ICANN picks 28 registries for abuse audit
ICANN has kicked off its annual compliance audit, and this time it’s focused on registries rather than registrars.
It’s picked 28 gTLDs based on whether they’ve not been fully audited before, whether they have more than 100 domains, and whether they show up a lot in abuse blocklists (excluding spam blocklists).
Only one gTLD per registry has been picked, which might be why the number is lower than previous audit rounds.
The audit will entail sending a questionnaire to each registry to ask how they are complying with each of their commitments under the Registry Agreement.
Registries have already been told if they’ve been picked. ICANN hopes to have it all wrapped up in the third quarter.
Most registrars did NOT “fail” abuse audit, ICANN says
Most registrars did not “fail” a recent abuse audit, despite what I wrote in my original coverage, according to ICANN.
“Referring to a certain blog, none of the registrars failed the audit,” ICANN senior audit manager Yan Agranonik said during a session of ICANN 72’s Prep Week last night.
He’s talking about ME! He’s talking about ME!
“Failure would mean that there’s an irreparable finding of deficiency that can not be corrected timely or it just goes against the registrar’s business model,” Agranonik said.
An accompanying presentation reads:
None of the registrars “failed” the audit. “Failure” means that the auditee did not acknowledge/remediate identified violations of the RAA or their business practices are not compatible with RAA.
At the risk of prolonging a tedious semantic debate, what I reported in August, when the results of the audit were announced, was: “The large majority of accredited registrars failed an abuse-related audit at the first pass, according to ICANN.”
A bunch of registrar employees, and now apparently ICANN’s own head auditor, disagreed with my characterization.
ICANN had issued a press release stating that of 126 audited registrars, it had identified 111 “that were not fully compliant with the RAA’s requirements related to the receiving and handling of DNS abuse reports.”
To me, if ICANN checks whether you’re doing a thing you should be doing and you’re not doing the thing, that’s a fail.
But to ICANN, if ICANN checks whether you’re doing a thing you should be doing and you’re not doing the thing, and it tells you you’re not doing the thing you should be doing, so you start doing the thing, that’s not a fail.
I think reasonable people could disagree on the definitions here.
But I did write that the registrars “failed… according to ICANN”, and that appears to be inaccurate, so I’m happy to correct the record today.
Most registrars fail ICANN abuse audit
The large majority of accredited registrars failed an abuse-related audit at the first pass, according to ICANN.
(UPDATE October 14, 2021: ICANN disagrees with this characterization.)
The audit of 126 registrars, representing over 90% of all registered gTLD domains, founds that 111 were “not fully compliant with the [Registrar Accreditation Agreement’s] requirements related to the receiving and handling of DNS abuse reports”.
Only 15 companies passed with flying colors, ICANN said.
A further 92 have already put in place changes to address the identified concerns, with 19 more still struggling to come into compliance.
The particular parts of the RAA being audited require registrars to publish an abuse email address that it monitored 24/7 and to take action on well-founded cases of abuse within 24 hours of notification.
The results of the audit, carried out by ICANN Compliance and KPMG, can be found here (pdf).
153 registrars fingered for ICANN security probe
Registrars will be asked to account for abusive domain names found on their services, under a new ICANN security audit.
ICANN says it will soon send requests for information to 153 registrars, asking them to provide documentation showing how they dealt with domains used for distribution of malware or spam.
Registrars will get audited if more than five domains under their sponsorship showed up on a number of block-lists ICANN uses (SpamHaus and the like) during November 2020.
ICANN is spinning the number of affected registrars as a very small percentage of the accredited base, but it really isn’t.
It said that “only” 153 out of 2,380 accredited registrars are affected, apparently willfully ignoring the fact that well over 1,700 of these registrars are shell accreditations used for drop-catching and belonging to just two companies: Web.com and NameBright.
Domains never stick around at drop-catch shells for long, and abusive registrants typically aren’t buying expensive names on the aftermarket, they’re prowling the budget registrars for sub-dollar bargains and bulk-reg tools.
Up to a couple hundred or other accredited registrars have no or negligible domains under management. Several more are corporate registrars with no retail front-end.
So we’re really looking at “only” 153 out of 500 to 600 active retail registrars that saw the required level of abuse, a much higher percentage than would be ideal.
The audit is part of ICANN’s regular Contractual Compliance Audit Program, which seeks to determine whether any registrars or registries are in breach of their contractual obligations.
