Sharing is caring!


  • Enforcing the Temporary Specification
    on July 16, 2018 at 7:00 am

    In May, the ICANN Board adopted the Temporary Specification for gTLD Registration Data, modifying our agreements with registries and registrars to comply with the European Union's General Data Protection Regulation (GDPR). Since then, ICANN Contractual Compliance has received a number of questions regarding how we would enforce these new provisions. The purpose of this blog is to describe our approach to enforcing the Temporary Specification, explain how to file complaints about potential violations of the new provisions, and share information on some of the issues we have seen so far. As noted at the Global Domains Division (GDD) Industry Summit in May and at the ICANN62 Policy Forum in June, ICANN Contractual Compliance is enforcing the requirements of the Temporary Specification as of 25 May 2018, as it does any other ICANN agreement or policy requirement. This is done through the Contractual Compliance function, which employs the same approach and process for all enforcement areas. Details regarding this approach and process can be found here. All contracted parties are advised to review the Temporary Specification carefully. Many of the requirements apply even if the registry or registrar is not in the European Union and has no registrations from the European Economic Area. Enforcement of the Temporary Specification applies to all ICANN contracted parties. For a high level review of the Temporary Specification, ICANN also published and regularly updates a Frequently Asked Questions document. One recurring concern we have received is how ICANN Contractual Compliance will obtain non-public registration data that is required to process a complaint. Among the complaints received to date, ICANN Contractual Compliance has received two alleging denial of access to non-public registration data for legitimate purposes. Most of the other complaints received concern the availability of data published in WHOIS. For registrars, some of the registration data issues include: Over-redacting public registration data, e.g.: All contact fields are redacted when only some should be; Missing Administrative/Technical email field and/or value; Missing Registrant Organization/State/Province/Country field and/or value; and Redacting privacy/proxy information Non-compliant redacted fields e.g., missing anonymized email and/or webform to contact Registrant/Admin/Tech contact or using non-compliant values in the field for ex. "00000" Registrar appears to be using registry WHOIS data causing endless loop of referral from registry to registrar data Transfer requests being denied due to non-functional anonymized email address for registrant Some of the registry issues include: Missing required Registrant/Admin/Tech Email (requirement for registries) Required Registrant/Admin/Tech Email message in legal disclaimer only Not providing full registration data to the Uniform Rapid Suspension System (URS) provider Registry providing thick Bulk Registration Data Access (BRDA) files to ICANN instead of thin data We have also received a number of questions regarding the process for filing complaints alleging noncompliance with the Temporary Specification. As many have observed, there is not a "Temporary Specification" complaint form. To file a complaint about potential violations of the Temporary Specification or any other part of the agreements, please use the most relevant form published on the ICANN.org compliance page. ICANN Contractual Compliance will process complaints regardless of the form used. I hope this information is helpful. If you have any other questions or concerns regarding enforcement of the Temporary Specification, please let us know by emailing either the Contractual Compliance department at compliance@icann.org or me at Jamie.hedlund@icann.org. […]

  • Data Protection/Privacy Update: Additional Guidance from the European Data Protection Board
    on July 13, 2018 at 7:00 am

