Home / Blogs

Cluck, Cluck… ICANN and Contract Compliance Enforcement

John Levine

I've always been a fan of co-ops. In New York, we shop at greenstar.coop and my wife banks at alternatives.coop, in the UK we shop at co-operative.coop. So when the .COOP domain opened, I wondered if I could get my own clever domain name, but found that chicken.coop was taken by a small producer co-op in the southern U.S. Drat.

Back in June I got a note from the .COOP registry saying that they were issuing new passwords for zone file access and I needed to confirm my contact details. Out of idle curiosity I took another look at chicken.coop and found that the small co-op had sold out to a large company that didn't look like a co-op to me. So when I sent in my contact details, I asked whether they still restricted registrants to co-ops, and if so they should take a look at chicken.coop. I promptly got a personal note from Carolyn Hoover thanking me for pointing it out, since they were clearly in violation of the rules.

Three days ago I got another note telling me that they'd finally revoked chicken.coop and it's available. (Some friends run a CSA that raises chickens, so maybe they can do a coop-cam.) It's nice that they finally did revoke the non-coop registration but it took six months, which I'd say was slow except that compared to compliance efforts by ICANN it's warp speed. And as far as I can tell, there's still no compliance process in .COOP other than tips like mine.

As ICANN and its contractors are slowly and painfully learning, compliance is hard, it's expensive, and it's only going to get harder and more expensive as time goes on. As has been well documented in the press, for a long time ICANN had no meaningful compliance process for bad WHOIS data. Then they set something up, but it was far too underpowered to deal with all the reports, particularly once Knujon started doing automatic reporting. ICANN is now mostly able to keep up with the reports, but now there's a second round of what to do when the registrars who get the reports don't act on them.

Last week ICANN sent out a press release saying that they'd sent out notices of contract breach to chronic problem registrars joker.com and dns.com.cn. But those registrars have been famous bad actors for years, and ICANN says the process leading to these notices started in November 2007, almost a year ago. That's still orders of magnitude too slow when registrations take no more than hours.

Contract compliance enforcement is hardly a new or obscure activity, and every ICANN contract that affects third parties (notably registry and registrar agreements) is going to need it. I don't have any brilliant ideas here, except that I wish ICANN would take advantage of other people's experience rather than reinventing this wheel from scratch.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Domain Names, Registry Services, ICANN, Policy & Regulation, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

You're a little out of date, John Kieren McCarthy  –  Oct 13, 2008 10:27 AM PDT

All useful pointers, John, except that you're about six months out of date.

The announcement (not press release) that ICANN had sent Breach Notices to Joker and DNS.com.cn (http://www.icann.org/en/announcements/announcement-01oct08-en.htm) was just one point in the September edition of the Contractual Compliance newsletter (http://www.icann.org/en/compliance/newsletter/).

The September edition was the sixth published and it - and the five previous - have been clearly outlining the steps being taken with regard to compliance.

There is also a semi-annual report that I would recommend - http://www.icann.org/en/compliance/reports/contractual-compliance-audit-report-29jul08-en.pdf - as it outlines the work ICANN is doing and has already done.

If you follow the announcements ICANN has made over the past few months, you will see that, far from the ineffectual process you appear to believe exists, ICANN has been actively and, where appropriate forcefully, applying contractual compliance.

One example: in July, registrar 1dni.com was de-accredited. ICANN then asked for registrars interested in assuming the company's domains (http://www.icann.org/en/announcements/announcement-2-30jul08-en.htm). And on 18 September, announced they had been moved to Tucows.

The same thing happened earlier in the year with DotForce - it was de-accredited and a bulk transfer of its domains made (http://www.icann.org/en/announcements/announcement-14aug08-en.htm). The same thing is going on now with Esoftwiz (http://www.icann.org/en/announcements/announcement-12sep08-en.htm). And there are a number of other registrars that are been actively chased-up by the compliance team.

So, while your views and comments are always welcome, it is a case of the community not keeping up to date with ICANN on this one, rather than ICANN not keeping up to date with the community.

