, Federal Bureau of Investigation. I'm here with representatives of the U.K. law enforcement, the Korean National Police, the Thai Department of of Special Investigation, Ministry of Justice, and the Swiss federal police. We just wanted to bring a few things to the attention of -- to the GAC and to the board. We spoke at the first GAC session on Sunday. And we also were given the opportunity to address publicly ICANN and the community on Monday, which we did certainly appreciate. A very big thank you to Greg Rattray for doing that for us. And at yesterday's session, we saw that DNS abuse is still rampant. And we wanted to bring that to the attention, in light of the fact that there might be the new gTLDs and the applicant guidebook and everything like that. And as had been mentioned in a prior session, we view it as one and the same abuse. The old gTLDs is current. We also want to prevent any abuse from the new gTLDs. And as we saw yesterday, my colleague from the U.K., Paul Hoare, gave a very excellent briefing on the current examples of crime that currently exist. And we see that it's growing exponentially with the Internet. We also see that there's a huge increase in organized crime that is behind that crime. And it is imperative that ICANN, through self-regulation and enforcement of current policies, that they do that before other Internet bodies decide or governments decide to do that. We don't want the Internet to crush under the weight of its own -- well, crush under its own weight. ICANN needs to adopt best practices that are already adopted by the most responsible registrars and registries. And in light of that, law enforcement has drafted some due diligence recommendations. We have a short form and also long form that will give, in detail, exactly what we're referring to. And we will give that to the GAC for their review and for their advancement. And just so you know exactly what it's referring to, we have three basic principles: Due diligence, the WHOIS, and transparency and accountability. Due diligence, I think, refers to two things. Number one, due diligence on the part of ICANN to make sure that only the most responsible registries and registrars are accredited. Number two, due diligence concerns the registrar accreditation agreements, the RAA, the current ones and the proposed ones under the new gTLDs. We want to make sure that the information that is gathered by registries and registrars is actually validated. We want to make sure it's correct and accurate. We find that that is a growing problem and an ongoing problem concerning DNS abuse, concerning botnets, phishing, malware, Fast Flux, you name it, all the things that are out there. Secondly, we are also, you know, concerned that, you know, we want ICANN to make sure -- when we talk about due diligence on the part of ICANN, to make sure that we have registrars and registries that are free from criminal activities, that are sound financial institutions, and that are legally incorporated in the country or nation in which they exist. When we speak about transparency, we want to make sure that everything is clear-cut, that there is public accessibility to the information of who these companies are, who their parent companies are, who the board of directors are, officers, so on and so forth. Now, as I said, we're going to present -- we have two versions. One was actually at the request of ICANN, the contractual compliance, that we give something very succinct. We also wanted to make sure that we gave you enough information behind that so you'd know exactly what we're referring to. This has been drafted by the United States, Great Britain, Canada, Australia, and New Zealand. But I'll let me U.K. law enforcement partner tell you about the fact that it has been supported internationally by law enforcement, not just those particular five countries. We also view this as a perfect opportunity or vehicle concerning the Affirmation of Commitments. In light of that, we think this is a very good opportunity to go forth with the concepts and the principles in that. Our time line for seeing some of this actually get implemented would be Brussels 2010. The other thing that I just wanted to mention is that we have done this in consultation with registries, registrars. We've also spoken to the ICANN contractual compliance. And another thing that we also support is what was presented at our DNS malicious abuse was the high security zone verification program which ICANN itself has come up with. That, we felt, is an excellent concept. And as opposed to having registrars/registries opt into that, we would believe it would be the most productive that it actually would be mandated as a minimum standard for current registrars/registries, and also future registrars and registries. So with that, I will have my U.K. colleague, Paul Hoare, speak. >>PAUL HOARE: Thank you. My name is Paul Hoare. I am head of operations for the serious organized crime agencies, e- crime directorate. I just wanted to reiterate some of the key messages from law enforcement in regards to this. It's very important that you understand that we're not here as a U.K. agency and as the FBI. We have consulted widely with the global law enforcement, including the