Centre for Internet and Society

Why Presumption of Renewal is Unsuitable for the Current Registry Market Structure

Padma Venkataraman — 2017-10-31T02:53:26Z

With the recent and much protested renewal of the .net legacy Top-Level-Domain (TLD), the question of the appropriate method of renewal has again come to the forefront. While this seems relatively uncontroversial to most, Padma Venkataraman, a law student and intern at CIS looks at presumptive renewal through a critical lens.

With the recent renewal of the .net legacy Top-Level-Domain (TLD), the question of the appropriate method of renewal is worth reconsidering. When we talk about presumption of renewal for registry agreements, it means that the agreement has a reasonable renewal expectancy at the end of its contractual term. According to the current base registry agreement, it shall be renewed for 10-year periods, upon expiry of the initial (and successive) term, unless the operator commits a fundamental and material breach of the operator’s covenants or breach of its payment obligations to ICANN.

Download the entire blog post here

For more details visit https://cis-india.org/internet-governance/blog/why-presumption-of-renewal-is-unsuitable-for-the-current-registry-market-structure

Where Does ICANN’s Money Come From? We Asked; They Don’t Know

geetha — 2015-03-05T07:43:45Z

Just how transparent is ICANN? How responsive are they to requests for information? At CIS, we sent ICANN ten questions seeking information about, inter alia, their revenues, commitment to the NETmundial Principles, Globalisation Advisory Groups and organisational structure. Geetha Hariharan wonders at ICANN's reluctance to respond.

Why Is ICANN Here?

The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for critical backbones of the Internet. It manages the root server system, the global allocation of IP addresses, protocol registries and the domain name system (management of gTLDs, ccTLDs, as well as the newly rolled-out “new gTLDs”).

ICANN was incorporated in California in 1998, and was intended as the technical coordination body for the backbone of the Internet. That is, it was to administer the Internet’s domain names and IP addresses, and also manage the Internet root servers.

As a result of an agreement with the National Telecommunications and Information Administration (NTIA) in the US Department of Commerce, ICANN is the IANA functions operator. It carries out the IANA functions, which include making changes to the root zone file (the backbone of the domain name system), allocation of IP address blocks to the five Regional Internet Registries (RIRs), and maintaining protocol parameter registries in collaboration with the Internet Engineering Task Force (IETF). The RIRs are responsible for allocating IP addresses (IPv4 and IPv6) to national and local Internet registries. The IETF develops Internet standards and protocols, such as those within the TCP/IP suite. To be clear, ICANN does not make policy for the IP address or Internet standards/protocols; those are the domains of RIRs and the IETF, respectively.

ICANN, Domain Names and All That Buried Treasure

ICANN is the de facto policy-making body for domain names. Through ICANN’s community Supporting Organisations and Advisory Committees (SOACs) – largely a multi-stakeholder community – ICANN determines policies for dispute resolution (see, for instance, the UDRP for domain name disputes), maintaining the WHOIS database, etc. for domain names.

Under its contracts with Top Level Domain (TLD) Registries, ICANN receives payment for all registrations and/or renewals of domain names. For instance, under the .bharti Registry Agreement, ICANN receives a fixed annual registry free of US $6250. If there are more than 50,000 registrations or renewals of domain names under a TLD (say, .bharti) in a quarter, then ICANN also receives an amount equal to (No. of registrations or renewals X US $0.25). TLD Registries “own” TLDs like .com, and they maintain a list of all the domain names registered under that TLD. There are around 816 such Registry Agreements, and in FY14, ICANN received over US $47 million in Registry fees [see page 7].

Similar agreements exist between ICANN and domain name Registrars accredited by it, too. Domain name Registrars are entities like Go Daddy and Big Rock, from whom people like you and me (or companies) can register domain names. Only Registrars accredited by ICANN can register domain names that will be included in the ICANN DNS, the most frequently used DNS on the Web. Each Registrar pays a yearly accreditation fee of US $4000 to ICANN (see Clause 3.9). Each Registrar also pays to ICANN fees for every domain name registration or renewal. There are over 500 ICANN-accredited Registrars, and in FY14, ICANN received over US $34.5 million in Registrar fees [see page 7].

Now, apart from this, in its IANA operator role, ICANN is responsible for the global allocation of IP addresses (IPv4 and IPv6). From the global pool of IP addresses, ICANN allocates to the five Regional Internet Registries (RIRs), which then allocate to National Internet Registries like the National Internet Exchange of India (NIXI as IRINN), local Internet registries or ISPs. For this, ICANN receives a combined contribution of US $823,000 each year as revenue from RIRs [see, ex.: FY09 Financial Statements, page 3].

And this isn’t all of it! With its new gTLD program, ICANN is sitting on a large treasure trove. Each gTLD application cost US $185,000, and there were 1930 applications in the first round (that’s US $357 million). Where there arose disagreements as to the same or similar strings, ICANN initiated an auction process. Some new gTLDs were auctioned for as high as US $6 million.

So ICANN is sitting on a great deal of treasure (US $355 million in revenues in FY14 and growing). It accumulates revenue from a variety of quarters; the sources identified above are by no means the only revenue-sources. But ICANN is unaware of, or unwilling to disclose, all its sources of revenue.

ICANN's Troubling Scope-creep and Does Transparency Matter?

At CIS, we are concerned by ICANN’s unchecked influence and growing role in the Internet governance institutional space. For instance, under its CEO Fadi Chehade, ICANN was heavily involved backstage for NETmundial, and has set aside over US $200,000 for Mr. Chehade’s brainchild, the NETmundial Initiative. Coupled with its lack of transparency and vocal interests in furthering status quo (for instance, both the names and numbers communities’ proposals for IANA transition want ICANN to remain the IANA functions operator, without stringent safeguards), this makes for a dangerous combination.