You can sign up to the Compliance newsletter (and other ICANN newsletters) here: http://www.icann.org/en/newsletter/

Kieren McCarthy
General manager of public participation, ICANN

Better than before, but still not good John Levine  –  Oct 14, 2008 5:44 AM PDT

It's true, ICANN's compliance is a lot better than it used to be, but since it used to be nonexistent, that's faint praise. And if Joker got their breach letter in September rather than October, so it was two years and 11 months late rather than three years late, well, OK.

But ICANN's compliance is still weak. Last night I did a little experiment looking to see if registrars provide the required port 43 WHOIS server, and found several dozen that as, far as I can tell, don't. (I also found several whose alleged web sites are parking pages, making me wonder just how rigorous the accreditation process is.) As I said originally, compliance is hard but it's not rocket science, so I wish ICANN would learn from organizations that have been doing it for a long time rather than making it up as they go along.

Running through the system Kieren McCarthy  –  Oct 14, 2008 9:22 AM PDT

We're in agreement about one thing - ICANN's compliance program used not to be as good as it needed to be.

But from there, particularly this arbitrary idea that ICANN is "making it up as it goes along", we have to differ and I would point you again to the compliance newsletters and semi-annual reports for evidence, rather than conjecture.

The fact is that compliance is not a switch. You can't turn it on and everything suddenly works fine. The compliance team in ICANN are taking a clear, methodical approach to compliance matters and clamping down on abuse as it is uncovered.

If you read the August newsletter (http://www.icann.org/en/compliance/archive/compliance-newsletter-200808.html#3) you will see that ICANN has engaged the National Opinion Research Center (NORC) - "one of the largest and most respected social research organizations in the United States" - to develop a new methodology for assessing Whois accuracy.

In the meantime, the results of the previous audits are available online, and the evidence of the action taken following those audits is also online. ICANN would ask only that people read it before making broad and inaccurate comments about the state of the compliance program.

It is going to take time for this approach to run through the system. Registrars have been to be given an opportunity to correct any holes in their compliance because that it industry best practice and it is also the responsible and reasonable thing to do. If they don't, they will lose their accreditation, pure and simple.

Will you be able to find examples of non-compliance? Yes. And that is never going to end, in the same way that there will always be companies in every sector of business that push the boundaries. But if you want a competitive market, you have to deal with a bit of that.

Is there too much non-compliance at the moment in the registrar market at the moment? Yes. Is ICANN doing what it can to fix that? Yes it is.

You can already see the fruits of the compliance's department's work, and you will continue to see that as the market gradually gets used to a firmer response. If you want to know what ICANN is doing, subscribe to the newsletter, or attend one of the compliance events at an ICANN meeting, or - even better - help play a pro-active role as a member of the community by reporting Whois inaccuracy through the WDPRS system.

Kieren McCarthy
General manager of public participation, ICANN

My, we're touchy John Levine  –  Oct 14, 2008 12:30 PM PDT

Having a process is better than not having a process, but having a process is not the same as having an effective process, or having adequate results.  The compliance newsletter reports lots of registrars cancelled for non-compliance, although for most of them the problem is the most mortal of ICANN sins, not paying their bill, which is not exactly the kind of compliance the rest of the world is worried about.

But this really says it all about the bureaucratic mindset:

help play a pro-active role as a member of the community by reporting Whois inaccuracy through the WDPRS system.

ICANN can't audit the WHOIS data, so it's my job to do so?  Aw, come on.  WDPRS is a useful band-aid to help with the enormous backlog of bogus WHOIS, but if the compliance process worked, ICANN would find the bad stuff themselves rather than expecting unpaid volunteers to do their work for them. Perhaps you should hire the Knujon guys. And, as I've pointed out, the compliance issues only begin with bogus WHOIS. There's registrars with no WHOIS at all, and lots of other egregious violations that I know that Kieren knows about.

Community Kieren McCarthy  –  Oct 14, 2008 3:36 PM PDT

The Internet community has always taken ICANN and its work very personally, and I think your response reflects that John.

The point I have tried to make is that ICANN is doing alot of compliance work, and it is making that work public through newsletters and reports.

