Office of the Ombudsman
In a matter of a Complaint by Garth Bruen and others
Report dated 28 October 2013
This investigation began initially as a complaint from Garth Bruen, but has been expanded by a collective approach from at least 173 other complainants, coordinated by Garth Bruen. The complaints are essentially an attack on the way in which the Compliance Department of ICANN operates, and seek a full investigation into the performance of Compliance. I should add that one complainant objected to the word “attack” and asked that this be removed, because he did not want to use such a term. He is of course anonymous, but I record that at least he did feel this was a constructive criticism. The complainants allege that Compliance is not being run properly and that this has resulted in registrars not be held to the terms of the Registrars Accreditation Agreement, which they then allege causes or permits spam and phishing and rogue domain holders to operate freely.
At the heart of the issue is a complaint formulated by Mr. Bruen which was shared with a number of groups resulting in a large number of filings of complaints on the same issues. These have come from a number of places, and I cite some of the wording from various sites and from the complaints. The extracts illustrate the difficulty in resolving matters which are factual, from rhetorical statements of position.
“1. The records for the domains were forged
2. We used the official process for reporting them
3. The registrar did not enforce
4. The domain remained online
5. ICANN did not enforce the contract
5. ICANN refused to explain why
6. Employees who asked about it were fired
7. The public trust is broken”
“What do we want out of this? Not just an investigation, we want results and improvement. To be clear, we want a public accounting of what happened to your complaints and why certain employees were fired or retaliated against. However, on a grander scale we want a system which actually addresses the problems plaguing the Internet. Despite claims that “ICANN does not have any power to prevent unsolicited email” they actually have the power to cut down on significant amounts abuse by properly enforcing the contract and collecting statistics on abusive – things which they have refused to do so far.”
A typical extract says
“The domains cited were registered with false WHOIS which violates the registrant agreement and used in abuse directed at me. While proper complaints were filed and the domains remained in violation ICANN did not issue enforcement actions against the cited registrars”
“I am requesting a full and open investigation of the handling of the listed complaints by ICANN staff to be conducted by an impartial outside party. This review should also include a review of the way ICANN handled staff involved in the investigation of the complaints as I have heard reports of intimidation and unfair treatment. As a continuous recipient of Internet abuse I would like to see a compliance system put in place which is truly transparent and accountable. Part of this should be 1) a simple, user-friendly process which accepts abuse reports from the Internet user at-large without the expectation that those users will understand the complexities of ICANN policy, 2) an ongoing analysis of abuses of the Domain Name System and their impact regardless of direct contractual authority of ICANN in those abuses, 3) a quarterly review of compliance activities to be conducted by non-contracted members of the Internet community, and 4) a proactive plan to reduce abuses of the Domain Name System through effective use of ICANN policy.”
And more recently from a blog at CircleID by Garth Bruen at http://www.circleid.com/posts/20130924_icann_and_your_internet_abuse/
“KnujOn has published a report which demonstrates that ICANN Compliance appears to completely collapse between September 2012 and December 2012. Following December 2012, ICANN seems to stop responding to or processing any complaints. It is around this time certain compliance employees start disappearing. This was not limited to the Sydney office as some would have us believe, all while we have been given assurances the compliance team was being ramped up not down. The accepted budget has 20 Compliance staffers listed but in reality there are only 14 employees with another ubiquitous staff member vanished from the roster. Six phantom employees is a lot.”
“The focus of my complaint is not that spam is being sent subsequent to legitimate information being provided in WHOIS details, but instead that where false information has been provided, there are many examples of where nothing has been done about it when highlighted in complaints. It is simply not good enough for compliance to start flapping a broken wing at us by declaring they cannot control spam. We are not asking them to. We are simply asking them to carry out the work they have been hired to do. Most of us accept that registrars have no control over spam; that is a no-brainer. The complaint from my perspective has always been about a failure by those responsible for compliance to execute their duties effectively when complaints of non-compliance are made. It is also about what I perceive to be the arbitrary, ineffective, and arrogant manner in which they have handled some documented complaints of non-compliance.
I find it puzzling that ICANN execs appear to feel that they have a right to decide what parts of their jobs they do and do not execute. It further appears to me that, like many administrators who either cannot or will not solve the problems they should be solving, ICANN execs have begun to invent new problems they assert demand their attention more, as they appear to think this justifies them not carrying out the matters being raised in this complaint. Whenever executives start telling us that we need to “move on” and look to the “new challenges” facing an industry, I am always suspicious about what is not being done that should be done.”
