ICANN Compliance, Domain Registrars Clash on New Whois, Abuse Report Language

The Internet Law Resource Center™ is the complete information solution for practitioners in cyberlaw. Follow the latest developments on ICANN’s gTLD program, keyword advertising, online privacy,...

By Joseph Wright

April 22 — Domain name registrars are increasingly at odds with ICANN's compliance office over the interpretation of their ICANN contracts, particularly in the area of responsibility fighting online abuses, several registrar and registry representatives told Bloomberg BNA.

The substantive issues of concern range from intellectual property enforcement requirements to the accuracy of registrant Whois data, but the crux of the issue that ICANN lacks any formal mechanism to settle contract interpretation disputes between the so-called “contracted parties” and its own compliance department. The only extant options appear to be arbitration, litigation or living with ICANN's unilateral interpretations.

ICANN's recent decision to contact the Federal Trade Commission and its Canadian counterpart regarding the practices of the Vox Populi registry in connection with its .sucks TLD cast a spotlight on the organization's Compliance Department, which has taken the public lead on the issue, beginning with an April 9 blog post by Chief Compliance Officer Allen Grogan.

ICANN president Fadi Chehade announced Grogan's appointment to the new position during the October 2014 ICANN Public Meeting 51 in Los Angeles. Representatives from multiple contracted parties — registries and registrars — told Bloomberg BNA that Grogan has helped bridge the divide between ICANN and their organizations over lingering contractual interpretation issues.

“He's made a difference and I think he will continue to make a difference,” Jeff Neuman, SVP of Valideus and registrar Com Laude, told Bloomberg BNA

Grogan told Bloomberg BNA that he has two top priorities for the Compliance Department, clarification and solving problems.

“I want to clarify for the community the interpretation and enforcement of key provisions of the contracts and try to consistently enforce those provisions so that everybody can have a predictable and understandable way of doing business,” Grogan said, “And then secondly I want to work to explore how we can go beyond pure contract matters and work with the community to help solve problems.”

Grogan said the department's extra-contractual role may turn out to be circumscribed because ICANN is neither a regulatory nor a law enforcement body, but it may be able to help properly direct complaints and to assist with education and outreach to solve problems outside the scope of the registry and registrar agreements.

New gTLDs, New RAA Expand Compliance Role

Michele Neylon, CEO of Blacknight Solutions and chair of the ICANN Registrar Stakeholder Group, told Bloomberg BNA that ICANN's compliance relationships with registries and registrars have changed in the last few years. On the registry side the sheer number of registries has multiplied from a handful to hundreds due to the new gTLD program. For registrars, the 2013 version of the Registrar Accreditation Agreement (RAA) has created new, thorny compliance issues.

A major sticking point, Neylon said, created by the RAA is the registrars' duty under Section 3.18 to investigate reports of abuse. Section 3.18.1, regarding complaints registrars receive from the general public, provides: “Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.”

The critical points of contention involve the extent of the necessary investigation and the resulting response required, Neylon said. He gave several examples, such as a registrar receiving multiple identical complaints from different users or a minor, clearly not actionable abuse report against a massive company.

If a registrar receives 25 different abuse reports for the same precise issue, Neylon said, registrars should not need to perform 25 separate investigations or issue 25 separate responses, but ICANN has not always agreed. Or if a user complains about adult content found through a large site such as Google — clearly outside the registrar's remit to police — is ignoring the complaint altogether an appropriate response? For that matter, what about a complaint so lacking in information that the registrar is not even clear on what the purported abuse is?

“If a registrar gets a viable complaint with sufficient information to act on, then the registrar has a duty to investigate,” Neylon said. “But you cannot really define this clearly—all investigations are not the same.”

Even a sufficiently detailed complaint that addresses a legitimate abuse might not result in registrar action, Neylon said, for good reason. For example, the URL shortener bit.ly has been used millions of times, including undoubtedly for some illicit sites. But Neylon said that if he were bit.ly's registrar, he could do little more than pass along the complaint, due to a lack of alternatives.

Grogan told Bloomberg BNA that Section 3.18 of the RAA has probably generated as much discussion as the rest of the issues of debate and dispute between ICANN and the contracted parties, precisely because it leaves plenty of room for interpretation and has generated a wide range of interpretations.