Interpol cyber working groups and the G8 cyber working groups who give explicit support to this proposal. So it's not five countries that are here. It's the global law enforcement that are represented. It's really important self-regulation is positive. It must be obligatory in whatever form is taken by ICANN. The RAA must be amended in our submission. Best practice must become regulation. Compliance as well. It's important compliance is swift and doesn't take several months strung into years for compliance to be dealt with in order to ensure that criminal groups don't have the opportunity to establish business continuity plans where they can simply move. We feel that -- certainly law enforcement globally feels that the submissions that Bobby has put forward are in the public interest and we feel it's a good opportunity for ICANN to demonstrate their commitment to the AoC values which were flagged earlier at the start of the week. Make sure I cover everything. The proposals we put forward are not just law enforcement view, certainly not Draconian law enforcement view. We want them to be workable within a business plan and economically viable. But the standards sought by law enforcement and governments need to be reached. And if this means that some can't reach this standard, that's unfortunate, but it needs to be accepted. As the presentation, it seems to be my want to keep everybody from leaving this week. I was last on yesterday, last on today, and I am going last on Thursday as well, I think. But examples of DNS abuse are -- on an industrialized scale are available, and certainly I am more than happy to give the further presentation to anybody who would be interested in those examples. And certainly in the DNS abuse session that's on Thursday I will be talking further about the RAA amendments that have been submitted and the issues raised. I think that's it. Thank you. >>PETER DENGATE THRUSH: A couple of quick responses. First of all, let me say thank you both very much, Mr. Flaim and Mr. Hoare. I actually was in some of the session on Monday and appreciated the range of skills that were on display there and also what Greg Rattray has been doing. This is something that's getting greater attention in ICANN. So thank you for your participation in that. And thank you, really, for what's a fantastic demonstration of multistakeholderism in action. The principle is when you have got a position, you have to bring it forward. And you are doing that. And that's just what this is all about. If there's any doubt about it, there is obviously every intention to cooperate. We have it take action against misuse. We do want to cooperate with law enforcement on issues such as this. And it's another demonstration, also, of multistakeholderism in terms of the community work that you have done. The fact that you have reached out to all the other countries and agencies that you have done is further proof of the model in action. So that's a tremendous session. I am going to defer to Rod who is an expert in security by comparison with me. I just have two questions in relation to our current topic. What is the difference, in your view, either in rate or in nature, or quantitatively or qualitatively, in all the problems that you describe, that more TLDs in the root will cause? And does it make any difference if they are IDN TLDs? >>ROBERT FLAIM: Well, I think the problem that we have now is that you currently have 21 gTLDs. And if we go forward with hundreds of gTLDs, it's just more of an opportunity for abuse. I don't think there's a difference. I just think it's more quantitative than qualitative. >>PETER DENGATE THRUSH: But I don't understand, because even if there were three TLDs, wouldn't there be the same -- I don't see how the number of criminals and the extent of their activity and the targeting is affected by how many TLDs they have to use. So help me with that. And does it make any difference, on that theory, if they are IDN or ccTLDs or generic TLDs? There's a big disconnect in my mind between criminal activity and the number of TLDs. >>PAUL HOARE: I think from our point of view, the most important fact is that there's a common standard across all the TLDs, so that law enforcement and industry know exactly where they stand, actually, with removal of abusive domains. What we have seen recently is certainly the growth of where organized crime are becoming more involved in it, and that bring their trade craft with them. There is a tendency for them to set themselves up as legitimate business, to use people with no previous convictions, not previously known to law enforcement set themselves up as legitimate business and then allow criminals to use and abuse through that domain system. I think the introduction of the new TLDs, it will be easier to report six months after they are in, I think, rather than beforehand. >>ROBERT FLAIM: I think the big difference isn't the fact that new gTLDs are being introduced. That's just part of the equation, one of the variables, if you will. Our current issue is the current system. You know, we're trying to correct a lot of problems with the current system, so we are using this as an opportunity to correct the current problems and prevent any future