The clearest indication lies in the money, one might say. As we have written before, ICANN budgets for less than US $10 million for providing core Internet functions out of a US $160 million strong budget (Budget FY15, page 17). It has budgeted, in comparison, US $13 million for travel and meetings alone, and spent over US $18 million on travel in FY14 (Budget FY15, page 11).

To its credit, ICANN makes public its financial statements (current and historic), and community discussions are generally open. However, given the understandably complex contractual arrangements that give ICANN its revenues, even ploughing through the financials does not give one a clear picture of where ICANN’s money comes from.

So one is left with questions such as the following: Which entities (and how many of them) pay ICANN for domain names? What are the vendor payments received by ICANN and who pays? Who all have paid ICANN under the new gTLD program, and for what purposes? Apart from application fees and auctions, what other heads of payment exist? How much does each RIR pay ICANN and what for, if IP addresses are not property to be sold? For how many persons (and whom all) does ICANN provide pay for, to travel to meetings and other events?

You may well ask why these questions matter, and whether we need greater transparency. To put it baldly: ICANN’s transparency is crucial. ICANN is today something of a monopoly; it manages the IANA functions, makes policy for domain names and is increasingly active in Internet governance. It is without greater (effective) accountability than a mere review by the NTIA, and some teething internal mechanisms like the Documentary Information Disclosure Policy (DIDP), Ombudsman, Reconsideration and Independent Review and the Accountability and Transparency Review (ATRT). I could elaborate on why these mechanisms are inadequate, but this post is already too long. Suffice it to say that by carefully defining these mechanisms and setting out their scope, ICANN has stifled their effectiveness. For instance, a Reconsideration Request can be filed if one is aggrieved by an action of ICANN’s Board or staff. Under ICANN’s By-laws (Article IV, Section 2), it is the Board Governance Committee, comprising ICANN Board members, that adjudicates Reconsideration Requests. This simply violates the principles of natural justice, wherein one may not be a judge in one’s own cause (nemo debet esse judex in propria causa).

Moreover, ICANN serves corporate interests, for it exists on account of contractual arrangements with Registries, Registrars, the NTIA and other sundry entities. ICANN has also troublingly reached into Internet governance domains to which it was previously closed, such as the NETmundial Initiative, the NETmundial, the IGF and its Support Association. It is unclear that ICANN was ever intended to overreach so, a point admitted by Mr. Chehade himself at the ICANN Open Forum in Istanbul (IGF 2014).

Finally, despite its professed adherence to multi-stakeholderism, there is evidence that ICANN’s policy-making and functioning revolve around small, cohesive groups with multiple professional inter-linkages with other I-Star organisations. For instance, a revolving door study by CIS of the IANA Coordination Group (ICG) found that 20 out of 30 ICG members had close and longterm ties with I-Star organisations. This surely creates concern as to the impartiality and fairness of the ICG’s decision-making. It may, for instance, make a pro-ICANN outcome inevitable – and that is definitely a serious worry.

But ICANN is intended to serve the public interest, to ensure smooth, stable and resilient running of the Internet. Transparency is crucial to this, and especially so during the IANA transition phase. As advisor Jan Scholte asked at ICANN52, what accountability will ICANN exercise after the transition, and to whom will it be accountable? What, indeed, does accountability mean? The CCWG-Accountability is still asking that question. But meanwhile, one among our cohorts at CIS has advocated transparency as a check-and-balance for power.

The DIDP process at ICANN may prove useful in the long run, but does it suffice as a transparency mechanism?

ICANN's Responses to CIS' DIDP Requests

Over December ’14 and January ’15, CIS sent 10 DIDP requests to ICANN. Our aim was to test and encourage transparency from ICANN, a process crucial given the CCWG-Accountability’s deliberations on ways to enhance ICANN’s accountability. We have received responses for 9 of our requests. We summarise ICANN’s responses in a table: please go here.

A glance at the table above will show that ICANN’s responses are largely negative. In 7 requests out of 9, ICANN provides very little new information. Though the responses are detailed, the majority of information they provide is already identified in CIS’ requests. For instance, in the response to the NETmundial Request, ICANN links us to blogposts written by CEO Fadi Chehade, where he notes the importance of translating the NETmundial Principles into action. They also link us to the Final Report of the Panel on Global Internet Cooperation and Governance Mechanism, and ICANN’s involvement in the NETmundial Initiative.

However, to the query on ICANN’s own measures of implementing the NETmundial Principles – principles that it has lauded and upheld for the entire Internet governance community – ICANN’s response is surprisingly evasive. Defending lack of action, they note that “ICANN is not the home for implementation of the NETmundial Principles”. But ICANN also responds that they already implement the NETmundial Principles: “Many of the NETmundial Principles are high-level statements that permeate through the work of any entity – particularly a multistakeholder entity like ICANN – that is interested in the upholding of the inclusive, multistakeholder process within the Internet governance framework” (emphasis provided). One wonders, then, at the insistence on creating documents involving such high-level principles; why create them if they’re already implemented?

Responses to other requests indicate that the DIDP is, in its current form, unable to provide the transparency necessary for ICANN’s functioning. For instance, in the response to the Ombudsman Request, ICANN cites confidentiality as a reason to decline providing information. Making Ombudsman Requests public would violate ICANN Bylaws, and topple the independence and integrity of the Ombudsman.