Under the 2013 Registrar Accreditation Agreement, registrars are obliged to document their responses to abuse reports, keep the data for two years, and hand it over to ICANN on demand.
ICANN hopes to finish the audit by the third quarter this year.
Sixty gTLD registries not monitoring security threats
Roughly 5% of gTLD registry operators have been doing no abuse monitoring, despite contractual requirements to do so, a recent ICANN audit has found.
ICANN checked with 1,207 registries — basically all gTLDs — between November 2018 and June, and found about 60 of them “were not performing any security threat monitoring, despite having domains registered in their gTLDs”.
A further 180 (15%) were not doing security checks, but had no registered domains, usually because they were unused dot-brands. ICANN told these companies that they had to do the checks anyway, to remain in compliance.
In all cases, ICANN said, the registries remediated their oversights during the audit to bring their gTLDs back into compliance.
ICANN does not name the non-compliant registries in the summary of the audit’s results, published yesterday (pdf).
Registries under the 2012 new gTLD base registry agreement all have to agree to this:
Registry Operator will periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. Registry Operator will maintain statistical reports on the number of security threats identified and the actions taken as a result of the periodic security checks. Registry Operator will maintain these reports for the term of the Agreement unless a shorter period is required by law or approved by ICANN, and will provide them to ICANN upon request.
It’s possible to keep tabs on abuse by monitoring domain blocklists such as SpamHaus, SURBL and PhishTank. Some such lists are freely available, others carry hefty licensing fees.
ICANN itself monitors these lists through its Domain Abuse Activity Reporting project, so it’s able to work out the differences between the levels of abuse registries report and what the empirical data suggests.
Registries typically either use these lists via in-house tools or license products provided by vendors such as Neustar, RegistryOffice, Knipp, CSC, DOTZON, Afnic, AusCERT, Shadowserver, Telefonica, Secure Domain Foundation and Netcraft, ICANN said.
Perhaps unsurprisingly, there’s a bit of disagreement between ICANN and some registries about how the somewhat vague obligations quote above are be interpreted.
ICANN thinks registries should have to provide information about specific domains that were identified as abusive and what remediation actions were taken, but some registries think they only have to provide aggregate statistical data (which would be my read of the language).
The contracts also don’t specify how frequently registries much carry out security reviews.
Of the 80% (965) of registries already in compliance, 80% (772) were doing daily abuse monitoring. Others were doing it weekly, monthly, or even quarterly, ICANN found, all of which appear to be in line with contractual requirements.
ICANN cancels registrar audit as GDPR headaches loom
ICANN has decided to call off a scheduled audit of its registrar base, to enable registrars to focus on sorting out compliance with the General Data Protection Regulation.
The biannual audit, carried out by ICANN Compliance, was due to start in May. As you likely know by now, May 25 is GDPR Day, when the EU’s privacy law comes into full effect.
In a letter (pdf) to registrars, senior VP of compliance Jamie Hedlund said: “The April 2018 registrar audit round is on hold.”
He added: “We are reviewing the schedule, resources and risks associated with holding a single, larger audit round in autumn of 2018, as well as considering alternative approaches.”
His letter came in response to a plea (pdf) from Registrar Stakeholder Group chair Graeme Bunton, who said an audit that clashed with GDPR deadline would be an “enormous undertaking” for affected registrars.
The audits, which have been running for a few years, randomly select a subset of registries and registrars to spot-check compliance with their Registrar Accreditation Agreements and Registry Agreements.
The program looks at 20-odd areas of compliance, one of which is Whois provision.
Zero registrars pass ICANN audit
Some of the biggest names in the registrar game were among a bewildering 100% that failed an ICANN first-pass audit in the latest round of random compliance checks.
Of the 55 registrars picked to participate in the audit, a resounding 0 passed the initial audit, according to data released today.
Among them were recognizable names including Tucows, Register.com, 1&1, Google and Xin Net.
ICANN found 86% of the registrars had three or more “deficiencies” in their compliance with the 2013 Registrar Accreditation Agreement.
By far the most problematic area was compliance with sections 3.7.7.1 to 3.7.7.12 of the RAA, which specifies what terms registrars must put in their registration agreements and how they verify the contact details of their customers.
A full three quarters of audited registrars failed on that count, according to ICANN’s report (pdf).
More than half of tested registrars failed to live up to their commitments to respond to reports of abuse, where they’re obliged among other things to have a 24/7 contact number available.
There was one breach notice to a registrar as a result of the audit, but none of the failures were serious enough for ICANN to terminate the deficient registrar’s contract. Two registrars self-terminated during the process.
ICANN’s audit program is ongoing and operates in rounds.
In the current round, registrars were selected from those which either hadn’t had an audit in a couple of years, were found lacking in previous rounds, or had veered dangerously close to formal breach notices.
The round kicked off last September with requests for documents. The initial audit, which all registrars failed, was followed by a remediation phase from January to May.
Over the remediation phase, only one third of the registrars successfully resolved all the issues highlight by the audit. The remainder issued remediation plans and will be followed up on in future rounds.
The 0% pass rate is not unprecedented. It’s the same as the immediately prior audit (pdf), which ran from May to October 2016.
Black Ice suspended by ICANN
A small Israeli registrar has had its registrar accreditation suspended by ICANN.
Black Ice domains, which has a few thousand .com and .net domains under management, failed to comply with an ICANN audit and was overdue on its fees by over $5,000, according to the ICANN notice (pdf).
It won’t be allowed to sell gTLD domains or accept inbound transfers from December 19 to March 18, and may be terminated if it fails to come back into compliance.
The registrar is the fourth to have its accreditation suspended by ICANN in 2014. The organization has terminated a further seven registrars, down on the 11 terminated in the whole of 2013.
Almost half of registrars “deficient” in compliance audit
Almost half of accredited domain name registrars were found “deficient” during a recent ICANN compliance survey.
Results of an audit published today show that 146 of 322 registrars (45%) picked at random for the September 2013 to May 2014 study had to carry out some form of remediation in order to comply with their contracts.
The report comes at the end of the second year of ICANN’s audit program, which aims to bring all accredited registrars and gTLD registries into compliance over three years.
The deficiencies noted at 146 registrars cover areas ranging from compliance with ICANN consensus policies to the availability of Whois services over the web and port 43.
In almost every instance the numbers were down on last year.
For example, ICANN documented 86 registrars who could not initially show compliance with requirements on the retention of registrant data, down from 105 a year ago.
Only 15 registrars of the 322 (4.6%) flunked the audit and will be re-tested. The others were all able to bring their systems into line with ICANN’s requirements during the course of the audit.
Three registrars were terminated as a result of deficiencies identified during this phase of the program.
The full report, along with the list of participating registrars, can be found here.
In major snub, Verisign refuses to let ICANN audit .net
Verisign has delivered a significant blow to ICANN’s authority by refusing to take part in its contractual compliance audit program.
The snub runs a risk of scuppering ICANN’s plans to make compliance a cornerstone of its new management’s strategy.
In a letter to ICANN’s compliance department this week, Verisign senior vice president Pat Kane said that the company has no obligation to submit to an audit of .net under its ICANN contract.
Kane wrote:
Verisign has no contractual obligations under its .net Registry Agreement with ICANN to comply with the proposed audit. Absent such express contractual obligations, Verisign will not submit itself to an audit by or at the direction of ICANN of its books and records.
The company is basically refusing to take part in ICANN’s Contractual Compliance Audit Program, a proactive three-year plan to make sure all gTLD registries and accredited registrars are sticking to their contracts.
For registries, the plan calls for ICANN to look at things like compliance with Whois, zone file access, data escrow, monthly reporting, and other policies outlined in the registry agreements.
Verisign isn’t necessarily admitting that it thinks it would not pass the .net audit, but it is sending a strong signal that it believes ICANN’s authority over it has limits.
In the program’s FAQ, ICANN admits that it does not have explicit audit rights over all contracted parties, stating:
What’s the basis for including all contracted parties, when the ‘Right to Audit’ clause isn’t present in 2001 RAA and Registry Agreements?
One of ICANN’s responsibilities is to conduct audits of its agreements in order to ensure that all contracted parties are in compliance with those agreements.
If Verisign is refusing to participate, other registries may decide they don’t want to cooperate either. That wouldn’t look good for ICANN, which has made compliance a key strategic priority.
When Fadi Chehade started as CEO last September, one of his first moves was to promote compliance boss Maguy Serad to vice president, reporting directly to him.
He told DI that he would be “bringing a lot more weight and a lot more independent management from my office to the compliance function”.
At his inaugural address to the community in Prague last June, he spoke of how he planned to bring IBM-style contract management prowess to ICANN.
Compliance is also a frequently raised concern of the Governmental Advisory Committee (though generally geared toward rogue registrars rather than registries).
Recent Comments