Grogan said that a wide variety of abuse complaints fall outside of the scope of ICANN's agreements — particularly those that are purely content-driven, such as complaints about the existence of pornography on a site. Those reports, he said, do not require a response.

For complaints within the scope of Section 3.18, he said, some stakeholders believe that an “appropriate response” requires taking down the offending website, while registrars often believe the same complaints should be properly directed at the registrant or hosting company rather than the registrar itself. One of his main goals, Grogan said, is to reach out to affected stakeholders on this issue and attempt to achieve something closer to consensus on what Section 3.18 actually requires. He said he has reached out to registrars, IP interests, and civil society and is attempting to set up meetings with law enforcement toward that end.

Ultimately, he is working toward issuing an advisory to help clarify two issues, he said: “What should a reasonably detailed complaint look like, and what is a reasonable investigation and response?”

Not Like Other Contracts

The divide between ICANN and contracted parties stems in part from ICANN's unique role in the Internet governance world, Neuman told Bloomberg BNA. In traditional contract law two parties may have their own interpretations of a provision, but neither side's own subjective interpretation controls the dispute. In ICANN's mind, however, it acts as a regulator asserting its own interpretation as binding, Neuman said.

Disputes over contractual provisions, Neuman said, should theoretically be resolved if possible by amicable discussions with the possibility of escalation, and ICANN's contracts have built-in dispute mechanisms for cooperative engagement and, if necessary, arbitration. Often, though, he said, ICANN simply issues a compliance action, which gives it all the leverage by giving ICANN the ability to make the compliance action public knowledge. Even if the registry's interpretation is ultimately vindicated, the effects of the publicized action could be devastating, especially for a non-profit entity or a public company.

Grogan agreed that ICANN's contracts differ from those in an ordinary commercial environment, but cited ICANN's multistakeholder nature as the reason for the difference.

“Because of the nature of ICANN in that we are operating on a multistakeholder model, and that the contracts were put out for public comment and ultimately approved by the community, while its still a contract between two parties — us and the registrar or registry — the community does have an interest in how those contracts are interpreted,” Grogan said. “So at the end of the day, issues do need to be resolved between ICANN and the contracted parties, but various members of the community at least want to be consulted or have some input on how those contracts are interpreted or enforced.”

Getting Its Priorities Straight


This would be less of an issue if ICANN's Compliance Department had its priorities in order, but Elliot Noss, president and CEO of Tucows Inc. registry, told Bloomberg BNA that too often that is has not.

Noss said that Whois accuracy — a longstanding point of contention between contracted parties and the law enforcement and intellectual property communities — has become a source of “gotcha” complaints. The updated Whois Accuracy Program Specification of the RAA added detailed requirements for registrars to validate the accuracy and syntax of registrants' Whois registration data.

Noss gave the example of compliance notices issued because a registrant has not provided a valid fax number; Neylon similarly said registrars have received notices for not including a country code in a phone number, even though the country is apparent from the registration. Neylon said compliance notices should be saved for malicious issues, not syntactical ones.

The RAA process for validating registrants — particularly renewal as opposed to new registrants — has led to mass cancellations for no good reason, he said.

Neuman said this misplaced focus is not unique to ICANN, but is part of a regulatory mindset focused more on box-checking than the big picture.

“The Compliance Department can get into what I call ‘compliance by checklist,'” Neumann said. “In a normal contractual situation you would prioritize rather than pursue technical violations, but this is not a normal environment because everyone looks to ICANN to be the regulator.”

Grogan disagreed that the Compliance Department has been overly picky regarding Whois accuracy, saying “opinions are in the eye of the beholder there.” The Whois specification is very detailed in terms of both information required and the format of the information, Grogan said, and having a standardized format to allow the reviewing and scanning of data was precisely the point of all of that negotiated detail.

Currently, he said, registrars must validate the syntax of Whois data — for instance, verifying that an address includes a street number, street name, city, state if in the U.S. and a five- or nine-digit zip code. They must also operationally validate either a phone number or e-mail address to determine that someone actually answers a phone call or that an e-mail message does not bounce back.