These are, perhaps, valid reasons to decline a DIDP request. But it is also important to investigate these reasons. ICANN’s Ombudsman is appointed by the ICANN Board for 2 year terms, under Clause V of ICANN’s Bylaws. The Ombudsman’s principal function is to “provide an independent internal evaluation of complaints by members of the ICANN community who believe that the ICANN staff, Board or an ICANN constituent body has treated them unfairly”. The Ombudsman reports only to the ICANN Board, and all matters before it are kept confidential, including the names of parties and the nature of complaints. The Ombudsman reports on the categories of complaints he receives, and statistics regarding decisions in his Annual Reports; no details are forthcoming for stated reasons of confidentiality and privacy.

This creates a closed circle in which the Ombudsman operates. The ICANN Board appoints the Ombudsman. He/she listens to complaints about unfair treatment by the ICANN Board, Staff or constituency. He/she reports to the ICANN Board alone. However, neither the names of parties, the nature of complaints, nor the decisions of the Ombudsman are publicly available. Such a lack of transparency throws doubt on the functioning of the Ombudsman himself – and on his independence, neutrality and the extent of ICANN’s influence on him/her. An amendment of ICANN’s Bylaws would then be imperative to rectify this problem; this matter is squarely within the CCWG-Accountability’s mandate and should be addressed.

As is clear from the above examples, ICANN’s DIDP is an inadequate tool to ensure transparency functioning. The Policy was crafted without community input, and requires substantial amendments to make it a sufficient transparency mechanism. CIS’ suggestions in this regard shall be available in our next post.

CIS' Annual Reports are here. Our audit is ongoing, and the Annual Report for 2013-14 will be up shortly. Pranav Bidare (3rd year) of the National Law School, Bangalore assisted with research for this post, and created the table of CIS' DIDP requests and responses.

For more details visit https://cis-india.org/internet-governance/blog/where-does-icann2019s-money-come-from-we-asked-they-don2019t-know

Transparency in Surveillance

vipul — 2016-01-23T15:11:18Z

Transparency is an essential need for any democracy to function effectively. It may not be the only requirement for the effective functioning of a democracy, but it is one of the most important principles which need to be adhered to in a democratic state.

Introduction

A democracy involves the state machinery being accountable to the citizens that it is supposed to serve, and for the citizens to be able to hold their state machinery accountable, they need accurate and adequate information regarding the activities of those that seek to govern them. However, in modern democracies it is often seen that those in governance often try to circumvent legal requirements of transparency and only pay lip service to this principle, while keeping their own functioning as opaque as possible.

This tendency to not give adequate information is very evident in the departments of the government which are concerned with surveillance, and merit can be found in the argument that all of the government's clandestine surveillance activities cannot be transparent otherwise they will cease to be "clandestine" and hence will be rendered ineffective. However, this argument is often misused as a shield by the government agencies to block the disclosure of all types of information about their activities, some of which may be essential to determine whether the current surveillance regime is working in an effective, ethical, and legal manner or not. It is this exploitation of the argument, which is often couched in the language of or coupled with concerns of national security, that this paper seeks to address while voicing the need for greater transparency in surveillance activities and structures.

In the first section the paper examines the need for transparency, and specifically deals with the requirement for transparency in surveillance. In the next part, the paper discusses the regulations governing telecom surveillance in India. The final part of the paper discusses possible steps that may be taken by the government in order to increase transparency in telecom surveillance while keeping in mind that the disclosure of such information should not make future surveillance ineffective.

Need for Transparency

In today's age where technology is all pervasive, the term "surveillance" has developed slightly sinister overtones, especially in the backdrop of the Edward Snowden fiasco. Indeed, there have been several independent scandals involving mass surveillance of people in general as well as illegal surveillance of specific individuals. The fear that the term surveillance now invokes, especially amongst those social and political activists who seek to challenge the status quo, is in part due to the secrecy surrounding the entire surveillance regime. Leaving aside what surveillance is carried out, upon whom, and when - the state actors are seldom willing and open to talk about how surveillance is carried out, how decisions regarding who and how to target, are reached, how agency budgets are allocated and spent, how effective surveillance actions were, etc. While there may be justified security based arguments to not disclose the full extent of the state's surveillance activities, however this cloak of secrecy may be used illegally and in an unauthorized manner to achieve ends more harmful to citizen rights than the maintenance of security and order in the society.

Surveillance and interception/collection of communications data can take place under different legal processes in different countries, ranging from court-ordered requests of specified data from telecommunications companies to broad executive requests sent under regimes or regulatory frameworks requiring the disclosure of information by telecom companies on a pro-active basis. However, it is an open secret that data collection often takes place without due process or under non-legal circumstances.

It is widely believed that transparency is a critical step towards the creation of mechanisms for increased accountability through which law enforcement and government agencies access communications data. It is the first step in the process of starting discussions and an informed public debate regarding how the state undertakes activities of surveillance, monitoring and interception of communications and data. Since 2010, a large number of ICT companies have begun to publish transparency reports on the extent that governments request their user data as well as requirements to remove content. However, governments themselves have not been very forthcoming in providing such detailed information on surveillance programs which is necessary for an informed debate on this issue.[1] Although some countries currently report limited information on their surveillance activities, e.g. the U.S. Department of Justice publishes an annual Wiretap Report (U.S. Courts, 2013a), and the United Kingdom publishes the Interception of Communications Commissioner Annual Report (May, 2013), which themselves do not present a complete picture, however even such limited measures are unheard of in a country such as India.

