Home / Blogs

Section 3.18 of the 2013 RAA: Reasonable Investigations, Appropriate Responses

John Horton

Section 3.18 of the ICANN 2013 Registrar Accreditation Agreement (RAA) contains language requiring registrars to investigate and respond to abuse complaints. Nearly one year into the new RAA's effective period, what do we know about Section 3.18? If a person or entity wants to submit a complaint, what should they keep in mind?

This article reviews the meaning of Section 3.18, how to leverage it, offers a list of do's and don'ts for complainants, and offers a few recommendations for registrars.

My company, LegitScript, routinely notifies registrars and registries about rogue Internet pharmacies. Most registrars suspend and lock domain names that are the subject of our notices. But some registrars disregard our notifications. This has led, so far, to three ICANN breach notices against the registrar for failing to comply with Section 3.18 (against TodayNIC, NameVault and IP Mirror). Other complaints that we submitted to ICANN appear to have been resolved through the informal compliance process. (I use the word "appear" because the informal compliance process is shrouded in secrecy.) LegitScript has Section 3.18.2 designation from the Japanese Ministry of Health, Labour and Welfare, and one of these three breach notices (against IP Mirror, which has an office in Japan) was the first one issued by ICANN for a Section 3.18.2 violation. (All three companies have remedied, or stated that they would remedy, the violation.)

Section 3.18: What it Says

Section 3.18.1 requires registrars to "take reasonable and prompt steps to investigate" and "respond appropriately" to reports of abuse related to domain names. Section 3.18.2 imposes additional requirements related to the registrar's responsiveness and availability if the complaint is submitted by certain government authorities (or their designees) where the registrar has an office or is registered as a corporation. Section 1.13 defines "abuse" as including "conduct ... that is prohibited by applicable law."

The wording leads to questions, of course. Does "prompt" mean one day, a week or a month? (By contrast, Section 3.18.2 is explicit, requiring a response within 24 hours.) What does it mean to "investigate" a claim of illegal activity? If illegal activity is verified, what constitutes "respond(ing) appropriately"? Must the domain name always be suspended, or are there other viable options? If the registrar cannot immediately verify the illegal activity, what then?

Answers to some of those questions remain unclear, but LegitScript's experience and observations, as well as common sense and a plain-text reading of Section 3.18, suggest some preliminary answers.

Section 3.18: What it Means

First, a basic but important observation is that Section 3.18 does, in fact, require registrars to be responsive to complaints regarding domain names used to point to content that is alleged to be illegal. The days of registrars refusing to respond to abuse complaints related to content, and telling complainants to talk to the content host (or registrant) instead or get a court order, are long gone. Sections 3.18 and 1.13, read together, codify the requirement that registrars have responsibilities when a domain name is being used as an instrumentality of crime and they receive a complaint about it. ICANN's breach notices underscore this conclusion.

What must a Section 3.18 "investigation" consist of? Common sense suggests that the registrar must take some reasonable, independent, good-faith steps to "carry out a systematic or formal inquiry to discover and examine the facts of an ... allegation ... so as to establish the truth," which is the Oxford Dictionary definition of the word "investigate." In a few cases, we have observed that a registrar merely relays a complaint to the registrant but does not actually investigate it. (Or, one variation of that is to simply ask the registrant if it's true that they are operating illegally, and when the registrant says "No," to call that an investigation.) However, if the drafters of Section 3.18 had meant that merely informing the registrant about the complaint and doing nothing further was satisfactory, they presumably would have used the word "relay" instead of "investigate."

Here, it's important not to conflate the minimum required steps for investigating WHOIS inaccuracy with the basic elements of a reasonable Section 3.18 investigation. For a WHOIS inaccuracy complaint, showing that the registrar can contact the registrant and receive a response are minimum required steps precisely because they go to a central element (potentially the central element) of the complaint: the lack of contactability. By contrast, a Section 3.18 complaint will not necessarily have anything to do with contactability or responsiveness. Accordingly, the investigation should, to the extent possible, be directed at what is being alleged, not just at relaying the complaint. For example, for rogue Internet pharmacy complaints, requesting the registrant to produce the legally required pharmacy license(s) is a common-sense, easy investigative step.

What, then, if the registrar verifies the allegation? The RAA is silent as to what it means to "respond appropriately." As a matter of common sense, however, it seems reasonable to assume that a registrar must take action: something must happen so that the domain name is no longer used as an instrumentality of crime. It does appear that suspension is one satisfactory resolution in these cases: LegitScript complaints to ICANN regarding registrars have been closed or resolved when the domain names were suspended, so suspension appears to be at least one way to "respond appropriately."

