Minutes | Special Meeting of the ICANN Board | 21 December 2023

Rationale for Resolution 2023.12.21.01

Why is the Board addressing the issue?

The Registration Directory Service Review is one of the four Specific Reviews anchored in Article 4, Section 4.6 of the ICANN Bylaws. Specific Reviews are conducted by community-led review teams, which assess ICANN's performance in fulfilling its commitments under the ICANN Bylaws. Reviews contribute to ensuring that ICANN serves the public interest, are critical to maintaining an effective multistakeholder model, and help ICANN achieve its mission, as detailed in Article 1 of the Bylaws.

Pursuant to the ICANN Bylaws, Article 4, Section 4.6(e)(ii), the Second Registration Directory Service Review (RDS-WHOIS2) reviewed the effectiveness of the then-current gTLD registry directory services and whether their implementation meets the legitimate needs of law enforcement, promotes consumer trust, and safeguards registrant data.

What is the proposal being considered?

This proposed action is in furtherance of resolution 2020.02.25.04 to place four of the 22 recommendations issued by the Second Registration Directory Service Review (RDS-WHOIS2) in "pending" status.

The Board notes that, at the time the Second Registration Directory Service Review (RDS-WHOIS) Final Report and its recommendations were issued, the community was discussing the Phase 2 recommendations of the Expedited Policy Development Process on the Temporary Specification for gTLD Registration Data (EPDP), while implementation of the Phase 1 recommendations was ongoing.

RDS-WHOIS2 Recommendation 4.1 calls for ICANN Contractual Compliance to "proactively monitor and enforce registrar obligations with regard to RDS (WHOIS) data accuracy using data from incoming inaccuracy complaints and RDS accuracy studies or reviews to look for and address systemic issues" and suggests that a "risk-based approach should be executed to assess and understand inaccuracy issues" to allow for appropriate actions to be taken to mitigate them.

The Board notes that ICANN Contractual Compliance (ICANN Compliance) undertakes enforcement of registrar obligations, as they currently exist within the Registrar Accreditation Agreement (RAA) and the Registration Data Directory Service (RDDS) Accuracy Program Specification of the RAA, through actions resulting from complaints received from external reports, as well as audit-related activities. The Board notes that ICANN Compliance regularly reports on enforcement activities through metrics.

The Board recognizes that there is currently no consensus on how "accuracy" is defined with respect to registration data, nor consensus on what would constitute a "systemic issue" concerning registration data accuracy.

As a result, the Board rejects RDS-WHOIS2 Recommendation 4.1. The Board understands that ICANN org will continue to support the work of the community by providing detailed metrics relating to enforcement of current registration data requirements and supporting research to help understand best practices as it concerns registration data accuracy, as appropriate.

RDS-WHOIS2 Recommendation 4.2 suggests that ICANN Compliance cross-reference "existing data from incoming complaints and studies such as the" WHOIS Accuracy Reporting System (ARS) "to detect patterns of failure to validate and verify RDS (WHOIS) data as required by the RAA" and that "when such a pattern is detected, compliance action or an audit should be initiated to review compliance of the Registrar with RDS (WHOIS) contractual obligations and consensus policies."

In addition to considerations noted on RDS-WHOIS2 Recommendation 4.1, the Board notes that the ARS was placed on hold due to ICANN org's continuing assessment of the legalities of processing the data in light of the General Data Protection Regulation (GDPR), as well as due to the lack of available data in the public directories.

ICANN's Assessment of Registration Data Accuracy Scenarios identified significant limitations to the feasibility of studies or reviews of registration data in light of current contractual requirements and existing data protection laws.

Moreover, the Board finds it unclear what "patterns of failure" might be as it relates to the verification and validation of registration data accuracy, and understands that any identified instance of noncompliance with current obligations must be corrected to maintain accreditation with ICANN.

Considering that ICANN Compliance enforcement actions must be based on the existing Registry Agreement and RAA provisions, that the ability to cross-reference data from multiple resources is unrealistic considering the current data protection legal landscape, and that ICANN Compliance already undertakes enforcement action upon any identified deficiency within complaints received and the standard Registrar Audit Program, the Board rejects RDS-WHOIS2 Recommendation 4.2.

As with RDS-WHOIS2 Recommendation 4.1, the Board understands that ICANN org will continue to support the work of the community by providing detailed metrics relating to enforcement of current registration data requirements and facilitating research to understand best practices as it concerns registration data accuracy, as appropriate.

RDS-WHOIS2 Recommendation 5.1 calls for the ICANN organization (ICANN org) to continue to "monitor accuracy and/or contactability through either the ARS or a comparable tool/methodology."

Since the launch of the ARS, the regulatory environment around data protection and privacy has changed significantly. Such changes necessitated the Board's adoption of the Temporary Specification for gTLD Registration Data, which resulted in the obfuscation of most registrant contact information that was previously available in the public directories. As a result, the ARS was put on hold, where it remains.

ICANN org continues to assess the legalities of processing registration data within the current regulatory environment. The Assessment of Registration Data Accuracy Scenarios that was recently sent to the GNSO Council noted that "ICANN has identified alternative steps that can be taken, which may provide information that helps advance the Accuracy Scoping Team's work."

Considering the pause of ARS and questions surrounding the legalities of the contemplated data processing, the Board rejects RDS-WHOIS2 Recommendation 5.1, noting that ICANN continues to enforce registration data obligations within the remit of the contracted parties' agreements through inaccuracy complaints and audit-related activities.

RDS-WHOIS2 Recommendation 10.1 calls for the Board to monitor the implementation of the Privacy & Proxy Services Accreditation Issues (PPSAI) policy development process recommendations. RDS-WHOIS2 Recommendation 10.1 further suggests that should PPSAI not become operational, the Board should ensure an amendment to the 2013 RAA that "ensures that the underlying registration data of domain name registrations using Privacy/Proxy providers affiliated with registrars shall be verified and validated in application of the verification and validation requirements under the RAA unless such verification or validation has already occurred at the registrar level for such domain name registrations."

The ICANN Board has been monitoring the progress and community discussions regarding the implementation of PPSAI since it was placed on hold due to issues related to GDPR, the adoption of the Temporary Specification, the policy development and subsequent implementation of the EPDP Phase 1 (Registration Data Policy), and the then-forthcoming EPDP Phase 2 policy recommendations.

The Board will continue to monitor these activities and acknowledges the ICANN org plans to work with an Implementation Review Team (IRT) to help consider these recommendations in light of the community's work and changes in the RDS landscape since the recommendations were issued in 2015.

The Board understands that under the current requirements of the 2013 RAA and RDDS Accuracy Program Specification of the RAA, registrars must validate and verify registrant contact data, and account holder contact data (if different). Where a privacy service is used, the registrant contact data is that of the privacy services customer. Where a proxy service is used, the account holder's contact data is also subject to these requirements, which is defined as the person or entity that pays for the domain name or otherwise controls the management of the registered domain name, when different from the registrant. Accordingly, the underlying data of a privacy services customer or proxy customer managing the registered name is already subject to requirements under the RAA and RDDS Accuracy Program Specification.

The Board considers the recommendation to ensure an amendment to the 2013 RAA by 31 December 2019 as unnecessary in light of existing requirements and therefore, rejects RDS-WHOIS2 Recommendation 10.1.

Which stakeholders or others were consulted?

The RDS-WHOIS2 Final Report was published for a public comment proceeding and the Board received feedback as part of that process.

What significant materials did the Board review?

The Board considered various significant materials and documents. In addition to the ICANN assessment (see the December Scorecard), the Board consulted the RDS-WHOIS2 Review Team's Final Report and the staff report of the public comment proceeding on the RDS-WHOIS2 Final Report.

The Board has also considered the Assessment of Registration Data Accuracy Scenarios that was delivered to the GNSO Council in October 2023, as well as the ICANN Organization Enforcement of Registration Data Accuracy Obligations Before and After GDPR page.

Are there positive or negative community impacts?

Taking action on the four RDS-WHOIS pending recommendations contributes to further addressing the outcome of the Specific Reviews, and enhances ICANN's accountability.

Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?

None.

Are there any security, stability or resiliency issues relating to the DNS?

The Board recognizes that accuracy of registration data is an important matter for ensuring a stable and secure Domain Name System, and that it has been a longstanding topic of discussion within the community.

Is this decision in the public interest and within ICANN's mission?

This action is in the public interest as it is a fulfillment of ICANN Bylaws, as articulated in Section 4.6. It is also within ICANN's mission and mandate. ICANN reviews are an important and essential part of how ICANN upholds its commitments.

Is this either a defined policy process within ICANN's Supporting Organizations or ICANN's Organizational Administrative Function decision requiring public comment or not requiring public comment?

None required.

Rationale for Resolutions 2023.12.21.02 – 2023.12.21.03

The selected audit firm and its member firms have been ICANN's independent audit firms since the audit of fiscal year 2022.  Based on the report from the organization and the Audit Committee's evaluation of the work performed during last year's audit, the committee has recommended that the Board authorize the Interim President and CEO, or her designee(s), to take all steps necessary to engage the selected firm and its member firms as ICANN's independent audit firm(s) for fiscal year 2024 for any annual independent audit requirements in any jurisdiction.

This furthers ICANN's accountability to its Mission and processes, and the results of the independent audit firm's work will be publicly available.  Taking this decision is both consistent with ICANN's Mission and in the public interest as the engagement of an independent audit firm is in fulfilment of ICANN's obligations to undertake an audit of ICANN's financial statements and helps serve ICANN's stakeholders in a more accountable manner.

This decision will have a fiscal impact on ICANN, which is accounted for in the FY24 ICANN Operating Plan and Budget and in the Draft ICANN FY25 Operating Plan and Budget.  This decision should not have any direct impact on the security, stability and resiliency of the domain name system.

This is an Organizational Administrative Function not requiring public comment.

Fifteen Directors voted in favor of Resolutions 2023.12.21.01, 2023.12.21.02, and 2023.12.21.03. Edmon Chung was unavailable to vote. The Resolutions carried.

Rationale for Resolutions 2023.12.21.04 – 2023.12.21.06

In order to facilitate the New gTLD Program Next Round initiatives outlined above, ICANN org has a need for both a platform as well as software engineering resources that can support the gTLD application lifecycle processes during the implementation and operations phases of the Program. Considering both needs together – a [Redacted – Confidential Negotiation Information] platform-licensing contract and a [Redacted – Confidential Negotiation Information] professional services contract – provides ICANN org with the most leverage in negotiating discounted rates for the necessary platform licensing, support and professional services.

ICANN org has conducted a thorough review and evaluation of the potential platform partners, starting in January 2022. In June 2022, following this evaluation, the org collaborated with a global research firm to evaluate IT service platforms for the Next Round, focused on platforms with low code application development and business process management capabilities. Concurrently, the evaluation team conducted a Request for Information (RFI) with several vendors, subsequently evaluating the top candidate platforms.

Starting in April 2023 through September 2023 ICANN org took the following actions to determine at a deeper level the viability, cost effectiveness and robustness of the candidate platform vendors:

• Launched a Request for Proposal (RFP) of top candidates from RFI

• Designed and executed a feature-rich Minimum Viable Product (MVP) based on core applicant submission, processing and evaluation actions to assess the vendor platform in practical terms.

• Conducted comprehensive internal and external system security testing and performance tuning, addressing previous round issues. As part of system security testing ICANN engaged a dedicated information security team and 3rd party pen test to evaluate the completed MVP and platform. No critical vulnerabilities were identified.

The RFP was completed and evaluated in October 2023 and consensus was achieved among internal stakeholders. The selected vendor remained the most cost effective and capable to support the New gTLD Program Next Round.

Over the contract duration for use of the platform, the overall plan is to leverage the selected platform to optimize applicant experience throughout the next round processes. To ensure the quality and efficiency of the program, ICANN org intends to:

• Track delivery and quality metrics to boost team performance.

• Focus on key deliverables to achieve optimal program output.

• Review contract vs. staff resourcing plan to minimize ongoing cost

There are several milestones remaining for the New gTLD Program Next Round, which ICANN org has estimated to require several more years of work. At a high-level these milestones include, but are not limited to the following:

• Registry Service Provider Eval (RSP)

• Applicant Support Program (ASP)

• gTLD Next Round Applicant Management System (TAMS)

• Contracting services

• Reporting services

• Other Shared Services (Payments, OFAC, Background screening)

Accordingly, ICANN organization and the BFC recommended that the Board authorize the organization to enter into, and make disbursement in furtherance of, contracts with the vendor covering a [Redacted – Confidential Negotiation Information] period and [Redacted – Confidential Negotiation Information] for the right to use the platform and professional services, respectively, with a total cost of both not to exceed [Redacted – Confidential Negotiation Information]. The professional services will augment the Engineering and IT team capabilities in support of the Next Round infrastructure development work with the selected vendor.

This decision is in the furtherance of ICANN's mission and the support of public interest to support the security, stability and resiliency of the domain name system (DNS) by ensuring that there is a fully resourced engineering and IT team able to support the organization in a fiscally responsible and accountable manner.

This decision will have a fiscal impact, but the impact has already been accounted for in the FY24 budget and will be for future budgets as well. 

As noted above, this action is intended to have a positive impact on security, stability and resiliency of the DNS.

This is an Organizational Administrative Function that does not require public comment.

Rationale for Resolutions 2023.12.21.07 – 2023.12.21.08

The Registry System Testing (RST) system is to be developed to comply with Recommendation 39.1 of the Final Report on the New gTLD Subsequent Procedures Policy Development Process that instructs ICANN org to create such a system.

The RST system is part of the New gTLD Program – It is a Next Round initiative and should be ready for launch a minimum of 18 months prior to the opening of the next round of gTLD application submission and concurrent with the Registry Service Provider (RSP) evaluation system launch (i.e., Q4 2024).

The RST is expected to be leveraged during the RSP pre-evaluation phase, throughout the gTLD application evaluation processes, during pre-delegation and long term to handle contracted party changes and updates. Therefore, a system that can handle the long term volume demands with less manual overhead is desired.

To support the outstanding deliverables for the RST system, ICANN org has a need for third-party engineering development and quality assurance for 12 months to augment internal IT capacity.

Benefits to outsourcing this work include: (i) ability to ramp up, ramp down, or redirect resources and change team skill sets quickly; and in-sourcing the necessary talent in the timeframe required would exceed the cost of outsourcing to a trusted vendor.

In Oct 2023, ICANN launched a Request for Proposal (RFP) to identify a RST service provider to augment ICANN's Engineering and IT (E&IT) team in developing the RST v2.0 service.

Upon completion of RFP evaluation, a preferred vendor was selected as the best candidate. The vendor has an established relationship of past performance with ICANN in providing skilled engineering and quality assurance services and is the preferred vendor for this project.

Over the contract duration, the plan is to: (i) Track delivery and quality metrics to boost team performance; (ii) focus on key deliverables to achieve optimal system output; and (iii) review contract vs. staff resourcing plan to minimize ongoing cost.

There are several milestones to complete Registry System Testing, which ICANN org has estimated to require 12 months of work. At a high-level these milestones include, but are not limited to the following:

• RESTful API

• Test Orchestration System (TOS)

• Implement automated test areas

• Integration with test infrastructure, database and storage systems

• Documentation training, troubleshooting

• Ongoing operational support

Given the remaining work to deliver these milestones, ICANN org has determined that a [Redacted – Confidential Negotiation Information] support services contract should be established with the preferred vendor.

This decision is in the furtherance of ICANN's mission and the support of public interest to support the security, stability and resiliency of the domain name system by ensuring that there is a fully resourced engineering and IT team able to support the organization in a fiscally responsible and accountable manner.

This decision will have a fiscal impact, but the impact has already been accounted for in the FY24 budget and will be for future budgets as well. 

As noted above, this action is intended to have a positive impact on the next round of new gTLD applications, and further application rounds.

This is an Organizational Administrative Function that does not require public comment.

Rationale for Resolutions 2023.12.21.09 – 2023.12.21.10

When the Interim President and CEO was engaged, both in her role as Special Advisor to the President and SVP Global Stakeholder Engagement, and again as Interim President and CEO, she was offered a base salary, plus an at-risk component of her compensation package.  Consistent with all personnel with the ICANN organization, the Interim President and CEO is to be evaluated against specific goals and the Interim President and CEO confirmed in coordination with the Compensation Committee, which were previously approved by the Board. 

The Interim President and CEO provided to the Compensation Committee her assessment of the progress toward the FY24 goals.  The Compensation Committee discussed and agreed that the Interim President and CEO should be awarded her at-risk compensation for the first half of FY24 and recommended that the Board approve payment to the Interim President and CEO for her at-risk compensation for the first half of FY24.  The Board agrees with the Compensation Committee's recommendation. 

Taking this decision is in furtherance of ICANN's Mission and is in the public interest in that it helps ensure that Interim President and CEO is sufficiently compensated in line with her performance in furtherance of the Mission, and which reflects that her goals are consistent with ICANN's Strategic and Operating plans. 

While the decision to pay the Interim President and CEO her at-risk compensation for the first half of FY24 will have a fiscal impact on ICANN, it is an impact that was contemplated in the FY24 budget.  This decision will not have an impact on the security, stability or resiliency of the domain name system.

This is an Organizational Administrative Function that does not require public comment.

The Chair called the meeting to a close.