gac communiqué – copenhagen, denmark - icann · gac communiqué – copenhagen, denmark 1 i....
TRANSCRIPT
1
Copenhagen,15March2017
GACCommuniqué–Copenhagen,Denmark1
I. Introduction
TheGovernmentalAdvisoryCommittee(GAC)of the InternetCorporationforAssignedNamesandNumbers(ICANN)metinCopenhagen,Denmarkfrom11to16March2017.
59GACMembersand8Observersattendedthemeeting.
TheGACmeetingwasconductedaspartofICANN58.AllGACplenaryandWorkingGroupsessionswereconductedasopenmeetings.
II. Inter-ConstituencyActivities&CommunityEngagement
MeetingwiththeICANNBoard
TheGACmetwiththeICANNBoardanddiscussed:
• 2-charactercountrycodesatthesecondlevel.• TheICANNCEO’sresponsetothequestions intheHyderabadCommuniquéconcerning
mitigationofDNSabuse.• ConfidentialityofGACdocuments.• TheBoard’snewprocessforconsideringandprocessingGACadvice.• Anupdateonthedotwebauctionissue.• ThefacilitateddiscussiononIGOprotectionsandRedCrossRedCrescentprotections.• CCWG-AccountabilityWS2• GACpriorities
MeetingwiththeGenericNameSupportingOrganisation(GNSO)
TheGACmetwithmembersoftheGNSOCouncilanddiscussedincreasedengagementbyGACMembersinPolicyDevelopmentProcesses2-lettercountrycodesatthesecondlevel,aproposedcross-communitysessionatICANN59ongeographicnames,theGAC-GNSOConsultationGroup
1 To access previousGAC Advice,whether on the same or other topics, past GAC communiqués are available at:https://gacweb.icann.org/display/GACADV/GAC+Communiques
2
Final Report ImplementationPlan and common concerns aboutworkload createdbymultiplesimultaneousPDPs.
MeetingwiththeCountryCodeNameSupportingOrganisation(ccNSO)
TheGACmetwiththeccNSOanddiscussedtheccNSOPDPonaretirementandreviewmechanismforccTLDs,theCrossCommunityWorkingGrouponUseofCountryandTerritoryNamesasTLDs,support for the GAC Working Group on Under-Served Regions regarding ccTLD issues,implementation of Bylaws concerning the Empowered Community and ICANN meetingscheduling. Itwasagreed thatan inter-sessional conferencecallsbetweenGACandccNSObescheduled.
MeetingwiththeAtLargeAdvisoryCommittee(ALAC)
TheGACmetwiththeALACanddiscussedgeographicnames,thereportcommissionedbytheCouncilofEuropeoncommunityapplications,thesurveybeingdevelopedbytheGACWorkingGrouponUnder-ServedRegions, theAt LargeReviewandCCWG-AccountabilityWork Streamtopicsofjointinterest.
MeetingwiththeRegistrarStakeholderGroup(RrSG)
The GAC met with the Registrar Stakeholder Group of the GNSO and discussed Registraroperations,marketdevelopmentsandmechanismsfordealingwithabuse.
MeetingwiththegeoTLDGroup
TheGACmetwiththegeoTLDGroup(representingTop-Leveldomainsidentifyingacity,region,language or culture) and discussed policies on geographic names, cooperation with localauthoritiesandissueswithnationaldataprotectionlaws.
MeetingwiththeUniversalAcceptanceSteeringGroup(UASG)
The GAC received an update from the Universal Acceptance Steering Group (UASG) on theiractivitiestomakeIDNdomainnamesandemailaddresses,aswellasnewgTLDs,workseamlesslyonallbrowsers,applicationsandsoftwareprograms.TheGACnotedwithinterestthattheUASGwould be publishing a White Paper on 11 April 2017, and discussed suggestions on howgovernments can assist with the dissemination of UA information and engage their owndepartmentsandlocalsoftwarecommunitiestomaketheirsystemsUAReady.
CustomerStandingCommittee(CSC)
The GACwas briefed bymembers of the Customer Standing Committee for Public TechnicalIdentifiers(PTI)ontheoperationsoftheCommitteetodate.
3
DataProtection
TheGACmetwithdataprotectionofficialsconvenedwiththeassistanceoftheCouncilofEurope.The discussion enabled meaningful exchanges on the implementation of data protectionprinciplesinICANN.ParticipantsexpressedtheneedtocontinuethisimportantdialogueandtooknoteoftheproposaloftheChairoftheCommitteeofConvention108toproviderepliestoanyquestionsputtoit.TheGACwelcomedtheseexchangesandencouragesICANNtocontinuethedialoguewithdataprotectionauthoritiestoenhanceprivacyanddataprotection.
Cross-CommunityDiscussions
TheGACPublicSafetyWorkingGroupledacross-communitysessiononDNSabusemitigation,coveringtrendsinabuseandtheneedformitigation;industryresponses;andtheroleofICANN.Thesessionhighlightednewinitiativesby ICANN’sOfficeoftheCTOaswellassolutionstobeexploredbytheCommunitytowardseffectiveDNSAbuseMitigation, includingleveragingNewgTLDauctionproceedswhereappropriate.
TheGACWorkingGrouponUnder-ServedRegionsledasessionthatexploredoptionsforcapacitybuildingandICANNengagementindevelopingcountries.
III.InternalMatters
1. NewMembers
TheGACwelcomedZimbabweasanewMember.ThisbringsGACmembershipto171Members,and35Observers.
2. Board-GACRecommendationImplementationWorkingGroup(BGRI-WG)
TheBGRI-WGandtheGACmetanddiscussedtheissuesofwhatconstitutesGACadvice,clarityofGACadviceandpost-CommuniquécallsbetweentheGACandtheICANNBoard.Workintheseareaswillbepursuedinthelead-uptotheJohannesburgmeeting
3. GACWorkingGroups:UpdatesasreportedtotheGAC
TheGACOperatingPrinciplesReviewWorkingGroupagreedtopresenttheGACwithproposedminoramendmentstotheGACOperatingPrinciples,includingintroducingonlinevotingfortheupcomingGACelections,withaviewtoformalisingthoseamendmentsaccordingtotheproceduresoutlinedinOperatingPrinciple53.Theamendedprincipleswillbesubjecttofurther
4
reviewaspartofaholisticapproachthathasalreadystartedinparallel.Inthatrespect,theWorkingGroupalsoagreedtopresenttheGACwithapreliminarylistofhigh-levelprinciples,tobeconsideredassubjectheadingsforafullyrevisedsetofOperatingPrinciples.TheWorkingGrouprecommendedthattheGACcloseditsWorkingGroupandthatongoingeffortstorevisetheGACOperatingPrinciplescouldcontinuewithinGACPlenarysessions.
TheGACUnder-ServedRegionsWorkingGroupheldtwosessionstoprogressitsworkandprovideupdatesonvariousactivitiesasstipulatedinitsworkplan.Inordertoprogressongoingwork,theWorkingGroupCo-Chairsmetwith:
• TheccNSOandthePTItodiscussandexplorevariousapproachestothetasksmandatedbytheGACfortheWorkingGrouptoactasthefirstpointofcontactforGACMembersexperiencingccTLDdelegationandre-delegationissues.
