[Ssr2-review] Questions re: the Abuse/Compliance Findings text

Heather Flanagan hlf at sphericalcowconsulting.com
Thu Sep 26 16:16:28 UTC 2019


Hello all,

I’m working through the text added by the Abuse/Compliance sub-team, and have a first batch of questions ready. I am happy to put these in the doc itself, but am uncertain who should be assigned to the comments to make sure they are addressed.

The current text can be found here, starting on page 16 according to Google docs (the doc itself says page 15)
https://docs.google.com/document/d/10KOW2F6oqR3OdV7hfuWmnYo6gtE0d0wOZHOQzXmijx4/edit


—

1. Is this a section heading, or was this intended to be an endnote? (See page 20 in the google doc)
"[1] Gaps: SecurityWorld Threats & ICANN’s failed attempts to mitigate harms? Action"

--

2. Does anyone have any concerns about moving the entirety of the examples to an appendix? My working draft (I haven’t put this in the google doc yet) has revised the text on pages 17-25 in the Google doc as follows:
The SSR2 team identified a significant upward trend in multiple examples of abusive behaviors that can and often do leverage the DNS. Cybercriminals and other threat actors capitalize on identifiable gaps in DNS security measures currently in place. Relevant trends especially have been observed since the first SSR Review Team report was adopted by the Board in 2012. See Appendix $foo for examples.

In our review of ICANN’s activities, we found that the publications and statements from ICANN Org have consistently understated or omitted the impact of systemic abuse of the DNS and its use as a platform for launching systematic attacks on individual and organizational systems worldwide. See Appendix $bar for details in the areas of New gTLD Abuse, Registrar Accreditation Agreements, and gTLD Registry Agreements.

--

3. With regards to:

"2. [Additional information & cites to be added] Recommendations from the Government Advisory Committee, e.g., safeguards applicable to all new gTLDs[cite] also call for WHOIS validation, security checks, security threat reporting and complaint handling. [add additional key communique SSR recommendations and Constituency filings]" (page 26 of the Google doc)

is the GAC itemized advice (https://gac.icann.org/advice/itemized/) the correct place to point a citation, or should there be something(s) more specific?

—

4. What additional information is required here?

"ICANN also failed to act on additional SSAC recommendations aimed at registries that would help improve DNS security, stability, and resiliency. [add additional]" (page 26 of the Google doc)

In terms of citations, this section already points to https://www.icann.org/groups/ssac/documents

—

5. On the last SSR2 RT call, a suggestion was made to point in some way to the CCT report. Should this section be revised to do that? Would that resolve the comment re: adding additional text?

"3. Similar recommendations offered by review teams commissioned by ICANN to assess WHOIS[32] and Competition, Consumer Trust and Consumer Choice[33] have not been adopted by the ICANN Board. As of now, these have not been addressed in registry or registrar agreements with appropriate enforcement mechanisms. ICANN’s Compliance Performance Measurements Reports[34] illustrate the gravity and longevity of the WHOIS inaccuracy problem, but the measurements are otherwise unhelpful. Compliance does not report details of resolution, and there is no transparency in the disposition process that ICANN and contracted parties employ, and responses provided to complainant lack detail. [add additional text re review recommendations]" (page 27 of the Google doc)

—

6. This sentence is problematic:

"However, ICANN Org has never stated what tools it needs and how its current, narrow interpretation of the RAA and RAs hamper its work." (Page 29 of the Google doc)

Does ICANN admit anywhere that it actually has a current, narrow interpretation of the RAA and RA contracts? I see that they have said they don’t have tools, but the implication that they also say they have a narrow interpretation might be wrong. Is this more how the SSR2 RT sees things?
