[Gnso-newgtld-wg] Notes and Action Items - New gTLD Subsequent Procedures PDP WG - 24 October 2019

[Julie Hedlund]

Working Group members,

Please see below the notes from the meeting on 24 October 2019. These high-level notes are designed to help WG members navigate through the content of the call and are not a substitute for the recording, transcript, or the chat, which will be posted at: https://community.icann.org/display/NGSPP/2019-10-24+New+gTLD+Subsequent+Procedures+PDP.

Kind regards,
Julie
Julie Hedlund, Policy Director

Notes and Action Items:

Actions:

No actions captured.

Notes:

1. Updates to Statements of Interest: No updates provided.

2. Review of summary documents:

a. DNS Abuse: https://docs.google.com/document/d/1nIorSwzwom_yXvzWwo9pElsnFfK7bwcuYQq_Hur4Dls/edit?usp=sharing

-- New type of document, stems from discussions we’ve had and the CCT-RT recommendations.
-- CCT-RT came out with its final report several months ago.  The ICANN Board has accepted some of the recommendations and some are pending.
-- One that has been accepted is related to DNS abuse.
-- Others are pending, but they still seem like ones we should be taking a look at.

Applicable recommendations: 13, 14, 15, 17, and 25

Although many of the recommendations above are still pending review by the ICANN Board, the SubPro Working Group recognizes that there is a good deal of overlap between topics for which we have been developing policies and the recommendations by the CCT-RT.  The recommendations touch various topics within our Charter, such as registrant protections, public interest, and the Base Registry Agreement (RA).

The Working Group also recognizes that there is currently extensive interest within the ICANN Community on the topic of DNS Abuse, and that DNS Abuse is not unique amongst new gTLDs nor would addressing DNS Abuse in this Working Group solve any of the real or perceived issues existing in the TLDs that have already been delegated.

-- Question: What precipitated this sudden addition of  DNS Abuse to the agenda?  Was there outreach from ICANN Board or Staff on it?  Was on previously part of the work plan.  Answer: There were a number of comments that talk about not wanting to do another round until DNS abuse issues are solved.  Also related CCT-RT recommendations.  Charter mentions keeping tabs with the CCT-RT.  So, Co-Chairs decided the WG should consider DNS Abuse issues relating to the work of the WG and the CCT-RT recommendations.

Comments from the WG on the document:
-- Recommendation 13 not directed at SubPro.
-- Recommendation 14: Financial incentives are outside of the picket fence.  A PDP that is forward looking doesn’t have to be within the picket fence.   Concerning “proactive” -- not possible to identify a crime before it’s committed.  This means to take certain measures before it is reported to you as a problem.

Recommendation 15:
-- negotiate amendments to the Registrar Accreditation Agreement and Registry Agreements to include provisions aimed at preventing systemic use of specific registrars or registries for DNS Security Abuse. COMMENT: there is no way for a registry (with exclusion of Brands) or a registrar to ensure nothing happens with the good registrant who turned rogue, or whose credentials were stolen and used for bad activities.
-- And “with a higher threshold at which registrars and registries are presumed to be in default of their agreements.” COMMENT: this opens gates to blackmailing registries or registrars on purpose , extorting money for not using domains registered for this very purpose to cancel the RA, RAA (via , as example inclusion of records from those in some bad activity and sending a complaints the same time to ICANN). Such actions will endanger security and stability of the internet. Without a proof that a particular Registry or a Registrar participated in DNS abuse on purpose , it is a punishment without a crime.

Recommendation 17:
-- Absolute metrics for information security, including DNS abuse, not available from Computer Science, preventing establishing hard numbers
-- Feasible for registrar, registry and registry service provider, but not downwards from registrar (reseller, reseller of reseller etc.)

Recommendation 25:
-- looks something targeted at the perceived backdooring of ideas in PICs, not at DNS abuse.

Discussion:
-- according to the details of the CCT-RT report, they ARE talking about activities that precede a potentially abusive registration.
-- such as perhaps the registration of a few thousand names at low cost in singe transactions  I assume that is a prequi; to a *possible* suspicion of doubtful activity to follow but may be perfectly innocent as well…

Current State of SubPro Work:

-- Covered some aspects of abuse:

  1.  Mandatory Pics including Specification 11 3(b)
  2.  Incentives for Registries to adopt anti-abuse measures
  3.  From CCT-RT, Recommendation 25 seems to have support from this Working Group

The Community is already addressing a number of aspects of DNS Abuse (See Section III below).
Any new recommendations we make would impact only new TLDs on a going forward basis.

Proposed Recommendation.  Given the work already going on within the community, other than the topics that we are already covering relating to DNS Abuse in Subsequent Procedures, we encourage the community to continue to work on all issues pertaining to DNS Abuse which can ultimately apply to all TLDs, not just future ones.

OTHER CURRENT DNS ABUSE RELATED ACTIVITIES WITHIN ICANN COMMUNITY

Existing Policy Work:
--2010: Report from the Registration Abuse WG -- differentiated between “registration abuse” and “use abuse.”  It found that “Registration Abuse” involved issues akin to those that have already been included in the Registry and Registrar Agreements.  Registration Abuses, it found, were within ICANN’s jurisdiction and therefore were appropriate for future policy development.  “Use Abuse”, however, it found, was not a topic within ICANN’s jurisdiction and therefore was not appropriate for future policy development.  Use Abuse included things like intellectual property infringement, defamation, spam (when it does not serve as a delivery mechanism for the other forms of DNS Abuse), etc.