• TheDevelopmentandPublicResponsibilityDepartment(DPRD)ofICANNtodiscusscollaborationindevelopingandimplementingaWorkingGroupsurveyforGACMembersfromunderservedregions.
• TheGovernmentEngagement,GlobalStakeholdersEngagementandSecurityStabilityandResiliencyteamsofICANNtoplanforthenextseriesofregionalcapacitydevelopmentsessionsforGACMembersandlawenforcementagenciesfromunderservedregionsinAsiaPacific,MiddleEastandLatinAmericaandtheCaribbeanbeforetheendof2017.
TheWorkingGroupwillcontinuetoparticipateinthefollowingactivities:• ThenewgTLDSubsequentProceduresPDPspecificallyWorkTrack1whichisdealing
with"SupportforApplicantsfromDevelopingCountries".• WorkbytheCCTReviewondevelopingcountryissues.• CCWGonNewgTLDAuctionProceeds.• CCWGAccountabilityWS2subgrouponDiversity.
TheGACHumanRightsandInternationalLawWorkingGroupreceivedanupdatefromtherapporteuroftheCCWGWS2HumanRightssubgrouponpreparationofaFrameworkofInterpretationforICANN'sHumanRightsBylaw.TheWorkingGroupalsodiscussedhumanrightsperspectivesoftheCouncilofEurope'sReportonApplicationsforCommunity-basedNewgTLDswithoneoftheauthorsofthereport.TheGACWorkingGrouponProtectionofGeographicNamesinNewRoundsofNewgTLDsreviewedaproposaltoestablishasetofbestpracticesrulesandthepossibleestablishmentofarepositoryofnames.Itwasinformedandagreedthattherewillbeacross-communitywebinarandacross-communitydialoguesessionduringICANN59.TheWorkingGroupwillengageinthesedialogueeffortsandwillcontinueworkingonapossibleproposal.
5
TheGACWorkingGrouponGACParticipationintheNomComagreedthattheWorkingGroupwillrefineatexton"GACcriteriaforNomCom"andshareanewversionwiththeGACbeforethenextICANNmeeting.AboutthepossibleappointmentofaGACnon-votingmemberintheNomCom,theWorkingGroupwillreviewlegalbackgroundandpreviousexperiencesinfulfillingthisrole.ThisinformationwillbesharedwithGACwhenavailableandanalyzed.TheGACPublicSafetyWorkingGroup(PSWG)reportedtotheGAConitsanalysisoftheresponseprovidedbyICANNtoAnnex1oftheGACHyderabadCommuniquéandproposedaFollow-upScorecard.ItinformedtheGACthatitwillbeseekingendorsementofaDraftSecurityFrameworkforRegistriestoRespondtoSecurityThreats,whichtextwasagreeduponwithrepresentativesofRegistryOperatorsinCopenhagen.SimilarendorsementwillsoonbesoughtregardingtheupcomingPSWGproposalforaLawEnforcementDisclosureFrameworkaspartofthePrivacy/ProxyServicesAccreditationPolicyImplementation(PPSAIIRT).RegardingtheRegistrationDirectoryService(RDS),WorkingGroupvolunteersnominatedbytheGACtojointheRDSReviewTeamareseekingguidancefromtheGACtodefinethescopeoftheReview.ThePSWGproposedthatGNSOsuggestionsinthismatterbeendorsed,exceptforanylimitationsimposedonmatterthatmayormaynotoverlapwiththeongoingNextGenerationRDSPDP.BuildinguponthemeetingoftheGACandthedataprotectionofficials,theWorkingGroupbriefedtheGAConthebalancetobeachievedbetweenprivacy,theneedsoflawenforcementandpublicinterestsinanyfutureRDS.
4. IndependentSecretariat
TheGACnotedthatthecurrentcontractwithACIGtoprovideanindependentsecretariatservicetotheGACexpiresinJuly2017andagreedthattheGACleadershipurgentlyengagewithICANNonitsextension.PledgesfromGACmemberstocontributetothecostsofthesecretariathavebeenincreasinglynumerousbuttodatenotsufficienttomaintainthesamelevelofserviceprovided,whichimpliestheneedforadjustingthelevelofserviceprovidedintheshortterm.Furtherpledgesaresoughtandencouragedasamatterofurgency.Inaddition,theGACleadershipwillworkonmid-termsolutionswithaviewoffindingsustainablefundingarrangements.
IV.EnhancingICANNAccountability
TheGACcontinuedtoworkonaseriesofmeasurestoimplementtheICANNBylawsthatcameinto effect on 1 October 2016. These include the provision of GAC Advice to the Board andproceduresforGACparticipationintheEmpoweredCommunity.
The GAC received an update fromMembers representing GAC in CCWG-AccountabilityWork
6
Stream2activities,inwhichtheywillcontinuetoparticipate.Inparticular,theGACnotedthe importanceofthe jurisdictionquestionnaireasakeypointofCCWGWS2,andcallsonallgovernmentsandotherstakeholderstorespondtoitbeforetheexpiryofthedeadlineof17April2017.OtheractivitiesofCCWGWS2alsoneedtobepursued.
V.OtherIssues
1. Competition,ConsumerTrustandConsumerChoiceReviewTeam(CCT-RT)
TheGACwasbriefedbytheCCT-RTontheReviewTeam’swork,includingtherecentlyreleaseddraftreport.GACMemberswillreviewthedraftreportindetail.
2. NewgTLDs:SubstantivePolicyIssues
The GAC discussed specific policy issues relevant to possible future release of new gTLDs,including:
• Community-basedgTLDapplications:FollowingtheCouncilofEurope'ssubmissiontotheGACatICANN57oftheirreport“ApplicationstoICANNforcommunity-basednewgTLDs:OpportunitiesandChallenges fromaHumanRightsPerspective”,apresentationof thereport's recommendations was provided by one of the authors. The GAC expressessupportfortheserecommendationsgoingforwardforfurtherconsiderationbytheNewgTLDSubsequentProceduresPDPWorkingGroup.
• Supportforapplicantsfromdevelopingcountries.• Geographicnames.
3. ICANNGeographicRegions
TheGACwillexaminetheissueofICANNgeographicregionsandconsidertheissuefurtheratthenextmeetings.
7
VI.GACConsensusAdvicetotheBoard2
1. ProtectionoftheRedCrossandRedCrescentdesignationsandidentifiers
Re-affirmingpreviousGACAdviceforapermanentreservationoftheRedCrossandRedCrescentdesignationsand identifiers, theGACacknowledges theconclusionsof the facilitateddialogueheldduringICANN58onresolvingoutstandingdifferencesbetweentheGAC’spreviousadviceand the GNSO's past recommendations to the Board on the protections of the names andidentifiersoftherespectiveRedCrossandRedCrescentorganizations.Consistentwiththeconclusionsoftheabovementioneddialogue,
a. TheGACadvisestheICANNBoardto:
I. request theGNSOwithoutdelay tore-examine its2013recommendationspertaining to the protections of Red Cross and Red Crescent names andidentifiers (definedas “Scope2”names in theGNSOprocess)whichwereinconsistentwithGACAdvice.