Ten Things Complainants Should Do

If you are going to submit a complaint to a registrar under Section 3.18, here are ten things that you should keep in mind.

  1. Correctly identify the registrar and their abuse email. This may seem obvious, but make sure you have correct, current information about who the registrar is and whether they are, in fact, subject to the 2013 RAA. ICANN Compliance's list is a better resource than internic.net, because the latter indicates whether the registrar has signed the 2013 RAA, but not yet whether it has actually taken effect for the registrar. The former identifies both. Also check the top-level domain to make sure that the domain name is subject to ICANN rules — if you are concerned about a domain name using a ccTLD such as .UK or .FR, you might still want to contact the same registrar, but the 2013 RAA will not apply. Finally, if all of those factors check out, find the registrar's abuse email address in the WHOIS record for the domain name itself. (If it isn't there, that's an RAA violation in itself.)
  2. Identify yourself. This, too, may seem obvious, but some registrars — entirely reasonably — find anonymous complaints less credible. Introduce yourself and, if applicable, your organization. Explain who you are, what you do, who you represent (if applicable), and any expertise you have in the relevant field.
  3. Be professional and courteous. Be polite. Don't automatically assume that the registrar somehow knows about the illegal activity and is tacitly permitting it; registrars don't have the time or capability to monitor every domain name. Assume good faith on the part of the registrar, absent evidence to the contrary.
  4. Be accurate. Above all, don't damage your own credibility: one mistake is all it takes. Double- and triple-check your information to make sure it's 100% accurate. Registrars don't have the time to respond to frivolous complaints. Don't put them in the bad position of potentially taking action against a domain name that isn't doing anything wrong.
  5. Be thorough. You don't need to write a 100-page thesis, but don't just say, "This is obviously illegal." It might be obvious to you, but not to everyone else. Point to what, exactly, you believe the domain name is being used to do and why it is illegal. Explain it in basic layman's terms, not dense legalese. In other words, be thorough, but keep it simple.
  6. Cite the law or regulation that is being violated. If you're alleging illegality, you should be prepared to tell the registrar what law is being violated and why that jurisdiction's laws are applicable to the situation. Registrars are most comfortable when you can point to a legal violation in their own jurisdiction, but if the applicable law is elsewhere, discuss why that is, and then discuss both if you can. If the registrar is in Germany but fake drugs are only being shipped to Japan, it's usually best to explain how the conduct is illegal in Japan, and how it would also violate German laws were the activity being directed there.
  7. Cite the registrar's Terms and Conditions. Try to make it as easy as possible for the registrar. If a domain name is used in a way that is illegal and also specifically violates the registrar's published Terms and Conditions, point it out.
  8. Standardize your format. This one is difficult, because different registrars have different preferences. If you are notifying the registrar about a single domain name, text within the email is fine, but if you have several domain names, a spreadsheet (or text file) may work best. Include, at a minimum, the domain name; the type of alleged abuse; and provide an example, along with the explanation of why it is illegal.
  9. Offer to help, and take (and offer to provide) screenshots. Let the registrar know that you are available to provide information about your complaint in more detail if they need it. Some illicit website operators have been known to "geo-target" registrars — display one type of content to their registrar's IP address but other content to the rest of the world. You don't necessarily need to send the screenshot in your complaint, but have one available in case the registrar can't see what you see.
  10. Give it a couple of weeks. Don't pester the registrar, but feel free to drop them a friendly note checking on the status if you haven't heard back. I usually give it a week or two, except where we have Section 3.18.2 designation, which requires responses within 24 hours.

If you unfortunately feel that you have to submit a complaint to ICANN because of the failure of a registrar to investigate or respond appropriately — the page to do so is here — there are two additional things to keep in mind.

  • Record-keeping. Document what you provided to the registrar. Odds are, ICANN will ask you for information about your complaint. Make sure you have it handy in PDF or other appropriate format.
  • Talk in the language of the RAA. Frame your complaint in language specific to Section 3.18. The key requirements are to "investigate" and "respond appropriately." To your knowledge, did the registrar investigate the complaint — or just ignore it? How did they respond? Be specific in providing facts that ICANN will likely find relevant to the exact language of Section 3.18.

Recommendations for Registrars

If you are accredited under the 2013 RAA, odds are that eventually you will receive a Section 3.18 complaint. What can you do to make the process as smooth as possible for you, your customer and the complainant? Here are six suggestions.