It is obvious that Governments can provide a greater level of transparency regarding the limits in place on the freedom of expression and privacy than transparency reports by individual companies. Company transparency reports can only illuminate the extent to which any one company receives requests and how that company responds to them. By contrast, government transparency reports can provide a much greater perspective on laws that can potentially restrict the freedom of expression or impact privacy by illustrating the full extent to which requests are made across the ICT industry. [2]

In India, the courts and the laws have traditionally recognized the need for transparency and derive it from the fundamental right to freedom of speech and expression guaranteed in our Constitution. This need coupled with a sustained campaign by various organizations finally fructified into the passage of the Right to Information Act, 2005, (RTI Act) which amongst other things also places an obligation on the sate to place its documents and records online so that the same may be freely available to the public. In light of this law guaranteeing the right to information, the citizens of India have the fundamental right to know what the Government is doing in their name. The free flow of information and ideas informs political growth and the freedom of speech and expression is the lifeblood of a healthy democracy, it acts as a safety valve. People are more ready to accept the decisions that go against them if they can in principle seem to influence them. The Supreme Court of India is of the view that the imparting of information about the working of the government on the one hand and its decision affecting the domestic and international trade and other activities on the other is necessary, and has imposed an obligation upon the authorities to disclose information.[3]

The Supreme Court, in Namit Sharma v. Union of India,[4] while discussing the importance of transparency and the right to information has held:

"The Right to Information was harnessed as a tool for promoting development; strengthening the democratic governance and effective delivery of socio-economic services. Acquisition of information and knowledge and its application have intense and pervasive impact on the process of taking informed decision, resulting in overall productivity gains .

……..

Government procedures and regulations shrouded in the veil of secrecy do not allow the litigants to know how their cases are being handled. They shy away from questioning the officers handling their cases because of the latters snobbish attitude. Right to information should be guaranteed and needs to be given real substance. In this regard, the Government must assume a major responsibility and mobilize skills to ensure flow of information to citizens. The traditional insistence on secrecy should be discarded."

Although these statements were made in the context of the RTI Act the principle which they try to illustrate can be understood as equally applicable to the field of state sponsored surveillance. Though Indian intelligence agencies are exempt from the RTI Act, it can be used to provide limited insight into the scope of governmental surveillance. This was demonstrated by the Software Freedom Law Centre, who discovered via RTI requests that approximately 7,500 - 9,000 interception orders are sent on a monthly basis.[5]

While it is true that transparency alone will not be able to eliminate the barriers to freedom of expression or harm to privacy resulting from overly broad surveillance,, transparency provides a window into the scope of current practices and additional measures are needed such as oversight and mechanisms for redress in cases of unlawful surveillance. Transparency offers a necessary first step, a foundation on which to examine current practices and contribute to a debate on human security and freedom.[6]

It is no secret that the current framework of surveillance in India is rife with malpractices of mass surveillance and instances of illegal surveillance. There have been a number of instances of illegal and/or unathorised surveillance in the past, the most scandalous and thus most well known is the incident where a woman IAS officer was placed under surveillance at the behest of Mr. Amit Shah who is currently the president of the ruling party in India purportedly on the instructions of the current prime minister Mr. Narendra Modi.[7] There are also a number of instances of private individuals indulging in illegal interception and surveillance; in the year 2005, it was reported that Anurag Singh, a private detective, along with some associates, intercepted the telephonic conversations of former Samajwadi Party leader Amar Singh. They allegedly contacted political leaders and media houses for selling the tapped telephonic conversation records. The interception was allegedly carried out by stealing the genuine government letters and forging and fabricating them to obtain permission to tap Amar Singh's telephonic conversations. [8] The same individual was also implicated for tapping the telephone of the current finance minister Mr. Arun Jaitely.[9]

It is therefore obvious that the status quo with regard to the surveillance mechanism in India needs to change, but this change has to be brought about in a manner so as to make state surveillance more accountable without compromising its effectiveness and addressing legitimate security concerns. Such changes cannot be brought about without an informed debate involving all stakeholders and actors associated with surveillance, however the basic minimum requirement for an "informed" debate is accurate and sufficient information about the subject matter of the debate. This information is severely lacking in the public domain when it comes to state surveillance activities - with most data points about state surveillance coming from news items or leaked information. Unless the state becomes more transparent and gives information about its surveillance activities and processes, an informed debate to challenge and strengthen the status quo for the betterment of all parties cannot be started.

Current State of Affairs

Surveillance laws in India are extremely varied and have been in existence since the colonial times, remnants of which are still being utilized by the various State Police forces. However in this age of technology the most important tools for surveillance exist in the digital space and it is for this reason that this paper shall focus on an analysis of surveillance through interception of telecommunications traffic, whether by tracking voice calls or data. The interception of telecommunications actually takes place under two different statutes, the Telegraph Act, 1885 (which deals with interception of calls) as well as the Information Technology Act, 2000 (which deals with interception of data).

Currently, the telecom surveillance is done as per the procedure prescribed in the Rules under the relevant sections of the two statutes mentioned above, viz. Rule 419A of the Telegraph Rules, 1951 for surveillance under the Telegraph Act, 1885 and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 for surveillance under the Information Technology Act, 2000. These Rules put in place various checks and balances and try to ensure that there is a paper trail for every interception request. [10] The assumption is that the generation of a paper trail would reduce the number of unauthorized interception orders thus ensuring that the powers of interception are not misused. However, even though these checks and balances exist on paper as provided in the laws, there is not enough information in the public domain regarding the entire mechanism of interception for anyone to make a judgment on whether the system is working or not.