RATIONALETheGACacknowledgestheoutputsofthefacilitateddialogueonthistopicandrequeststheBoardtoproceedaccordinglywithoutdelay
2. IGOProtections
TheGACnotesthatadialoguefacilitatedbytheBoardonthistopichasbegunbetweentheGACandtheGNSO(includingitsrelevantWorkingGroups).TheGACexpectsthatthesediscussionswould resolve the long-outstanding issue of IGO acronym protections and understands thattemporaryprotectionswillcontinuetoremain inplaceuntilsuchtimeasapermanentagreedsolutionisfound.Baseduponthefacilitateddiscussionsuptothisstage,
a. TheGACadvisestheICANNBoardto:
I. pursue implementation of (i) a permanent system of notification to IGOsregardingsecond-levelregistrationofstringsthatmatchtheiracronymsinuptotwolanguagesand(ii)aparallelsystemofnotificationtoregistrantsforamorelimitedtimeperiod,inlinewithbothpreviousGACadviceandGNSOrecommendations;
2TotrackthehistoryandprogressofGACAdvicetotheBoard,pleasevisittheGACAdviceOnlineRegisteravailableat:https://gacweb.icann.org/display/GACADV/GAC+Register+of+Advice
8
II. facilitate continued discussions in order to develop a resolution that willreflect(i) thefactthat IGOsare inanobjectivelyuniquecategoryofrightsholdersand(ii)abetterunderstandingofrelevantGACAdvice,particularlyasitrelatestoIGOimmunitiesrecognizedunderinternationallawasnotedbyIGOLegalCounsels;and
III. urgetheWorkingGroupfortheongoingPDPonIGO-INGOAccesstoCurativeRightsProtectionMechanismstotakeintoaccounttheGAC’scommentsontheInitialReport.
RATIONALE
ThisAdvicecapturesachievementsmadetodateinthefacilitateddiscussions,inthehopethatthiswillbeinstrumentalinresolvingthislong-standingissueattheearliestopportunity.
3. MitigationofDomainNameAbuse
a. TheGACadvisestheICANNBoardto:
I. providewrittenresponsestothequestionslistedintheFollow-upScorecardattached to this Communique, no later than 5May 2017 for appropriateconsideration by theGAC before the ICANN 59meeting in Johannesburg,takingintoaccountthattheICANNPresidentandCEOwillactascontactpointfortheGACinthismatter.
RATIONALE
TheGACisseekingtoassesstheeffectivenessofitsAdvicetotheICANNBoard.
Annex 1 of the GAC Hyderabad Communiqué listed a number of questions to conduct suchassessment in relation to Advice implemented as part of the 2013 Registrar AccreditationAgreementandtheNewgTLDRegistryAgreement.
TheGACisalsointerestedinassessingthecontributionoftheSSRandContractualCompliancedepartmentsofICANNtothepreventionandmitigationofdomainnameabuse.
While ICANN responded to Annex 1 of the GAC Hyderabad Communiqué, the informationprovidedwasnotsufficienttoconductthenecessaryassessments.
9
4. 2-CharacterCountry/TerritoryCodesattheSecondLevel
InlightofthediscussionswiththeICANNBoardinCopenhagenontheBoardResolutionof8November 2016 and its implementationof 13December 2016 regarding two-letter countrycodesassecondleveldomains,
a. TheGACadvisestheICANNBoardto:
I. TakeintoaccounttheseriousconcernsexpressedbysomeGACMembersascontainedinpreviousGACAdvice
II. EngagewithconcernedgovernmentsbythenextICANNmeetingtoresolvethoseconcerns.
III. Immediatelyexploremeasurestofindasatisfactorysolutionofthemattertomeettheconcernsofthesecountriesbeforebeingfurtheraggravated.
IV. Provideclarificationofthedecision-makingprocessandoftherationalefortheNovember2016resolution,particularlyinregardtoconsiderationoftheGACadvice,timingandlevelofsupportforthisresolution.
RATIONALE
The GAC noted serious concerns expressed by some governments about the consequencesintroducedbythechangescreatedbythe8November2016Resolution.Inparticular,accordingtothenewprocedureitisnolongermandatoryfortheregistriestonotifygovernmentsoftheplansfortheiruseof2-lettercodes,norareregistriesrequiredtoseekagreementofgovernmentswhenreleasingtwo-lettercountrycodesatthesecondlevel,which,forexample,allowsregistriestochargegovernmentssubstantialfees.
VIII.NextMeeting
TheGACwillmeetduringICANN59inJohannesburg,SouthAfrica,scheduledfor26-29June2017.
PartI–Question1-WHOISAccuracyProgramSpecification-CrossValidationRequirement Page1
GACFollow-upScorecardtoAnnex1ofGACHyderabadCommuniqué(asof15March2017)
PartI.Implementationof2013RAAprovisionsandRegistrarsAccreditation
GACQuestion(HyderabadCommuniqué)
1.WHOISAccuracyProgramSpecification-CrossValidationRequirementWhatistheimplementationstatusofthe2013RAA,WHOISAccuracyProgramSpecification,Section1(e)whichprovidesthatRegistrarwill“Validatethatallpostaladdressfieldsareconsistentacrossfields(forexample:streetexistsincity,cityexistsinstate/province,citymatchespostalcode)wheresuchinformationistechnicallyandcommerciallyfeasiblefortheapplicablecountryorterritory”?
a) DetailedinformationonwhatregistrarsandICANNhavedonetofulfillthisRAArequirementtodate;b) Atimelinewithspecificmilestones&dates,includingaprojectedclosuredateforcompleteimplementationofthisrequirementc) Detailedinformationoncross-fieldvalidationsoftware,approaches,etc.thathavebeenconsidered,includingsupportingdataandresearch;d) Detailedinformationregardingregistrars'concernsaboutwhyspecificoptionsarenottechnicallyandcommerciallyfeasible,includingsupportingdataand
research;ande) Currentproposalsforcross-fieldvalidation(publishedatthetimetheyaresharedwithanyregistrar).
ICANNResponse(8Feb.2017)
Inmid-2014,ICANNOrgandtheRegistrarStakeholderGroupjointlyagreedtoplaceonholdtheacrossfieldvalidationinitiativespecifiedinSection1(e)oftheWHOISAccuracyProgramSpecificationtothe2013RegistrarAccreditationAgreement.ThisinitiativewasplacedonholdduetotheimplementationofthedomainverificationandsuspensionrequirementoutlinedintheWHOISAccuracyProgramSpecification.Registrarswerechallengedwithmaintainingparalleltracksasitpertainedtothesetwoinitiatives.Overthecourseofthelastthreeyears,ICANNOrghasfocuseditseffortsonidentifyingcommerciallyreasonableandglobalsolutionsthatwouldmeettherequirementsoftheRAAaswellasregionalandglobaladdressinganddataformatrequirements.DuringICANN57inHyderabad,India,ICANNOrgpresentedtheresultsofthisresearchinanopensession,aswellasastrawmanproposaltoaddressthisissue.InJanuary2017,theWHOISValidationWorkingGroupwasre-formedtofocusitseffortonidentifying,specifying,andapproving(byaminimumoftwo-thirds(2/3)voteoftheRegistrarWHOISValidationWorkingGroup),anappropriatesetoftoolstoenableregistrarstocompletetheacrossfieldaddressvalidationspecifiedinSection1(e)oftheWHOISAccuracyProgramSpecificationofthe2013RegistrarAccreditationAgreement.Startinginthefirstquarterof2017,theWorkingGroupandICANNOrgplantodefineandmutuallyagreeupontheabilitytodetermineifasolution(s)iscommerciallyviable,basedonprovidercriteriathatwillbedraftedandagreeduponbyWorkingGroupandICANNOrg.AcompletesetofdocumentsislocatedontheAcrossFieldAddressValidationWikiPage:https://community.icann.org/display/AFAV/Registrar+Across+Field+Address+ValidationTheWikipagealsoincludesdetailsofpotentialcommerciallyreasonablesolutionsthattheWorkingGroupwillevaluateandanalyzeinconjunctionwithICANNOrg.