problems. >>PAUL HOARE: One further point. Sorry. We have seen crime being very adept at utilizing methods that draw people into being defrauded. Therefore, we have got to be very careful about the naming of gTLDs which are issued. Because certainly what undoubtedly will happen is they will look to source gTLD names, which look on the face of it trustworthy and will attract more victims. >>ROD BECKSTROM: First, I just want to thank you, Robert and Paul, for your excellent thoughts, well considered work that you are bringing forward and the collaboration that you have shown with your partners around the world. And secondly say that in addition to the work that you are doing to present to the GAC that they will review and then bring forward to the board, which is excellent and is valued, I also want to mention that with the Draft Applicant Guidebook public comment period being open, it would also be excellent to get your feedback into that process if you deem it appropriate, because one of the opportunities, of course, we have with new gTLDs is to set up different contracts with different disclosure, different reporting requirements. And as I'm sure you have already noted, there are background checks and things that are involved in new gTLDs that may not have been involved in the past. So we would certainly very much welcome your and other law enforcement parties from around the world engaging in this comment period that ends on November 22nd, only because, again, we get to shape the contracts moving forward and have more control over them than perhaps we have had in the past. And at the same time that new gTLDs might create new opportunities for malicious actors, at the same time it might actually create an opportunity for more secure new gTLDs and raising the bar moving forward. But like Peter, I really want to thank you very much for entering and engaging with ICANN and the community, and that we very much value that and look forward to hopefully a very productive long-term relationship. >>CHAIR KARKLINS: Thank you. We're five minutes away from the end of the session. I have Bruce and Steve Goldstein, and then I will take one more intervention from the GAC. So Bruce. >>BRUCE TONKIN: Thanks, Janis. Just coming back to the question about demand, and I just wanted to put some sort of numbers out there just so people who perhaps aren't as familiar with the industry have a feel for it, you can address demand at several levels. You can address demand for a top-level name, you can address demand for second-level domains, and you can address demand by users that actually use domain names as opposed to other methods of never getting on the Internet. So taking the top one, the demand for top-level domains, the staff estimates, and that's based on actually going and asking potential applicants as well as, I guess, just the general activity of requests and information people are asking for, their estimate at the moment is of the order, and this is not exact numbers, but of the order of sort of 500 new top-level names over three years. If you asked me, as opposed to the staff, that question a year ago, it was probably under a hundred because we are in an economic recession in many parts of the world. Asking the question now, I think it's certainly in the hundreds. And I think the economies in many parts of the world are recovering so it could well get back up to the 500 mark. But it's certainly not tens of thousands. It's in the hundreds. And it's just a question of how many hundred. This is over, say, a three-year time frame. As Peter pointed out, and this even applies to IDN ccTLDs, there's a difference between the part of the process where a person applies or an applicant applies and is granted a TLD and when they launch. So last time ICANN requested applications for top-level names was in 2004, and those names were -- it's probably, say, of the order of ten applications that got through the process. They were added to the root over a period of about five or six years. So even though we had -- there is a posting from ICANN that said they might have finished the discussions on the topic of dot post. That was 2004 and it's now 2009. So the input is one thing, so you might have several hundred applications. You are not going to have several hundred applications deployed in the root in the first year. So it's just giving you a feel of numbers of demand at the top level. Then if you look at the second level, the numbers there, there's about 184 million registrations at the second level across gTLDs and ccTLDs. Of the 184 million, about 74 million are in ccTLDs. That's growing roughly at 10% a year, in some prior years it's been growing at 20%. So last year actually slowed down quite a bit compared to some previous years, but roughly the second-level domains run about 10% a year, currently. So that's 10% on top of 184 million second- level registrations. Most of those registrations are for the traditional com, net, and org, or for the traditional ccTLDs. People want to be associated with their country. But companies are looking for names and things like dot TV, not because it's Tuvalu, but because they're looking for a short, simple name that represents their products. That shows people