[Ssr2-review] Compliance call follow-up questions

Jennifer Bryce jennifer.bryce at icann.org
Fri Jun 7 08:39:09 UTC 2019


Dear Norm, Laurin, KC, Kerry-Ann, Denise;

Below are answers to follow-up questions directed to ICANN Compliance. Please let me know if you have any questions.

Best,
Jennifer




Q: For many years, Compliance has been stating that they don’t have the tools, authority, contract language that they need to effectively address contractual compliance-related issues impacting DNS abuse, especially systemic abuse.  What stopped Compliance from doing a gap analysis and creating a list of improvements, and compiling a list of specific things they need in contracts, etc.?

A:  During periods of contract negotiations between ICANN org and the contracted parties, Contractual Compliance has provided input to those negotiating on behalf of ICANN org (e.g., GDD, Legal). This input has focused on implementation and enforcement matters. In turn, ICANN org’s negotiating team takes into account Contractual Compliance’s input, along with that of other departments within ICANN org, and incorporates it into ICANN org’s overall strategy and approach for negotiation. In addition, Contractual Compliance provides continuous input to GDD, Legal, OCTO and others regarding enforcement of the agreements after they have been executed so as to inform discussions of potential future amendments or changes to those agreements. Contractual Compliance does not maintain or publish a separate set of demands, independent of ICANN org.

Q: It is common for regulatory/compliance entities worldwide to specify the tools, authority, etc. they need to improve impact, and compliance representatives are often directly involved in negotiating and effecting these changes.  Jamie indicated that Compliance is not involved in discussions/negotiations to change the RAA & Registry agreements as it “wouldn’t be appropriate.”  What does he base this statement on? What, specifically, are the barriers (Bylaw language? Contract language?) that prevent Compliance from having a seat at the negotiating table to get what they need?

A: Since Contractual Compliance has the responsibility of enforcing ICANN org’s agreements with registries and registrars, it would be neither appropriate nor advantageous for us to participate directly in the negotiations. By negotiating provisions in an agreement, our ability to enforce them could be compromised by our participation in the negotiations, particularly with provisions that may have more than one interpretation. By not participating in the negotiations, we are able to assume a neutral approach in enforcing the agreements, not tainted or limited by the dynamics of the negotiation.

Q: When will the Spec 11 Registry audit be done? Will it be publicly posted when done?

A: The Registry DNS abuse Audit began in November 2018 and should conclude in June or July 2019. We have already completed many of the individual registry operator audits. The results of the individual audits will remain confidential. At the conclusion of the audit, Contractual Compliance will post a public report. Again, this report should be published in June or July on the Audit landing page at https://www.icann.org/resources/pages/audits-2012-02-25-en.

Q: Is Compliance doing an audit of Registrars’ compliance with the requirement that they must investigate and respond to abuse?

A: As previously announced, Contractual Compliance will conduct a Registrar DNS Abuse Audit after the conclusion of the Registry audit.

Q: Jamie said Compliance is using DAAR in the Registry audit. Are they using it in Registrar audits? If not, why not?

A: For the upcoming Registrar Audit, Contractual Compliance will rely on data from Reputational Block Lists (RBLs) that are publicly available.

Q: Jamie indicated that, in the future, DAAR will provide the public with aggregated abuse stats at the Registrar level, but staff responsible for DAAR stated in Kobe that this would not be done. Please provide clarification.

A: DAAR is not currently being used to publish registrar data due to challenges in accurately associating domain names with registrars. ICANN org is exploring possible solutions and hopes to be able to provide information on registrar DNS abuse in the near future.  ICANN’s SSR team is leading the DAAR effort and they will be the appropriate team to discuss the technical capabilities of the DAAR tool.


From: Ssr2-review <ssr2-review-bounces at icann.org> on behalf of Jennifer Bryce <jennifer.bryce at icann.org>
Date: Thursday, May 30, 2019 at 11:58 AM
To: Denise Michel <denisemichel at fb.com>
Cc: "ssr2-review at icann.org" <ssr2-review at icann.org>
Subject: Re: [Ssr2-review] [Ext] Compliance call follow-up questions

Hi Denise,

Thank you for sending the follow-up questions for compliance. We will begin working on these per our usual process and will keep the team apprised of progress.

Best,
Jennifer

From: Denise Michel <denisemichel at fb.com>
Date: Wednesday, May 29, 2019 at 8:23 PM
To: Jennifer Bryce <jennifer.bryce at icann.org>
Cc: Norm Ritchie <norm at webcatcher.ca>, "Weissinger, Laurin" <laurin.weissinger at yale.edu>, k claffy <kc at caida.org>, "Barrett, Kerry-Ann" <KABarrett at oas.org>
Subject: [Ext] Compliance call follow-up questions

Hi, Jennifer.

Here are the questions from the Compliance Subgroup that should be expedited for answers. Please let the following members know when the answers will be provided, and please direct any follow-up questions to:  Norm, Laurin, KC, Kerry-Ann, Denise

Thanks for your help.
Denise




  *   For many years, Compliance has been stating that they don’t have the tools, authority, contract language that they need to effectively address contractual compliance-related issues impacting DNS abuse, especially systemic abuse.  What stopped Compliance from doing a gap analysis and creating a list of improvements, and compiling a list of specific things they need in contracts, etc.?
  *   It is common for regulatory/compliance entities worldwide to specify the tools, authority, etc. they need to improve impact, and compliance representatives are often directly involved in negotiating and effecting these changes.  Jamie indicated that Compliance is not involved in discussions/negotiations to change the RAA & Registry agreements as it “wouldn’t be appropriate.”  What does he base this statement on? What, specifically, are the barriers (Bylaw language? Contract language?) that prevent Compliance from having a seat at the negotiating table to get what they need?
  *   When will the Spec 11 Registry audit be done? Will it be publicly posted when done?
  *   Is Compliance doing an audit of Registrars’ compliance with the requirement that they must investigate and respond to abuse?
  *   Jamie said Compliance is using DAAR in the Registry audit. Are they using it in Registrar audits? If not, why not?
  *   Jamie indicated that, in the future, DAAR will provide the public with aggregated abuse stats at the Registrar level, but staff responsible for DAAR stated in Kobe that this would not be done. Please provide clarification.