PartI–Question1-WHOISAccuracyProgramSpecification-CrossValidationRequirement Page2
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
I.1.1 GACrequestsfurtherdetailsonwhatregistrarsandICANNhavedonetofulfillthisRAArequirementtodate(questionI.1.a).BasedonICANN’soriginalresponse,itappearsthatagrouphasbeenformedbuthasasofyetproducednoresults,andnoprogresshasbeenmadeinfinalimplementation.
Open
I.1.2 GACrequestsfurtherdetailsonitsrequestforatimelinewithspecificmilestones&dates,includingaprojectedclosuredateforcompleteimplementationofthisrequirement(questionI.1.b).NoclosuredatehasbeenprovidedforcompletionandimplementationoftheCrossValidationcontractualrequirement.
Open
I.1.3 GACrequestsfurtherdetailsonitsrequestfordetailedinformationoncross-fieldvalidationsoftware,approaches,etc.thathavebeenconsidered,includingsupportingdataandresearch(questionI.1.c).TheanswerprovidedbyICANNtodatedidnotincludeanyspecificapproaches,toolsthatwereconsidered,rejectedandthereasoningbehindsuchdecisions.Nofinancialdecision,discussion,analysisofanycross-fieldvalidationsolutionswereprovided.DetailsonconsiderationoranalysisofanysolutionbyeitherICANNorathird-partyshouldbeprovided,includingdetailssuchasnameofthird-party,cost,function,andotherrelevantinformation.
Open
I.1.4 GACrequestsfurtherdetailsonitsrequestfordetailedinformationregardingregistrars'concernsaboutwhyspecificoptionsarenottechnicallyandcommerciallyfeasible,includingsupportingdataandresearch(questionI.1.d).Theanswerprovidedtodatedidnotincluderegistrars'concernssuchasthetechnicaland/orcommercialissuesregardingcross-validation.
Open
PartI–Question1-WHOISAccuracyProgramSpecification-CrossValidationRequirement Page3
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
I.1.5 CanICANNprovidedetailsonwhythe“acrossfieldvalidationinitiative”specifiedinSection1(e)oftheWHOISAccuracyProgramSpecificationwasstoppedifitwasacontractualobligationperthe2013RAA,WHOISSpecification?Inaddition,itisnotclearwhytheserequirementswereviewedasseparatestreamsastheywerebothdetailedinthesameWHOISSpecification.
Open
I.1.6 PleaseprovidetheGACwiththeresultsofICANN’sstrawmanproposal“identifyingcommerciallyreasonableandglobalsolutionsthatwouldmeettherequirementsoftheRAAaswellasregionalandglobaladdressinganddataformatrequirements”
Open
I.1.7 Astheacrossfieldaddressvalidationisacontractualobligation,whyisitsubjecttobeingconsidered“commerciallyviable”?
Open
I.1.8 Whatisconsideredcommerciallyviable? Open
I.1.9 Hasadeadlinebeensetfordevelopingatool/methodologytoenableregistrarstocompletetheacrossfieldaddressvalidationspecifiedinSection1(e)oftheWHOISAccuracyProgramSpecification?
Open
PartI–Question2-EnforcementbyICANNofWHOISVerification,ValidationandAccuracyRequirement Page4
PartI.Implementationof2013RAAprovisionsandRegistrarsAccreditation
GACQuestion(HyderabadCommuniqué)
2.EnforcementbyICANNofWHOISVerification,ValidationandAccuracyRequirementPerthe2013RAAWHOISSpecification,howdoesICANNenforceallregistrarWHOISverification,validationandaccuracycontractualobligations?PleaseprovideexamplesthatdemonstratehowICANNisenforcingeachofthesecontractualobligations?
ICANNResponse(8Feb.2017)
ICANNContractualCompliancemonitorsandensurescompliancewiththeverification,validation,andaccuracyrequirementsofSection3.7.8ofthe2013RAAandtheWHOISAccuracyProgramSpecification(WAPS)through:
• ProcessingWHOISinaccuracycomplaintscoveringverification,validation,andinvestigationandcorrectionofaccuracyissues.BetweenNovember2015andNovember2016,WHOISinaccuracycomplaintsconstitutedapproximately70%ofcomplaintsprocessedbyICANNContractualCompliance(almost32,000complaints).
• PerformanceoftheICANNContractualComplianceregistraraudit,whichincludesWHOISdataverificationandvalidationrequirements.• ProcessingtheWHOISAccuracyReportingSystem(ARS)inaccuracyreports.TheARScheckssamplesofWHOIScontactinformationformat(syntax)and
functionality(operability)foraccuracyfromacrossthegTLDs.ThedataisprovidedtoICANNContractualComplianceforfollow-upwithregistrars(includingWHOISinaccuracycomplaintsandregistraroutreach).
• ProactivemonitoringandoutreachbyICANNContractualCompliance.EnforcementofSection3.7.8:ThissectionrequiresregistrarstotakereasonablestepstoinvestigateandcorrectWHOISdatainaccuracies.Percontract,Registrarshave15calendardaysaftertriggerevent(forexample:newregistrations,inboundtransfers,changetoregistrantinformation,WHOISInaccuracycomplaints)toverify/validate,asapplicable.ICANNenforcestheobligationbyrequesting:
1. Evidencesuchaswhen,how,andwithwhomcommunicationwasconducted2. Validationofanydataupdatedfollowinginvestigations3. VerificationofregistrantemailperSection4ofWAPS
ICANNlooksforoneofthreeresultswhenreviewingWHOISinaccuracycomplaints:
1. WHOISupdatedwithin15daysofnotifyingtheRegisteredNameHolder–registrarprovideddocumentationofvalidationofupdatesandverification(includingaffirmativeresponseormanualverification)
2. NoresponsefromRegisteredNameHolderwithin15daysofnotifyingRegisteredNameHolder–domainsuspendeduntilregistrarhasverifiedinformation3. WHOISverifiedasaccurate(nochange)within15daysofnotifyingRegisteredNameHolder–registrarprovideddocumentationofverification
ICANNmayalsorequestevidenceofWAPSfulfillmentunderSection1.