With any luck the results will be such that in a year's time, this same sort of discussion will occur on CircleID, but on a completely different topic.

Kieren

Kieren "a lot" is two words John Berryhill  –  Oct 14, 2008 10:53 PM PDT

I have repeatedly reported the false telephone number in the whois data for wipo.org.  I even used it as an example in a compliance session at the Paris ICANN meeting.

Still the domain name remains registered.

Why?

17 January 2006 - Public Comment on .coop renewal John Berryhill  –  Oct 13, 2008 10:42 PM PDT

Jon,

I've been complaining about the chicken.coop name being owned by an entity other than a co-op for over two years.  It was specifically noted in the public comment forum when .coop was up for renewal.  Ms. Hoover's pretense that this was "news" is b.s.:

http://forum.icann.org/lists/coop-renewal/msg00006.html

I commend Mr.Levine and Garth of Knujon Michael Johnson  –  Oct 19, 2008 6:57 AM PDT

I commend Mr.Levine and Garth of Knujon for pointing out a major issue domain registration with inaccurate Whois Data.  How long has this happening and why has it only been recently addressed is the key question.  Is it because knujon and Mr. Levine have now brought these issues to the press that ICANN(OT) feels that it must "now" act.

What is particulary scary is how many of the clients who register with inaccurate Who IS date are cyber criminals who attempt to deceive, mislead and fraud people.  And yet other clients who do this are interested in only spreading viruses, worms, trojans, and malware.  For some these tools have the sole intent of comprising surfer's computers and making their internet connections part of a botnet, with the sole intent of mounting a illegal DDOS attack on other sites and spreading Spam.  Not to sound paranoid, but it even makes one wonder whether terrorists have not got wind of how easy it is to register with inaccurate whois data and how they may use this to their advantage(i.e., acts of cyber terrorism agains major American institutions).  And yes, I know that ICANN(OT) does not have the mandate and is not legislated to address the spread of malware, cyberterrorism, viruses, trojans, etc., However, considering that taking more timely action on addressing inaccurate Whois data can have a major impact on such issues, one really has to wonder why they tend to drag their heels on this.

Perhaps, what is required is people like Mr. Levine and Garth of Knujon on the ICANN(OT) Board, who understand the core importance of such issues and ways to address them in a timely manner.  With the US Presidential Change, perhaps ICANN(OT), its policies, and mandates need to be reviewed and it needs to be revamped and restaffed to better serve the Internet community and not just act in ways to minimize issues which only serves to protect Registars, criminals, spammers, malware authors, and cyberterrorists.

Compliance newsletter Kieren McCarthy  –  Oct 19, 2008 5:51 PM PDT

Hi Michael,

You can subscribe to ICANN's compliance newsletter at http://www.icann.org/newsletter, and read previous editions at http://www.icann.org/en/compliance/newsletter/.

If you feel that ICANN is missing something in its compliance work, then the best way to change it directly is to provide details of what ICANN could do to improve in this area in the public comment period that the organization is holding right now on "Improving Institutional Confidence".

An online, interactive forum is available here: http://comment.icann.org/en/iic/

You will note that compliance is specifically mentioned, and you can make your comment on this precise topic by just clicking on this link and registering to make a comment (just like CircleID) : http://comment.icann.org/.ee7b92f

Hopefully a clear, direct, public and simple method to provide solid input directly to the President's Strategy Committee will alleviate some of your concerns.

Thanks

Kieren McCarthy
General manager of public participation, ICANN

Red Tape Is Not The Answer Michael Johnson  –  Oct 23, 2008 8:12 PM PDT

Allowing direct public input without taking serious action is really a cop out when there is more than sufficient evidence to warrant or justify timely action.  The solution is not to put up a bunch of red tape and barriers by calling for more public input when you have more than enough to act.  As a a Government employee, I see this type of stuff far too often.  Sounds like your major role in this Karen is largely PR work, so thanks but no thanks.  I have made my input and feedback quite evident by posting my concerns.  As ICANN's PR Agent maybe you can share this with the appropriate individuals.  There is more than enough evidence(previous and present) and more than sufficient public input has been provided that we don't need to put up barriers, minimize the severity of the issues, and continually dance around this while the malware authors, cyberterrorsists, trojan and spam distributors continue to run amok with the full blessing of some registars who continue to allow these individuals to continue to register domains with false Whois data.  The problem is simple, there is a very serious issue of some registars registering with false Whois data which inturn has serious implications.  How many times do you feel that the Public needs to hammer home this home before ICANN takes this seriously enough to act in a more timely manner.  Let's get serious and cut through the bull.

