Notes/ Action Items
Action Items - RDA Scoping Team to review ICANN org’s recent memo on the Whois Accuracy Reporting System (Whois ARS). Please see email here: https://mm.icann.org/pipermail/gnso-accuracy-st/2022-January/000236.html.
- Still Outstanding: By Wednesday, 26 January, Scoping Team to consider what is needed and from whom to obtain information identified as necessary to measure whether current goals are met. Additionally, scoping team members to begin identifying specific ways in which measurement can be undertaken. As noted during today’s meeting, Support Staff has begun inputting the responses received from the Gap Analysis here:https://docs.google.com/document/d/11msexuoqWSUsFj8ZjVvWF-XHpcMJntWH/edit?pli=1#.
Registration Data Accuracy Scoping Team – Meeting #14 Thursday 20 January at 14.00 UTC
- Welcome & Chair Updates (5 minutes)
- Vice-chair – review expressions of interest received, if any
- To date, no expressions of interest for vice-chair have been received.
- Proposal: continue with no vice-chair for now.
- Would anyone object to Olga stepping in as a chair on an interim basis in the event Michael is unavailable?
- No objections noted.
- Upcoming meetings:
- GNSO Policy Webinar on 22 February at 14:00 UTC
- This webinar will be hosted by ICANN org
- There will be an update from Michael regarding the work of this team, for anyone interested in joining
- ICANN73 Accuracy Scoping Team meeting scheduled for 7 March at 12:30 – 14:00 (local time) / 16:30 – 18.00 UTC
- The standard meeting time will not occur the week of ICANN73
- For the ICANN73 session, please be sure to register for the session
- ICANN org responses to Scoping Team questions (45 minutes)
- Review scoping team follow up questions / comments (see https://community.icann.org/x/mdMGCw)
- Brian sent two communications to the Team: (1) response to follow-up questions from last week and (2) a memo from Org colleagues regarding the Whois Accuracy Reporting System (ARS)
- With respect to the question regarding the DPA negotiations – following the Board’s adoption of the EPDP Phase 1 recommendations, a group of CPs and ICANN org colleagues have been working on the DPA
- Additional Q & As
- How does ICANN org square its controller role with lobbying European parliament? Specifically, should a civil society rep be added to these discussions since there are two sides to this argument?
- What is the 66% of “other”?
- There is a list of options for reporters to use when submitting complaints; however, reporters may have another reason that is not provided. The “other” category is a catch-all. This is a list the reporter picks themselves, and, accordingly, the category should be taken with a grain of salt as not every reporter is as familiar with the system. It may, for example, be a reporter that is trying to purchase a domain name.
- Complaints remain confidential until the complaints have reached a breach status.
- Comapliance does provide metrics on how many complaints are closed, how many result in first notice, etc.
- Metrics may not provide specific trends regarding non-compliance with a specific provision; however, there are metrics regarding specific issues like UDRP or WHOIS inaccuracy. However, there are no public numbers regarding issues related to specific contracted parties.
- If there are trends related to WHOIS inaccuracy complaints, for example, Compliance may use this as a tool regarding a policy or a region to discuss clarifications on requirements. This could involve engaging in conference calls or regional events.
- Is there any thought into outsourcing compliance functions?
- There are no recommendations yet – this is a big question – not sure if this is something that should be discussed yet.
- This could be a two-part question: compliance and auditing – reorganizing the compliance function may be a separate question
- Compliance does not have numbers for legal persons complaining about domain theft – the metrics do not go down to this level
- Registrars have cited the existing contractual requirements as the working definition of accuracy
- There seems to be confusion as to what is validation and what is verification. Validation is making sure that all fields are filled in and in the correct format, e.g., UPU. Verification requires sending a communication to email/phone.
- Registrars validate that fields are accurate
- Registrars needed different terminology for different kinds of accuracy checking. ICANN and registrars agreed to check that all fields are in the formats that they have to be in – that the postal address is formatted in the UPU standard.