PartI–Question2-EnforcementbyICANNofWHOISVerification,ValidationandAccuracyRequirement Page5
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
I.2.1 WhiletheanswertoquestionI.2providesstatisticsandgeneralinformation,itdoesnotaddresstheintentofthequestion.TheGACadviceaimedatdeterminingspecificallywhatactions/stepsaretakentoverify,validate,andconfirmtheaccuracyofcontractually-requiredWHOISinformation.Inotherwords,isthereasetofcriteriausedinverification,i.e.,whenastaffmemberreviewsWHOIScomplaints;arecomplaintstracked,analysed,etc.?
Open
I.2.2 Whatweretheresultsofthe32,000WHOIScomplaintsprocessed? Open
I.2.3 Wereanyregistrarsde-accreditedforWHOISviolations?Ifnot,doesthatmeanall32,000WHOIScomplaintsresultedinregistrarstakingappropriateactions?
Open
I.2.4 Whatactions,ifany,hasICANNtakenagainstanyregistrarfornon-complianceofWHOISrequirementsin2013RAA,startingJanuary1,2014?
Open
I.2.5 DoesICANNconsiderde-accreditationforaWHOISinaccuracyviolationtoosevere?Ifso,shouldtheRAAbeamendedtospecificallyprovideagraduatedscaleofpenaltiesorsanctionsforWHOISinaccuracies?
Open
I.2.6 Pleaseprovidespecificactions,stepsandanalysisthatICANNtakesduringanaudit?
Open
I.2.7 DoesICANNuseatemplateorstandardizedmethodologytoconducteachaudit?
Open
I.2.8 Howoftenareauditsconducted? Open
I.2.9 Whatdeterminesifanauditisneeded,specifically? Open
I.2.10 Whoconductsanaudit? Open
I.2.11 Howmuchtimeisneededforanaudit?Hours,days,weeks? Open
PartI–Question2-EnforcementbyICANNofWHOISVerification,ValidationandAccuracyRequirement Page6
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
I.2.12 Whatareassociatedcostswithaudits?Howmuchdoeseachauditcost,withbreakdownoflabor,travel,andanyotherrelatedcosts?
Open
I.2.13 Pleaseprovidespecificexample(s)ofactionstakenafterareportofanactualaudit(withnamesredacted)?
Open
1.2.14 AccordingtoMay2016ContractualComplianceRegistrarAuditReport,“Ten(67%)oftheRegistrarscompletedtheauditwithdeficiencies[…]TheseRegistrarswillrequirefollow-up(i.e.partialre-audit)fromICANNtoverifytheremainingdeficiencieshavebeenremediated.”Howisthisfollow-upachieved,andhowisitreported?
I.2.15 Pleasedefine“proactivemonitoring”andwhatactionsaretakeninthisprocess?
Open
I.2.16 Howoftenisproactivemonitoringdone? Open
I.2.17 Doesproactivemonitoringapplytoeachregistrarandregistry?Whyorwhynot?
Open
I.2.18 DoesICANNhaveenoughresourcestoconductproactivemonitoringforeachregistryandregistrar?
Open
I.2.19 WhatdoesICANNmeanby“outreach”? Open
I.2.20 Howisoutreachconducted? Open
I.2.21 DoesICANNhaveenoughresourcestoconductoutreachtoeachregistryandregistrar?Specifically,whatisconsidered“follow-up”withregistrars?
Open
I.2.22 PleaseexplainhowICANNdefines“evidence”inthiscontextofICANN’senforcementofSection3.7.8relatedtotheinvestigationandcorrectionbyRegistrarsofWHOISdatainaccuracies.
Open
I.2.23 HowmanydomainnameshavebeensuspendedduetonoresponseofRegisteredNameHolderwithin15daysofrequestforverificationofWHOISdataaccuracy?
Open
PartI–Question3-DiligencebyICANNinRelationtoRegistrars’DutytoInvestigateReportsofAbuse Page7
PartI.Implementationof2013RAAprovisionsandRegistrarsAccreditation
GACQuestion(HyderabadCommuniqué)
3.DiligencebyICANNinRelationtoRegistrars’DutytoInvestigateReportsofAbuseWhatisthestandardofdiligencethatICANNappliestoregistrarsintheregistrar’sdutytorespondtoreportsofabuseaccordingtoSection3.18ofthe2013RAA?
ICANNResponse(8Feb.2017)
ICANNContractualCompliancemonitorscompliancewithSection3.18ofthe2013RAAthrough:• ProcessingabusecomplaintssubmittedthroughtheRegistrarStandardsComplaintForm
(https://forms.icann.org/en/resources/compliance/complaints/registrars/standards-complaint-form).• ConductingtheRegistrarAuditProgramwhichincludestheobligationsofSections3.18.1,3.18.2,and3.18.3ofthe2013RAA.
Forabusecomplaints,ICANNconfirmsthatthereportersentabusereport(s)toregistrarabusecontactemailaddressbeforeICANNsendscomplainttoregistrar.Onceconfirmed,ICANNcouldrequesttheregistrartoprovide:
1. Adescriptionofthestepstakentoinvestigateandrespondtoabusereport2. Theamountoftimetakentorespondtoabusereport3. Allcorrespondencewithcomplainantandregistrant4. Thelinktowebsite’sabusecontactemailandhandlingprocedure5. Thelocationofdedicatedabuseemailandtelephoneforlaw-enforcementreports6. TheRegistrar’sWHOISabusecontacts,emailaddress,andphonenumber7. Examplesofstepsthatregistrarshavetakentoinvestigateandrespondtoabusereportsinclude:
a. Contactingtheregistrantb. Requestingandobtainingevidenceorlicensesc. Providinghostingproviderinformationtocomplainantd. PerformingWHOISverificatione. Performingtransferuponrequestofregistrantf. Suspendingdomain
PartI–Question3-DiligencebyICANNinRelationtoRegistrars’DutytoInvestigateReportsofAbuse Page8
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
I.3.1 Unfortunately,ICANNhasnotprovidedspecificdetailsinhowitinvestigatesreportsofabusebyprovidingspecificdocumentation.WhileitisunderstoodICANNwouldnotwanttoreleaseinformationorwasteresourcesonsuperfluousorunfoundedabusereports,itwouldbehelpfulifICANNcanprovideaclear,transparentandconsistentinvestigativeapproachtoreportsofabuse.
Open
I.3.2 WhatarethedeterminingfactorsforICANNtorequesttheinformationlistedfromregistrarwhenhandlingabusecomplaints?
Open
I.3.3 Isthereathresholdand/orstandardizedanalysisperformedforeachreportofabuse?
Open
I.3.4 Isalloftheinformationlistedintheanswerrequestedoftheregistrarwheninvestigatinganabusereport?Ifnot,howdoesICANNdeterminewhichquestionsarepresentedtoregistrar?
Open
I.3.5 DoesICANNprepareawrittenreportuponthecompletionofeachinvestigation,withsupportingdocumentation?
Open
I.3.6 PleaseprovidecomprehensivestatisticsdetailinghowmanyreportsofabusearereceivedbyICANNandtheiroutcomesoradjudication.