By the way Karen, do you have an E-Mail address and do you enjoy being constantly bombarded with all kinds of unsolicitated spam.  Perhaps if you experience this on a regular basis, you may have a better appreciation of why many of us feel so victimized and violated by this kind of stuff.

Public participation Kieren McCarthy  –  Oct 24, 2008 10:21 AM PDT

I'm not sure I agree with your characterisation of direct input to the people in a position to make changes as "red tape". I'd argue it was the complete opposite in fact.

I can however guarantee you that it will be more effective than your current approach. Use the system for public input, or don't, it's entirely up to you. My job as general manager of public participation is to create such systems in case people do want that direct approach.

Either way, this conversation should be moot with a year as the compliance efforts underway - and outlined in the newsletters previously linked to - start to get a grip on what everyone agrees is a problem.

Thanks

Kieren McCarthy

System of Public Input Michael Johnson  –  Nov 02, 2008 5:32 AM PDT

Seems that I logged onto your "system of public input" but was only able to view written re: changes considered or made all of which primarily focused on issues pertaining to ICANN itself, and not really public concerns. I was even unable to post this as a comment or input as the message "no access" in red popped up. Talk about a wild goose chase and further evidence of red tape. 

Anyway, since your system of public input does not allow public input Kieren and you are the manager of public participation. I will clearly tell you what I think needs to be seriously looked at.

A change in the Registrar Accreditation Agreement that will improve transparency and accountability is required. There is no requirement in the standard Registrar contract that requires public disclosure of Registrar ownership or location. I am concerned that this loophole in the agreement opens the door to fraud, secrecy and consumer abuse. Please consider adding the following language or equivalent to the RAA:

"All Accredited Registrars must submit main office location, including country, to be publicly disclosed in ICANN web directory. Post Office boxes, Incorporation addresses, and mail-forwarding locations will not be acceptable. Registrars must also provide for public display the name of CEO or President. ICANN must be notified within 30 days of a location or presiding officer change.”

Without public disclosure there cannot be true transparency, accountability or trust.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

General Availability Kicks Off for .Website, .Press and .Host

New .ORGANIC Top-Level Domain Welcomes Leading Brands As .ORGANIC Pioneers

Dot Chinese Online and Dot Chinese Website Featured in EURid's World Report on IDNs 2014

New .ORGANIC Top-Level Domain Opens to Serve the Organic Community

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

Independent Endorsement of Dot Chinese Online & Dot Chinese Website by by FiarWinds Partners

New gTLDs and Best Practices for Domain Management Policies (Video)

.Host Announces Top Global Players As Pioneer Partners

Public Interest Registry Releases Bi-Annual Report, .Org Domain Registrations Pass 10.4 Million

Public Interest Registry to Speak About Upcoming Launch of .ngo and .ong Domains for NPOs

Landrush Opens for .Website, .Press and .Host

Afilias Announces General Availability of .BLACK Top-Level Domain

Last Lap of .WEBSITE, .PRESS and .HOST Sunrise

DotConnectAfrica Trust Responds to ICANN 50 GAC Advice, Updates on .Africa Application IRP Status

New .ORGANIC Domain Sunrise Begins, Creating Verified Space 
for Organic Products and Services

Non-English "IDN Email" Addresses Are Finally Working!

TLD Registry to Speak at Inaugural World Domain Day India

Independent Endorsement of Dot Chinese Online & Dot Chinese Website

ICANN London Recap Webinar

Four Reasons to Move from .COM to Your .BRAND Domain

Sponsored Topics