Please see the response from the ICANN Compliance Department.
"Quis custodiet ipsos custodes?" -Juvenal
I. NARALO Q&A - This is an opportunity for At-Large and members of the community to pose questions directly to ICANN Staff concerning Compliance issues.
- Question(s) from At-Large Members concerning unsolicited domain sales marketing: The Registrar Accreditation Agreement (RAA) has a special provision prohibiting the use of WHOIS record data for "commercial advertising or solicitations." The Chair has been receiving multiple complaints from At-Large members concerning deceptive marketing of domain purchases or transfers from unknown "registrars" sent to the contact address in their WHOIS. In one example "Asian Domain Registration Service in China" sent a notice to a domain owner falsely claiming the domain owner's trademark was being used in domain purchases and that the domain owner should purchase the domains with "Asian Domain Registration Service in China" to avoid their trademark from being abused. This is in fact a well documented scam. In a second example an At-Large member and domain owner received several emails claiming a similarly named domain string was pending sale should be re-registered through the linked service. In one email the service was called "Ourbestnames" in another it was called "Jackdomains" with the actual service being called "Active Domain (Re)Sale." The business address posted for these services is 2710 Thomes Ave Cheyenne WY which is widely documented as being associated with shell companies and fraud. The name of the entity behind these services is "Great Value Domains LLC ." No records have been found so far validating the existence of "Great Value Domains" in California, Nevada, Delaware or Wyoming. There is zero transparency on their sites as to which Registrar they resell for. According to RAA 3.12.3 "Reseller shall identify the sponsoring registrar upon inquiry from the customer," but an email to their contact address was returned with the message "Recipient address rejected: User unknown in virtual alias table." Our specific questions for ICANN Compliance are as follows:
A. How and Where can members of the community report violations of 3.12.3 and 3.3.5?
B. How and Where can members of the community monitor the status of such complaints?
C. What is ICANN Compliance doing to handle such clear abuses of the registration system?
- Question(s) from At-Large Members concerning Registrar responsibility for sponsored names: The Registrar Accreditation Agreement explicitly states the conditions under which a domain reseller must operate, specifically that the reseller must not represent itself as the sponsoring Registrar. It has been reported to the Chair that an At-Large member attempted to report a phishing email to the sponsoring Registrar and was referred to the domain reseller who rejected the complaint out of hand. By conferring its duties to a reseller and abandoning responsibility the Registrar is in effect denying its sponsorship and representing the reseller in the role of Registrar. Our specific questions for ICANN Compliance are as follows:
A. How and Where can members of the community report attempts by a Registrar to deny sponsorship and assign contractual responsibilities to a reseller?
B. How and Where can members of the community monitor the status of such complaints?
- Question(s) from community member about abuse occurring within ccTLD domains: The InterNIC Complaint form (AKA "Registrar Complaint Form", AKA "Registrar Problem Report Form") has a radio button labeled "ccTLD" as an issue. This is extremely misleading as ICANN does not handle ccTLD Compliance issues. The ICANN website has a page with the Compliance area entitled "ccTLD Compliance Program." This is extremely misleading since there is no program. The first line of this page states: "ICANN does not have contract authority to take compliance action against ccTLD operators." Our specific questions for ICANN Compliance are as follows:
A. Can the "ccTLD Compliance" pages be transformed into a referral list where members of the community may directly access ccTLD administration information, thus sparing Compliance Staff the need to respond to such complaints and also giving the community an real avenue for redress?
B. How and who can the community engage to develop a comprehensive and responsible mechanism for ccTLD compliance?
C. Can the "ccTLD" issue item on the complaint form be removed or modified for the sake of clarity?
II. Review of Compliance Newsletter
Comments or questions here refer to the last (October 2012) Compliance Newsletter
- In reference to the "Volume of Complaints per Notification Cycle - Oct 2012" Bar chart, there appears to be a lack of context, for example the number of "closed" complaints exceeds the number of "received" complaints. There is no explanation of what these numbers really mean or how the related to each other. Can Compliance clarify the data?
