Key Takeaways from ICANN 66 in Montreal, Canada
ICANN 66 was the third and final public meeting of 2019. This annual general meeting was held from November 2-7, 2019 in Montreal, Canada with over 2,500 participants from 130 countries. During this meeting, Maarten Botterman became the new ICANN Board Chairman. The former Chair, Cherine Chalaby, shared some parting words with the ICANN Community: “In the next five years, ICANN will face more external challenges than ever before, such as the exponential growth in security threats and the increasing risks of Internet fragmentation. But we have developed a bold and decisive strategic plan that responds to these challenges so that we can take ICANN where we want it to be.” Based on these words, it is unsurprising that the key takeaways from this meeting focus on community-wide efforts to improve anti-abuse efforts within the Domain Name System (DNS), implement changes to domain name registration data policy and develop a unified access system for non-public registration data, complete the evaluation of new gTLD program rights protection mechanisms, and finalize policy and implementation recommendations for future rounds of new gTLDs.
Domain Name Abuse
Registries and registrars are contractually required to address and mitigate various forms of DNS abuse.
Prior to ICANN 66, a group of registries and registrars published a Framewor k to Address Domain Name System Abuse focusing on five (5) key areas of abuse, namely malware, botnets, pharming, phishing, and spam. The Framework also identifies several forms of website content abuse that the signatories to the Framework would find actionable, namely child sexual abuse materials (CSAM), illegal distribution of opioids, human trafficking, and credible incitements of violence. Historically, most registries and registrars have drawn a hard line against taking action to address any form of content abuse, at least formally, so the Framework goes a step further in the right direction in terms of registry and registrar responsibilities to address certain website content abuses. That said, the intellectual property community is pushing for registries and registrars to also agree to take action in response to well-founded reports of intellectual property rights violations, which should be actionable in their own right, but also often are associated with other vectors of abuse such as malware or phishing.
However, there is an ongoing debate that continued throughout ICANN 66 over the precise definition of “DNS abuse” and what forms of abuse fall within the scope of ICANN’s mission and registry and registrar contractual obligations. Many stakeholders continue to argue that ICANN and contracted parties should only be responsible for addressing technical forms of abuse, but should not address any content-related abuse. On the other hand, many stakeholders, including from the intellectual property and business communities, continue to argue that ICANN and contracted parties should take greater responsibility for addressing content related abuses, given that most forms of domain name abuse ultimately rely on either websites or email services to effectuate the harm. Throughout the meeting, the community also pointed to the numerous, sometimes overlapping but sometimes conflicting, definitions for abuse that have been developed by various ICANN groups over the years, and agreed on the need to consolidate a single ICANN-wide definition. Another area of common agreement among most stakeholders was the need for the ICANN contractual compliance department to significantly enhance its efforts to ensure compliance by recalcitrant registries and registrars who fail to meet even the most basic anti-abuse requirements under existing ICANN contracts. Finally, discussions continued regarding the need to develop additional contractual requirements to enhance anti-abuse efforts by registries and registrars, for instance as part of the development of an updated base new gTLD registry agreement for future new gTLD rounds.
Domain Name Registration Data Access
The Expedited Policy Development Process (EPDP) was established to create a policy for the collection, transfer, and display of domain name registration data in response to the European General Data Protection Regulation (GDPR) that went into effect in May 2018. Phase 1 of the EPDP created a policy for processing registration data and established a baseline for “reasonable access” to individual requests for non-public registration data. Phase 1 was completed in March 2019 and the ICANN Board accepted 27 out of 29 of the Working Groups’ recommendations. The Phase 1 Implementation Review Team has been working since May 2019 to translate the policy recommendations into an actual final registration data processing framework. The IRT made some progress during ICANN 66, as it completes its internal work plan and identifies specific implementation tasks, which in many cases simply will involve finalizing policy language for the final data processing framework.
Phase 2 of the EPDP is focused on the creation of a policy for a system of standardized access /disclosure (SSAD) of non-public registration data by third parties with a legitimate interest in obtaining such data. The Phase 2 Working Group initially focused on the creation of “use cases” for third party access, including for intellectual property enforcement and related legal claims, cybersecurity, and law enforcement. The EPDP then reviewed these scenarios to identify universal “building blocks” for the SSAD policy. These building blocks include elements like accreditation for legitimate users and certain safeguards for all SSAD users to ensure that disclosed non-public data is protected from further inappropriate dissemination or use beyond the stated legitimate purpose associated with a disclosure request. During ICANN 66, the Phase 2 Working Group made some additional progress in reaching a conclusion on whether to draw a distinction between data of legal versus natural persons and the redaction of the registrant city field from public registration data, as well as refining SSAD building blocks concerning accreditation of requestors, content of requests, response requirements, query policy, acceptable use policy, automation, logging, and financial considerations (i.e. a possible cost recovery model for operating the SSAD).
The Phase 2 initial report was originally expected to be published in December 2019, although the timeline may be delayed in light of a recent communication by the ICANN Org “Strawberry Team” which is working in parallel to EPDP Phase 2 to resolve some outstanding questions concerning development of RDS policy and the access model. Some key items that have yet to be addressed, where the EPDP Working Group and the ICANN Org are seeking further guidance from the European Data Protection Board, include:
● What entity(s) is considered the data controller (e.g. ICANN Org, Registries, Registrars or all)?