  1. Update your abuse policies — and be specific. Simply put, be prepared. Tell your customers what behavior you prohibit with language more specific than "Our services may not be used for illegal purposes." There are a limited number of well-known, high-risk areas, like illegal pharmacy, child pornography, spam/phishing/botnets, and weapons sales. Figure out your abuse policies in these five or six areas ahead of time, and be prepared to act on them.
  2. Update your Standard Operating Procedures. When you get a Section 3.18 complaint (or, any abuse complaint), what will your process be? Set this out in advance — including how you will investigate certain types of allegations. For example, we recommend that registrars "investigate" rogue Internet pharmacy complaints in a very simple way: by requiring the registrant to produce a pharmacy license in the jurisdictions they offer to ship prescription drugs to.
  3. Consult with experts. For the most common types of illegal activity, there are resources that can help on issues both general (overall policy) and specific (abuse reports): LegitScript for illegal online pharmacies and designer drugs; the National Center for Missing and Exploited Children for child pornography; Spamhaus and others for spam. Most anti-abuse organizations will be happy to help, both as to general policy and recommended procedures for reviewing allegations.
  4. Be clear with complainants about what information you need. If you don't understand the complaint, or feel that the complainant hasn't submitted enough detail, ask for what you need. Absent evidence to the contrary, assume that the complainant is operating in good faith.
  5. Convey the complaint to your customer in a timely manner. Registrars owe their customers fair dealing and communication. As a matter of common sense, it is a good practice to convey the complaint to the registrant and seek their viewpoint and response. However, merely receiving a response from the registrant stating that the domain name is not being used illegally does not, standing alone, absolve the registrar of its responsibility to conduct an independent investigation.
  6. Close the loop. Report the results of your investigation to the complainant and, if appropriate, the registrant.

Doubtless, debate will continue about where to draw the line regarding domain names allegedly used as instrumentalities of crime, along with the attendant issue of jurisdiction. But those who simply protest with the tired old canards that "ICANN doesn't regulate content" or "ICANN isn't (or, registrars aren't) a law enforcement agency" miss the point. Of course ICANN and registrars aren't law enforcement agencies. Nor are the countless other companies, nonprofits, accreditors or similar entities for which compliance is a daily fact of life.

A very basic principle of compliance is that a company or institution must take reasonable steps to prevent its services — including the privilege of accreditation — from being used as an instrumentality of crime. Clairvoyance isn't required, but reasonable steps are. For registrars, the requirement to conduct a prompt and reasonable investigation, and to respond appropriately, is now codified in the 2013 RAA; this presents an opportunity to bring transparency and order to settling complaints. For complainants, the challenge is to submit complaints in a way that is accurate, polite, not frivolous, and that makes the process as easy as possible for registrars. For ICANN, the challenge is to interpret and apply the language in a way that is consistent, transparent, and effective. Whether ICANN is doing so is also an important question, but is not the subject of this article.

By John Horton, President of LegitScript
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Useful, but not entirely accurate Volker Greimann  –  Dec 10, 2014 7:29 AM PDT

Having worked with John and his organization, I feel it is safe to say that they are the senders of the most organized and most useful complaints, always ready to supply additional evidence and discuss with us how to improve their reports which are usually well researched and of high quality.

That said, it worries me that a private for profit organization is being granted a status equal to LEAs when all that was envisioned in the RAA negotiations was to allow countries to designate official representatives only, i.e. allow for a process by which Registrars could be told officially who is official law enforcement and who is not. Organizations like Johns' were seen as "not" in the negotiations and it was not intended to grant them a fast track for responses. This channel was only meant for official law enforcement and cases requiring extreme urgency. This example may mean that this provision will have to be revisited to prevent this "abuse" of the fast-lane abuse reporting provisions dedicated to official LEAs to avoid them being clogged.

All in all a useful article, especially with regard to the kind and form of evidence necessary to report abuse. You are entirely correct that unless a report is sufficiently substantiated, it is largely useless for the investigation.

You are trying to bend the language of the RAA however when you attribute certain duties to the terms "investigate" and "take appropriate action".

Investigate means just that. Look at the evidence and look how the registration matches that evidence. It does not require us to enter into a full legal analysis of issues that are largely opaque, especially when it comes to trans-national laws. Look at the evidence and the domain to allow yourself to form an uneducated opinion on the merit of the complaint as a basis for further steps is all that was meant.

Appropriate action can be anything.
- Reporting the complaint to the registrant and asking him to take action can be appropriate.
- Reporting the complaint to the police for further investigation can be appropriate.
- Asking the registrant to transfer the domain away can be appropriate action.

What appropriate action does not mean however is for registrars to assume the role of LEAs and courts and take justice into your own hands. We may reserve the rights to do more when a domain name violates our terms of service, but the RAA contains no such duty.

To post comments, please login or create an account.

Related

Topics

DNS Security

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

New TLDs

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign