Home / Blogs

Cluck, Cluck… ICANN and Contract Compliance Enforcement

I’ve always been a fan of co-ops. In New York, we shop at greenstar.coop and my wife banks at alternatives.coop, in the UK we shop at co-operative.coop. So when the .COOP domain opened, I wondered if I could get my own clever domain name, but found that chicken.coop was taken by a small producer co-op in the southern U.S. Drat.

Back in June I got a note from the .COOP registry saying that they were issuing new passwords for zone file access and I needed to confirm my contact details. Out of idle curiosity I took another look at chicken.coop and found that the small co-op had sold out to a large company that didn’t look like a co-op to me. So when I sent in my contact details, I asked whether they still restricted registrants to co-ops, and if so they should take a look at chicken.coop. I promptly got a personal note from Carolyn Hoover thanking me for pointing it out, since they were clearly in violation of the rules.

Three days ago I got another note telling me that they’d finally revoked chicken.coop and it’s available. (Some friends run a CSA that raises chickens, so maybe they can do a coop-cam.) It’s nice that they finally did revoke the non-coop registration but it took six months, which I’d say was slow except that compared to compliance efforts by ICANN it’s warp speed. And as far as I can tell, there’s still no compliance process in .COOP other than tips like mine.

As ICANN and its contractors are slowly and painfully learning, compliance is hard, it’s expensive, and it’s only going to get harder and more expensive as time goes on. As has been well documented in the press, for a long time ICANN had no meaningful compliance process for bad WHOIS data. Then they set something up, but it was far too underpowered to deal with all the reports, particularly once Knujon started doing automatic reporting. ICANN is now mostly able to keep up with the reports, but now there’s a second round of what to do when the registrars who get the reports don’t act on them.

Last week ICANN sent out a press release saying that they’d sent out notices of contract breach to chronic problem registrars joker.com and dns.com.cn. But those registrars have been famous bad actors for years, and ICANN says the process leading to these notices started in November 2007, almost a year ago. That’s still orders of magnitude too slow when registrations take no more than hours.

Contract compliance enforcement is hardly a new or obscure activity, and every ICANN contract that affects third parties (notably registry and registrar agreements) is going to need it. I don’t have any brilliant ideas here, except that I wish ICANN would take advantage of other people’s experience rather than reinventing this wheel from scratch.

By John Levine, Author, Consultant & Speaker

Filed Under

Comments

You're a little out of date, John Kieren McCarthy  –  Oct 13, 2008 5:27 PM

All useful pointers, John, except that you’re about six months out of date.

The announcement (not press release) that ICANN had sent Breach Notices to Joker and DNS.com.cn (http://www.icann.org/en/announcements/announcement-01oct08-en.htm) was just one point in the September edition of the Contractual Compliance newsletter (http://www.icann.org/en/compliance/newsletter/).

The September edition was the sixth published and it - and the five previous - have been clearly outlining the steps being taken with regard to compliance.

There is also a semi-annual report that I would recommend - http://www.icann.org/en/compliance/reports/contractual-compliance-audit-report-29jul08-en.pdf - as it outlines the work ICANN is doing and has already done.

If you follow the announcements ICANN has made over the past few months, you will see that, far from the ineffectual process you appear to believe exists, ICANN has been actively and, where appropriate forcefully, applying contractual compliance.

One example: in July, registrar 1dni.com was de-accredited. ICANN then asked for registrars interested in assuming the company’s domains (http://www.icann.org/en/announcements/announcement-2-30jul08-en.htm). And on 18 September, announced they had been moved to Tucows.

The same thing happened earlier in the year with DotForce - it was de-accredited and a bulk transfer of its domains made (http://www.icann.org/en/announcements/announcement-14aug08-en.htm). The same thing is going on now with Esoftwiz (http://www.icann.org/en/announcements/announcement-12sep08-en.htm). And there are a number of other registrars that are been actively chased-up by the compliance team.

So, while your views and comments are always welcome, it is a case of the community not keeping up to date with ICANN on this one, rather than ICANN not keeping up to date with the community.

You can sign up to the Compliance newsletter (and other ICANN newsletters) here: http://www.icann.org/en/newsletter/

Kieren McCarthy
General manager of public participation, ICANN

Better than before, but still not good John Levine  –  Oct 14, 2008 12:44 PM

It's true, ICANN's compliance is a lot better than it used to be, but since it used to be nonexistent, that's faint praise. And if Joker got their breach letter in September rather than October, so it was two years and 11 months late rather than three years late, well, OK. But ICANN's compliance is still weak. Last night I did a little experiment looking to see if registrars provide the required port 43 WHOIS server, and found several dozen that as, far as I can tell, don't. (I also found several whose alleged web sites are parking pages, making me wonder just how rigorous the accreditation process is.) As I said originally, compliance is hard but it's not rocket science, so I wish ICANN would learn from organizations that have been doing it for a long time rather than making it up as they go along.