- Validation and verification are definitions – they may be poor choices, but they are the definitions we have right now. We could propose to invert them or change them. Not sure if further elaboration on them is a good use of this group’s time.
- After reading the CCT report from 2018, p. 5 notes that Whois Accuracy complaints remain the largest category of complaints to Compliance. Prior to 2018, was this an accurate statement? Is it now true that it is no longer the largest number of complaints?
- Do not have the exact number of complaints, but that sounds correct.
- Is there a professional opinion on this change?
- No – would refer the group review the metrics to examine the facts.
- If a domain name is already on clienthold, these would be closed before going to the contracted party.
- When did this particular processing decision occur and why? Just because a domain name is inactive, it doesn’t mean accurate information is associated with it.
- The WAPS does mention suspension as a potential outcome of investigation - This kind of process existed prior to GDPR and may have existed prior to the 2013 RAA. This may have come down to how a suspension impacts a registrant’s ability for updates to be made to Whois data.
- There are two ways to respond to inaccurate complaints: delete the domain name or suspend the domain name. If the domain name is already suspended, what would ICANN ask Compliance to do?
- The correction of Whois data is not something that can be enforced; if the registrar does not have the data, it cannot correct it. Inaccurate data allows a quicker road to suspension.
- There are reports of suspended domain names that mysteriously become unsuspended with the same information. Understand that Compliance is now auditing this.
- There may be reasons to remove a suspension from a domain name – if a registrant comes back and shows evidence, registrars could reactivate the name. In other cases, it may be a problem with how a registrar may implement its suspension. The RAA is clear that the name cannot be un-suspended unless there is a confirmation or updated information.
- At the end of the response of Q17, if the registrant has names already registered, reverification may not be required. Do registrars allow the same registration information for multiple domain names?
- If I own a domain name, why would I not be allowed to own another domain name? There may be separate accounts for business needs.
- If I purchase a domain name and use the same registration data as another account, would that be prohibited? There is no policy requirement from prohibiting this.
- Some registrars operate on a wholesale basis, so there could be multiple account holders with the same registrant. Account holders could be third parties that provide services for registrants (like resellers)
- If someone provides an email address that has been verified by someone else, and it no longer has to be validated, that is concerning
- Concern: bad guys could use an info set already verified to avoid verifying their own information. Does anyone have information that this actually happens? How would a criminal get this information? The registration information is typically redacted.
- This does happen. However, the verification happens per registrar. Some criminals planning to engage in abusive activity would use a well-known brand’s email address. There is no clear way to resolve this quickly – the bad guy would get their 15 days of a live domain name. It should be noted why a domain name was suspended.
- Should not be concerned with how often this happens if this is a vector for abuse.
- Abusers register domain names in the name of companies to show that this is a legitimate site – rarely saw registrants using email addresses of the abused entities since emails get sent to these entities. This is a non-problem.
- Hearing concerns that are anecdotal or historical. Disagree with not being concerned with how often this occurs. If it should be more difficult to lift a domain suspension than it currently is – this could adversely affect real domain owners. If it is harder to lift the suspension, this would affect real people and this is something to consider when suggesting solutions – these should be proportional. Please remember to look at facts and solve concrete problems.
- With respect to NIS and FIDO requirements regarding authentication, that may get to some of the questions regarding identity theft.
- Gap Analysis (10 minutes)
- Finalize review of input (still missing BC): https://docs.google.com/document/d/11msexuoqWSUsFj8ZjVvWF-XHpcMJntWH/edit [docs.google.com]
- Scoping team input
- Confirm next steps
- Measurement of current goals identified (20 minutes) – see page 25 https://docs.google.com/document/d/11msexuoqWSUsFj8ZjVvWF-XHpcMJntWH/edit [docs.google.com] (20 minutes)
- Review input received
- Confirm next steps
- Confirm action items & next meeting (Thursday 27 January at 14.00 UTC)
|