● Can access to non-public data be automated for accredited requestors, or is only a manual disclosure process permissible?
● Which of the third-party purposes for access to non-public data must be specifically enumerated, and can the disclosure system accommodate any unenumerated but potentially legitimate purposes?
The Governmental Advisory Committee (GAC) also delivered ICANN 66 advice reiterating the need for effective access to non-public data and enhanced ICANN compliance regarding improperly-denied disclosure requests or failures to respond to disclosure requests. Whether the advice will motivate swifter resolution of EPDP Phase 2 remains to be seen.
Rights Protection Mechanism (RPM) Review
During ICANN 66, the Rights Protection Mechanism (RPM) Working Group held sessions focusing primarily on finalizing recommended refinements to the Uniform Rapid Suspension System (URS), a faster, less expensive alternative to the UDRP developed in connection with the new gTLD program.
More specifically, the Working Group reviewed the recommendations and conclusions from the three URS Sub Teams that completed their work in September 2018. Many of the URS Sub Team recommendations related to ensuring appropriate operations by URS providers to comply with updated domain name registration data policy that, in certain cases, conflicts with existing URS requirements. For instance, the URS formally requires that all URS complaints identify the registrant name and physical address – information that is no longer generally published in public WHOIS records. URS providers have already adapted to this change by accepting “Doe complaints” using whatever WHOIS data remains publicly available in connection with the subject domain name(s). This process is becoming formalized through a proposed recommendation of the Working Group that would continue to allow the filing of such “Doe complaints” followed by disclosure of the underlying registrant data to the URS examiner and the complainant, as well as a recommendation that would allow amendments to the URS complaint within 3 days of disclosure to address the newly-disclosed registrant data within the complaint.
The Working Group also confirmed its agreement to recommend that the RPM Review Implementation Review Team develop a uniform set of guidance for all URS providers to promulgate to their examiners defining an appropriate level of rationale to be included in all URS decisions (without delving into the substance of the rationale, which would be left to the examiner on a case by case basis). This will ensure that all URS decisions include sufficient support for any suspension order or any decision not to suspend a domain name, which could then be challenged on appeal for any potential flaw in examiner rationale.
In addition to these discussions to finalize URS Sub Team recommendations, the Working Group also spent a considerable portion of its meetings at ICANN 66 debating whether and how to evaluate all the individual proposals received for revisions to the URS for possible inclusion in the Working Group’s Initial
Report. Some Working Group members favored simply publishing all 31 individual proposals in the Initial Report, without further assessing the overall level of support for the proposal within the group. Others, however, favored performing some level of further review to try and eliminate certain proposals from publication based on a lack of adequate support within the Working Group. Ultimately, it was agreed to perform some further evaluation, in the hopes of quickly identifying proposals with almost no support beyond the individual proponent and excluding those from publication, while confirming publication of any individual proposals with some low threshold of further support. This process should hopefully weed out certain extreme proposals, such as eliminating the URS altogether, which would be highly unlikely to garner any kind of Working Group consensus to proceed as a final recommendation.
New gTLD Subsequent Procedures
The New gTLD Subsequent Procedures (Sub Pro) Working Group is tasked with determining what changes may need to be made to new gTLD program policy and implementation to facilitate future rounds of new gTLDs. As the Working Group nears the completion of its efforts, the following issues have been identified for possible further public comment before the group can finish its Final Report:
● Predictability: fine-tune the framework of the Standing Predictability Implementation Review Team (SPIRT)
● Future TLD Offerings: additional work is needed to identify the threshold requirements for the commencement of the next and future rounds of additional new gTLDs
● Accreditation: Registry Service Providers (RSPs) need to address and eliminate ambiguity regarding pre-approval versus testing requirements
● Closed Generics: consensus remains unclear regarding whether the working group will recommend permanently prohibiting closed generic gTLDs, or to allow closed generic gTLDs in certain circumstances
● String Contention Auctions of Last Resort: further refinements are needed to finalize proposed auctions of last resort to resolve string contention sets
The GAC also issued advice that no additional new gTLD rounds should begin until ICANN implements certain prerequisite recommendations made by the Competition, Consumer Choice, and Consumer Trust (CCT) Review Team aimed at ensuring more effective anti-abuse measures in the gTLD ecosystem. It is not clear that the Sub Pro Working Group will consider this GAC advice in developing its Final Report, or whether the Board will ultimately heed the advice, particularly at a time when ICANN is starved for the additional revenue that another gTLD round is expected to deliver. Following ICANN 66, the Sub Pro Working Group believes it remains on track to publish a pre-Final Report for public comment on these outstanding issues by the end of Q1 2020, with an eye toward completing its Final Report by the end of Q2.
For more information about these topics, or other ICANN or Internet and trademark related matters, please contact any of the following team members:
Brian J. Winterfeldt - firstname.lastname@example.org
Griffin M. Barnett - email@example.com
Jennifer P. Gore - firstname.lastname@example.org