Domain Abuse Activity Reporting
-- ICANN's Domain Abuse Activity Reporting (DAAR) project is a system for studying and reporting on domain name registration and security threat (domain abuse) behavior across top-level domain (TLD) registries.
-- Re:  “The data is currently being pushed to registries using the ICANN SLAM system.” COMMENT: There are no domain names in this data, only some digits, the data does not contain any kind of proof that the data is not fake (some DAAR sources are crowdsourced and have benefits and weak points of such method (multiple persons (or virtual persons, i.e. accounts directed by the same entity) may report some domain to be fraudulent because of being paid or directed to do so)). Number of false alarms could be requested from ICANN compliance (ICANN audit, where the suggested bad strings were sent to Registries, and not all of such strings were found to be bad))
-- Re: Spam COMMENT: spam is out of scope of ICANN, not all spam has dangerous payload

Contractual Compliance Registry Operator Audit<https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf>

COMMENT FROM MAXIM: “The final Audit Report lacks information about ratio of the domains reported by DAAR to the amount of domains , which were found to be actual abuse cases”

Public Comments on the Initial Report Addressing DNS Abuse

Discussion:
-- Don't we already have disparity between legacy gTLDs and new gtlds?
-- Some WG support for the proposed recommendation: Given the work already going on within the community, other than the topics that we are already covering relating to DNS Abuse in Subsequent Procedures, we encourage the community to continue to work on all issues pertaining to DNS Abuse which can ultimately apply to all TLDs, not just future ones.
-- QUESTION: SHOULD WE BE RECOMMENDING AN EXPEDITED PDP ON DNS ABUSE?  Are we going to get held up if we don't?  QUESTION
 -- Answer: That’s for the community to decide.  The WG would not recommend it.
-- Given that the Board has not accepted the recommendations from the CCT RT it seems premature for any discussions about a PDP or EPDP.
-- If the Board will not move forward on a next round until this is addressed, we should likely figure out how to expedite.  (There is some existing GAC ADvice on this which they would have to override to authorize a next round I think.)
-- If we can't move forward before addressing that, we could as well suspend new registrations in all gTLDs.

-- If our recommendation is that this needs to be handled elsewhere in the community aren’t we sending a mixed message?  We could say that these are the aspects that made sense and we’ve addressed them.  For the other items it’s for the community to figure out how to handle that.

b. Registrar Support for New gTLDs: https://docs.google.com/document/d/14HxLzQMXs90hAkpRStPAwHDC4CxaYXWqxZ-psTmxHdU/edit?usp=sharing page 8 (time permitting)

New Ideas/Concerns/Divergence:

Option: ICANN selects a "last-resort" wholesale registrar to provide resellers with the ability to sell TLDs that lack market interest and/or have their target markets in regions or verticals lacking ICANN-Accredited registrars. Only registries allowing Post Payment terms are eligible.
-- RySG: Some agreement/some disagreement
-- IPC: Divergence/New Idea.
-- BC: Divergence/New Idea.
-- RrSG: Divergence.

Additional comments on potential challenges for compliance oversight for this proposal.
-- question e.5: Does ICANN forcing registrars to carry TLDs or designating registrars as "registrars of last resort" pose challenges to compliance oversight of these entities? Should registrars be liable for compliance actions for TLDs for which they did not want to carry but were forced to? By handpicking a few selected registrars as "last resort" does this create the possibility for compliance to go easy on them because ICANN needs them to play a specific role in the marketplace?

Discussion:
-- Seems that we are not going to get general agreement on this option.

Option: ICANN Org provides a “clearinghouse” for registries and registrars that operating in different currencies.
-- RySG: Some agree and some don’t agree.
-- RySG: Did not agree.

Option: Allow an increase to the number of names that can be registered without the use of an ICANN-Accredited Registrar and allow these names to be registered for purposes other than the promotion or operation of the TLD.
-- RySG: Agreement.

Option: AGB encourages potential applicants to communicate with ICANN accredited registrars before applying, so that they fully understand potential issues that might be encountered.
-- RySG: Agreement.
-- RrSG: Divergence/New Idea.

Option: Registry contract bundles the capacity of becoming an Accredited Registrar.
-- RySG: Agreement/New Idea
-- RrSG: Divergence.

Any other proposals that could assist TLD Registries that have difficulty attracting ICANN Accredited Registrars?
-- RySG: No new additional proposals but recommends a balance between innovation and attractiveness for sales channels.

How do you identify whether a TLD with low market performance has low performance due to lack of demand or lack of sales channels?
-- RySG: Some members believe this is beyond the scope of this WG and the remit of ICANN. Some members disagree. Some members have concerns that there is not a cost-effective way to establish the connection postulated in this question.

-- At minimum ICANN should clearly warn applicants that delegating a gTLD doesn't guarantee registrations - and that they WILL need to build a sales channel.
-- Need to understand what’s the harm to a TLD if it’s not being supported by registrars.
-- We aren’t introducing new registrars, we’re introducing new registries.
-- So innovate on the Registrar side as well.  There are some registars like EnCirca who specialize in non standard niche TLDs
Exactly - is that ICANNs role.
-- Many new TLDs were stunned when they found out that many registrars would not carry them, even when similarly situated TLDs were carried.
-- Regards planning, applicants thought every 2009 RAA registrar would be able to carry them, but in the end, 2013 RAA was required.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-newgtld-wg/attachments/20191024/7a90bc69/attachment-0001.html>