    The ICANN community has been engaged in focused discussion and engagement about the impact of the European Union's General Data Protection Regulation (GDPR) on the WHOIS system over the past year. During this time, ICANN org worked with the community to develop an interim approach for how ICANN and gTLD registries and registrars could continue to comply with ICANN agreements in relation to the GDPR. This interim solution was adopted by the ICANN Board in May 2018 as the Temporary Specification for gTLD Registration Data. The community continued discussions during ICANN's recent meeting in Panama (ICANN62), which included discussions about initiating policy development work for a long-term solution, as well as a possible unified approach to allow continued access to full WHOIS data to third-parties with a legitimate interest. You can find key updates, documents, legal analyses, guidance from European data protection authorities, and inputs from the community about this topic on our Data Protection/Privacy Issues webpage. An important letter [PDF, 764 KB] of note, was received by ICANN on 5 July 2018, from the European Data Protection Board (EDPB) which provided additional guidance that may help significantly to advance the ICANN community's discussion on this important issue. We are very grateful to the EDPB for its guidance and willingness to engage with ICANN.  We are carefully evaluating the additional guidance concerning our compliance with the GDPR, as it relates to publication and access to personal data which is processed in the context of ICANN's coordination of the WHOIS through its contracts with its 2,500 domain name registries and registrars. This blog will address what we are looking at from the letter and why we think the guidance is so important. Below I will highlight some of the key points in the letter and share our initial thinking about possible options for incorporating this guidance into WHOIS in the coming weeks and months. The EDPB's letter provides answers to some of the open questions from ICANN and the ICANN community relating to ICANN's approach in the Temporary Specification. A good example, on a specific open question concerning registrations of legal persons and whether such registrations are impacted by the GDPR, the EDPB advises that it "considers that personal data identifying individual employees (or third parties) acting on behalf of the registrant should not be made publically available by default in the context of WHOIS. If, on the other hand, the registrant provides generic contact email information (e.g. admin@domain.com), the EDPB does not consider that the publication of such data in the context of WHOIS would be unlawful…." Second, the EDPB's letter provides important guidance to advance recent community discussions about a unified access model for how legitimate users of WHOIS data could continue to have access to non-public data. The EDPB notes that non-public WHOIS data could be made available to third parties "provided that appropriate safeguards are in place to ensure that the disclosure is proportionate and limited to that which is necessary and the other requirements of the GDPR are met…." The EDPB confirms its expectation of ICANN developing "a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement…" This is a strong indicator that we will receive additional inputs were the community to continue its work and come together to identify a method providing access to non-public WHOIS data consistent with the law. The EDPB letter provides helpful insight into transparency requirements that should be part of a model, including appropriate logging of data requests, as well helpful suggestions in the event ICANN is considering a model that uses codes of conduct and accreditation as the approach to providing access to the data. Third, the EDPB highlights some areas where ICANN may provide additional clarity about GDPR compliance as it relates to the global WHOIS system. The areas identified by the EDPB relate to ICANN's purposes for processing gTLD registration data, data collection, as well as the appropriate period for retaining personal data.  Last, the EDPB letter makes reference to ICANN's ongoing legal proceedings in Germany against the registrar EPAG, with specific references to the clarifications ICANN provided in its court filings concerning administrative and technical contact details that are collected as part of a WHOIS record. Because of this reference, earlier this week, ICANN submitted the EDPB's letter to the court for its consideration. A copy of this submission will be published on our Litigation Documents webpage. We are carefully considering the guidance provided by the EDPB to inform the ICANN Board whether clarifications, changes or implementation adjustments may be needed to the Temporary Specification adopted on 17 May 2018. We also are evaluating this guidance as it relates to the Framework Elements for a Unified Access Model, possible contractual compliance actions against contracted parties, as well as the ongoing legal proceedings in Germany where ICANN asked the Regional Court in Bonn for assistance in interpreting the GDPR in order to protect the data collected in WHOIS. We would encourage the community to read the full of the EDPB letter, share your thoughts and continue to participate in discussions we will have over the coming months. We also hope that the EDPB's guidance will be a helpful input to the important policy work being conducted in the expedited policy development process that is being initiated by the GNSO Council. We look forward to continuing to work with you, and we are hopeful that we can continue the progress of the collective ICANN community on these important issues. We will continue to keep the community apprised of developments, and please also see our Data Protection/Privacy and provide any input through gdpr@icann.org. […]

  • Office of the CTO Activities Brief: January to June 2018
    on July 3, 2018 at 7:00 am

    The first half of 2018 has been busy for the ICANN organization's Office of the Chief Technology Officer (OCTO) team. We have been involved in endeavors around the globe to increase engagement with our peers and partners and improve knowledge of the Internet's system of unique identifiers per ICANN's mission. Some of our efforts include: Providing capabilities and support to key actors to maintain the security, stability, and resiliency of the Internet's system of unique identifiers. Providing technical analyses to support ICANN's positions. Collecting and analyzing data to prepare stakeholders for the upcoming root zone Key Signing Key (KSK) rollover. Studying and measuring components of the Domain Name System (DNS). In this brief, we'd like to highlight a few of our recent activities. Root Zone Key Signing Key (KSK) Rollover OCTO continues its work on the plan to update the root zone Key Signing Key (KSK) as part of the Internet Assigned Numbers Authority (IANA) Names function as operated by ICANN's affiliate, Public Technical Identifiers (PTI). Following the suspension of the rollover last year, and leveraging data generated by the processes described in Request for Comments (RFC) 8145, Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC), we have been collecting telemetry to help us better understand the potential impact of rolling the KSK of the root of the DNS and to help the community to self-assess its readiness. The analysis of this data, including automated graphs on RFC 8145 announcements available at http://root-trust-anchor-reports.research.icann.org, is helping to improve the understanding of the situation around the KSK rollover and has given us better information to share with the network operator community, including Internet service providers and Internet Exchange Point operators, to help track down root zone trust anchor misconfiguration. The updated plan to roll the root KSK remains on track with an intent to use the new KSK on 11 October 2018. Prior to this, we anticipate advice from the Security and Stability Advisory Committee (SSAC) and the Root Server System Advisory Committee (RSSAC) on the KSK rollover to be provided to the Board, and that the Board will make a decision to go ahead with the roll in September 2018. More information is at http://icann.org/kskroll. Domain Abuse Activity Reporting (DAAR) The Security, Stability, and Resiliency (SSR) team within OCTO has continued refining the DAAR project. DAAR is a system for studying and reporting on domain name registration and security threat (i.e., domain abuse) behavior across top-level domain (TLD) registries and registrars. While the work has been mainly focused on generic TLDs (gTLDs), we are working to provide a way to open this to country code TLDs (ccTLDs) that are interested in participating in DAAR on a voluntary basis. The main purpose of DAAR is to provide statistics related to four specific security threats – phishing, malware distribution, botnet command and control, and spam – to the ICANN community in order to facilitate informed policy decisions. Recently, two domain name reputation and DNS abuse experts have conducted independent reviews of DAAR. One review focused on methodology while the other review examined the data feeds DAAR uses. OCTO is in the process of publishing these reviews for community review in the coming days. Post-ICANN62, we are planning to provide a platform for daily private reporting of DAAR abuse statistics, along with a monthly report that will be made public. More information on DAAR can be found at https://www.icann.org/octo-ssr/daar. Root Servers Data Equivalence Study The Root Server System comprises over 1,000 individual machines operated or overseen by 12 organizations known as root server operators on 13 pairs of Internet Protocol (IP) addresses – 13 IP version 4 (IPv4) addresses and 13 IP version 6 (IPv6) addresses. The ICANN org is one of these organizations. For some time, the ICANN org has obtained root data from three other root server operators, namely USC-ISI, University of Maryland, and the Internet Systems Consortium. To understand the similarities and differences in traffic to the different root servers, and to allow us to assess the accuracy and credibility of studies of data from a limited number of servers, OCTO has undertaken an examination of three months of traffic from the root servers. In the coming months, OCTO will be publishing an analysis of the equivalence of traffic to these root servers. Object eXchange (OX) Project The usage of the Internet is evolving and so is the DNS. Over the past few years, the OCTO team has been studying some of the new challenges emerging around use cases of the DNS beyond the typical mapping of domain names to IP addresses. In particular, the team is studying the temporal property of identifiers in the DNS that can vary from temporary to persistent. This work has led to a proposal to add a new Resource Record (RR) type to the DNS – Object eXchange (OX) – that points to user-defined structured data. At ICANN60 in Abu Dhabi, a presentation introduced a proof of concept that used the new RR type to store information that allows an Internet of Things (IoT) device to find the information needed to automatically update its firmware. Currently, a new real-world experiment is extending such use of information stored in the DNS, combined with Blockchain and IoT, to track cattle in rural areas based on the persistence of identifiers. In many countries, cattle roam free. As a result, there is conflict between ranchers and farmers when cattle graze in farmed fields (or when the farmers claim they did). In collaboration with teams from universities in La Plata, Argentina, and Cape Coast, Ghana, OCTO has been providing technical assistance to a project to address the issue by bringing together the technologies of IoT, Blockchain, and the OX entry in the DNS. By attaching an IoT device on each cow's collar and uploading the location data into a database in the cloud, the team is able to track the movement of cows at regular intervals with non-repudiation of the information through Blockchain technology. In doing so, the researchers are showing a new and innovative use of the DNS, combined with new technologies, that demonstrate the applicability of the DNS to areas not previously anticipated. We will be working with our collaborators to publish more information about this project in the near future. ICANN Think Tank Overall, the OCTO team strives to be a reliable technical resource for the ICANN org, Board, and community for the fulfillment of ICANN's core mission. A recent process for a "think tank" approach to technical studies within the OCTO team will help further streamline our work and publications for the community. The new process in place helps the team prioritize requests for studies that take into consideration alignment with ICANN's mission, strategic objectives, and the timeliness of the topic. It also ensures that outcomes of studies that have public scope are properly published and referenced on the ICANN website with the availability of translation. Summary As the landscape of the Internet identifier systems evolves and the use the Internet itself reaches new heights, it is important that ICANN, as an organization and as a community, has the tools and mechanisms to understand the underlying technologies. The diversity of experience within the OCTO team gives us a broad view on relevant topics which will help tackle these studies and research in a more open manner. Projects like DAAR and OX take a new approach that will advance the community's awareness of the changes we are witnessing. We will continue to report to the community on our work at future ICANN Public Meetings and through briefs like this one. […]

  • FY19 Community Regional Outreach Program (CROP) Ready for Use by Eligible ICANN Communities
    on July 3, 2018 at 7:00 am

    The Global Stakeholder Engagement (GSE) and Policy teams are pleased to report that the Community Regional Outreach Program (CROP) FY19 is ready for the ICANN community to use as of 3 July 2018. Following community consultations and Public Comments on the Draft FY19 Operating Plan and Budget, the ICANN Board allocated USD 50,000 for CROP in the final FY19 budget. To ensure that support for community outreach efforts remains within the appropriate budget framework while balancing the program goals, the ICANN organization was directed to review the existing CROP guidelines and develop improved, additional criteria for FY19. The ICANN org has also been tasked with assessing the CROP process at the end of FY19. The final FY19 CROP guidelines are consistent with the other community travel and outreach programs that the ICANN org administers. Accordingly, the fundamental principle is that CROP funding is to be used for FY19 outreach efforts that are directly and demonstrably related to ongoing ICANN policy, technical, and advisory activities, in accordance with the new CROP guidelines and additional specific criteria. The new CROP allocates up to three regional trips to each of the five Regional At-Large Organizations (RALOs) and each eligible constituency in the Generic Names Supporting Organization (GNSO) – Business Constituency (BC), Intellectual Property Constituency (IPC), Internet Service Providers and Connectivity Providers Constituency (ISPCP), Non-Commercial Users Constituency (NCUC), and Not-for-Profit Operational Concerns Constituency (NPOC). With a few specific exceptions as detailed in the new guidelines, these allocations are to be used mainly for outreach activities at ICANN Public Meetings in the relevant region or official regional meetings organized by the ICANN org. As was previously the case, each eligible community group must have in place a relevant outreach strategic plan. Under the new CROP guidelines, the plan must address certain specific additional requirements. As before, trip requests need to be submitted at least six weeks prior to travel dates. In addition, the relevant regional GSE vice president must approve the request at least five working days before the six-week travel deadline. We invite you to browse through the CROP FY19 space and the CROP Procedures and Guidelines page to familiarize yourself with the updated program. Please watch for the CROP team announcement on your community mailing lists. This announcement will give more details about how to coordinate with CROP team to begin using the program. We are pleased to be able to continue to support the community's regional outreach activities for FY19. We look forward to your feedback at the end of this fiscal year so that we may continue to improve the program in line with the community's budgeting priorities in future years. […]

  • Chair’s Blog: ICANN62 Meeting & Board Workshop
    on July 3, 2018 at 7:00 am

    Thank you to everyone who participated in a successful ICANN62. Our gracious hosts in Panama made the meeting experience easy, and the active participation both from those joining remotely from their homes and those in the rooms made it very productive. In addition to working hard, I am sure many of you had an opportunity to wander around the old town, enjoy the local food, visit the Panama Canal, or even buy Panama hats (which everyone says are made in Ecuador!). The football World Cup also added quite a bit of amusement for those who were keen to follow match results on their smart phones or on the big screen. Board Workshop In the days preceding ICANN62, the Board held a three-day workshop in Panama City. We held several public sessions, in-depth sessions about the key issues and priorities of each stakeholder group for ICANN62 in preparation for the meeting, and several sessions that we had rescheduled from our Vancouver workshop. Of course, we spent  time discussing the European Union's General Data Protection Regulation (GDPR) with our CEO, and the status of the dialogues with the community, the European Commission, and the European Data Protection Board regarding possible guidance on the Unified Access Model. As for Auction Proceeds, we discussed in detail the Board’s fiduciary duties and how these could be aligned with the choice of disbursement mechanisms. We also held sessions on: The status of (a) the supplemental rules for the ICANN’s Independent Review Process (IRP) and (b) the establishment of a standing panel; The Internationalized Domain Name (IDN) implementation guidelines, which apply to IDNs at the second level; A technical look at the security and stability of the ICANN-managed root server (IMRS, also known as L-root); The status of the Policy Development Process on new gTLD subsequent procedures, and a discussion on preliminary ideas from ICANN org about how to implement the launch of a next round of new gTLDs; The draft FY19 Board priorities; An update on streamlining organizational and specific reviews; An update from the Board working group on Internet Governance (IG), covering three topics: (a) key activities since ICANN60 in Abu Dhabi, (b) global trends in the IG ecosystem that might affect ICANN’s role, and (c) planned engagements in IG events till the end of 2018; and A communications training for Board members. Additionally, the Board continued its discussions on the development of ICANN’s next strategic plan for the period 2021-2025, building on the work from the Board’s prior discussions. Finally, whilst in Panama, members of the ICANN Board met with members of the Internet Society Board, and had dinner with members of the LACTLD Board as part of their 20th anniversary celebration. Policy Forum Unsurprisingly, a major focus of this meeting was data protection and privacy issues, namely GDPR. There were sessions all across the community focusing on the different pieces of the work we have to do, and it is heartening to see the community work together to address the challenges we face. On behalf of the Board, I would like, particularly, to congratulate the Generic Names Supporting Organization (GNSO) Council for the remarkable progress made over the course of our week in Panama on the development of the charter for the Expedited Policy Development Process (EPDP).  From a blank template, the charter is beginning to take shape, with much of it agreed on in principle, and the various interests are still working hard to resolve any outstanding differences. I understand that by the time the GNSO Council meets on 19 July, it is anticipated that the EPDP charter would have been approved; the EPDP chair selected; and the members, liaisons, and alternates nominated by the GNSO and other Supporting Organizations and Advisory Committees (SO/ACs).  As part of the Strategic Outlook Program, the ICANN org team held eight trend gathering sessions with community stakeholder groups, to make sure that the  opportunities and challenges raised are incorporated into ICANN's current and future strategy. The input was invaluable, and I look forward to collaborating with the community on phases of the strategy moving forward. Several members of the Board attended a session with the new gTLD Auction Proceeds Cross-Community Working Group (CCWG-AP), offering ideas on independent evaluation of requests, on tranches of funds made available every year, and other aspects of disbursement. The Board appreciates the open and constructive engagement it has been having with the CCWG-AP and will continue to engage as the CCWG-AP further develops its preliminary recommendations. The Cross-Community Working Group on Enhancing ICANN Accountability (CCWG-Accountability) held its final plenary meeting and public engagement session during ICANN62. I’d like to thank the CCWG-Accountability for all of its hard work and progress achieved, and the Board looks forward to receiving its final report. The Supporting Organizations (SOs) and Advisory Committees (ACs) made great strides in their work, including: The Government Advisory Committee held sessions on GDPR implementation matters, access to Curative Rights Protection Mechanisms by IGOs and INGOs, IGO names and acronyms, auction proceeds; held follow-up sessions on the Dot Amazon IRP and Dot PersianGulf; held a capacity building workshop; and completed its Communiqué. The At-Large Advisory Committee held sessions with a focus on policy issues including New gTLDs, GDPR/WHOIS, and the Root Key Signing Key (KSK) Rollover; and elected a new Chair. The Regional At-Large Organizations held a LACRALO Open House meeting, and the AFRALO Board and its members held a meeting to discuss the Africa perspective on various ICANN policy issues. The Security and Stability Advisory Committee (SSAC) held working sessions to update the Names Collision and Analysis project proposal, held an emerging security session in collaboration with Tech Day, and held meetings with several other groups on a variety of topics, including GDPR, KSK rollover, and root zone evolution. SSAC also held members meetings with a series of technical presentations and discussions on topics such as hyperlocal root pros and cons, the proactive and collaborative DDoS mitigation strategy for Dutch critical infrastructure, and ICANN org gave an update on collaboration tools. The Root Server System Advisory Committee (RSSAC) held working sessions focused on internal administration, Caucus work management, and future work. The RSSAC also presented a proposed governance model for the DNS Root Server System. The Address Supporting Organization (ASO) did not formally convene at ICANN62, but members who were present participated actively in cross-community and high interest sessions. CEOs of four of the five Regional Internet Registries (RIRs) met with representatives from the ICANN Board and ICANN org to discuss ideas for improving the effectiveness of the RIRs participation in ICANN’s meetings. The Country Code Names Supporting Organization (ccNSO) continued to make progress on the retirement of ccTLDs, held sessions on disaster recovery and business continuity, held a Tech Day with a focus on the operational and technical exchange of information and best practices, held a ccNSO Members Day focusing on business and administrative matters, and elected Council Chairs and Vice Chairs. The GNSO spent a significant amount of time focusing on the different policy development activities such as: working on an Initial Report on New gTLD Subsequent Procedures; preparing for the initiation of an EPDP on the Temporary Specification for gTLD registration data; continued its review of all Rights Protection Mechanisms, focusing on Uniform Rapid Suspension data; and continuing the deliberations in preparation for the new gTLD Auction Proceeds Initial Report. Ethos Award This year, the community selection panel posthumously recognized a long-time member of the ICANN community, Stéphane Van Gelder, with the Multistakeholder Ethos Award. The tribute to Stéphane Van Gelder was very fitting and we were all touched to share memories of him with his wife, Julie Talfournier Van Gelder, who joined us in Panama. For more details on the workshop, including resolutions from the public Board meeting, please see the Board page. I appreciate your time and hard work, and ongoing commitment to ICANN. Finally, the SO and AC Leaders are already looking ahead to ICANN63. I hope to see many of you in Barcelona. […]

(Visited 6 times, 1 visits today)

Leave a Reply

Your email address will not be published. Required fields are marked *