As mentioned earlier, currently the only sources of information on interception that are available in the public domain are through news reports and a handful of RTI requests which have been filed by various activists.[11] The only other institutionalized source of information on surveillance in India is the various transparency reports brought out by companies such as Google, Yahoo, Facebook, etc.

Indeed, Google was the first major corporation to publish a transparency report in 2010 and has been updating its report ever since. The latest data that is available for Google is for the period between January, 2015 to June, 2015 and in that period Google and Youtube together received 3,087 requests for data which asked for information on 4,829 user accounts from the Indian Government. Out of these requests Google only supplied information for 44% of the requests.[12] Although Google claims that they "review each request to make sure that it complies with both the spirit and the letter of the law, and we may refuse to produce information or try to narrow the request in some cases", it is not clear why Google rejected 56% of the requests. It may also be noted that the number of requests for information that Google received from India were the fifth highest amongst all the other countries on which information was given in the Transparency Report, after USA, Germany, France and the U.K.

Facebook's transparency report for the period between January, 2015 to June, 2015 reveals that Facebook received 5,115 requests from the Indian Government for 6,268 user accounts, out of which Facebook produced data in 45.32% of the cases.[13] Facebook's transparency report claims that they respond to requests relating to criminal cases and "Each and every request we receive is checked for legal sufficiency and we reject or require greater specificity on requests that are overly broad or vague." However, even in Facebook's transparency report it is unclear why 55.68% of the requests were rejected.

The Yahoo transparency report also gives data from the period between January 1, 2015 to June 30, 2015 and reveals that Yahoo received 831 requests for data, which related to 1,184 user accounts from the Indian Government. The Yahoo report is a little more detailed and also reveals that 360 of the 831 requests were rejected by Yahoo, however no details are given as to why the requests were rejected. The report also specifies that in 63 cases, no data was found by Yahoo, in 249 cases only non content data[14] was disclosed while in 159 cases content [15] was disclosed. The Yahoo report also claims that "We carefully scrutinize each request to make sure that it complies with the law, and we push back on those requests that don't satisfy our rigorous standards."

While the Vodafone Transparency Report gives information regarding government requests for data in other jurisdictions, [16] it does not give any information on government requests in India. This is because Vodafone interprets the provisions contained in Rule 25(4) of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (Interception Rules) and Rule 11 of the IT (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009 as well as Rule 419A(19) of the Indian Telegraph Rules, 1954 which require service providers to maintain confidentiality/secrecy in matters relating to interception, as being a legal prohibition on Vodafone to reveal such information.

Apart from the four major companies discussed above, there are a large number of private corporations which have published transparency reports in order to acquire a sense of trustworthiness amongst their customers. Infact, the Ranking Digital Rights Project has been involved in ranking some of the biggest companies in the world on their commitment to accountability and has brought out the Ranking Digital Rights 2015 Corporate Accountability Index that has analysed a representative group of 16 companies "that collectively hold the power to shape the digital lives of billions of people across the globe".

Suggestions on Transparency

It is clear from the discussions above, as well as a general overview of various news reports on the subject, that telecom surveillance in India is shrouded in secrecy and it appears that a large amount of illegal and unauthorized surveillance is taking place behind the protection of this veil of secrecy. If the status quo continues, then it is unlikely that any meaningful reforms would take place to bring about greater accountability in the area of telecom surveillance. It is imperative, for any sort of changes towards greater accountability to take place, that we have enough information about what exactly is happening and for that we need greater transparency since transparency is the first step towards greater accountability.

Transparency Reports

In very simplistic terms transparency, in anything, can best be achieved by providing as much information about that thing as possible so that there are no secrets left. However, it would be naïve to say that all information about interception activities can be made public on the altar of the principle of transparency, but that does not mean that there should be no information at all on interception. One of the internationally accepted methods of bringing about transparency in interception mechanisms, which is increasingly being adopted by both the private sector as well as governments, is to publish Transparency Reports giving various details of interception while keeping security concerns in mind. The two types of transparency reports that we require in India and what that would entail is briefly discussed below:

By the Government

The problem with India's current regime for interception is that the entire mechanism appears more or less adequate on paper with enough checks and balances involved in it to prevent misuse of the allotted powers. However, because the entire process is veiled in secrecy, nobody knows exactly how good or how rotten the system has become and whether it is working to achieve its intended purposes. It is clear that the current system of interception and surveillance being followed by the government has some flaws, as can be gathered from the frequent news articles which talk about incidents of illegal surveillance. However, without any other official or more reliable sources of information regarding surveillance activities these anecdotal pieces of evidence are all we have to shape the debate regarding surveillance in India. It is only logical then that the debate around surveillance, which is informed by such sketchy and unreliable news reports will automatically be biased against the current mechanism since the newspapers would also only be interested in reporting the scandalous and the extraordinary incidents. For example, some argue that the government undertakes mass surveillance, while others argue that India only carries out targeted surveillance, but there is not enough information publicly available for a third party to support or argue against either claim. It is therefore necessary and highly recommended that the government start releasing a transparency report such as the one's brought out by the United States and the UK as mentioned above.

