Section 3.18 of the ICANN 2013 Registrar Accreditation Agreement (RAA) contains language requiring registrars to investigate and respond to abuse complaints. Nearly one year into the new RAA’s effective period, what do we know about Section 3.18? If a person or entity wants to submit a complaint, what should they keep in mind?
This article reviews the meaning of Section 3.18 and how to leverage it, offers a list of do’s and don’ts for complainants, and makes a few recommendations for registrars.
My company, LegitScript, routinely notifies registrars and registries about rogue Internet pharmacies. Most registrars suspend and lock domain names that are the subject of our notices. But some registrars disregard our notifications. This has led, so far, to three ICANN breach notices against the registrar for failing to comply with Section 3.18 (against TodayNIC, NameVault and IP Mirror). Other complaints that we submitted to ICANN appear to have been resolved through the informal compliance process. (I use the word “appear” because the informal compliance process is shrouded in secrecy.) LegitScript has Section 3.18.2 designation from the Japanese Ministry of Health, Labour and Welfare, and one of these three breach notices (against IP Mirror, which has an office in Japan) was the first one issued by ICANN for a Section 3.18.2 violation. (All three companies have remedied, or stated that they would remedy, the violation.)
Section 3.18: What it Says
Section 3.18.1 requires registrars to “take reasonable and prompt steps to investigate” and “respond appropriately” to reports of abuse related to domain names. Section 3.18.2 imposes additional requirements related to the registrar’s responsiveness and availability if the complaint is submitted by certain government authorities (or their designees) where the registrar has an office or is registered as a corporation. Section 1.13 defines “abuse” as including “conduct ... that is prohibited by applicable law.”
The wording leads to questions, of course. Does “prompt” mean one day, a week or a month? (By contrast, Section 3.18.2 is explicit, requiring a response within 24 hours.) What does it mean to “investigate” a claim of illegal activity? If illegal activity is verified, what constitutes “respond(ing) appropriately”? Must the domain name always be suspended, or are there other viable options? If the registrar cannot immediately verify the illegal activity, what then?
Answers to some of those questions remain unclear, but LegitScript’s experience and observations, as well as common sense and a plain-text reading of Section 3.18, suggest some preliminary answers.
Section 3.18: What it Means
First, a basic but important observation is that Section 3.18 does, in fact, require registrars to be responsive to complaints regarding domain names used to point to content that is alleged to be illegal. The days of registrars refusing to respond to abuse complaints related to content, and telling complainants to talk to the content host (or registrant) instead or get a court order, are long gone. Sections 3.18 and 1.13, read together, codify the requirement that registrars have responsibilities when a domain name is being used as an instrumentality of crime and they receive a complaint about it. ICANN’s breach notices underscore this conclusion.
What must a Section 3.18 “investigation” consist of? Common sense suggests that the registrar must take some reasonable, independent, good-faith steps to “carry out a systematic or formal inquiry to discover and examine the facts of an ... allegation ... so as to establish the truth,” which is the Oxford Dictionary definition of the word “investigate.” In a few cases, we have observed that a registrar merely relays a complaint to the registrant but does not actually investigate it. (Or, one variation of that is to simply ask the registrant if it’s true that they are operating illegally, and when the registrant says “No,” to call that an investigation.) However, if the drafters of Section 3.18 had meant that merely informing the registrant about the complaint and doing nothing further was satisfactory, they presumably would have used the word “relay” instead of “investigate.”
Here, it’s important not to conflate the minimum required steps for investigating WHOIS inaccuracy with the basic elements of a reasonable Section 3.18 investigation. For a WHOIS inaccuracy complaint, showing that the registrar can contact the registrant and receive a response are minimum required steps precisely because they go to a central element (potentially the central element) of the complaint: the lack of contactability. By contrast, a Section 3.18 complaint will not necessarily have anything to do with contactability or responsiveness. Accordingly, the investigation should, to the extent possible, be directed at what is being alleged, not just at relaying the complaint. For example, for rogue Internet pharmacy complaints, requesting the registrant to produce the legally required pharmacy license(s) is a common-sense, easy investigative step.