register things like dot TV or dot ME because they like the name and they think it's simple. So expect that those second-level registrations in a new gTLD would continue. Addressing user demand, users use domain names in e-mail addresses, and they use domain names in Web addresses. Those are probably the two biggest applications. In Web addresses, a lot of people have said that search engines will mean the death of domain names, because people will just type in a search term and then click on whatever comes back from that search term and won't need to use domain names, or they'll use social networking sites and click on banner ads and things so they won't need to use domain names. But currently there's no evidence of that happening. Users are still using domain names. And in many countries where domain names have been around for a long time, they're very common on, you know, newspaper advertisements, on television campaigns, on the radio. And so a lot of people use them as a way of directing people from offline environments to the online environments. I don't think we're going to see the death of domain names from a user point of view. Finally, on IDNs, IDN growth, talking specifically at the second level, because IDNs have been used at the second level for some time, still hasn't really got much traction in the gTLD environment. There may be a bit of growth in some of the ccTLDs. But in gTLDs, it's very early. It just goes to show you the inertia in the system. Because there was a lot of software applications that can't use IDNs, even at the second level. E-mail doesn't handle IDNs properly yet, either. So still more application work going on. Because of that, most companies won't use them, because they know a lot of their users won't be able to use them, only if they saw it on a billboard or something. So it's very rare to see an IDN on a billboard. So I just want to put some perspectives on demand. If you're asking for demand, usage by actual users of IDNs are still very low. We obviously expect it to grow. But it's at the very early stages of use by Internet end users. >>CHAIR KARKLINS: Thank you, Bruce. I have -- we are two minutes past the time. And we have a number of hands up. And, unfortunately, we will not be able to take all of them. I have already announced Steve Goldstein. But, Steve, if I may ask you, 30 second. And then I will give floor to our next host, from Kenya. And that will bring us to the end of the session. Sorry. Steve. >>STEVE GOLDSTEIN: Okay. I was very, very encouraged by the constructive and very informative input from our law enforcement people. As a board member, I want to ask a naive question. I know there are some interactions on an informal level between our people and your people. But can your resources be used in a formal sense to help vet some of these applications in the future? >>ROBERT FLAIM: That's a very good question. And that would be something that we would have to explore on our headquarters level. But we would certainly want to -- since we came up with the proposal, we would certainly want to do everything that we can to support that. So we would -- you know, it's a very sensitive issue. But on a -- if we could do it nation by nation based on the location, we would certainly look into that. >>CHAIR KARKLINS: Thank you. And the last speaker is Alice from Kenya. >>KENYA: Thank you, Chair. My question, actually, has already been responded to. I wanted to find out about whether there had been a study conducted on demand, especially taking into consideration -- I wanted -- we wanted to find out how the cost, application costs h been estimated, whether they were based on a demand study. That has been responded partly. So we can discuss that later. But to also welcome you all to Nairobi in March 2010. Thank you. >>ROD BECKSTROM: Quick response here. Thank you, Alice. And we look forward to being in Nairobi in March. The application cost -- the application fee, which is an expected fee, was based on an estimated -- some of the costs of administering the program. And I think many attempts were made to keep those costs as low as possible. It certainly was not driven by demand. It was based on a cost analysis of running the application process, which is quite a bit easier for an IDN ccTLD than for a gTLD, hence the great disparity in cost. The current forecast pricing for the gTLDs is 185K for the application, whereas the IDN ccTLD is $26,000, or a fraction. >>CHAIR KARKLINS: So thank you very much. On behalf of the GAC, I really appreciate your presence here. And, in fact, this was very intensive discussion during two hours. And thank you very much, indeed, for your time and for your engagement. I was informed that the last bus to the gala event leaves in 25 minutes. And that's why I think that we should end not to miss the last bus. And I am not sure that the last bus will accommodate all the people in this room. So -- and I apologize to those GAC members and board members who did not have an opportunity to speak in this session. >>PETER DENGATE THRUSH: Janis, I know people are leaving and I don't want to hold them up, but I do want to say thank you for organizing this session and for fitting us into this. We'll confirm later. Thank you.