There is no need for a separate department or authority just to make the transparency report and this task could probably be performed in-house by any department, but considering the sector involved, it would perhaps be best if the Department of Telecommunications is given the responsibility to bring out a transparency report. These transparency reports should contain certain minimum amount of data for them to be an effective tool in informing the public discourse and debate regarding surveillance and interception. The report needs to strike a balance between providing enough information so that an informed analysis can be made of the effectiveness of the surveillance regime without providing so much information so as to make the surveillance activities ineffective. Below is a list of suggestions as to what kind of data/information such reports should contain:

Reports should contain data regarding the number of interception orders that have been passed. This statistic would be extremely useful in determining how elaborate and how frequently the state indulges in interception activities. This information would be easily available since all interception orders have to be sent to the Review Committee set up under Rule 419A of the Telegraph Rules, 1954.
The Report should contain information on the procedural aspects of surveillance including the delegation of powers to different authorities and individuals, information on new surveillance schemes, etc. This information would also be available with the Ministry of Home Affairs since it is a Secretary or Joint Secretary level officer in the said Ministry which is supposed to authorize every order for interception.
The report should contain an aggregated list of reasons given by the authorities for ordering interception. This information would reveal whether the authorities are actually ensuring legal justification before issuing interception or are they just paying lip service to the rules to ensure a proper paper trail. Since every order of interception has to be in writing, the main reasons for interception can easily be gleaned from a perusal of the orders.
It should also reveal the percentage of cases where interception has actually found evidence of culpability or been successful in prevention of criminal activities. This one statistic would itself give a very good review of the effectiveness of the interception regime. Granted that this information may not be very easily obtainable, but it can be obtained with proper coordination with the police and other law enforcement agencies.
The report should also reveal the percentage of order that have been struck down by the Review Committee as not following the process envisaged under the various Rules. This would give a sense of how often the Rules are being flouted while issuing interception orders. This information can easily be obtained from the papers and minutes of the meetings of the Review Committee.
The report should also state the number of times the Review Committee has met in the period being reported upon. The Review Committee is an important check on the misuse of powers by the authorities and therefore it is important that the Review Committee carries out its activities in a diligent manner.

It may be noted here that some provisions of the Telegraph Rules, 1954 especially sub-Rules 17 and 18 of Rule 419A as well as Rules 22, 23(1) and 25 of the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009 may need to be amended so as to make them compliant with the reporting mechanism proposed above.

By the Private Sector

We have already discussed above the transparency reports published by certain private companies. Suffice it to say that reports from private companies should give as much of the information discussed under government reports as possible and/or applicable, since they may not have a large amount of the information that is sought to be published in the government reports such as whether the interception was successful, the reasons for interception, etc. It is important to have ISPs provide such transparency reports as this will provide two different data points for information on interception and the very existence of these private reports may act as a check to ensure the veracity of the government transparency reports.

As in the case of government reports, for the transparency reports of the private sector to be effective, certain provisions of the Telegraph Rules, 1954 and the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009, viz. sub-Rules 14, 15 and 19 of Rule 419A of the Telegraph Rules, 1954 and Rules 20, 21, 23(1) and 25 of the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009.

Overhaul of the Review Committee

The Review Committee which acts as a check on the misuse of powers by the competent authorities is a very important cog in the entire process. However, it is staffed entirely by the executive and does not have any members of any other background. Whilst it is probably impractical to have civilian members in the Review Committee which has access to potentially sensitive information, it is extremely essential that the Committee has wider representation from other sectors specially the judiciary. One or two members from the judiciary on the Review Committee would provide a greater check on the workings of the Committee as this would bring in representation from the judicial arm of the State so that the Review Committee does not remain a body manned purely by the executive branch. This could go some ways to ensure that the Committee does not just "rubber stamp" the orders of interception issued by the various competent authorities.

Conclusion

It is not in dispute that there is a need for greater transparency in the government's surveillance activities in order to address the problems associated with illegal and unauthorised interceptions. This paper is not making the case that greater transparency in and by itself will be able to solve the problems that may be associated with the government's currency interception and surveillance regime, however it is not possible to address any problem unless we know the real extent of it. It is essential for an informed debate and discussion that the people participating in the discussion are "informed", i.e. they should have accurate and adequate information regarding the issues which are being discussed. The current state of the debate on interception is rife with individuals using illustrative and anecdotal evidence which, in the absence of any other evidence, they assume to be the norm.

A more transparent and forthcoming state machinery which regularly keeps its citizens abreast of the state of its surveillance regime would be likely to get better suggestions and perhaps less criticisms if it does come out that the checks and balances imposed in the regulations are actually making a difference to check unauthorized interceptions, and if not, then it is the right of the citizens to know about this and ask for reforms.

[1] James Losey, "Surveillance of Communications: A Legitimization Crisis and the Need for Transparency", International Journal of Communication 9(2015), Feature 3450-3459, 2015.

[2] Id.

[3] Namit Sharma v. Union of India, http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=39566.

[4] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=39566 . Although the judgment was overturned on review, however this observation quoted above would still hold as it has not been specifically overturned.

[5] http://sflc.in/wp-content/uploads/2014/09/SFLC-FINAL-SURVEILLANCE-REPORT.pdf .

[6] James Losey, "Surveillance of Communications: A Legitimization Crisis and the Need for Transparency", International Journal of Communication 9 (2015), Feature 3450-3459, 2015.

[7] http://gulail.com/the-stalkers/ .

[8] http://timesofindia.indiatimes.com/india/Amar-Singh-phone-tap-accused-tracked-Arun-Jaitleys-mobile/articleshow/18582508.cms .

[9] http://ibnlive.in.com/news/arun-jaitley-phonetapping-case-all-accused-get-bail/394997-37-64.html .

[10] For a detailed discussion of the Rules of interception please see Policy Paper on Surveillance in India, by Vipul Kharbanda, http://cis-india.org/internet-governance/blog/policy-paper-on-surveillance-in-india .

[11] As an example please see http://cis-india.org/internet-governance/resources/rti-on-officials-and-agencies-authorized-to-intercept-telephone-messages-in-india .

[12] https://www.google.com/transparencyreport/userdatarequests/countries/ .

[13] https://govtrequests.facebook.com/country/India/2015-H1/ .

[14] Non-content data (NCD) such as basic subscriber information including the information captured at the time of registration such as an alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information (e.g., "to," "from," and "date" fields from email headers).

[15] Data that users create, communicate, and store on or through Yahoo. This could include words in a communication (e.g., Mail or Messenger), photos on Flickr, files uploaded, Yahoo Address Book entries, Yahoo Calendar event details, thoughts recorded in Yahoo Notepad or comments or posts on Yahoo Answers or any other Yahoo property.

[16] https://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement/country_by_country.html .

For more details visit https://cis-india.org/internet-governance/blog/transparency-in-surveillance

Towards Algorithmic Transparency

Radhika Radhakrishnan, and Amber Sinha — 2020-07-15T13:16:44Z

This policy brief examines the issue of transparency as a key ethical component in the development, deployment, and use of Artificial Intelligence.

This brief proposes a framework that seeks to overcome the challenges in preserving transparency when dealing with machine learning algorithms, and suggests solutions such as the incorporation of audits, and ex ante approaches to building interpretable models right from the design stage. Read the full report here.

The Regulatory Practices Lab at CIS aims to produce regulatory policy suggestions focused on India, but with global application, in an agile and targeted manner and to promote transparency around practices affecting digital rights.
The Regulatory Practices Lab is supported by Google and Facebook.

For more details visit https://cis-india.org/internet-governance/blog/towards-algorithmic-transparency

If the DIDP Did Its Job

asvatha — 2016-11-07T12:57:18Z

Over the course of two years, the Centre for Internet and Society sent 28 requests to ICANN under its Documentary Information Disclosure Policy (DIDP). A part of ICANN’s accountability initiatives, DIDP is “intended to ensure that information contained in documents concerning ICANN's operational activities, and within ICANN's possession, custody, or control, is made available to the public unless there is a compelling reason for confidentiality.”

Through the DIDP, any member of the public can request information contained in documents from ICANN. We’ve written about the process here, here and here. As a civil society group that does research on internet governance related topics, CIS had a variety of questions for ICANN. The 28 DIDP requests we have sent cover a range of subjects: from revenue and financial information, to ICANN’s relationships with its contracted parties, its contractual compliance audits, harassment policies and the diversity of participants in its public forum. We have blogged about each DIDP request where we have summarized ICANN’s responses.

Here are the DIDP requests we sent in:

Dec 2014	Jan/Feb 2015	Aug/Sept 2015	Nov 2015	Apr/May 2016
ICANN meeting expenditure	Revenue from gTLD auction	Implementation of NETmundial principles	IANA transition postponement	Board Governance Committee Reports
Granular revenue statements	Globalisation Advisory Groups	Raw data - Granular income data	Presumptive renewal of registries	Diversity Analysis
ICANN cyber attacks	Organogram	Compliance audits - registries	ICANN-RIR relationship	Compliance audits
Implementation of NETmundial outcome document	Involvement in NETmundial Initiative	Compliance audits - registrars		Harassment policy
Complaints to ICANN ombudsman	RIR contract fees	Registrar abuse contact		DIDP statistics *
		Verisign Contractual violations		gTLD applicant support program
		Contractual auditors		Root Zone Maintenance agreements
		Internal website

ICANN’s responses were analyzed and rated between 0-4 based on the amount of information disclosed. The reasons given for the lack of full disclosure were also studied.

DIDP response rating
0	No relevant information disclosed
1	Very little information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
2	Partial information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
3	Adequate information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
4	All information disclosed

ICANN has defined a set of preconditions under which they are not obligated to answer a request. These preconditions are generously used by ICANN to justify their lack of a comprehensive answer. The wording of the policy also allows ICANN to dodge answering a request if it doesn’t have the relevant documents already in its possession. The responses were also classified by the number of times a particular DIDP condition for non-disclosure was invoked. We will see why these weaken ICANN’s accountability initiatives.

Of the 28 DIDP requests, only 14% were answered fully, without the use of the DIDP conditions of non-disclosure. Seven out of 28 or 40% of the DIDPs received a 0-rated answer which reflects extremely poorly on the DIDP mechanism itself. Of the 7 responses that received 0-rating, 4 were related to complaints and contractual compliance. We had asked for details on the complaints received by the ombudsman, details on contractual violations by Verisign and abuse contacts maintained by registrars for filing complaints. We received no relevant information.

We have earlier written about the extensive and broad nature of the 12 conditions of non-disclosure that ICANN uses. These conditions were used in 24 responses out of 28. ICANN was able to dodge from fully answering 85% of the DIDP requests that they got from CIS. This is alarming especially for an organization that claims to be fully transparent and accountable. The conditions for non-disclosure have been listed in this document and can be referred to while reading the following graph.

On reading the conditions for non-disclosure, it seems like ICANN can refuse to answer any DIDP request if it so wished. These exclusions are numerous, vaguely worded and contain among them a broad range of information that should legitimately be in the public domain: Correspondence, internal information, information related to ICANN’s relationship with governments, information derived from deliberations among ICANN constituents, information provided to ICANN by private parties and the kicker - information that would be too burdensome for ICANN to collect and disseminate.

As we can see from the graph, the most used condition under which ICANN can refuse to answer a DIDP request is F. Predictably, this is the most vaguely worded DIDP condition of the lot: “Confidential business information and/or internal policies and procedures.” It is up to ICANN to decide what information is confidential with no justification needed or provided for it. ICANN has used this condition 11 times in responding to our 28 requests.