As well as the material given to me by the complainants, to enable me to get a balance of the position, I have also been provided with material from Compliance, and of course read material accessible on the ICANN website. See this site for example at http://www.icann.org/en/resources/compliance. It is important to note some substantial changes which have been introduced over the relevant period of this complaint and I quote as follows.
“ICANN Contractual Complaince Audit Program
On Monday, 26 November 2012, ICANN launched the Contractual Compliance Audit Program. This program will run on a three-year cycle during which each registry and registrar agreement will be randomly selected for audit. Contractual Compliance, working with KPMG as the contracted vendor, issued 323 Requests for Information (RFI) via email and fax to 317 Registrars and 6 TLDs. This is a major effort for ICANN and for contractual compliance as we seek to validate the contractual obligations per the RAA and Registry Agreement. More information can be found at https://www.icann.org/en/resources/compliance/audits. Contractual Compliance has released the first phase of the new consolidated complaint management system. The phased rollout improves both the user experience and the compliance operations by:
- Moving complaint submission from Internic.net to ICANN.ORG under Compliance
- Adding site navigation based on complaint types and FAQs
- Improving email correspondence to the complaint reporter and the Registrar/Registry
- Adding a follow-up Continuous Improvement Pulse Survey for the reporter and contracted parties
- Whois Inaccuracy is the first complaint type to migrate to the new application
- 1st step in consolidating the three complaint tools and different email complaints into one source”
There have also been very substantial changes in the way in which the website describes the compliance function, and new compliance complaint entry pages.
I am unsure whether the complainants have read the relevant pages on the Compliance pages of the ICANN site. The Compliance Operating plan for example, at http://www.icann.org/en/resources/compliance/operating-plan has a number of bullet points which are relevant in the questions raised by the complainants. The first which says “work constructively with registrars and registries to foster a culture of compliance”, has a philosophy of working with people to ensure compliance goals are met. While the plan does prioritise informal resolution if possible, it does state that non-compliance will be pursued aggressively. It is also relevant in this context to look at the audit program, which is on this page http://www.icann.org/en/resources/compliance/audits and which describes how Compliance are using a three-year audit cycle, with a goal of enabling ICANN to first identify and frame and then properly manage and help remediate deficiencies.
In these specific areas which have attracted most of the attention from Compliance critics, the pages contain detailed information about WHOIS complaints and enable users to lodge a ticket using a number of different complaint forms for various problems.
This is a matter where I clearly have jurisdiction because it falls under the issue of delay or unfairness within ICANN.
However I should also mention a specific concern about the late lodging of the complaint. I acknowledge that the initial complaint from Garth Bruen came in to my office in March 2013. But the specific matters he complains about occurred in 2012. The subsequent complaints, which are in reality the same issues, have come in over a period of time from early August to mid September 2013. It is not a strict pre-requisite or procedural requirement but the Ombudsman Framework adopted in 2009 does state that normally complaints will not be accepted for matters older than 60 days. The reason for such a time limit is the speed with which matters typically progress at ICANN.
In the balance, if there are over 173 people who have gone to the trouble of making a complaint, even if the issues are based on events from 2012, it would be wrong not to carefully consider what they have submitted.
To undertake this investigation I have read a considerable amount of material sourced from Compliance, all of which is available to the public, on this section of the ICANN website at http://www.icann.org/en/resources/compliance/reports and at http://www.icann.org/en/resources/compliance/operating-plan. In particular I have read the presentations from Compliance presented from ICANN 42 at Dakar to ICANN 47 at Durban. I have also read the attachments which have been provided by the individual complainants, and their emails. A number of the complainants went to some trouble to explain that their own experience was unique and I acknowledge that their interaction with spamming and phishing does of course differ. In the course of this investigation I have had the opportunity to discuss this matter with a number of members of the Compliance team, and also with some registrars so that I could get a perspective of the relationship between registrars and Compliance. The individual complainants are of course only one part of the picture. The relationship between registrars and Compliance is also significant and important in discussing the allegations which have been made. During my discussions with the registrars I was told that complaints had been made about domains which they administered, but which had no validity at all. I have seen such a complaint provided by one of the registrars by Knujon, which makes it clear that the information is not only inaccurate but out of date.