Open
I.3.7 Pleaseprovideareportofmeasuresthathavebeentakenagainstregistrars,includingviolation,date,andlengthofinvestigation,costsassociated,outcomesandfollow-ups.
Open
PartI–Question4-AwarenessEffortsbyICANNonRegistrars’Obligations Page9
PartI.Implementationof2013RAAprovisionsandRegistrarsAccreditation
GACQuestion(HyderabadCommuniqué)
4.AwarenessEffortsbyICANNonRegistrars’Obligations:WhateffortsdoesICANNundertaketoensureregistrars,areeducatedandawareoftheircontractualobligations?Per2013RAA,Section3.13,canICANNprovidedetailsofrequiredtraining,forinstance:
a. IsthereanICANNtrainingprogramwithcorrespondinglinksandinformation?b. Howoftenisthistrainingprovided?c. Otherdetailsofthetrainingprogram?
ICANNResponse(8Feb.2017)
Yes.ICANNhasdevelopedatrainingprogramincollaborationwiththeregistrarcommunity.TheprogramisintendedtohelpICANN-accreditedregistrarsunderstandandcomplywiththeirobligationsundertheRegistrarAccreditationAgreementandincorporatedconsensuspolicies.ThetrainingisavailableontheICANNLearntrainingplatform:https://www.icann.org/resources/pages/registrar-training-resources-2015-09-23-en.Thetrainingisweb-basedandcanbeaccessedatanytimeuponsuccessfulaccountcreationandlogin.Section3.13ofthe2013RAArequirestheprimarycontactordesigneetocompleteatrainingcoursecoveringregistrarobligationsunderICANNpoliciesandagreements.ACertificateofRegistrarTrainingCourseCompletionispublishedathttps://www.icann.org/resources/pages/registrar-training-resources-2015-09-23-en.Registrarsarerequiredtosendinasignedanddatedcopyofthecertificateuponsuccessfulcompletionofthetrainingprogram.Inaddition,ICANNconductsoutreachtocontractedpartiesatICANNpublicmeetings,GDDIndustrySummits,viaawebinar-typeapproach,orthroughpublishedmaterialonICANN.org.Theoutreachprovidesoverallcontractualguidelines,informsofpolicyand/orcontractchanges,andprovidesanopportunitytoproactivelycollaborateandaddresscomplianceissues.
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
None
PartI–Question5-VettingRegistrarAccreditationApplications Page10
PartI.Implementationof2013RAAprovisionsandRegistrarsAccreditation
GACQuestion(HyderabadCommuniqué)
5.VettingRegistrarAccreditationApplicationsICANNhaslistedcriteriaforregistraraccreditation.Pleaseexplainhowthesecriteriahavebeenputintopracticeandenforced?Specifically:
a. HowdoesICANNverifyinformationprovidedinregistraraccreditationapplications?b. Whatdatabases,recordchecks,etc.areused?c. HowmanyapplicationshasICANNreceivedsincethenewprocessbegan?Ofthose,howmanyapplicationshavebeenrejected,why?d. HowlongdoesittakeICANNtoevaluateeachapplication?e. Whatarethefinancialcostsassociatedwithprocessingeachapplication,includingverificationcosts?
ICANNResponse(8Feb.2017)
ICANNconductsathoroughreviewofapplicationsforRegistrarAccreditation.Thisreviewincludes,butisnotlimitedto:• Backgroundchecksconductedthroughathird-partyserviceprovider,ThomsonReuters.Thesechecksinclude:Litigation,Bankruptcy,Regulatory,andLaw
Enforcementchecks,aswellasinternetsearches.• Financialreview;areviewoffinancialstatementsandbankverification• Reviewofgoodstandingdocuments,e.g.,CertificatesofIncorporation,BusinessRegistration/License• ICANNContractualCompliancestatus
ICANNhasreceivedatotalof2,157applicationsincalendaryears2012through2016,fourofwhichwerewithdrawnandelevenofwhichwererejected.Reasonsforrejectionincludedbackgroundcheckfindings,financialreviewfindings(suchasinsufficientcashonhand),andapplicationreviewfindings.Table1.RegistrarAccreditationApplications,2012–2016
Year Applications Withdrawals Rejections2012 57 0 62013 183 2 32014 519 1 12015 847 1 12016 551 0 0Total 2157 4 11
ReviewofRegistrarAccreditationApplicationstakeonaveragethreetosixmonths.However,thistimingislargelydependentupontheresponsivenessoftheapplicant.Delaysinapplicantresponsemayextendtheoverallreviewcycletotwelvemonthsorlonger.
PartI–Question5-VettingRegistrarAccreditationApplications Page11
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
I.5.1 GACrequestsfurtherdetailsonwhatarethefinancialcostsassociatedwithprocessingeachapplication,includingverificationcosts(questionI.5.d).HowmuchdoesICANNpayThompsonReuterstoconductchecks?Also,arethereanothercostsICANNincursafteritreceivesThompsonReutersdata,i.e.,isfurtherinvestigationorchecksrequired?
Open
I.5.2 Havetherebeeninstanceswhentheabove-referencedatabaseshavenotproduceddata?Ifso,whatdoesICANNdoinsuchcircumstances?
Open
I.5.3 IsThompsonReutersabletoprovideabove-referencedchecksforeverycountryintheworld?Ifnot,whichcountriesarenotincludedintheirchecks?
Open
I.5.4 WhatdoesICANNdoifthereisinsufficientorcontradictorydataprovidedbyabove-referencedchecks?
Open
PartII–Question1–VettingRegistryAccreditationApplications Page12
PartII.ImplementationofNewgTLDApplicantGuidebookandRegistryAgreement
GACQuestion(HyderabadCommuniqué)
1.VettingRegistryAccreditationApplicationsTheNewgTLDApplicantGuidebook(v.2012-06-04),Module1,Section1.2.1,Eligibilitystatesthat“ICANNwillperformbackgroundscreeninginonlytwoareas:(1)Generalbusinessdiligenceandcriminalhistory;and(2)Historyofcybersquattingbehavior.”HowisICANNmonitoring,enforcingand/orverifyingcontinuedcompliancewithSection1.2.1?
ICANNResponse(8Feb.2017)
TheApplicantGuidebookrequirementswereusedtoevaluatetheapplicants.ICANNmonitors,enforces,and/orverifiescontinuedcomplianceviaArticle1.3.aRepresentationsandWarrantiesintheNewgTLDRegistryAgreement,whichcoverscontinuedcompliancewithwhatanapplicantstatedinitsapplication.ICANNmonitorsmediareportsincludingsocialmedia,reviewscomplaintsreceivedandtheregistry’sannualcertificationwhereapplicable,andconductsauditsaddressingtheseissues.VerifyingcompliancemayincluderequestingdifferenttypesofdocumentssuchascurrentCertificateofSubsistence(alsoknownas"GoodStandingCertificate")orthelocalequivalent,andrecentfiscalyearFinancial/OperationalStatementorthelocalequivalent(audited,ifavailablewithredactedproprietaryorconfidentialdata).
