Contractual Compliance: Difference between revisions

From ICANNWiki
JP (talk | contribs)
JP (talk | contribs)
Line 65: Line 65:
Prior to the creation of the base RA, audit provisions tended to be limited to financial records and technical reports. For example, Verisign's Registry Agreement to manage the [[.com]] domain contained no mention of compliance audits until its amendment in December 2012.<ref>[https://www.icann.org/en/registry-agreements/com/com-registry-agreement-1-12-2012-en ICANN.org - .com Registry Agreement], as amended December 1, 2012. Compare with [https://www.icann.org/en/registry-agreements/com/com-registry-agreement---1-march-2006-amended-22-september-2010-22-9-2010-en the .com Registry Agreement] as amended September 22, 2010</ref>
Prior to the creation of the base RA, audit provisions tended to be limited to financial records and technical reports. For example, Verisign's Registry Agreement to manage the [[.com]] domain contained no mention of compliance audits until its amendment in December 2012.<ref>[https://www.icann.org/en/registry-agreements/com/com-registry-agreement-1-12-2012-en ICANN.org - .com Registry Agreement], as amended December 1, 2012. Compare with [https://www.icann.org/en/registry-agreements/com/com-registry-agreement---1-march-2006-amended-22-september-2010-22-9-2010-en the .com Registry Agreement] as amended September 22, 2010</ref>


===Three-Year Audit Program, 2012-2015===
===Three-Year Audit Program, 2012-2014===
In advance of the [[New gTLD Program]], Contractual Compliance launched a three-year audit of all ICANN-accredited registrars and TLDs launched before 2013.<ref name="3yr">[https://www.icann.org/resources/pages/compliance-past-audits-2015-12-04-en#three-year ICANN.org - Past Audit Programs: Three-Year Audit]]</ref> One-third of all active gTLD registries and registrars were audited over each of the three years. The audit excluded ccTLDs, [[.arpa]], [[.mil]], [[.gov]], and [[.edu]].<ref name="3yr" /> At [[ICANN 45]] in Toronto, Contractual Compliance presented on the specifics of the program and its process.<ref>[https://toronto45.icann.org/meetings/toronto2012/presentation-compliance-audit-17oct12-en.pdf ICANN 45 Archive - Compliance Audit Presentation Slides], October 17, 2012</ref> The registry audits resulted in "observation reports" to each participating registry. The audit results for registrars are summarized below:
In advance of the [[New gTLD Program]], Contractual Compliance launched a three-year audit of all ICANN-accredited registrars and TLDs launched before 2013.<ref name="3yr">[https://www.icann.org/resources/pages/compliance-past-audits-2015-12-04-en#three-year ICANN.org - Past Audit Programs: Three-Year Audit]]</ref> One-third of all active gTLD registries and registrars were audited over each of the three years. The audit excluded ccTLDs, [[.arpa]], [[.mil]], [[.gov]], and [[.edu]].<ref name="3yr" /> At [[ICANN 45]] in Toronto, Contractual Compliance presented on the specifics of the program and its process.<ref>[https://toronto45.icann.org/meetings/toronto2012/presentation-compliance-audit-17oct12-en.pdf ICANN 45 Archive - Compliance Audit Presentation Slides], October 17, 2012</ref> The registry audits resulted in "observation reports" to each participating registry. The audit results for registrars are summarized below:
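Review bot: the unchanged context line of this hunk carries a markup error that could be fixed in the same edit: the `<ref name="3yr">` external link ends with `]]` instead of `]`, so a stray bracket renders in the reference text (visible as "Three-Year Audit]" in reference 18 below). The heading change itself, from 2012-2015 to 2012-2014, is consistent with "three-year" and with the three audit years (2012, 2013, 2014) in the results table that follows.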



Revision as of 19:29, 9 December 2021

ICANN's Contractual Compliance and Consumer Safeguards department is charged by ICANN with enforcing the contractual compliance of registries and registrars through complaint-driven informal and formal resolution processes, ICANN-initiated monitoring, and compliance audits.

The history of ICANN's compliance enforcement runs parallel to the history of the organization's agreements with contracted parties: specifically, registry agreements and registrar accreditation agreements with registries and registrars, respectively. Contractual Compliance's role changed over time as those agreements were amended to include additional expectations, obligations, and mandates of contracted parties.

Complaints

Complaints commonly handled by this office include unauthorized domain name transfers or unsuccessful transfer requests; registry violations, such as providing more favorable treatment to some registrars; renewal reminders, fees, or redemption issues; and incorrect WHOIS data or access issues.[1]

Complaint Reports

Periodic reporting of department performance was initiated by the department in July 2014.[2] The department also publishes annual reports of complaints, complaint processing, and formal resolutions of complaints.[2] ICANN's Annual Report incorporates some of the contractual compliance information as well. In 2017, the department began assembling quarterly reports of activities and performance. Quarterly reporting was discontinued in 2019.[2]

Complaint Review and Rejection

It is notable that in any given year, a large percentage of complaint tickets received by Contractual Compliance are rejected upon review. In 2020, for example, out of 15,739 complaint tickets received against registrars, 12,834 were closed before submission of the first notice to the subject registrar.[3] While there are many reasons that a complaint might be closed before a first notice is sent, a majority of these complaints are closed because the complaint is deemed to be outside the scope of ICANN's authority to act. During Prep Week for ICANN 70, Contractual Compliance noted that 2,279 of the 2,676 DNS abuse complaints submitted between February 2020 and January 2021 were deemed out of scope.[4] In the fourth quarter of 2020, 3,832 of the 7,644 complaints received against registrars and registries (excluding complaints regarding DNS abuse issues) were deemed out of scope.[4]

As the department explains, "The volume of complaints closed before 1st Inquiry / Notice refers to complaints that are not sent to the Registrar or Registry Operator. A reason for closing a complaint before 1st Inquiry / Notice could be: complaint is invalid, a duplicate complaint is already open, requested evidence or additional information not provided by reporter, data changed, etc. ... Closure rate before first Notice means these complaints are resolved or rejected before sending to a Registrar/Registry. This is a direct result of the quality checks performed by ICANN’s Contractual Compliance department."[5] In its Prep Week presentation at ICANN 70, compliance staff elaborated on common rationales for "out-of-scope" determinations:

  • Complainant did not respond to ICANN’s request for evidence;
  • Complaint was about a domain registered in a ccTLD;
  • Complaint misunderstood ICANN’s role and authority;
  • Complainant submitted a duplicate complaint before resolution of the original complaint; or
  • Complainant submitted a complaint about an issue that was already resolved at the time the complaint was reviewed[4]

GDPR and Registration Data Complaints

As the EU's General Data Protection Regulation came into effect, Contractual Compliance shifted its focus on, and its response to, complaints about inaccuracies or misrepresentations in registration data.[6] The department noted that the shifts in registrar and registry policies in response to the implementation of GDPR resulted in changes in the number and relevance of complaints:

The decrease in complaint volume from a monthly average of 2,774 pre-GDPR to 1,003 post-GDPR resulted from a significant reduction in external complaints and from ICANN org no longer releasing WHOIS ARS reports beginning in June 2018.
In addition, the percentage of complaints received that lacked evidence of noncompliance or fell outside of ICANN org's contractual scope increased. For example, many complainants believe that the registration data is "missing" from the public Registration Data Directory Service (or WHOIS service), privacy or proxy service data are redactions, or all non-European data should be displayed. While Contractual Compliance efforts to educate complainants on contractual requirements increased, the number of actual investigations into registrars' compliance with registration data accuracy obligations decreased.[6]

Monitoring

"Monitoring activities are ICANN-initiated, based in part on industry articles, social media postings, previous complaints, and trend analysis in an effort to proactively address any alleged failure to comply with contract terms."[7] In 2020, ICANN-initiated monitoring resulted in the submission of 1,412 complaints for processing. These complaints represented roughly 8% of the total complaints submitted that year.[8]

Auditing

The Audit Program is a continuous, ongoing activity that follows a recurring cycle.[9] Each audit round consists of six phases:[10]

  1. Planning Phase: ICANN plans the audit scope and timeline.
  2. Request for Information (RFI) Phase: ICANN issues a notice of audit to the selected contracted parties, who must compile information and respond to the audit request.
  3. Audit Phase: ICANN reviews, tests, and validates the responses to ensure compliance with the contractual obligations.
  4. Initial Report Phase: ICANN issues a confidential initial audit report to each auditee containing the initial findings and allowing the contracted party to address the findings or provide clarity.
  5. Remediation Phase: ICANN collaborates with the auditees to remediate issues.
  6. Final Report Phase: ICANN issues a confidential final audit report to each auditee. ICANN also summarizes the audit round in an overall audit report.[10]

Audit Rights

ICANN is authorized to audit registries and registrars based on contractual provisions within the Registrar Accreditation Agreement (RAA) with registrars and the Registry Agreements (RA) with registry operators.

2009 RAA Amendment Process

ICANN's right to audit registrars for compliance with contract provisions was added to the Registrar Accreditation Agreement in 2009 during the amendment process for the RAA.[11] The amendments permitted ICANN to audit registrars for compliance with the following contract requirements:

  • maintenance of a functioning WHOIS lookup service;
  • collection, verification, review, and retention of valid registrant data;
  • inclusion of mandatory provisions and policies in the registrar's registrant agreement;
  • inclusion of mandatory provisions and policies in the registrar's reseller agreements, as well as RAA-mandated handling of any registrant data submitted via a proxy or privacy service;
  • compliance with all consensus and temporary policies in existence (at the time, the UDRP, Expired Domain Deletion Policy, and WHOIS Data Reminder Policy);
  • published link to ICANN's registrant educational information;
  • proof of completion of a required training course by the registrar's primary contact or designee; and
  • maintenance of valid contact information on the registrar's website and within RADAR.[12]

2013 Expansion of RAA Audit Rights

Starting in 2011, ICANN engaged in a cooperative process of negotiations with accredited registrars to review and update the RAA.[13] The resulting amendments to the RAA were approved by the ICANN Board in June 2013.[14] The amendments expanded ICANN's audit rights in a number of ways:

  • Increased compliance requirements around notice to registrants of ICANN policies;
  • Increased compliance requirements regarding contractual relationship to resellers and reseller compliance;
  • Additional consumer protection measures, such as ensuring a registrar had a published complaint and dispute resolution policy;
  • Technical specifications regarding WHOIS and IPv6; and
  • Requirements regarding DNS abuse and security threat reporting.[15]

Registry Agreement Audit Rights

The base Registry Agreement (RA), created in advance of the new gTLD round, grants ICANN or its subcontractor the right to perform "contractual and operational compliance audits" after "reasonable advance notice" has been provided to the registry operator.[16]

Prior to the creation of the base RA, audit provisions tended to be limited to financial records and technical reports. For example, Verisign's Registry Agreement to manage the .com domain contained no mention of compliance audits until its amendment in December 2012.[17]

Three-Year Audit Program, 2012-2014

In advance of the New gTLD Program, Contractual Compliance launched a three-year audit of all ICANN-accredited registrars and TLDs launched before 2013.[18] One-third of all active gTLD registries and registrars were audited over each of the three years. The audit excluded ccTLDs, .arpa, .mil, .gov, and .edu.[18] At ICANN 45 in Toronto, Contractual Compliance presented on the specifics of the program and its process.[19] The registry audits resulted in "observation reports" to each participating registry. The audit results for registrars are summarized below:

Year   Breach Notices (Registrars)   Terminations (Registrars)             Report
2012   12                            3                                     Year One Audit Report (PDF)
2013   11                            3                                     Year Two Audit Report (PDF)
2014   10                            10 (including 5 self-terminations)    Year Three Audit Report (PDF)

DNS Security Threat Audits

In 2018, Contractual Compliance announced that it intended to broaden the scope of its audit RFIs to include questions specific to RAA Section 3.18, which deals with registrars' threat prevention, reporting, and response processes. At the same time, the department updated its Registry Operators audit plan to "[review] processes and procedures related to preventing, identifying and handling of abusive domains. Specifically, testing is focused on verification of existence of technical analysis (security threats) reports and review for reports’ completeness in comparison to publicly available sources."[20] Since approval of the first base Registry Agreement for new gTLDs, there have been DNS security-related requirements for registry operators. The July 2013 base Registry Agreement contained abuse mitigation provisions requiring registry operators to publish contact information for abuse reporting, and to take action to remove orphan glue records "when provided with evidence in written form that such records are present in connection with malicious conduct."[16] Other provisions address issues of technical security and baseline operational standards.[16]

The alterations to scope were part of a previously announced initiative to increase attention to security threats, partially in response to community and stakeholder group concerns that ICANN was not doing enough to respond to threats to the DNS infrastructure.[21]

2019 Registry Operator Audit

In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.[21] The audit was conducted from November 2018 to June 2019, and reviewed data and reports from 1207 TLDs.[22] The report on the audit, released in September 2019, found that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."[23] The report noted that many of the non-complying registries had a limited number of registrations:

In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.[23]

The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.[23]

2021 Registrar Audit

In February 2021, Contractual Compliance launched an audit of registrars' compliance with abuse-specific requirements of the RAA.[24] Registrars were selected for audit if they had at least 5 domains listed in the Security Threat Reports received during the 2019 Registry Operator Audit, or listed in the November 2020 OCTO Abuse Reports based on metrics from Reputation Block Lists (RBLs).[24] During the RFI phase, one registrar was terminated for unrelated reasons, leaving a total of 126 registrars in the audit pool. The registrars being audited managed over 90% of all registered second-level domains at the time of the audit.[24] Of the 126 registrars audited, deficiencies were identified within three different categories of compliance requirements:

RAA Requirement                                 # of Registrars with Deficiencies   % of Registrars with Deficiencies
General Abuse Reporting (RAA 3.18.1)            46                                  37%
Law Enforcement Abuse Reporting (RAA 3.18.2)    33                                  26%
Abuse Handling Procedures (RAA 3.18.3)          78                                  62%

In total, only 15 registrars passed the audit process without any notice of deficiency.[24] Of the remaining 111 registrars, 92 cured all reported deficiencies before the end of the audit's remediation phase. 19 registrars were unable to cure all deficiencies within the audit timeframe, and negotiated due dates with Contractual Compliance for completion of their work to cure.[24]

Outreach

Contractual Compliance presents frequently at ICANN meetings, and conducts seminars and other educational programs throughout the ICANN regions.[25]

Roles at ICANN

  • Senior Manager, Contractual Compliance Risk and Audit
  • SVP, Contractual Compliance & U.S. Government Engagement
  • Contractual Compliance Risk and Audit Senior Specialist
  • Contractual Compliance Lead
  • Sr. Manager, Contractual Compliance
  • Contractual Compliance Analyst
  • Contractual Compliance Specialist
  • Contractual Compliance Senior Specialist

References

  1. ICANN.org - Contractual Compliance Complaints
  2. ICANN.org - Contractual Compliance Performance Reports, last visited December 2021
  3. ICANN.org - Contractual Compliance Dashboard: 2020 Registrar Complaints per Compliance Approach and Process
  4. ICANN 70 Archive - Contractual Compliance Update Presentation Slides, March 10, 2021
  5. ICANN.org - Contractual Compliance Dashboard: Explanations of Terms and Figures
  6. ICANN.org - Registration Data Accuracy Obligations Before and After GDPR, June 14, 2021
  7. ICANN.org FAQ - What is ICANN's Contractual Compliance Approach and Process?
  8. ICANN.org - Contractual Compliance Dashboard: 2020 Complaints by Reporter Category
  9. ICANN.org - Contractual Compliance Audit Program
  10. ICANN.org - Audit Phases
  11. ICANN.org Archive - Consultation on RAA Amendments, 2009
  12. ICANN.org - Contractual Compliance 2009 RAA Audit Plan (PDF)
  13. ICANN.org - RAA Amendment Negotiations Workspace, last updated October 1, 2013
  14. ICANN.org - Resolution (2.b) of the Board, June 27, 2013
  15. ICANN.org - 2013 RAA Audit Plan Scope (PDF)
  16. ICANN.org Archive - Base Registry Agreement, as approved July 2, 2013
  17. ICANN.org - .com Registry Agreement, as amended December 1, 2012. Compare with the .com Registry Agreement as amended September 22, 2010
  18. ICANN.org - Past Audit Programs: Three-Year Audit
  19. ICANN 45 Archive - Compliance Audit Presentation Slides, October 17, 2012
  20. ICANN.org Archive - Contractual Compliance: March 2018 Round New gTLD Registry Audit Report, published September 2018 (PDF)
  21. ICANN.org Blog - Contractual Compliance: Addressing DNS Infrastructure Abuse, November 8, 2018
  22. ICANN.org Announcements - Contractual Compliance Audit of DNS Security Threats
  23. ICANN.org - Report on the RO Audit for Addressing DNS Security Threats, September 17, 2019 (PDF)
  24. ICANN.org - Contractual Compliance Report on the February 2021 Registrar Audit, August 24, 2021 (PDF)
  25. ICANN.org - Contractual Compliance Outreach Activities