What, then, if the registrar verifies the allegation? The RAA is silent as to what it means to “respond appropriately.” As a matter of common sense, however, it seems reasonable to assume that a registrar must take action: something must happen so that the domain name is no longer used as an instrumentality of crime. It does appear that suspension is one satisfactory resolution in these cases: LegitScript complaints to ICANN regarding registrars have been closed or resolved when the domain names were suspended, so suspension appears to be at least one way to “respond appropriately.”
Ten Things Complainants Should Do
If you are going to submit a complaint to a registrar under Section 3.18, here are ten things that you should keep in mind.
If you unfortunately feel that you have to submit a complaint to ICANN because of the failure of a registrar to investigate or respond appropriately—the page to do so is here—there are two additional things to keep in mind.
Recommendations for Registrars
If you are accredited under the 2013 RAA, odds are that eventually you will receive a Section 3.18 complaint. What can you do to make the process as smooth as possible for you, your customer and the complainant? Here are six suggestions.
Doubtless, debate will continue about where to draw the line regarding domain names allegedly used as instrumentalities of crime, along with the attendant issue of jurisdiction. But those who simply protest with the tired old canards that “ICANN doesn’t regulate content” or “ICANN isn’t (or, registrars aren’t) a law enforcement agency” miss the point. Of course ICANN and registrars aren’t law enforcement agencies. Nor are the countless other companies, nonprofits, accreditors or similar entities for which compliance is a daily fact of life.
A very basic principle of compliance is that a company or institution must take reasonable steps to prevent its services—including the privilege of accreditation—from being used as an instrumentality of crime. Clairvoyance isn’t required, but reasonable steps are. For registrars, the requirement to conduct a prompt and reasonable investigation, and to respond appropriately, is now codified in the 2013 RAA; this presents an opportunity to bring transparency and order to settling complaints. For complainants, the challenge is to submit complaints in a way that is accurate, polite, not frivolous, and that makes the process as easy as possible for registrars. For ICANN, the challenge is to interpret and apply the language in a way that is consistent, transparent, and effective. Whether ICANN is doing so is also an important question, but is not the subject of this article.
Having worked with John and his organization, I feel it is safe to say that they are the senders of the most organized and most useful complaints, always ready to supply additional evidence and discuss with us how to improve their reports which are usually well researched and of high quality.
That said, it worries me that a private for-profit organization is being granted a status equal to LEAs when all that was envisioned in the RAA negotiations was to allow countries to designate official representatives only, i.e. allow for a process by which Registrars could be told officially who is official law enforcement and who is not. Organizations like John’s were seen as “not” in the negotiations and it was not intended to grant them a fast track for responses. This channel was only meant for official law enforcement and cases requiring extreme urgency. This example may mean that this provision will have to be revisited to prevent this “abuse” of the fast-lane abuse reporting provisions dedicated to official LEAs to avoid them being clogged.
All in all a useful article, especially with regard to the kind and form of evidence necessary to report abuse. You are entirely correct that unless a report is sufficiently substantiated, it is largely useless for the investigation.
You are trying to bend the language of the RAA however when you attribute certain duties to the terms “investigate” and “take appropriate action”.
Investigate means just that. Look at the evidence and look how the registration matches that evidence. It does not require us to enter into a full legal analysis of issues that are largely opaque, especially when it comes to trans-national laws. Look at the evidence and the domain to allow yourself to form an uneducated opinion on the merit of the complaint as a basis for further steps is all that was meant.
Appropriate action can be anything.
- Reporting the complaint to the registrant and asking him to take action can be appropriate.
- Reporting the complaint to the police for further investigation can be appropriate.
- Asking the registrant to transfer the domain away can be appropriate action.
What appropriate action does not mean however is for registrars to assume the role of LEAs and courts and take justice into your own hands. We may reserve the rights to do more when a domain name violates our terms of service, but the RAA contains no such duty.