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
None
PartII–Question2–SecurityChecks,Specification11,Section3(b) Page13
PartII.ImplementationofNewgTLDApplicantGuidebookandRegistryAgreement
GACQuestion(HyderabadCommuniqué) ICANNResponse(8Feb.2017)
2.SecurityChecks,Specification11,Section3(b)a. DoesICANNcollectand/orreviewthesestatisticalreportsorotherwise
verifythatthePublicInterestCommitmentisbeingmet?
Specification11intheNewgTLDRegistryAgreementenablesICANNtorequestreportsrelatedtotheSecurityChecksundertakenbyRegistryOperatorsandtheactionstakentoaddressthem.ICANNreviewseachreportindividuallytoaddressareportedissue;thisisaproactivereviewinitiatedasaresultofmonitoringoranaudit.Statisticalreportsmostcommonlyinclude:
• Numberofdomainnamesreviewedduringanalysis• Listofdomainnameswithpotentialthreats• Typeofthethreatidentified-malware,botnets• Typeofactionstakeninresponsetothreats• Status(open/pending/closed)andstatisticsonactionstaken• AdditionaldetailsonthreatssuchasIPaddress,geographiclocation,and
registrantinformation• Trendsandalerts
b. IsICANNconductinganytypeofindependentresearchthatallowsittoobtainmetricsandgeneratestatisticsrelatedtoconcentrationofmaliciousdomainnamesperregistrar/registryandhowthistrendsoveradeterminedperiodoftime
Atthistime,ICANNisnotgeneratingstatisticsonmaliciousdomainsinacomprehensiveway.However,theOfficeoftheChiefTechnologyOfficerisconductingaresearchprojectthatworkswithindustryexpertstodevelopaservicethatconsolidatesanumberofDNSabuse-relateddatafeedstogeneratestatisticsonavarietyofmaliciousdomainnamesperregistrarandregistry.Theintentofthisresearchprojectistoprovideanauthoritative,unbiased,andreproducibledatasetthattracksDNSabuse-relatedtrendsovertime.
c. IfICANNisconductingthisresearch,pleaseprovideabriefexplanationofhowtheanalysisisperformedandwhatspecificactionsICANNtakesinresponsetotheresultsindicatedbythedata.
Asmentionedinresponse2b,thereisaresearchprojectindevelopment.Theanalysisbeingperformedistoaggregatedatafeedsandgenerateanindexbasedontheprevalenceofthedifferentkindsofabusethatarebeingreported.WhileICANN’splansregardingactionswiththedatahavenotyetbeenfinalized,itislikelythoseactionswillincludeatleastinformingregistriesandregistrarsoftheirabusestatisticsandtheirpositionrelativetothemedianfortheindustry,andworkingwiththeorganizationsthatrequestICANN’shelpinmitigatingtheabuse.
PartII–Question2–SecurityChecks,Specification11,Section3(b) Page14
PartII.ImplementationofNewgTLDApplicantGuidebookandRegistryAgreement
GACQuestion(HyderabadCommuniqué) ICANNResponse(8Feb.2017)
2.SecurityChecks,Specification11,Section3(b)d. IfICANNisNOTconductingthisresearch,pleaseexplainwhynot.Inthe
interestsoftransparency,theGACrequestsareportcontainingthesestatisticsandsummariesofactionstakeninresponsetothesecuritythreatsidentifiedabove.
Atthispointintime,thetoolusedtoaggregateandreportonDNSabuseisstillunderdevelopment.Thecurrentplanistohavethetoolinbetabythesecondquarterof2017
e. TheGACwouldliketoremindICANNthatthelistofSecurityThreatsintheNewgTLDSafeguardsisnotmeanttobeexhaustive.Infact,theSecuritychecksSafeguardapplicabletoallNewgTLDsrefersto“securitythreatssuchasphishing,pharming,malware,andbotnets”(emphasisadded),whichdoesnotexcludeotherrelevantthreats.Pleasedescribewhatanalysisandreportingisconductedregardingotherrelevantthreatsnotlistedabove,includingspam?
Thetoolbeingdevelopedislimitedtothedatawecancollectfromthevariousmaliciousdomainname-relatedservicessuchasSURBL,Spamhouse,etc.Atthistime,thedataavailableallowsustoaggregateinformationrelatingtomalware,botnetcommandandcontrol,phishing,andspam.Asmoreformsofabuseareprovidedviadatafeedswecangainaccessto,thetoolwillbemodifiedasappropriate.
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
II.2.1 ThepurposeofthisquestionwastosolicitbeneficialinformationonhowSpecification113(b)isfosteringgreatersecuritythroughdiligence,transparencyandaction,especiallyinthenewgTLDspace.Theresponseprovidedonthereceiptofreportswithunidentifiedactions,statistics,etc.shouldbemoredetailedindeterminingwhetherSpecification11,3(b)issuccessfulinidentifying,mitigatingandattributingabuseontheDNSthroughdomainnameregistrations.
Open
II.2.2 CanICANNprovidethelistofstatisticalreportsithasreceived,perbelowresponse?
Open
II.2.3 HowmanyreportshasICANNreceived? Open
II.2.4 DoesICANNtakeanyactionbasedonthecontentofthosereports?Ifso,whatactions,specifically?Ifnot,why?
Open
PartII–Question2–SecurityChecks,Specification11,Section3(b) Page15
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
II.2.5 Pleaselistanddescribewhatspecificactionsondomainnameswithpotentialthreatsaretaken?IstherereportingtolawenforcementornationalCERTs?ICANNcontractualenforcementactions?Otheractions?
Open
II.2.6 Pleaseprovidestatisticsonopen/closed/pendingactionsreported. Open
II.2.7 Howis“AdditionaldetailsonthreatssuchasIPaddress,geographiclocation,andregistrantinformation”usedinrelationtosecuritychecks?
Open
II.2.8 WhatspecificactionsdoesICANNtakeregarding“trendsandalerts?” Open
II.2.9 TheGACPSWGisawareICANNhasbeenworkingonanAdvisorytoclarifytheprovisionsofSpecification11section3(b)intheNewgTLDRegistryAgreementrelatingtotheidentificationandreportingofSecurityThreats.ConsideringtheoriginoftheseprovisionsintheNewgTLDGACSafeguards,doesICANNplantoconsultwiththeGACPSWGinthismatter?
Open
II.2.10 WhendoesICANNplantoissuetheseclarifications? Open
PartII–Question3–AwarenessEffortsbyICANNonRegistries’Obligations Page16
PartII.ImplementationofNewgTLDApplicantGuidebookandRegistryAgreement
GACQuestion(HyderabadCommuniqué)
3.AwarenessEffortsbyICANNonRegistries’ObligationsWhateffortsdoesICANNundertaketoensureregistries,areeducatedandawareoftheircontractualobligations?IsthereanICANNtrainingprogramwithcorrespondinglinksandinformation?
ICANNResponse(8Feb.2017)
ICANNconductsoutreachtocontractedpartiesatICANNpublicmeetings,GDDIndustrySummits,viawebinars,andthroughpublishedmaterialonICANN.org.Theoutreachprovidesoverallcontractualguidelines,informsofpolicyand/orcontractchanges,andprovidesanopportunitytoproactivelycollaborateandaddresscomplianceissues.Inadditiontotheongoingeffortsoutlinedabove,in2014,ICANN’sGlobalDomainsDivisionconductedaseriesofglobal,interactive,hands-onworkshopsdesignedtoprovideguidancetoRegistryOperators,RegistryBack-endTechnicalOperators,andAgentsofRegistries.
