richi

Not Good: ICANN Leaks Sensitive Data of gTLD Applicants

by Administrator on ‎13-04-2012 04:39 AM

Last week, Teresa Meek told us all about the plans to add countless new 'generic' top-level domain names (gTLDs). However, a potentially mighty faux-pas has thrown the plan into disarray. It almost certainly involves the leakage of commercially-sensitive data, and will only add to the weight of criticism on the Internet's domain system managers' heads.

But first, what's a gTLD? In last week's beautifully clear article, Teresa explained:

Starting in January, ICANN allowed those willing to foot the £116,000 application fee a chance to create a dot-anything registry. Some large companies...see the possibilities of additional branding; .canon, .deloitte, and .hitachi are among the applicants.
...
Businesses will have far greater protection over their brands with an entire gTLD than with a dot-com domain name. ... ICANN’s stated purpose in creating the gTLDs is to promote domain name competition and increased consumer choice.

The deadline for the first round of applications was to have been yesterday morning. However, The Internet Corporation for Assigned Names and Numbers (ICANN) has had to temporarily shut down the system for applicants to register their desired domain.

 What's wrong? Aunty knows:

[O]rganisations now have until 20 April to apply for the new domains. ... Icann had previously said it would announce who had applied for which of the gTLDs on 30 April. It did not say whether this date would be affected by the incident.

So what happened? ICANN's COO, Akram Atallah, offers this dripping-with-PR-speke apology:

We have learned of a possible glitch...that has allowed a limited number of users to view some other users' file names and user names in certain scenarios. Out of an abundance of caution, we took the system offline.

That's not good. It means that the system's authorisation controls weren't working properly. Private -- probably commercially-sensitive -- data were accessible to competitors.

Many have taken this to mean that, though there's theoretically a risk of leakage, no domain-buyers' data have actually been accessed by an unauthorised user. But I don't buy that.

This wasn't a rushed press release: it was the second statement, adding more background information about the situation. As a follow-up communication, ICANN's statement would have been carefully-worded, as there was more time. Every nuance would have been closely reviewed. So notice the words attributed to Atallah, as we strip out the obfuscatory verbiage:

[The] glitch...has allowed...users to view [others' data].

PR spin at its finest, folks.
  

, editor of Input Output UK, is also an independent analyst, specializing in blogging, email, spam, security, and other technology topics. His writing has won ASBPE and Neal awards. You can encircle him at , follow him as @richi on Twitter, pretend to be his friend at Facebook.com/richij or just use boring old email: io@richij.com.

Article Options
Post a Comment
Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
 


The HP Input Output site is sponsored by HP and features articles and content from HP and third-party contributors. Third-party articles and content, while paid for by HP, do not necessarily represent the views and opinions of HP. HP does not endorse this content and is not responsible for its accuracy, availability and quality.

Follow Us
Spotlight
£50K-£80K for a Dead Computer? Oh, Wait... Twitter Alienates its Flock 400 more fibre engineers being hired, mainly ex-military Will the 'Real' Charles Babbage Please Stand Up?
 


©2012 Hewlett-Packard Development Company, L.P | Privacy Statement | Using this site means you accept its terms | Rules of Participation