It is a theme of the complaints in fact, that the information is largely out of date. Virtually all of it goes back to 2012.
It is critical in understanding this complaint to outline the role of the Registrars Accreditation Agreement in the various editions. This agreement is at the very core of the function ICANN was created to administer. ICANN established market competition for generic domain name registrations, and did so by adopting policy and then developing specific contracts with the registrars which have been refined to the most recent 2013 edition, which is gradually extending to all registrars. Such contracts have been developed through a vigorous policy development process and considerable debate and negotiation between ICANN and the registrars. Registrars must maintain a registration agreement which must include certain terms in Section 3.7.7 of the RAA and related consensus policies (such as the UDRP). It is important to understand the role of Compliance in the administration of the contracts. This is expressed on the ICANN website as “The overall goal of the Contractual Compliance Program is to ensure that ICANN’s contracted parties fulfill the requirements set forth in their agreements with ICANN.” For the purpose of this complaint it is therefore critical to understand where the obligations as alleged by the complainants are set out in the agreement. Because the complaints are historical, it is not necessary to consider the new 2013 version. However the Compliance Program is set out in full at this site http://www.icann.org/en/resources/compliance/registrar
A common theme through the complaints and from the original complaint relates to the WHOIS obligation, and the role of Compliance in ensuring that accredited registrars comply with their obligations. The complainants say that the failure to rigorously enforce the obligations has permitted spam and phishing, and made it difficult to enforce removal of such sites because the WHOIS information is not up-to-date. Garth Bruen goes to some pains to explain the commercial services which his company provides which are designed to cope with spam, phishing and other dubious sites.
Spam and website content have always been outside of the scope and authority of ICANN. After all, every ICANN staff member is issued with appropriate software to deal with spam and phishing and blocking inappropriate emails. If it were possible to control such problems, then obviously ICANN is as interested as any other Internet user in reducing the time wasted. ICANN cannot do anything about website content or spam, as it is outside of the RAA. However I was also told by Compliance that Internet users often make Whois inaccuracy complaints about spam domains without any evidence. There is a section of the RAA that states that registrars must abide by applicable laws, but ICANN practice is to interpret this to mean a final judgment from a court of competent jurisdiction rather than allegations. Because laws vary by country, so does “what is illegal”.
So the real issue in this complaint is whether any alleged failure on the part of Compliance to enforce the terms of the Registrars Accreditation Agreement has contributed to the complainants getting unwanted spam and phishing and other unwanted email. None of the complaints on this issue refer to any attempt to use the ticketing system which has an elaborate multi-language set of options for lodging complaints about WHOIS accuracy. In addition, I have seen discussions, emails and memoranda which refer to the way in which bulk complaints are handled. Compliance has explained to me that the system for dealing with bulk complaints has been revamped and improved, and comments have been sought. There certainly has been some discussion, but I have not seen any criticism of the improved systems, which in my view appears to coincide with the very substantial improvements introduced in 2012/2013.
I have had discussions with various registrars, from small to large. They were very willing to discuss their relationship with Compliance, and several were frank about the fact that they have quite an active relationship. The larger registrars in particular must deal with substantial numbers of compliance issues, and typically have a team of people who deal with Compliance, as well as law enforcement and other aspects. A common theme of the discussions is that compliance has matured over the last few years, the process is getting better and communication has improved. They mentioned that there are often quite vigorous discussions and debates, not just about specific issues but also about policy. One registrar commented that compliance is a very specific process, and Compliance must comply with policy. If there are complaints about policy as to Compliance, then this is a matter for a PDP process because otherwise they are outside the remit of Compliance.
Another comment was that it is in the registrars’ best interests to have compliance working efficiently, because the registrar business model relies upon the compliance complaint program.
I also mention one registrar in particular which has been openly criticised, being Bizcn.com. As part of the monitoring by Compliance, scorecards of requests are kept. Compliance informed me that Bizcn.com is a registrar that is prompt & cooperative with Compliance inquiries, including Whois inaccuracy complaints. I was shown the scorecard, of all complaints since January 2013, which shows that all were resolved before a 3rd notice was needed.
