[RDS-WHOIS2-REC4-Compliance] Compliance Subteam 4 meeting

Susan Kawaguchi susankpolicy at gmail.com
Thu May 17 05:13:48 UTC 2018 

 Hello All,

I have copied the F2F agreements and to do's below along with the response
from the compliance team to our latest set of questions.

I have put in a few comments in red below for discussion.

F2F agreements



●     Subgroup analyzed findings for rec 4 implementation but has not
formulated recommendations yet .

●     Subgroup has not documented findings/analysis for its second
objective yet, although it put forward two recommendations associated with
that objective.

●     The compliance and accuracy subgroups need to consider how to
reconcile overlaps between their findings and recommendations.

●     Accuracy-related findings/issues remain in the accuracy subgroup
report; however, recommendations related to compliance will be integrated
into the compliance subgroup report.

●     Rec (4)1: All policies implemented should require metrics,
measurement, auditing, tracking, reporting and enforcement by the
compliance team.

Rec (4)2: All DN registrations should be required to adhere to the WHOIS
requirements in the 2013 RAA

To DO

●     Susan to confirm questions for ICANN compliance. Done

●     RDS-WHOIS2 Questions to Contractual Compliance

●     WHOIS1 Rec #4: Compliance Subgroup Follow-up emails to
maguy.serad at icann.org from Alice Jansen on 20 April 2018

●     1. Is it known (or can it be determined from ARS-sampled data) how
often Registrant Contact data elements such as Registrant email address,
Registrant postal address, and Registrant telephone number are absent from
WHOIS records for grandfathered domain names?

●     WHOIS Inaccuracy complaints created from the WHOIS Accuracy Reporting
System (ARS) are processed in parallel with single and bulk submission of
WHOIS Inaccuracy complaints. ICANN Contractual Compliance tracks and
reports based on Syntax, Operability and Identity; more information about
each category can be found at this link -
https://features.icann.org/compliance/dashboard/archives#annual-detailsor
on the WHOIS ARS reports. In addition, WHOIS Inaccuracy complaints are
tracked for legacy and for new gTLDs. This data can be found in the monthly
dashboards at this link:
https://features.icann.org/compliance/dashboard/report-list.

●     Contractual Compliance’s participation in the WHOIS ARS is limited to
providing guidance for Registrar Accreditation Agreement obligations
regarding syntax and accuracy, and processing complaints with inaccuracies
identified by the WHOIS ARS. The WHOIS ARS program is managed by ICANN’s
Global Domains Division.

●     Interesting that the compliance team does not have an answer to this
question   They do not seem to track the lack of information in the
grandfathered domain names. Still have no idea if this is a problem.



●     2. Why are a significant number of WHOIS Inacccuracy Complaints
closed without any action being taken? What does Compliance treat as valid
reasons for immediate ticket closure and are there any metrics for how
often tickets are closed for each of those reasons?

●     According to the ICANN Contractual Compliance 2017 Annual Reports

●
https://features.icann.org/compliance/dashboard/2017/complaints-approach-process-
registrars, out of approximately 25,000 WHOIS Inaccuracy complaints
received during 2017, approximately 12,000 were closed before contacting
the registrar. Common reasons for closing a complaint before a 1st notice
is sent to the registrar include:

●     - The reporter not providing information requested to validate the
complaint, - The domain name is suspended when the complaint was received,
or - The complaint is outside of the scope of ICANN’s contractual authority
(e.g., it is too broad or incomplete or is a request to change a
registrant’s own domain name information).

●     While certain WHOIS Inaccuracy complaints are automatically closed by
the complaint processing system (including complaints for country code
top-level domains and suspended domain names), for those that are not
automatically closed, Contractual Compliance will attempt to validate the
information in the complaint or obtain more information before closing the
complaint.

●

●     1

●     ICANN Contractual Compliance recently began reporting on closure
reasons by complaint type, including those for WHOIS Inaccuracy complaints.
These metrics are reported on a quarterly basis and the first quarter of
2018’s report is found at
https://features.icann.org/compliance/dashboard/2018/q1/registrar-resolved-codes
.

In reviewing the additional information in the dashboard report it appears
that many inaccuracy reports are not valid reports.  One issue we should
look at is closing of inaccuracy reports due to the domain names being
suspended previously.

The WHOIS record still exists with suspended domain names and the registrar
can choose to unsuspend at any moment.  The inaccuracy issue remains and
should be addressed.



●     3. What additional evidence in WHOIS Inaccuracy Complaints would
Compliance find useful?

●     Additional evidence in WHOIS Inaccuracy complaints that compliance
might find useful if the reporter provides are listed below:

●     - Evidence of returned mail sent to the postal address listed in the
WHOIS information - Evidence of a bounceback or undeliverable email
notification for email sent to the email address listed in the WHOIS
information - Evidence or explanation why the telephone number listed in
the public WHOIS is not accurate - Evidence or explanation why the person
or entity listed in the public WHOIS does not exist or is not the
registered name holder (RNH)

●     4. Does Compliance do any analysis of WHOIS Inaccuracy trends? If
not, why not? For example, would a policy be necessary to enable trend
analysis?

●     ICANN Contractual Compliance does attempt to identify patterns and
systemic issues of noncompliance within and across all of the complaint
types. This effort is useful in identifying trends of issues and most
importantly in identifying opportunities to conduct outreach or additional
proactive monitoring.

●     5. It shows that one of Compliance activities is ICANN-initiated
monitoring to take proactive actions. What kind of monitoring programs have
been conducted or planned?

●     Please provide more information on what “It” refers to, so that
Contractual Compliance may provide an accurate response.

●     To address the question about the kind of monitoring programs – Proactive
monitoring is ICANN’s effort to take initiative in identifying potential
issues instead of waiting for issues to happen. Proactive monitoring
actions, to list a few, are: the audit program, review of blogs and social
media, observed behavior from complaints, WHOIS Quality Review, review
related to the DNS infrastructure for example, usability and format of data
escrow files, or the automated monitoring system to ensure compliance with
Specification 10 of the Registry Agreement. Contractual Compliance reports
on the proactive monitoring activities in the Quarterly and Annual Report
published on ICANN.org under Report & Blogs.

●

●     2

●     6. Is there any monitoring program to check some common grounds or
linkages among ARS, Audit Program, public complaints received, e.g. from
specific registrar, gTLD, region?

●     As stated in the response to question 5, ICANN monitors the observed
behavior from complaints. For example, based on trends identified by
Contractual Compliance (including review of WHOIS inaccuracy complaints
submitted by the public and generated as a result of the WHOIS ARS), WHOIS
Inquiry efforts were taken in 2016 that focused on registrars in China and
Korea. These inquiries focused on issues with the 2013 RAA WHOIS Accuracy
Specification Program (WAPS) requirements. These efforts continued for
registrars in China, the United States, and other regions. Please refer to
the annual update published at this link
https://www.icann.org/en/system/files/files/annual-2016-31jan17-en.pdf.

●     7. Does compliance credit-rate registrars or just treat all of them
equally?

●     ICANN treats all registrars equally and does not rate them.

●     Please refer to the WHOIS1 Recommnedation 5-9 Data accuracy Subgroup
for additional questions and responses regarding WHOIS ARS.

●

●     2)  WHOIS verification review out reach focused on the APAC region to
ensure compliance with the 2013 RAA requirement to verify and validate
WHOIS information. Registrars that could not demonstrate initial compliance
collaborated with the team to update systems and processes to ensure future
compliance.



●     .



●     Subgroup to try testing recommendation on WHOIS policies that are
being examined by this review (e.g., PP, IDN) to see if
metrics/monitoring/reporting and enforcement have been defined for those – In
process

●     Susan to formulate recommendation to include compliance taking a
risk-based approach that is not just reactive - addressing systemic
complaints and taking a risk-based approach –

One of the follow up questions to the compliance team #6 they report that
they have performed proactive monitoring of the WHOIS verification review
in the APAC region.  There does not seem to be any other proactive approach
concerning the WHOIS.



We should recommend that they expand this monitoring to other areas of
WHOIS compliance.



What does the team recommend?

●     Susan to examine CCT recommendation on DAAR to build this subgroup’s
recommendation

CCT

Recommendation C: Further study the relationship between specific registry
operators, registrars and DNS abuse by commissioning ongoing data
collection, including but not limited to, ICANN Domain Abuse Activity
Reporting (DAAR) initiatives. For transparency purposes, this information
should be regularly published in order to be able to identify registries
and registrars that need to come under greater scrutiny and higher priority
by ICANN Compliance. Upon identifying abuse phenomena, ICANN should put in
place an action plan to respond to such studies, remediate problems
identified, and define future ongoing data collection.

●

Susan to research 2013 RAA negotiation materials to determine any reasons
for allowing grandfathering.



Have not found out any additional information on this but will continue to
pursue



Additional Points

ICANN should publicize the Bulk Whois inaccuracy submissions tool more
widely.   Currently only 10 users have gone through the process  to be able
to submit.   Last year only 3 submitters used the tool. 300 domain names at
a time.

Background Information: ICANN Contractual Compliance provides a mechanism
for bulk WHOIS inaccuracy complaint submissions, which allows a user to
submit multiple complaints through a single file upload. Each user can
submit up to 300 total complaints per week. The complaints are processed in
the same method and queue for WHOIS inaccuracy complaints. Users of the
bulk system must agree to mandatory terms of use, and their complaint
quality is monitored by ICANN to ensure submission of complaints are within
scope of the RAA and WHOIS requirements. There are currently approximately
ten approved users for the bulk system, and within the past six months,
three were active users.

Look forward to our discussion tomorrow.

Susan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/rds-whois2-rec4-compliance/attachments/20180517/a0c1c048/attachment-0001.html>

More information about the RDS-WHOIS2-REC4-Compliance mailing list