Jump to content

Contractual Compliance: Difference between revisions

From ICANNWiki
JP (talk | contribs)
JP (talk | contribs)
Line 30: Line 30:


===DNS Security Threat Audits===
===DNS Security Threat Audits===
====2019 Registry Operator Audit====
In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.<ref>[https://www.icann.org/en/blogs/details/contractual-compliance-addressing-domain-name-system-dns-infrastructure-abuse-8-11-2018-en ICANN.org Blog - Contractual Compliance Addressing DNS Infrastructure Abuse], November 8, 2018</ref> The audit was conducted over seven months, from November 2018 to June 2019.<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref> The report on the audit, released in September 2019, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."<ref name="19audit">[https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf ICANN.org - Report on the RO Audit for Addressing DNS Security Threats], September 17, 2019 (PDF)</ref> The report noted that many of the non-complying registries had a limited number of registrations:
In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.<ref>[https://www.icann.org/en/blogs/details/contractual-compliance-addressing-domain-name-system-dns-infrastructure-abuse-8-11-2018-en ICANN.org Blog - Contractual Compliance Addressing DNS Infrastructure Abuse], November 8, 2018</ref> The audit was conducted over seven months, from November 2018 to June 2019.<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref> The report on the audit, released in September 2019, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."<ref name="19audit">[https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf ICANN.org - Report on the RO Audit for Addressing DNS Security Threats], September 17, 2019 (PDF)</ref> The report noted that many of the non-complying registries had a limited number of registrations:
<blockquote>In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.<ref name="19audit" /></blockquote>
<blockquote>In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.<ref name="19audit" /></blockquote>
The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.<ref name="19audit" />
The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.<ref name="19audit" />


In February 2021, Contractual Compliance launched an audit of registrars' compliance with abuse-specific requirements of the RAA.<ref name="21audit">[https://www.icann.org/en/system/files/files/compliance-registrar-audit-report-2021-24aug21-en.pdf ICANN.org - Contractual Compliance Report on the February 2021 Registrar Audit], August 24, 2021 (PDF)</ref> Of the 126 registrars audited, deficiencies were identified within three different categories of compliance requirements:
====2021 Registrar Audit====
In February 2021, Contractual Compliance launched an audit of registrars' compliance with abuse-specific requirements of the RAA.<ref name="21audit">[https://www.icann.org/en/system/files/files/compliance-registrar-audit-report-2021-24aug21-en.pdf ICANN.org - Contractual Compliance Report on the February 2021 Registrar Audit], August 24, 2021 (PDF)</ref> Registrars were selected for audit if they at least 5 domains listed in the the Security Threat Reports received during the 2019 Registry Operator Audit, or listed in the November 2020 OCTO Abuse Reports based on metrics from Reputation Block Lists (RBLs).<ref name ="21audit" /> During the RFI phase, one registrar was terminated for unrelated reasons, leaving a total of 126 registrars in the audit pool. The registrars being audited managed over 90% of all registered second-level domains at the time of the audit.<ref name="21audit" /> Of the 126 registrars audited, deficiencies were identified within three different categories of compliance requirements:


{| class="wikitable"  
{| class="wikitable"  
Line 55: Line 57:
|}
|}


In total, only 15 registrars passed the audit process without any notice of deficiency.<ref name="21audit" /> Of the remaining 111 registrars, 92 cured any reported deficiencies before the end of the audit's remediation phase. 19 registrars were unable to cure all deficiencies within the audit timeframe, and negotiated due dates with Contractual Compliance for completion of work to cure.<ref name="21audit" />
In total, only 15 registrars passed the audit process without any notice of deficiency.<ref name="21audit" /> Of the remaining 111 registrars, 92 cured all reported deficiencies before the end of the audit's remediation phase. 19 registrars were unable to cure all deficiencies within the audit timeframe, and negotiated due dates with Contractual Compliance for completion of their work to cure.<ref name="21audit" />


==Outreach==
==Outreach==

Revision as of 18:11, 8 December 2021

The Office of Contractual Compliance is an ICANN department charged with enforcing the contractual compliance of registries and registrars through complaint-driven informal and formal resolution processes, ICANN-initiated monitoring, and compliance audits.

History[edit | edit source]

The history of ICANN's compliance enforcement runs parallel to the history of the organization's agreements with contracted parties: specifically, registry agreements and registrar accreditation agreements with registries and registrars, respectively. Contractual Compliance's role changed over time as those agreements were amended to include additional expectations, obligations, and mandates of contracted parties.