The age of the complaints means that the transition from the previous Registrars Accreditation Agreement to the new 2013 version has largely overtaken the issues raised by the complainants. The principal complainant and the supporters in the group have not discussed the effect of these changes at all. There is no doubt that spam and phishing are an ongoing problem. However my investigations and discussions with compliance and with the registrars make it plain that there is an active and ongoing program to ensure that the old and new Registrars Accreditation Agreements are adhered to.
However it is important to note the new Whois requirements in the 2013 RAA, the new agreement says that for the Whois Accuracy Program Specification, registrar must within 15 days:
- Validate the information identified in section 1 (e.g. Email, phone, postal address)
- Verify the email address or phone number (by calling or sending SMS)
- If verification fails, the registrar can verify manually or suspend the domain. This is mandatory, and must also occur when the information is changed
It is worth noting that in the Whois Accuracy Specification that for willful provision of inaccurate Whois information, the registrar must suspend or terminate a domain for failure to update or respond to inquiries within 15 days.
- Registration Data Directory Service (Whois) Specification: registrars must include an abuse email and telephone number in the Whois output
- Whois Accuracy Spec and Whois Spec are effective 1 January 2014 for registrars that are on the 2013 RAA.
Part of the problem with the complaint is that it does not correctly identify the test which applied for the older version. The complainant has asserted that the registrant must provide verifiable information. In fact the agreement provides for reliable information, which is substantially different. The RAA says at 220.127.116.11
“The Registered Name Holder shall provide to Registrar accurate and reliable contact details and promptly correct and update them during the term of the Registered Name registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number if available of the Registered Name Holder; name of authorized person for contact purposes in the case of an Registered Name Holder that is an organization, association, or corporation; and the data elements listed in Subsections 18.104.22.168, 22.214.171.124 and 126.96.36.199.”
This is not the same as verifiable.
The complainants also assert that the registrar must enforce registrant violations. But again the test is in fact that the registrar must take reasonable steps to investigate and correct incorrect information. This is significant because there is a substantial change brought in under the new agreement, where there is a 15 day takedown period. So the problem is that the complainants have overstated the duties of the registrar, the registrant and the role of compliance in this matrix. But in any event the new agreement effectively resolves many of these issues. The older agreement in fact refers to this in RAA 3.7.8 providing that:
“Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.”
It is important to remember that these policies were developed by ICANN Consensus Policy, with extensive negotiation between the affected parties. One of the features of a consensus policy is that it may not satisfy every party, but in this case, the complainants had not correctly identified the test which applies. They may prefer to have a more difficult standard, and the 2013 agreement certainly reflects the policy development of stricter standards. But at the relevant time is of this complaint, the earlier agreement was in force and applied to the obligations of the registrar and registrant.
I was requested to look at a number of specific issues, including a list of “bad registrars” which was given to compliance at the Prague meeting. There were five registrars identified, but I am told that these registrars have all been most cooperative with compliance. One of them did have some issues which have been resolved with the assistance of compliance. There was full cooperation I am told.
This was done because someone commented “everyone knows who the bad registrars are,” but it was not clear to Compliance staff who the persons present were identifying. Some of the reasons why registrars were classified as “bad” were outside of the scope of the RAA (e.g. Spam, malware, cybersquatting havens). One registrar identified on the “bad registrar” list was under Compliance review prior to the Prague meeting. The registrar was found to be compliant with the RAA, but later independently made changes to its terms and conditions regarding “pharma” domains.
The complainant’s issue is that Compliance is not doing its job. This requires however a leap in their argument from the role of Compliance within ICANN, through to the ability to deal with the spam and phishing issue, which is mentioned by many of the complainants. This regrettably is a fundamental misunderstanding of the role of Compliance within ICANN.
A number of other aspects to the complaints also need to be answered. Many of the complainants referred to the number of staff at Compliance being inadequate, although it seems on my investigation that this was based on staff numbers in a draft budget. Draft budgets are not always what results once the final decisions are made. In the case of compliance this was the case, although it is also worth noting that compliance teams are being established at Istanbul and Singapore to extend global coverage. There has also been a criticism that staff members were fired for raising issues of inadequate compliance action, but on my investigation I have found that the staff members who actually did the work are still at ICANN. I am confident from my investigation that this allegation is unsubstantiated.
As a result of this investigation, I consider that there is no substance to the complaints.