Welcome back from Cancun; I hope everyone is rested following travel to and from the recent ICANN70 conference…

Wouldn’t that be nice? We didn’t get to travel to Cancun this year, and I don’t expect to be able to travel for ICANN71 or 72 either, but we still had a successful conference with lots of productive meetings.

Following the conclusion of ICANN70, the Tucows Policy team hosted a webinar to review the highlights and do a deep dive into some specific upcoming changes that are relevant to resellers. You can view the recording, and if you’d like to stay in the loop about future webinars make sure you’re signed up to our newsletter!

For those of you who, like me, prefer reading over watching a video, here are some notes about what we went over in the webinar:

Work Toward a New Registration Data Policy

The Expedited Policy Development Process for gTLD Registration Data (referred to just as the “EPDP”) is underway in three different phases. Work on phases 1 and 2 happened at ICANN70.

Phase 1: Creating a New gTLD Registration Data Policy

The Implementation Review Team working on bringing Phase 1 policy recommendations into effect met during ICANN70 to continue their regular work, discussing details of the new overall gTLD Registration Data Policy, which outlines Registrar and Registry obligations relating to handling personal data associated with domain name registrations. The team is also reviewing draft updates to other policies which are affected by the Phase 1 EPDP Recommendations. However, work cannot be completed until a Data Protection Agreement establishing obligations relating to how personal data is handled and protected is drafted and then signed by ICANN and each gTLD registrar or registry. Once the new Registration Data policy is finalized, there will be an implementation buffer period of at least 6 months to provide registrars and registries ample time to update systems and processes.

Phase 2: Developing a Standardized System for Access/Disclosure of gTLD Registration Data (SSAD)

Phase 2 of the EPDP resulted in policy recommendations for developing a standardized centralized system to handle requests and responses relating to the disclosure of gTLD registration data, known as the Standardized System for Access/Disclosure of gTLD registration data or “SSAD”. These policy recommendations have been approved by the GNSO Council and are now with the ICANN Board for review; until the recommendations are approved and have gone through the implementation phase, disclosure requests will continue to be handled by each registrar in a decentralized manner. We’ve detailed our own approach in our Tiered Access (Gated Whois) blog post. The public comment period for the recommendations contained in this phase’s Final Report is complete, and comments can be reviewed on the ICANN website. During the ICANN Board’s meeting at ICANN70, they passed a motion directing ICANN Org to initiate a new process called an Operational Design Phase. The purpose of this phase would be to give the Board more information about the costs of developing and maintaining the proposed SSAD, so they can make an informed decision about how to proceed.

What the Proposed Registration Data Policy Changes Mean for Resellers

During our ICANN70 Recap webinar, we looked at the specific changes to how registrars operate that will be required under the new Registration Data Policy. Although the policy is not yet final, we know what to expect because the draft is readily available, and I’m representing Tucows as a participant in the Implementation Review Team.

It’s important to note that, although this represents a significant amount of work for registrars and registries, any Tucows reseller work is optional. There are some changes that our reseller partners may choose to make, but we’ll complete this work in a way that avoids any disruption or required efforts on your part.

Here are the changes with optional reseller action:

    1. More registrant data will be optional
      Specifically, Organization, Nameservers & DNSSEC info. You can make this optional for the domain owner to provide.
    2. Technical contact will be deprecated
       Any Technical contact data submitted will be ignored. You may choose to stop collecting or sending this data to us.
    3. Organization use explanation
      If the domain owner provides an Organization, we will present information about how it is used. Specifically, this information will appear on the registrant’s Data Sharing Preferences Page. You might choose to display a notice for your customers, as needed.

Here are the changes with no associated action on your part:

    1. Sign Data Protection Agreements
      We will negotiate & sign DPAs with ICANN, TLD registries, and the data escrow provider.
    2. Reduce data sharing/retention
      We will modify data sharing and retention practices.
    3. Respond to disclosure requests
      We already have a robust process in place.

Remember, this is just a sneak peek of what’s to come. We’ll communicate clearly and often as the process continues and we start making changes on our side.

Transfer Policy Updates

The Transfer Policy, which governs both inter-registrar transfers and domain ownership transfers, is due for an update, and a new Policy Development Working Group is being chartered to undertake this work. There are a few reasons why this policy needs to change:

  • It’s difficult to explain to domain owners
  • The ownership transfer process is especially cumbersome and shows very little sign of preventing domain theft (its whole reason for existence!)
  • Because of changes to the public Whois output necessitated by the GDPR, the registrant email is no longer available to the gaining registrar via the public registration record, so the part of the transfer process which relies on that (the gaining Form of Authorization) has to be updated

The new Policy Development Working Group will review and update the entire Transfer Policy in three phases:

  1. The Form of Authorization and transfer authorization codes (for inter-registrar transfers)
  2. Ownership transfers
  3. Everything else – the transfer dispute resolution policy, transfer emergency action contact, reversing transfers, and cancelling transfers

We know the current processes are confusing, and there are lots of opportunities to make domain transfers easier for domain owners while ensuring they’re safe and secure. I’ll be an active member of the Policy Development Working Group, there to ensure that the transfer process is secure, reliable, and efficient.

DNS Abuse

Much of ICANN70 focused on “DNS Abuse”, including presentations by ICANN Staff’s DAAR (Domain Abuse Activity Reporting) group, which showed that DNS Abuse has objectively decreased overall, despite the COVID-19 crisis. Despite this clear decrease in abuse rates, the issue is still one of great concern to many groups in the ICANN community.

The Registrar Stakeholder Group (RrSG) continues to advocate for defining the term “DNS Abuse” as it is used in the DNS Abuse Framework (which Tucows helped draft):

DNS Abuse is composed of five broad categories of harmful activity insofar as they intersect with the DNS: malware, botnets, phishing, pharming, and spam (when it serves as a delivery mechanism for the other forms of DNS Abuse.

This definition, notably, does not include any issues relating to website content; although website content may be offensive or illegal, it is outside the purview of ICANN and does not constitute DNS Abuse.

In addition to the presentations by ICANN’s DAAR group, there were several DNS Abuse-related sessions that provided the opportunity for attendees to review the topic from various perspectives. Reg Levy, Tucows’s Head of Compliance, co-chairs the RrSG DNS Abuse Subgroup, which works closely with the corresponding Registry Stakeholder Group DNS Abuse Subgroup (together, the Contracted Party House DNS Abuse Subgroup). These DNS Abuse groups perform regular outreach to ICANN Stakeholder groups to better understand their concerns about DNS Abuse, discuss positive changes they have seen in the industry, and consider areas for collaboration.

Tucows takes DNS Abuse seriously and the Tucows Compliance team is always on hand to discuss strategies with resellers to reduce DNS Abuse in their respective namespaces. We are always pleased to work with our resellers to help them prevent DNS Abuse.

Website Content Issues

The final section of our webinar was an update from our CEO Elliot Noss on website content abuse issues and how our thinking on that topic is evolving with the times. It’s too much to summarize in a few words, so we’ll point you back to the webinar recording to get the full picture of what happened. Elliot also shared thoughts on content moderation during a fireside at NamesCon back in January 2021.

As promised, we’ll keep you posted as things develop. We encourage you to subscribe to our newsletter to make sure you’re informed of these and other important industry updates.