Complaints[edit | edit source]

Complaints commonly handled by this office include unauthorized domain name transfers or unsuccessful transfer requests; registry violations, such as providing more favorable treatment to some registrars; renewal reminders, fees, or redemption issues; and incorrect WHOIS data or access issues.[1]

Compliance Reports[edit | edit source]

Periodic reporting of compliance performance was initiated by the department in July 2014.[2] The department also publishes annual reports of complaints, complaint processing, and formal resolutions of complaints.[2] ICANN's Annual Report incorporates some of the contractual compliance information as well. In 2017, the department began assembling quarterly reports of activities and performance. Quarterly reporting was discontinued in 2019.[2]

GDPR and Registration Data Complaints[edit | edit source]

As the EU's General Data Protection Regulation came into effect, Contractual Compliance shifted its focus around and response to complaints related to inaccuracies or misrepresentations in registration data.[3] The department noted that the shifts in registrar and registry policies in response to the implementation of GDPR resulted in changes in the number and relevance of complaints:

The decrease in complaint volume from a monthly average of 2,774 pre-GDPR to 1,003 post-GDPR resulted from a significant reduction in external complaints and from ICANN org no longer releasing WHOIS ARS reports beginning in June 2018.
In addition, the percentage of complaints received that lacked evidence of noncompliance or fell outside of ICANN org's contractual scope increased. For example, many complainants believe that the registration data is "missing" from the public Registration Data Directory Service (or WHOIS service), privacy or proxy service data are redactions, or all non-European data should be displayed. While Contractual Compliance efforts to educate complainants on contractual requirements increased, the number of actual investigations into registrars' compliance with registration data accuracy obligations decreased.[3]

Monitoring[edit | edit source]

"Monitoring activities are ICANN-initiated, based in part on industry articles, social media postings, previous complaints, and trend analysis in an effort to proactively address any alleged failure to comply with contract terms."[4] In 2020, ICANN-initiated monitoring resulted in the submission of 1,412 complaints for processing. These complaints represented roughly 8% of the total complaints submitted that year.[5]

Auditing[edit | edit source]

The Audit Program is a continuous, ongoing activity that follows a recurring cycle.[6] Each audit round consists of six phases:[7]

  1. Planning Phase: ICANN plans the audit scope and timeline.
  2. Request for Information Phase: ICANN issues a notice of audit to the selected contracted parties, who must compile information and respond to the audit request.
  3. Audit Phase: ICANN reviews, tests, and validates the responses to ensure compliance with the contractual obligations.
  4. Initial Report Phase: ICANN issues a confidential initial audit report to each auditee containing the initial findings and allowing the contracted party to address the findings or provide clarity.
  5. Remediation Phase: ICANN collaborates with the auditees to remediate issues.
  6. Final Report Phase: ICANN issues a confidential final audit report to each auditee. ICANN also summarizes the audit round in an overall audit report.[7]

DNS Security Threat Audits[edit | edit source]

2019 Registry Operator Audit[edit | edit source]

In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.[8] The audit was conducted over seven months, from November 2018 to June 2019.[9] The report on the audit, released in September 2019, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."[10] The report noted that many of the non-complying registries had a limited number of registrations:

In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.[10]

The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.[10]

2021 Registrar Audit[edit | edit source]

In February 2021, Contractual Compliance launched an audit of registrars' compliance with abuse-specific requirements of the RAA.[11] Registrars were selected for audit if they at least 5 domains listed in the the Security Threat Reports received during the 2019 Registry Operator Audit, or listed in the November 2020 OCTO Abuse Reports based on metrics from Reputation Block Lists (RBLs).[11] During the RFI phase, one registrar was terminated for unrelated reasons, leaving a total of 126 registrars in the audit pool. The registrars being audited managed over 90% of all registered second-level domains at the time of the audit.[11] Of the 126 registrars audited, deficiencies were identified within three different categories of compliance requirements:

Registry Agreement Requirement # of Registrars with Deficiencies % of Registrars with Deficiencies
General Abuse Reporting (RAA 3.18.1) 46 37%
Law Enforcement Abuse Reporting (RAA 3.18.2) 33 26%
Abuse Handling Procedures (RAA 3.18.3) 78
62%

In total, only 15 registrars passed the audit process without any notice of deficiency.[11] Of the remaining 111 registrars, 92 cured all reported deficiencies before the end of the audit's remediation phase. 19 registrars were unable to cure all deficiencies within the audit timeframe, and negotiated due dates with Contractual Compliance for completion of their work to cure.[11]

Outreach[edit | edit source]

Contractual Compliance presents frequently at ICANN meetings, and conducts seminars and other educational programs throughout the ICANN regions.[12]

Roles at ICANN[edit | edit source]

  • Senior Manager, Contractual Compliance Risk and Audit
  • SVP, Contractual Compliance & U.S. Government Engagement
  • Contractual Compliance Risk and Audit Senior Specialist
  • Contractual Compliance Lead
  • Sr. Manager, Contractual Compliance
  • Contractual Compliance Analyst
  • Contractual Compliance Specialist
  • Contractual Compliance Senior Specialist

References[edit | edit source]