Running through the system Kieren McCarthy  –  Oct 14, 2008 4:22 PM

We're in agreement about one thing - ICANN's compliance program used not to be as good as it needed to be. But from there, particularly this arbitrary idea that ICANN is "making it up as it goes along", we have to differ and I would point you again to the compliance newsletters and semi-annual reports for evidence, rather than conjecture. The fact is that compliance is not a switch. You can't turn it on and everything suddenly works fine. The compliance team in ICANN are taking a clear, methodical approach to compliance matters and clamping down on abuse as it is uncovered. If you read the August newsletter (http://www.icann.org/en/compliance/archive/compliance-newsletter-200808.html#3) you will see that ICANN has engaged the National Opinion Research Center (NORC) - "one of the largest and most respected social research organizations in the United States" - to develop a new methodology for assessing Whois accuracy. In the meantime, the results of the previous audits are available online, and the evidence of the action taken following those audits is also online. ICANN would ask only that people read it before making broad and inaccurate comments about the state of the compliance program. It is going to take time for this approach to run through the system. Registrars have been to be given an opportunity to correct any holes in their compliance because that it industry best practice and it is also the responsible and reasonable thing to do. If they don't, they will lose their accreditation, pure and simple. Will you be able to find examples of non-compliance? Yes. And that is never going to end, in the same way that there will always be companies in every sector of business that push the boundaries. But if you want a competitive market, you have to deal with a bit of that. Is there too much non-compliance at the moment in the registrar market at the moment? Yes. Is ICANN doing what it can to fix that? Yes it is. You can already see the fruits of the compliance's department's work, and you will continue to see that as the market gradually gets used to a firmer response. If you want to know what ICANN is doing, subscribe to the newsletter, or attend one of the compliance events at an ICANN meeting, or - even better - help play a pro-active role as a member of the community by reporting Whois inaccuracy through the WDPRS system. Kieren McCarthy General manager of public participation, ICANN

My, we're touchy John Levine  –  Oct 14, 2008 7:30 PM

Having a process is better than not having a process, but having a process is not the same as having an effective process, or having adequate results. The compliance newsletter reports lots of registrars cancelled for non-compliance, although for most of them the problem is the most mortal of ICANN sins, not paying their bill, which is not exactly the kind of compliance the rest of the world is worried about. But this really says it all about the bureaucratic mindset: help play a pro-active role as a member of the community by reporting Whois inaccuracy through the WDPRS system. ICANN can't audit the WHOIS data, so it's my job to do so? Aw, come on. WDPRS is a useful band-aid to help with the enormous backlog of bogus WHOIS, but if the compliance process worked, ICANN would find the bad stuff themselves rather than expecting unpaid volunteers to do their work for them. Perhaps you should hire the Knujon guys. And, as I've pointed out, the compliance issues only begin with bogus WHOIS. There's registrars with no WHOIS at all, and lots of other egregious violations that I know that Kieren knows about.

Community Kieren McCarthy  –  Oct 14, 2008 10:36 PM

The Internet community has always taken ICANN and its work very personally, and I think your response reflects that John. The point I have tried to make is that ICANN is doing alot of compliance work, and it is making that work public through newsletters and reports. With any luck the results will be such that in a year's time, this same sort of discussion will occur on CircleID, but on a completely different topic. Kieren

Kieren "a lot" is two words John Berryhill  –  Oct 15, 2008 5:53 AM

I have repeatedly reported the false telephone number in the whois data for wipo.org. I even used it as an example in a compliance session at the Paris ICANN meeting. Still the domain name remains registered. Why?

17 January 2006 - Public Comment on .coop renewal John Berryhill  –  Oct 14, 2008 5:42 AM

Jon,

I’ve been complaining about the chicken.coop name being owned by an entity other than a co-op for over two years.  It was specifically noted in the public comment forum when .coop was up for renewal.  Ms. Hoover’s pretense that this was “news” is b.s.:

http://forum.icann.org/lists/coop-renewal/msg00006.html

I commend Mr.Levine and Garth of Knujon Michael Johnson  –  Oct 19, 2008 1:57 PM

I commend Mr.Levine and Garth of Knujon for pointing out a major issue domain registration with inaccurate Whois Data.  How long has this happening and why has it only been recently addressed is the key question.  Is it because knujon and Mr. Levine have now brought these issues to the press that ICANN(OT) feels that it must “now” act.

What is particulary scary is how many of the clients who register with inaccurate Who IS date are cyber criminals who attempt to deceive, mislead and fraud people.  And yet other clients who do this are interested in only spreading viruses, worms, trojans, and malware.  For some these tools have the sole intent of comprising surfer’s computers and making their internet connections part of a botnet, with the sole intent of mounting a illegal DDOS attack on other sites and spreading Spam.  Not to sound paranoid, but it even makes one wonder whether terrorists have not got wind of how easy it is to register with inaccurate whois data and how they may use this to their advantage(i.e., acts of cyber terrorism agains major American institutions).  And yes, I know that ICANN(OT) does not have the mandate and is not legislated to address the spread of malware, cyberterrorism, viruses, trojans, etc., However, considering that taking more timely action on addressing inaccurate Whois data can have a major impact on such issues, one really has to wonder why they tend to drag their heels on this.

Perhaps, what is required is people like Mr. Levine and Garth of Knujon on the ICANN(OT) Board, who understand the core importance of such issues and ways to address them in a timely manner.  With the US Presidential Change, perhaps ICANN(OT), its policies, and mandates need to be reviewed and it needs to be revamped and restaffed to better serve the Internet community and not just act in ways to minimize issues which only serves to protect Registars, criminals, spammers, malware authors, and cyberterrorists.

Compliance newsletter Kieren McCarthy  –  Oct 20, 2008 12:51 AM

Hi Michael, You can subscribe to ICANN's compliance newsletter at http://www.icann.org/newsletter, and read previous editions at http://www.icann.org/en/compliance/newsletter/. If you feel that ICANN is missing something in its compliance work, then the best way to change it directly is to provide details of what ICANN could do to improve in this area in the public comment period that the organization is holding right now on "Improving Institutional Confidence". An online, interactive forum is available here: http://comment.icann.org/en/iic/ You will note that compliance is specifically mentioned, and you can make your comment on this precise topic by just clicking on this link and registering to make a comment (just like CircleID) : http://comment.icann.org/.ee7b92f Hopefully a clear, direct, public and simple method to provide solid input directly to the President's Strategy Committee will alleviate some of your concerns. Thanks Kieren McCarthy General manager of public participation, ICANN

Red Tape Is Not The Answer Michael Johnson  –  Oct 24, 2008 3:12 AM

Allowing direct public input without taking serious action is really a cop out when there is more than sufficient evidence to warrant or justify timely action. The solution is not to put up a bunch of red tape and barriers by calling for more public input when you have more than enough to act. As a a Government employee, I see this type of stuff far too often. Sounds like your major role in this Karen is largely PR work, so thanks but no thanks. I have made my input and feedback quite evident by posting my concerns. As ICANN's PR Agent maybe you can share this with the appropriate individuals. There is more than enough evidence(previous and present) and more than sufficient public input has been provided that we don't need to put up barriers, minimize the severity of the issues, and continually dance around this while the malware authors, cyberterrorsists, trojan and spam distributors continue to run amok with the full blessing of some registars who continue to allow these individuals to continue to register domains with false Whois data. The problem is simple, there is a very serious issue of some registars registering with false Whois data which inturn has serious implications. How many times do you feel that the Public needs to hammer home this home before ICANN takes this seriously enough to act in a more timely manner. Let's get serious and cut through the bull. By the way Karen, do you have an E-Mail address and do you enjoy being constantly bombarded with all kinds of unsolicitated spam. Perhaps if you experience this on a regular basis, you may have a better appreciation of why many of us feel so victimized and violated by this kind of stuff.

Public participation Kieren McCarthy  –  Oct 24, 2008 5:21 PM

I'm not sure I agree with your characterisation of direct input to the people in a position to make changes as "red tape". I'd argue it was the complete opposite in fact. I can however guarantee you that it will be more effective than your current approach. Use the system for public input, or don't, it's entirely up to you. My job as general manager of public participation is to create such systems in case people do want that direct approach. Either way, this conversation should be moot with a year as the compliance efforts underway - and outlined in the newsletters previously linked to - start to get a grip on what everyone agrees is a problem. Thanks Kieren McCarthy

System of Public Input Michael Johnson  –  Nov 2, 2008 12:32 PM

Seems that I logged onto your "system of public input" but was only able to view written re: changes considered or made all of which primarily focused on issues pertaining to ICANN itself, and not really public concerns. I was even unable to post this as a comment or input as the message "no access" in red popped up. Talk about a wild goose chase and further evidence of red tape. Anyway, since your system of public input does not allow public input Kieren and you are the manager of public participation. I will clearly tell you what I think needs to be seriously looked at. A change in the Registrar Accreditation Agreement that will improve transparency and accountability is required. There is no requirement in the standard Registrar contract that requires public disclosure of Registrar ownership or location. I am concerned that this loophole in the agreement opens the door to fraud, secrecy and consumer abuse. Please consider adding the following language or equivalent to the RAA: "All Accredited Registrars must submit main office location, including country, to be publicly disclosed in ICANN web directory. Post Office boxes, Incorporation addresses, and mail-forwarding locations will not be acceptable. Registrars must also provide for public display the name of CEO or President. ICANN must be notified within 30 days of a location or presiding officer change.” Without public disclosure there cannot be true transparency, accountability or trust.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign