Community Outreach On Interpretation and Enforcement of the 2013 RAA
In this blog, I want to update the community on efforts I am making to offer greater clarity regarding ICANN's interpretation and enforcement of certain key provisions of the 2013 Registrar Accreditation Agreement.
Outreach Efforts to Clarify ICANN's Interpretation of the 2013 RAA
A topic that generates considerable discussion and debate within the ICANN community is the appropriate interpretation and enforcement of Section 3.18 of the 2013 Registrar Accreditation Agreement. Section 3.18.1 requires registrars to maintain an abuse point of contact to receive "reports of abuse involving Registered Names sponsored by Registrar, including reports of Illegal Activity," and to "take reasonable and prompt steps to investigate and respond appropriately" to any reports of abuse. Section 3.18.2 requires each registrar to establish and maintain a dedicated abuse point of contact, monitored 24 x 7, to receive reports of illegal activity by law enforcement, consumer protection, quasi-governmental or similar authorities. It also requires the review of well-founded reports of illegal activity submitted to these contacts within 24 hours by an individual who is empowered by the registrar to take necessary and appropriate action in response to the report.
There are widely divergent views within the ICANN multistakeholder community regarding the proper interpretation of these provisions of the 2013 RAA. I have stated on a number of occasions, including in various meetings during ICANN 52 in Singapore, that I believe it is appropriate, fair and reasonable for ICANN to provide contracted parties, as well as other stakeholders within the community, greater clarity regarding how ICANN interprets and enforces these provisions.
In furtherance of those efforts, I have held a number of meetings and telephone calls since ICANN 52, including with members of the Registrar Stakeholder Group, representatives of the IPC and intellectual property owners, members of civil society, various parties that have submitted abuse reports under the 2013 RAA and other interested parties, to solicit their views on these matters.
The 2013 RAA is a contract between ICANN and each registrar, and it is ICANN and the individual registrar that will ultimately need to resolve issues regarding the interpretation and enforcement of that contract, either informally or potentially via mediation or arbitration. However, I recognize that the 2013 RAA was the result of extensive public discussion among the ICANN multistakeholder community and that many stakeholders are keenly interested in how it is interpreted and enforced, so I have welcomed input from the community.
My discussions with stakeholders have been productive and are evolving toward trying to seek guidance and clarity in two principal areas:
- Minimum Criteria for a Valid Abuse Complaint
What are the minimum criteria for a valid abuse complaint requiring a response from registrars? If an abuse complaint does not meet these minimum criteria, is it appropriate for a registrar to respond by asking the complaining party to submit an abuse complaint that does meet those minimum criteria?
- Minimum Criteria for "reasonable and prompt steps to investigate and respond appropriately" to Abuse Reports
What are the minimum steps that a Registrar must take in response to a valid abuse complaint in terms of both investigation and response?
Goals of Outreach Efforts
I am hopeful that the discussions we are having will lead to ICANN Contractual Compliance offering guidance regarding how ICANN interprets and intends to enforce these contractual provisions, both with respect to advising on the minimum requirements for a valid abuse complaint as well as the minimum requirements for a valid investigation and response. I believe this will be beneficial in providing direction to registrars and those submitting abuse reports.
Let me briefly explain some of the issues that have arisen during my conversations simply to illustrate a few of the many topics we have considered and debated, and are continuing to discuss.
Regarding the minimum criteria for a valid abuse complaint:
- Some registrars complain that certain abuse reports they receive are so broad and vague that it is nearly impossible to determine the nature of the complaint. Consider an abuse complaint that references the home page of a large and complex website containing multiple URLs, and simply alleging "infringement." Is such a complaint alleging copyright, trademark or patent infringement, or is it alleging the sale of counterfeit goods? Whose rights are alleged to be infringed and has the complaining party provided any evidence that it owns the rights alleged to be infringed? What specific content at what specific URLs is alleged to be infringing? Absent specifics, it is challenging for a registrar to process such an abuse report or to investigate the alleged abuse.
- Some registrars also complain that they receive multiple copies of identical abuse reports, sometimes generated by botnets, and do not believe they should be required to respond to duplicative reports repeating the same allegations.
These are a few examples of what we have been discussing in trying to define minimum requirements for a valid abuse complaint, and parties that routinely submit abuse reports have generally been receptive to the concept of trying to define what elements should be contained in an abuse report.
Regarding what is required of registrars in terms of investigation and response to an abuse complaint:
This provision of the 2013 RAA generates significantly divergent interpretations, both in terms of the scope of what some stakeholders maintain that registrars are required to do to investigate an abuse report and what constitutes an appropriate response. We have had constructive discussions regarding matters such as:
- Forwarding abuse reports to the registered name holder.
- Whether there are any circumstances in which not forwarding an abuse report to the registered name holder is justified.
- How a registrar should respond if the registered name holder ignores the abuse report and fails to respond.
- What should be communicated back to the party that filed the abuse report.
I think we are making progress toward a potential common understanding of minimum steps that registrars should take to investigate and respond.
There are, however, more challenging issues on which there is greater diversity of opinion within the community. For example, a number of parties submitting abuse reports believe that an appropriate response to illegal activity requires the registrar to suspend the registered name holder's domain name and requires ICANN to terminate the registrar's 2013 RAA if the registrar fails to do so, while some registrars maintain that an appropriate response may be to state that the registrar is unable or not qualified to determine whether the registered name holder is engaged in illegal activity and that the reporter should seek legal redress from law enforcement, regulatory authorities or the courts.
My dialogue with registrars has been constructive, as have my discussions with other interested stakeholders, and I am optimistic that these discussions will lead to providing further guidance and clarification on the minimum requirements for a valid abuse complaint as well as the minimum requirements for a valid investigation and response. Reports of abuse and illegal activity encompass a wide range of behaviors and it is unrealistic to expect that we will ever be able to arrive at a "one-size-fits-all" approach. However, I believe that if we focus on minimum requirements for abuse reports and obligations to investigate and respond, we can make significant progress in finding common ground.