Contractual Compliance: Difference between revisions

JP (talk | contribs)
No edit summary
Jessica (talk | contribs)
 
(28 intermediate revisions by 2 users not shown)
Line 1: Line 1:
ICANN's '''Contractual Compliance and Consumer Safeguards''' department charged by [[ICANN]] with enforcing the contractual compliance of registries and registrars through complaint-driven informal and formal resolution processes, ICANN-initiated monitoring, and compliance audits.  
ICANN's '''Contractual Compliance and Consumer Safeguards''' department is charged by [[ICANN]] with enforcing the contractual compliance of registries and registrars through complaint-driven informal and formal resolution processes, ICANN-initiated monitoring, and compliance audits.  


==History==
The history of ICANN's compliance enforcement runs parallel to the history of the organization's agreements with contracted parties: specifically, [[Registry Agreement|registry agreements]] and [[Registrar Accreditation Agreement|registrar accreditation agreements]] with registries and registrars, respectively. Contractual Compliance's role changed over time as those agreements were amended to include additional expectations, obligations, and mandates of contracted parties.
The history of ICANN's compliance enforcement runs parallel to the history of the organization's agreements with contracted parties: specifically, [[Registry Agreement|registry agreements]] and [[Registrar Accreditation Agreement|registrar accreditation agreements]] with registries and registrars, respectively. Contractual Compliance's role changed over time as those agreements were amended to include additional expectations, obligations, and mandates of contracted parties.


Line 8: Line 7:
transfer requests; registry violations, such as providing more favorable treatment to some registrars; renewal reminders, fees, or redemption issues; and incorrect [[WHOIS]] data or access issues.<ref>[https://www.icann.org/en/system/files/files/contractual-compliance-complaint-31mar18-en.pdf Contractual Compliance Complaints]</ref>
transfer requests; registry violations, such as providing more favorable treatment to some registrars; renewal reminders, fees, or redemption issues; and incorrect [[WHOIS]] data or access issues.<ref>[https://www.icann.org/en/system/files/files/contractual-compliance-complaint-31mar18-en.pdf Contractual Compliance Complaints]</ref>


===Compliance Reports===
===Complaint Reports===
Periodic reporting of compliance performance was initiated by the department in July 2014.<ref name="perfstats">[https://features.icann.org/compliance/dashboard/report-list ICANN.org - Contractual Compliance Performance Reports], last visited December 2021</ref> The department also publishes annual reports of complaints, complaint processing, and formal resolutions of complaints.<ref name="perfstats" /> ICANN's Annual Report incorporates some of the contractual compliance information as well.  In 2017, the department began assembling quarterly reports of activities and performance. Quarterly reporting was discontinued in 2019.<ref name="perfstats" />  
Periodic reporting of department performance was initiated by the department in July 2014.<ref name="perfstats">[https://features.icann.org/compliance/dashboard/report-list ICANN.org - Contractual Compliance Performance Reports], last visited December 2021</ref> The department also publishes annual reports of complaints, complaint processing, and formal resolutions of complaints.<ref name="perfstats" /> ICANN's Annual Report incorporates some of the contractual compliance information as well.  In 2017, the department began assembling quarterly reports of activities and performance. Quarterly reporting was discontinued in 2019.<ref name="perfstats" />
 
====Complaint Review and Rejection====
It is notable that in any given year, a large percentage of complaint tickets received by Contract Compliance are rejected upon review. In 2020, for example, out of 15,739 complaint tickets received against registrars, 12,834 were closed before submission of the first notice to the subject registrar.<ref>[https://features.icann.org/compliance/dashboard/2020/complaints-approach-process-registrars ICANN.org Contractual Compliance Dashboard - 2020 Registrar Complaints per Compliance Approach and Process]</ref> While there are many reasons that a complaint might be closed before a first notice is sent, a majority of these complaints are closed because the complaint is deemed to be outside the scope of ICANN's authority to act. During Prep Week for ICANN 70, Contractual Compliance noted that 2,279 of the 2,676 DNS abuse complaints submitted between February 2020 and January 2021 were deemed out of scope.<ref name="70prep">[https://cdn.filestackcontent.com/content=t:attachment,f:%22Pre-ICANN%2070%20Webinar%20Contractual%20Compliance_10March2021.pdf ICANN 70 Archive: Contractual Compliance Update Presentation Slides], March 10, 2021</ref> In the fourth quarter of 2020, 3,832 of the 7,644 complaints received against registrars and registries (excluding complaints regarding DNS abuse issues) were deemed out of scope.<ref name="70prep" />
 
As the department explains, "The volume of complaints closed before 1st Inquiry / Notice refers to complaints that are not sent to the Registrar or Registry Operator. A reason for closing a complaint before 1st Inquiry / Notice could be: complaint is invalid, a duplicate complaint is already open, requested evidence or additional information not provided by reporter, data changed, etc. ... Closure rate before first Notice means these complaints are resolved or rejected before sending to a Registrar/Registry. This is a direct result of the quality checks performed by ICANN’s Contractual Compliance department."<ref>[https://features.icann.org/compliance/dashboard/archives#definition ICANN Contractual Compliance Dashboard - Explanations of Terms and Figures]</ref> In its Prep Week presentation at ICANN 70, compliance staff elaborated on common rationales for "out-of-scope" determinations:
* Complainant did not respond to ICANN’s request for evidence;
* Complaint was about a domain registered in a [[ccTLD]];
* Complaint misunderstood ICANN’s role and authority;
* Complainant submitted a duplicate complaint before resolution of the original complaint; or
* Complainant submitted a complaint about an issue that was already resolved at the time the complaint was reviewed<ref name="70prep" />


===GDPR and Registration Data Complaints===
===GDPR and Registration Data Complaints===
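Review bot: The new "Complaint Review and Rejection" paragraph calls the department "Contract Compliance" in its first sentence, while the rest of the page uses "Contractual Compliance"; use the full name. The same paragraph states that "a majority of these complaints are closed because the complaint is deemed to be outside the scope of ICANN's authority to act" with no citation on that sentence, and the figures cited after it cover only DNS abuse complaints and the fourth quarter of 2020, so either attach a source or narrow the claim to those periods. The last bullet of the list also ends without a period before its reference.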
Line 16: Line 25:


In addition, the percentage of complaints received that lacked evidence of noncompliance or fell outside of ICANN org's contractual scope increased. For example, many complainants believe that the registration data is "missing" from the public Registration Data Directory Service (or WHOIS service), privacy or proxy service data are redactions, or all non-European data should be displayed. While Contractual Compliance efforts to educate complainants on contractual requirements increased, the number of actual investigations into registrars' compliance with registration data accuracy obligations decreased.<ref name="gdpr" /></blockquote>
In addition, the percentage of complaints received that lacked evidence of noncompliance or fell outside of ICANN org's contractual scope increased. For example, many complainants believe that the registration data is "missing" from the public Registration Data Directory Service (or WHOIS service), privacy or proxy service data are redactions, or all non-European data should be displayed. While Contractual Compliance efforts to educate complainants on contractual requirements increased, the number of actual investigations into registrars' compliance with registration data accuracy obligations decreased.<ref name="gdpr" /></blockquote>
===SSAD Design and Contractual Compliance===
At [[ICANN 72]], the [[SSAD]] [[Operational Design Phase]] team presented on the progress of the operational design phase for the System for Standardized Access/Disclosure.<ref name="ssadblog">[https://www.icann.org/en/blogs/details/ssad-odp-update-contractual-compliance-and-identity-verification-methodology-2-11-2021-en ICANN.org Blog - SSAD ODP Update: Contractual Compliance and Identity Verification Methodology], November 2, 2021</ref> The presentation included a description of the Contractual Compliance department's role in the new system. Noting that the "alert mechanism is not an appeal mechanism,"<ref name="ssadpreso">[https://www.icann.org/en/system/files/files/presentation-ssad-odp-project-update-community-discussion-28oct21-en.pdf ICANN 72 Archive - SSAD ODP Project Update Presentation Slides], October 28, 2021 (PDF)</ref>, the design team notes that  compliance complaints could be filed within narrow procedural contraints in  two categories:
* Procedural failures regarding alert mechanisms & complaints regarding contracted party behavior. For example, a contracted party fails to provide a sufficient rationale for a denial of an information request; or a contracted party dismisses a request without first seeking additional information from the requesting party; and
* Failure to respond to urgen requests within the timeframes listed in the contracted party's [[Service Level Agreement]].<ref name="ssadpreso" />
Although the design team anticipated that there may be changes in the scope and method of Contractual Compliance's complaint processes related to SSAD, the recommendations of the [[Expedited Policy Development Process on the Temporary Specification for gTLD Registration Data (EPDP)|EPDP on the Temporary Specification for gTLD Registration Data]] anticipate that the SSAD system will have its own processes, as well as avenues of legal recourse for people requesting registration data. As such, they presently anticipate that Contractual Compliance will have limited and specific involvement with the SSAD.<ref name="ssadpreso" />


==Monitoring==
==Monitoring==
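Review bot: Two typos in the added "SSAD Design and Contractual Compliance" section: "procedural contraints" should be "procedural constraints" and "urgen requests" should be "urgent requests". In the sentence that quotes "alert mechanism is not an appeal mechanism," there is a stray comma after the closing reference tag and doubled spaces before "compliance complaints" and "two categories"; the sentence also shifts from "presented" to "notes", so put it in the past tense to match.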
Line 29: Line 45:
# Final Report Phase: ICANN issues a confidential final audit report to each auditee. ICANN also summarizes the audit round in an overall audit report.<ref name="phases" />
# Final Report Phase: ICANN issues a confidential final audit report to each auditee. ICANN also summarizes the audit round in an overall audit report.<ref name="phases" />


===RAA Audit Rights===
===Audit Rights===
====2009 Amendment Process====
ICANN is authorized to audit registries and registrars based on contractual provisions within the the Registry Accreditation Agreement (RAA) and Registry Agreements (RA) with registry operators.
 
====2009 RAA Amendment Process====
ICANN's right to audit registrars for compliance with contract provisions was added to the [[Registrar Accreditation Agreement]] in 2009 during the amendment process for the RAA.<ref>[https://archive.icann.org/en/topics/raa/ ICANN.org Archive - Consultation on RAA Amendments], 2009</ref> The amendments permitted ICANN to audit registrars for compliance with the following contract requirements:
ICANN's right to audit registrars for compliance with contract provisions was added to the [[Registrar Accreditation Agreement]] in 2009 during the amendment process for the RAA.<ref>[https://archive.icann.org/en/topics/raa/ ICANN.org Archive - Consultation on RAA Amendments], 2009</ref> The amendments permitted ICANN to audit registrars for compliance with the following contract requirements:
* maintenance of a functioning WHOIS lookup service;
* maintenance of a functioning WHOIS lookup service;
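Review bot: In the new lead sentence under "Audit Rights", "the the Registry Accreditation Agreement (RAA)" has a doubled article and the wrong name: the RAA is the Registrar Accreditation Agreement, as the following paragraph links it. Suggest "the Registrar Accreditation Agreement (RAA) with registrars and the Registry Agreements (RA) with registry operators", since as written "with registry operators" reads as applying to both agreements.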
Line 48: Line 66:
* Technical specifications regarding WHOIS and IPv6; and
* Technical specifications regarding WHOIS and IPv6; and
* Requirements regarding DNS abuse and security threat reporting.<ref>[https://www.icann.org/en/system/files/files/audit-plan-2013-raa-31mar16-en.pdf ICANN.org - 2013 RAA Audit Plan Scope] (PDF)</ref>
* Requirements regarding DNS abuse and security threat reporting.<ref>[https://www.icann.org/en/system/files/files/audit-plan-2013-raa-31mar16-en.pdf ICANN.org - 2013 RAA Audit Plan Scope] (PDF)</ref>
====Registry Agreement Audit Rights====
The base [[Registry Agreement]] (RA), created in advance of the [[New gTLD Program| new gTLD round]], grants ICANN or its subcontractor the right to perform "contractual and operational compliance audits" after "reasonable advance notice" has been provided to the registry operator.<ref name="basera1">[https://newgtlds.icann.org/en/applicants/agb/agreement-approved-02jul13-en.pdf ICANN.org Archive - Base Registry Agreement], as approved July 2, 2013</ref>
Prior to the creation of the base RA, audit provisions tended to be limited to financial records and technical reports. For example, Verisign's Registry Agreement to manage the [[.com]] domain contained no mention of compliance audits until its amendment in December 2012.<ref>[https://www.icann.org/en/registry-agreements/com/com-registry-agreement-1-12-2012-en ICANN.org - .com Registry Agreement], as amended December 1, 2012. Compare with [https://www.icann.org/en/registry-agreements/com/com-registry-agreement---1-march-2006-amended-22-september-2010-22-9-2010-en the .com Registry Agreement] as amended September 22, 2010</ref>
===2007 Announcement of Compliance Audit Processes===
ICANN's earliest posted report of registrar compliance dates from October 2006.<ref name="06update">[https://www.icann.org/resources/newsletter/registrar-update-2006-10-01-en ICANN.org - Registrar Compliance Update], October 1, 2010</ref> That report indicated that ICANN intended to introduce audit processes for registrars, "similar to the registry audit program already in place."<ref name="06update" /> In March 2007, Contractual Compliance announced its intention to begin auditing the contractual and operational compliance of both registries and registrars.<ref>[https://www.icann.org/en/blogs/details/updated-contractual-compliance-program-24-3-2007-en ICANN.org Blog - Updated Contractual Compliance Program], March 24, 2007</ref> Three days earlier, ICANN's CEO at the time, [[Paul Twomey]], announced that review and revision of ICANN's Registrar Accreditation process was necessary to ensure consumer protection and enforcement goals.<ref>[https://www.icann.org/en/announcements/details/registrar-accreditation-policy-and-process-must-be-reviewed-21-3-2007-en ICANN.org - Registrar Accreditation Policy and Process must be reviewed], March 21, 2007</ref> The announcement was prompted in part by the termination of [[RegisterFly]] due to a large volume of customer complaints. Some commentators criticized ICANN at the time for failing to act sooner.<ref>[https://domainnamewire.com/2007/03/27/icann-lets-learn-from-registerfly/ Domain Name Wire - ICANN: Let's Learn from RegisterFly], March 27, 2007</ref> ICANN executives at the time identified the lack of enforcement mechanisms apart for revocation of accreditation hampered ICANN's capacity to respond.<ref>[https://www.cbc.ca/news/science/icann-to-review-domain-name-regulations-1.671879 CBC News - ICANN to Review Domain Name Regulations], March 27, 2007</ref>
At the time of the announcement, there were no contractual provisions for such audits, except to the extent that individual registry agreements might grant a right to audit technical records of registry operators. However, review of the RAA was discussed at [[ICANN 28]] in Lisbon at the end of March.<ref>[https://www.icann.org/resources/board-material/resolutions-2007-03-30-en#_Toc36876525 ICANN Board Meeting Minutes], June 30, 2007</ref> In June 2007, the ICANN Board initiated its Consultation on Registrar Accreditation Agreements.<ref>[https://www.icann.org/resources/board-material/resolutions-2007-06-29-en#k Resolutions 07.50-07.52 of the Board], June 29, 2007</ref> This process resulted in the 2009 amendments to the RAA.
====Initial Audits====
Contractual Compliance performed periodic compliance audits starting in 2007. The audits were initially conceived as multiple periodic phases of review.<ref name="07auditrep">[https://www.icann.org/en/resources/compliance/reports/contractual-compliance-audit-report-18oct07-en.pdf ICANN.org - October 2007 Semi-Annual Contractual Compliance Report], October 18, 2007 (PDF)</ref> The first registrar audit report presented a proposed schedule for 2007 and beyond:<ref name="07auditrep" />
{| class="wikitable"
|-
! Quarter
! Registrar Audits
! Registry Audits
! Notes
|-
| Q1
| WHOIS Data Problem Report Findings<br />Primary Contact Information<br />
| Code of Conduct<br />Non-Discriminatory Access<br />
|
|-
| Q2
| Registrar Fees<br />Website Compliance<br />
| Registry Fees<br />Performance Specifications<br />
|
|-
| Q3
| WHOIS Server Accessibility<br />Registrar Data Retention*<br />
| WHOIS Data Accuracy
| *New Audit Process
|-
| Q4
| Insurance Verification<br />WHOIS Data Acuracy*<br />Inter-Registrar Transfer Policy*<br />
| Data Escrow<br />Registration Restrictions<br />
| *New Audit Process
|}
The initial report noted that the level of activity and work required for each audit varied from quarter to quarter.<ref name="07auditrep" /> Audits related to this plan continued for roughly two years, with additional reports being issued in July 2008<ref>[https://www.icann.org/en/resources/compliance/reports/contractual-compliance-audit-report-29jul08-en.pdf ICANN.org - July 2008 Semi-Annual Contractual Compliance Report], July 29, 2008 (PDF)</ref> and February 2009.<ref>[https://www.icann.org/en/resources/compliance/reports/contractual-compliance-report-27feb09-en.pdf ICANN.org - February 2009 Semi-Annual Contractual Compliance Report], February 27, 2009 (PDF)</ref> The last report apparently related to this program was issued in December 2009.<ref>[https://www.icann.org/en/resources/compliance/reports/contractual-compliance-report-24dec09-en.pdf ICANN.org - December 2009 Semi-Annual Contractual Compliance Report], December 24, 2009 (PDF)</ref>
===Three-Year Audit Program, 2012-2014===
In advance of the [[New gTLD Program]], Contractual Compliance launched a three-year audit of all ICANN-accredited registrars and TLDs launched before 2013.<ref name="3yr">[https://www.icann.org/resources/pages/compliance-past-audits-2015-12-04-en#three-year ICANN.org - Past Audit Programs: Three-Year Audit]]</ref> One-third of all active gTLD registries and registrars were audited over each of the three years. The audit excluded ccTLDs, [[.arpa]], [[.mil]], [[.gov]], and [[.edu]].<ref name="3yr" /> At [[ICANN 45]] in Toronto, Contractual Compliance presented on the specifics of the program and its process.<ref>[https://toronto45.icann.org/meetings/toronto2012/presentation-compliance-audit-17oct12-en.pdf ICANN 45 Archive - Compliance Audit Presentation Slides], October 17, 2012</ref> The registry audits resulted in "observation reports" to each participating registry. The audit results for registrars are summarized below:
{| class="wikitable"
|-
! Year
! Breach Notices (Registrars)
! Terminations (Registrars)
! Report
|-
| 2012
| 12
| 3
| [https://www.icann.org/en/system/files/files/registrar-registry-audit-2012-25jun13-en.pdf Year One Audit Report] (PDF)
|-
| 2013
| 11
| 3
| [https://www.icann.org/en/system/files/files/registrar-registry-audit-2013-07jul14-en.pdf Year Two Audit Report] (PDF)
|-
| 2014
| 10
| 10 (including 5 self-terminations)
| [https://www.icann.org/en/system/files/files/contractual-compliance-audit-report-2014-13jul15-en.pdf Year Three Audit Report] (PDF)
|}
===New Registry Agreement Audit Program===
Starting in July 2014 Contractual Compliance performed a compliance audit on all registries that had signed the new base Registry Agreement that was approved for the New gTLD Program.<ref>[https://www.icann.org/resources/pages/compliance-past-audits-2015-12-04-en#new-registry-agreement ICANN.org Archives - New Registry Agreement Audit Program]]</ref> The department presented an overview to registries in May 2014.<ref>[https://www.icann.org/en/system/files/files/registry-agmt-audit-12may14-en.pdf ICANN.org - New Registry Agreement Audit Program Presentation Slides], May 12, 2014</ref> At ICANN 50, Contractual Compliance provided an update on its activities, including its work with registries to prepare for the audit.<ref>[https://archive.icann.org/meetings/london2014/en/schedule/wed-compliance/presentation-compliance-25jun14-en.html ICANN 50 Archive - Contractual Compliance Update], June 25, 2014</ref>
In all, 14 registry operators were selected for the first audit: 10 operators of ASCII TLDs ([[.berlin]], [[.ceo]], [[.guru]], [[.link]], [[.menu]], [[.onl]], [[.ruhr]], [[.uno]], [[.wed]], and [[.xyz]]), and 4 operators of [[Internationalized Domain Name|internationalized domain names]].<ref name="14ra">[https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2014-03feb15-en.pdf ICANN.org - 2014 New Registry Agreement Audit Report], February 3, 2015</ref> Of the 14 registry operators, 10 passed the audit with no notice of deficiencies. Four registry operators were required to address deficiencies. The deficiencies ranged from failure to have valid abuse contact information to internal process gaps such as not having an active business continuity plan.<ref name="14ra" />
====Subsequent Audit Reports====
Contractual Compliance continued the New Registry Agreement Audit Program through March 2018. A summary of audit findings follows:
{| class="wikitable"
|-
! Report Date
! Subject TLDs
! Total TLDs
! Remediation Required*
! Report
|-
| 2015
| [[.bio]], [[.capetown]], [[.cooking]], [[.gent]], [[.moscow]], [[.ovh]], [[.tokyo]], [[.wales]], [[.wang]];<br />IDN: xn---io0a7i (网络)
| 10
| 10
| [https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2015-31mar15-en.pdf 2015 Audit Report] (PDF)
|-
| January 2016
| [[.airtel]], [[.amsterdam]], [[.bank]], [[.bnpparibas]], [[.firmdale]], [[.gdn]], [[.lat]], [[.pro]], [[.rio]], [[.ski]]
| 10
| 10
| [https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2016-12jul16-en.pdf January 2016 Audit Round Report] (PDF)
|-
| January 2017
| [[.army]], [[.bet]], [[.dubai]], [[.family]], [[.feedback]], [[.insurance]], [[.jprs]], [[.kiwi]], [[.moi]], [[.party]], [[.scb]], [[.shopping]], [[.sina]], [[.sucks]], [[.surgery]], [[.top]], [[.university]], [[.wtf]], [[.xxx]]<br />IDNs: xn---mxtq1m (政府),  xn---vuq861b (信息)
| 21
| 21
| [https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2017-11sep17-en.pdf January 2017 Audit Round Report] (PDF)
|-
| September 2017
| [[.airforce]], [[.bingo]], [[.creditcard]], [[.dentist]], [[.gripe]], [[.lawyer]], [[.ltd]], [[.pharmacy]], [[.poker]], [[.srl]]
| 10
| 6
| [https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2017-30apr18-en.pdf September 2017 Audit Round Report] (PDF)
|-
| March 2018
| [[.accountant]], [[.bid]], [[.brussels]], [[.cam]], [[.cricket]], [[.date]], [[.download]], [[.faith]], [[.loan]], [[.men]], [[.party]], [[.racing]], [[.review]], [[.science]], [[.stream]], [[.trade]], [[.webcam]], [[.win]]<br />IDNS: xn---ses554g (网址), xn---zfr164b (政务)
| 20
| 20
| [https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2018-01nov18-en.pdf March 2018 Audit Round Report] (PDF)<br />
|}
''*The public audit reports provide some statistical information regarding the audit process, but in most cases the reports are not clear regarding whether the initial reports to registry operators always included deficiencies. As a result, the "remediation required" number is not reliable. An exception is the report from the September 2017 audit round, where the executive summary of the public report explicitly states that four of the registries received no initial findings of deficiency.''


===DNS Security Threat Audits===
===DNS Security Threat Audits===
In 2018, Contractual Compliance announced that it intended to broaden the scope of its audit RFIs to include questions specific to RAA Section 3.18, which deals with registrars' threat prevention, reporting, and response processes. At the same time, the department updated its Registry Operators audit plan to "[review] processes and procedures related to preventing, identifying and handling of abusive domains. Specifically, testing is focused on verification of existence of technical analysis (security threats) reports and review for reports’ completeness in comparison to publicly available sources."<ref>[https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2018-01nov18-en.pdf ICANN.org Archive - Contractual Compliance: March 2018 Round New gTLD Registry Audit Report], published September 2018 (PDF)</ref> This was part of a previously announced initiative to increase attention to security threats, partially in response to community and stakeholder group concerns that ICANN was not doing enough to respond to threats to the DNS infrastructure.<ref name="dnsblog">[https://www.icann.org/en/blogs/details/contractual-compliance-addressing-domain-name-system-dns-infrastructure-abuse-8-11-2018-en ICANN.org Blog - Contractual Compliance: Addressing DNS Infrastructure Abuse], November 8, 2018</ref>
In 2018, Contractual Compliance announced that it intended to broaden the scope of its audit RFIs to include questions specific to RAA Section 3.18, which deals with registrars' threat prevention, reporting, and response processes. At the same time, the department updated its Registry Operators audit plan to "[review] processes and procedures related to preventing, identifying and handling of abusive domains. Specifically, testing is focused on verification of existence of technical analysis (security threats) reports and review for reports’ completeness in comparison to publicly available sources."<ref>[https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2018-01nov18-en.pdf ICANN.org Archive - Contractual Compliance: March 2018 Round New gTLD Registry Audit Report], published September 2018 (PDF)</ref> Since approval of the first base Registry Agreement for new gTLDs, there have been DNS security-related requirements for registry operators. The July 2013 base Registry Agreement contained abuse mitigation provisions requiring registry operators to publish contact information for abuse reporting, and to take action to remove orphan glue records "when provided with evidence in written form that such records are present in connection with malicious conduct."<ref name="basera1" /> Other provisions address issues of technical security and baseline operational standards.<ref name="basera1" />
 
The alterations to scope were part of a previously announced initiative to increase attention to security threats, partially in response to community and stakeholder group concerns that ICANN was not doing enough to respond to threats to the DNS infrastructure.<ref name="dnsblog">[https://www.icann.org/en/blogs/details/contractual-compliance-addressing-domain-name-system-dns-infrastructure-abuse-8-11-2018-en ICANN.org Blog - Contractual Compliance: Addressing DNS Infrastructure Abuse], November 8, 2018</ref>


====2019 Registry Operator Audit====
====2019 Registry Operator Audit====
In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.<ref name="dnsblog" /> The audit was conducted over seven months, from November 2018 to June 2019.<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref> The report on the audit, released in September 2019, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."<ref name="19audit">[https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf ICANN.org - Report on the RO Audit for Addressing DNS Security Threats], September 17, 2019 (PDF)</ref> The report noted that many of the non-complying registries had a limited number of registrations:
In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.<ref name="dnsblog" /> The audit was conducted from November 2018 to June 2019, and reviewed data and reports from 1207 TLDs.<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref> The report on the audit, released in September 2019, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."<ref name="19audit">[https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf ICANN.org - Report on the RO Audit for Addressing DNS Security Threats], September 17, 2019 (PDF)</ref> The report noted that many of the non-complying registries had a limited number of registrations:
<blockquote>In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.<ref name="19audit" /></blockquote>
<blockquote>In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.<ref name="19audit" /></blockquote>
The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.<ref name="19audit" />
The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.<ref name="19audit" />
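Review bot: Two reference labels in the added "2007 Announcement of Compliance Audit Processes" section disagree with their own URLs: the Registrar Compliance Update is labelled "October 1, 2010" although the text says October 2006 and the link path ends in 2006-10-01, and the ICANN 28 Board minutes are labelled "June 30, 2007" although the link is resolutions-2007-03-30 and the text places the meeting at the end of March. In the same section, "identified the lack of enforcement mechanisms apart for revocation of accreditation hampered" should read "identified that the lack of enforcement mechanisms apart from revocation of accreditation hampered". Smaller points: "WHOIS Data Acuracy" in the Q4 row of the schedule table, "IDNS:" in the March 2018 row where the other rows use "IDN:" or "IDNs:", and an extra closing bracket after the "Three-Year Audit" and "New Registry Agreement Audit Program" reference links.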
Line 79: Line 215:
|}
|}


In total, only 15 registrars passed the audit process without any notice of deficiency.<ref name="21audit" /> Of the remaining 111 registrars, 92 cured all reported deficiencies before the end of the audit's remediation phase. 19 registrars were unable to cure all deficiencies within the audit timeframe, and negotiated due dates with Contractual Compliance for completion of their work to cure.<ref name="21audit" />
In total, only 15 registrars passed the audit process without any notice of deficiency.<ref name="21audit" /> Of the remaining 111 registrars, 92 cured all reported deficiencies before the end of the audit's remediation phase. Nineteen registrars were unable to cure all deficiencies within the audit timeframe and negotiated due dates with Contractual Compliance for completion of their work to cure.<ref name="21audit" />
 
===2022 Round of Audits===
On April 4, 2022, Contractual Compliance sent pre-audit notifications to Registry Operators for 28 gTLDs. The selected Registry Operators received a Request for Information containing the audit questions.<ref>[https://www.icann.org/en/announcements/details/icanns-contractual-compliance-announces-new-audit-round-13-04-2022-en Contractual Compliance announces new audit round, ICANN Announcements, April 13, 2022]</ref><br/> The selection criteria for the 28 gTLDs included:
* not previously audited in a standard full-scope RA Audit
* at least 100 domains
* highest abuse score as reported by publicly available [[RBL|Reputation Blocklists]] (excluding spam)
When these criteria resulted in multiple gTLDs operated by the same Registry Operator, ICANN selected one gTLD to represent the Registry Operator.


==Outreach==
==Outreach==
Contractual Compliance presents frequently at [[ICANN Meetings|ICANN meetings]], and conducts seminars and other educational programs throughout the ICANN regions.<ref>[https://www.icann.org/resources/compliance/outreach ICANN.org - Contractual Compliance Outreach Activities]</ref>  
Contractual Compliance presents frequently at [[ICANN Meetings|ICANN meetings]], and conducts seminars and other educational programs throughout the ICANN regions.<ref>[https://www.icann.org/resources/compliance/outreach ICANN.org - Contractual Compliance Outreach Activities]</ref>  


==Roles at ICANN==
==ICANN CC Staffers==
* Senior Manager, Contractual Compliance Risk and Audit
* [[Leticia Castillo Sojo]], [[Jonathan Denison]], [[Roger Lim]]: Directors, Contractual Compliance
* SVP, Contractual Compliance & U.S. Government Engagement
* [[Yan Agranonik]]: Senior Manager, Contractual Compliance Risk and Audit
* Contractual Compliance Risk and Audit Senior Specialist
* [[Jamie Hedlund]]: SVP, Contractual Compliance & Consumer Safeguards, Managing Director
* Contractual Compliance Lead
* [[Joseph Restuccia]]: Contractual Compliance Risk and Audit Senior Specialist
* Sr. Manager, Contractual Compliance
* [[Amanda Rose]]: Contractual Compliance Lead
* Contractual Compliance Analyst
* [[Zuhra Salijanova]]: Sr. Manager, Contractual Compliance
* Contractual Compliance Specialist
* [[Mehdi Kurdmisto]], [[Genie Chou]], [[Mariana Solano]], [[Dickson Chew]], [[HuiYing Lim]], [[Leah Symekher]], [[Laine Tan]], [[Amanda Weddle]]: Contractual Compliance Analysts
* Contractual Compliance Senior Specialist
* [[Nicholas Axelrod-McLeod]], [[Charmaine Lim]], [[Bryan Tan]]: Contractual Compliance Specialists
* [[May Kim]], [[Holida Yanik]], [[Selim Manzak]], [[Jinzaemon Kimoto]]: Contractual Compliance Senior Specialists
* [[Pamela Howard]]: Performance Measurement & Reporting Senior Manager
* [[Cynthia Tinsley]]: Contractual Compliance Executive Assistant


==References==
==References==
{{reflist}}
{{reflist}}
__NOTOC__
 
[[Category:ICANN Organization]]
[[Category:ICANN Organization]]
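Review bot: The renamed heading "ICANN CC Staffers" uses an abbreviation the article never expands; "Contractual Compliance Staff" would match the rest of the page. In the list under it, titles are abbreviated inconsistently ("Senior Manager" for one entry, "Sr. Manager" for another). In the new "2022 Round of Audits" section, the inline line-break tag before "The selection criteria" can be replaced with a normal sentence break, and the three criteria bullets would read better with consistent end punctuation.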