- Under the "Responding to Whois Inaccuracy Complaints" section it is stated that Registrar "Reasonable steps" include canceling the domain registration if the registered name holder (A) Provided inaccurate or unreliable information, (B) Failed to promptly update information, and/or (C) Failed to respond for over fifteen calendar days to inquiries. This appears to be in direct conflict with the Compliance advisory from 2003 which states in part that "Subsection 188.8.131.52 of the Registrar Accreditation Agreement does not require a registrar to cancel a registration in the event a customer fails to respond within 15 days", "the registrar is given discretion to act", "a registrar can appropriately conclude that much more than 15 days should be allowed before the registration is cancelled". Additionally, Compliance staff stated in the WHOIS Review Team Report that "there is no requirement in the RAA for registrars to ensure that WHOIS data is accurate." Compliance appears to overstepping its authority in the most recent newsletter and contradicting the standing policy without rescinding that policy. In the interests of transparency can Compliance cite the specific authority which allows ICANN to state that the "registrar should...cancel the domain registration" when this language does not exist in the contract?
- The "Enforcement Activity" Section of the Newsletter has no reference to the 14 September 2012 Breach of AB Connect Sarl, yet it has references to breaches issued before and after the AB Connect breach. Our specific question is: why is the AB Connect Sarl breach not listed in the October summary?
III. Review of Compliance Meeting in Toronto
In Toronto the Chair requested a follow up to a question asked in Prague concerning the "re-accreditation" of A-Technology Company after being de-accredited in a notice which states in part that "ICANN does not intend to renew the A Technology Company’s accreditation". In response Compliance stated that "The breach was cured 30th of June 2010." The problem with the answer is that A Technology's ability to cure a breach had already expired. Compliance also stated that: "The Registrar was not officially terminated", however the question concerned the de-accreditation or non-renewal. Regardless, it may be difficult for the casual onlooker to grasp these semantic differences, especially when the non-renewal notice states: "we look forward to amicably resolving any domain name transition issues that may arise from this termination." In general the timelines established in Compliance matters seem rather fluid. The questions are then, (1) at what point does a Registrar become officially de-accredited (whether through termination or non-renewal)? And (2) at what point are they required to completely submit a new application?
IV. Review of Compliance Recent Activities
- On 14 September 2012 AB Connect Sarl received a Breach/Non-Renewal notice from ICANN Compliance for failure to Escrow. The deadline to cure was 19 September 2012. As of 25 November 2012 there is no update on this breach and AB Connect Sarl is still listed as an active Registrar. Our specific question is: What is the status of this breach?
- On 19 November 2012 Bargin Register Inc. received a Breach notice from ICANN Compliance for a number of items with varying deadlines: Bargin must pay $3,845.44 by 30 November 2012 AND Bargin must supply communications, process relating to a UDRP by 12 December 2012. Our specific question is: The breach makes extensive reference to the Registrar's failure to comply with a UDRP process yet it does not hold the Registrar in breach of RAA 3.8 which states " Registrar shall comply with the Uniform Domain Name Dispute Resolution Policy", why?
- In general breaches marked as "cured" do not have any dates or specifics provided. Therefore the community has no transparent information as to the timelessness or conditions of the cure. Our specific question is: Can Compliance at a minimum post the date which the Registrar responded and a brief of the actions taken?
V. Previous Questions
There are a number of outstanding unanswered compliance questions which can be found here
The above questions are asked in the context of the ICANN Compliance stated goals to:
- Demonstrate the openness and transparency of ICANN's operations
- Provide fair and equitable treatment to all business partners
- Establish clear and easy-to-use channels for communication on compliance matters
- Supplement staff knowledge and enable greater responsiveness to changes in the environment
- Provide clear and regular communications to the community regarding contractual compliance activities, accomplishments and ongoing work
- Identify areas for reform to be considered by the ICANN community
This recent Article in SecurityWeek notes a number of concerns without any response or quotes from ICANN staff