ICANN is continuing to explore the feasibility and advisability of some level of identity validation — verifying that registrants are who they claim to be — largely on the advice of the Governmental Advisory Committee and the Security and Stability Advisory Committee. Comments on a recent Whois Accuracy Pilot Study Report reflected a deep divide between the contracted parties and privacy advocates on the one hand and business and IP interests on the other regarding the value of identity validation.

Grogan said, though, that his office is not focused on penalizing contracted parties for violations, but simply on bringing them into contractual compliance through a series of notices and follow-ups.

The percentage of registrar complaints related to Whois inaccuracy rose from 57.9 percent in 2013 to 74.3 percent in 2014, according to ICANN's Contractual Compliance Annual Reports for those two years. For the first quarter of 2015, Whois inaccuracy comprised 74.0 percent of complaints.

What ICANN Compliance should be focused on, Noss said, are issues such as stolen domain names and registrars engaged in shady business practices.

“ICANN should be working proactively to have registrars, IP and law enforcement at the same table to focus on real harms — not on political victories rather than issues actively hurting users,” Noss said.

Controversy Over .sucks Raises Compliance Office Profile

The recent controversy around Vox Populi, the registry for .sucks, has added scrutiny to the ICANN's Compliance Department. In response to a letter from the Intellectual Property Constituency, ICANN contacted the Federal Trade Commission and Canada's Office of Consumer Affairs April 9, asking them to investigate whether Vox Populi's controversial registration practices violated either country's laws.

Writing separately to IPC president Gregory S. Shatan the same day, Global Domains Division president Akram Atallah said that ICANN's enforcement is limited to enforcing its contracts, disclaiming any additional regulatory powers.

“Accordingly, [Grogan], who oversees ICANN’s contractual compliance and consumer safeguards work, is analyzing Vox Populi’s actions and considering contractual remedies,” Atallah said.

ICANN released a blog post from Grogan simultaneously with the posting of Atallah's letter and the letter to the U.S. and Canadian authorities. While echoing Atallah's disclaimer of extra-contractual regulatory authority, Grogan gave an expansive notion of his mission in the post.

“When I was appointed to the position of Chief Contract Compliance Officer last October, I made a commitment to look for ways that ICANN can help safeguard Internet users and registrants that may go beyond the contractual enforcement tasks for which we are responsible,” Grogan said. “Asking the FTC and OCA for their assistance in this matter is one example of how we can work with others to strengthen our consumer and business protections and enhance our ability to meet public interest goals. Let's continue to work together as a multistakeholder community to build trust and advance the reputation of our industry.”

Nao Matsukata, president and CEO of Fairwinds Partners, however, told Bloomberg BNA that ICANN's actions reflect a deeper tension at the heart of the multistakeholder model of Internet governance. Matsukata said that while ICANN stakeholders across the board pay homage to the multistakeholder model of bottom-up governance and policymaking, they also do not hesitate to fall back on more conventional top-down rule of law when decisions and outcomes do not go their way.

Noss told Bloomberg BNA that brand interests have stirred up a wasps' nest unnecessarily in their reaction to the .sucks TLD, calling that string “almost a stupidity test for brands.”

“If no brand had bothered with it and no political capital was spent arguing about it or making it a big deal in the pro-IP portion of the media, no one would know about it and very few would ever use it,” Noss said. “It would make much more sense to register a complaint site as brandsucks.com than brand.sucks until and unless people knew broadly about .sucks, and the only press that .sucks is getting, and will get, is because of brands complaining. There is no chance that the registry would run a large marketing campaign for it. None.”

“Brands are being trolled and are falling for it in a big way.”

Neylon said ICANN's strong response to the IPC's concerns cannot be read apart from its political context. Large corporate interests have generally favored the proposed transition of U.S. government oversight of Internet Assigned Numbers Authority functions to ICANN and its multistakeholder community. Neylon said ICANN understands that it needs that support, so it is not inclined to take actions to alienate those interests while the transition remains politically controversial.

To contact the reporter on this story: Joseph Wright in Washington at jwright@bna.com

To contact the editor responsible for this story: Thomas O'Toole at totoole@bna.com