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
None
PartIII–Question1–AbuseInvestigations,Research,Reports Page17
PartIII.DNSAbuseInvestigation,reportingandmitigationperformance
GACQuestion(HyderabadCommuniqué)
1.AbuseInvestigations,Research,ReportsICANN’sIS-SSRprogramsareaninternalresourcethatcouldbeutilizedforcontractenforcementpurposes.InadditiontoICANN’sIS-SSRprograms,thereareseveralpublicallyavailableanti-abusereportsthatcanbeusedtoassistICANNinenforcingcontractualobligationswithgTLDregistriesandregistrars.a) IsICANNcontractcompliancestaffawareofsuchpublicallyavailableabusereports?
i. Ifso,doesICANNutilizethesetoassistincontractenforcement?ii. IfICANNutilizessuchpubliclyavailableabusereportsforcontractenforcementpurposes,howdoesitutilizesuchreports?iii. IdentifywhatreportsorsourcesICANNutilizes?iv. IfICANNdoesnotutilizethesereportsforcontractenforcementpurposes,isthereanyreasonwhynotto?Arethereanyplansorawillingnesstodosoin
thefuture?b) DoesICANNhaveanyintentiontoutilizeitsIS-SSRprogramsforcontractenforcementpurposes?
i. Ifso,how?ii. Ifnot,whynot?iii. HasICANN'sIS-SSRconsideredestablishingabaselineforgoodregistryandregistrarbehavior?Ifso,pleaseprovidedetails.
ICANNResponse(8Feb.2017)
RegardingquestionsIII.1.aandIII.1.b,ICANN’sContractualComplianceApproachandProcessincludesmonitoringactivitiesthatareICANN-initiated,basedinpartonindustryarticlesandtrendanalysis.Thisincludespubliclyavailableanti-abusereportsandICANN-generatedreports.ThesereportsmaybeusedforCompliancereviewandactiontotheextentthatthereportscovertopicsthatarewithinthescopeofthe2013RegistrarAccreditationAgreementandRegistryAgreement.Inaddition,thesereportsareonepartoftheselectioncriteriafortheregistrarandregistryauditprograms.
PartIII–Question1–AbuseInvestigations,Research,Reports Page18
Follow-up
# Follow-upGACQuestion ICANNAnswertoFollow-upQuestion Status
III.1.1 ICANNhasnotprovidedinformationabouthowitutilizes“publiclyavailableabusereports”(questionIII.1.a.ii).Theanswer“ThesereportsmaybeusedforCompliancereviewandactiontotheextentthatthereportscovertopicsthatarewithinthescopeofthe2013RegistrarAccreditationAgreementandRegistryAgreement”doesnotprovideanyinformationonwhatspecificallyICANNcontractcompliancedoeswiththereports,especiallyasitrelatestoIS-SSR.Forexample,ifIS-SSReitherfindsoutfromathird-partyordiscoversthroughICANNinternalanalysis,thataregistrarorregistryiseithercommittingabuseorallowingabuse,whatdoesContractCompliancedo?Isthereaformalizedprocesstodealwiththesesituations?
Open
III.1.2 ICANNhasnotidentifiedreportsorsourcesitutilizes(questionIII.1.a.iii).Pleaseprovidespecifics.
Open
III.1.3 ICANNhasnotansweredwhetheritintends“toutilizeitsIS-SSRprogramsforcontractenforcementpurposes”(questionIII.1.b.i),andifsohow,andifnot,why.
PartIII–Question2–Multi-JurisdictionalAbuseReporting Page19
PartIII.DNSAbuseInvestigation,reportingandmitigationperformance
GACQuestion(HyderabadCommuniqué)
2.Multi-JurisdictionalAbuseReportingICANN’sformerChiefContractComplianceOfficer,AllanGrogan,publishedablogposton1October2015entitled“UpdateonStepstoCombatAbuseandIllegalActivity”.Inthisblogpost,Mr.Groganindicatesthecomplainantmustidentifythelaw/regulationviolatedandtheapplicablejurisdiction.Manycyber/malware/botnetattacksaffectmanyTLDsspreadacrossmanyinternationaljurisdictions.a) Pleaseclarifywhatproceduresshouldbefollowedwhenacomplainantseekstosubmitvalidreportsofabusetoregistrarsinvolvingincidentsinmultiple
jurisdictions?b) Inparticular,whatdoesICANNrequirefromcomplainantstoidentifythoselaws/regulationsinthejurisdictionsofeachaffectedregistrar?
ICANNResponse(8Feb.2017)
Reportersshouldprovideasmuchinformationaspossiblewhensubmittingacomplaint,includinginformationregardingallegedviolationsoflaws/regulationsinoneormoreapplicablejurisdictions.Asstatedintheblog,ICANNContractualComplianceconsidersitreasonableforaregistrartoexpectthatareportofabuseorillegalactivityshouldmeetatleastthefollowingcriteria,absentextenuatingcircumstancesorreasonablejustification:
1. Thecomplainingpartyshouldbeidentifiedintheabusereportandshouldprovideawayfortheregistrartocontactthecomplainingparty.2. Thespecificurl(s)thatareallegedtobethesourceoftheabuseorillegalactivityshouldbeidentified,i.e.,theregistrarshouldnothavetoguessor
searchthewebsitetounderstandwheretheoffendingmaterialislocatedoroffendingactivitiesarebeingconducted.3. Thenatureoftheallegedabuseorillegalactivityshouldbeidentifiedwithspecificity,includingidentificationoftherelevantlaworregulationallegedto
beviolatedandtheapplicablejurisdictionwheresuchlaworregulationisineffect.4. Ifthecomplaintallegesinfringementorviolationofanindividualorentity'srightsunderalaworregulation,thereportshouldidentifytheindividualor
entitywhoserightsareallegedtobeviolatedorinfringed,andtherelationshipbetweenthecomplainingpartyandsuchrightsholder(e.g.,isthecomplainingpartytheindividualorentitywhoserightsareallegedtobeviolatedorinfringed,oranauthorizedagentofthatpartyoristheresomeotherrelationship).
5. Ifacourt,regulatoryauthority,orlawenforcementagencyhasmadeaformaldeterminationthatabuseorillegalactivityistakingplace,thatformaldeterminationshouldbesubmittedifavailable.
6. Iftheabusereportrequeststheregistrar'scompliancewithaparticularlaworregulation,itshouldsetforththebasisforbelievingthattheregistrarissubjecttothatlaworregulation.
7. Acomplainingpartyshouldnotsubmitmultipleabusereportscomplainingaboutthesameinstanceofthesameactivityiftheregistrarhaspreviouslyrespondedtoanabusereportaboutthatactivity.
ICANNrequiressufficientinformationtoenableICANNandtheregistrartoreviewanddetermineaproperresponseoractioninrelationtotheallegedviolationoflaworregulationfortheapplicablejurisdiction(s).