It is also necessary to pay attention to condition L which allow ICANN to reject “Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual.” This is perhaps the weakest point in the entire list due its subjective nature. Firstly, on whose standards must this information request be reasonable? If the point of a transparency mechanism is to make sure that information sought by the public is disseminated, should they be allowed to obfuscate information because it is too burdensome to collect? Even if this is fair given the time constraints of the DIDP mechanism, it must not be used as liberally as has been happening. The last sub point is perhaps the most subjective. If a staff member dislikes a particular requestor, this point would justify their refusal to answer a request regardless of its validity. This hardly seems fair or transparent. This condition has been used 9 times in our 28 requests.

Besides the DIDP non-disclosure conditions, ICANN also has an excuse built into the definition of DIDP. Since it is not obliged to create or summarize documents under the DIDP process, it can simply claim to not have the specific document we request and thus negate its responsibility to our request. This is what ICANN did with one of our requests for raw financial data. For our research, we required raw data from ICANN specifically with regard to its expenditure on staff and board members for their travel and attendance at meetings. As an organization that is answerable to multiple stakeholders including governments and the public, it is justified to expect that they have financial records of such items in a systematic manner. However, we were surprised to learn that ICANN does not in fact have these stored in a manner that they can send as attachments or publish. Instead they directed us to the audited financial reports which did little for our research. However, in response to our later request for granular data on revenue from domain names, ICANN explained that while they do not have such a document in their possession, they would create one. This distinction between the two requests seems arbitrary to us since we consider both to be important to public.

Nevertheless, there were some interesting outcomes from our experience filing DIDPs. We learnt that there has been no substantive work done to inculcate the NETmundial principles at ICANN, that ICANN has no idea which regional internet registry contributes the most to its budget, and that it does not store (or is not willing to reveal) any raw financial data. These outcomes do not contribute to a sense of confidence in the organization.

ICANN has an opportunity to reform this particular transparency mechanism at its Workstream 2 discussions. ICANN must make use of this opportunity to listen and work with people who have used the DIDP process in order to make it useful, effective and efficient. To that effect, we have some recommendations from our experience with the DIDP process.

That ICANN does not currently possess a particular document is not an excuse if it has the ability to create one. In its response to our questions on the IANA transition, ICANN indicated that it does not have the necessary documents as the multi stakeholder body that it set up is the one conducting the transition. This is somewhat justified. However, in response to our request for financial details, ICANN must not be able to give the excuse that it does not have a document in its possession. It and it alone has the ability to create the document and in response to a request from the public, it should.

ICANN must also revamp its conditions for non-disclosure and make it tighter. It must reduce the number of exclusions to its disclosure policy and make sure that the exclusion is not done arbitrarily. Specifically with respect to condition F, ICANN must clarify how information was classified as confidential and why that is different from everything else on the list of conditions.

Further, ICANN should not be able to use condition L to outright reject a DIDP request. Instead, there must be a way for the requester and ICANN to come to terms about the request. This could happen by an extension of the 1 month deadline, financial compensation by requester for any expenditure on ICANN’s part to answer the request or by a compromise between the requester and ICANN on the terms of the request. The sub point about requests made “by a vexatious or querulous individual” must be removed from condition L or at least be separated from the condition so that it is clear why the request for disclosure was denied.

ICANN should also set up a redressal mechanism specific to DIDP. While ICANN has the Reconsideration Requests process to rectify any wrongdoing on the part of staff or board members, this is not adequate to identify whether a DIDP was rejected on justifiable grounds. A separate mechanism that deals only with DIDP requests and wrongful use of the non-disclosure conditions would be helpful. According to the icann bylaws, in addition to Requests for Reconsideration, ICANN has also established an independent third party review of allegations against the board and/or staff members. A similar mechanism solely for reviewing whether ICANN’s refusal to answer a DIDP request is justified would be extremely useful.

A strong transparency mechanism must make sure that its objective are to provide answers, not to find ways to justify its lack of answers. With this in mind, we hope that the revamp of transparency mechanisms after workstream 2 discussions leads to a better DIDP process than we are used to.

For more details visit https://cis-india.org/internet-governance/blog/if-the-didp-did-its-job

ICANN’s Problems with Accountability and the .WEB Controversy

Padma Venkataraman — 2017-10-28T15:49:38Z

The Post-Transition IANA promised enhanced transparency and accountability to the global multistakeholder community. The series of events surrounding the .WEB auction earlier this year has stirred up issues relating to the lack of transparency and accountability of ICANN. This post examines the .WEB auction as a case study to better understand exact gaps in accountability.

Chronological Background of the .WEB Auction

In June 2012, ICANN launched a new phase for the creation and operation of Generic Top-Level Domains (gTLDs). After confirming the eligibility of seven applicants for the rights of the .WEB domain name, ICANN placed them in a string contention set (a group of applications with similar or identical applied for gTLDs).^[1]

[Quick Note: ICANN procedure encourages the resolving of this contention set by voluntary settlement amongst the contending applicants (also referred to as a private auction), wherein individual participation fees of US $185,000 go to ICANN and the auction proceeds are distributed among the bidders. If a private auction fails, the provision for a last resort auction conducted by ICANN is invoked - here the total auction proceeds go to ICANN along with the participation fees.^[2]]

In June 2016, NuDotCo LLC, a bidder that had previously participated in nine private auctions without any objection, withdrew its consent to the voluntary settlement. Ruby Glen LLC, another bidder, contacted NDC to ask if it would reconsider its withdrawal, and was made aware of changes in NDC’s Board membership, financial position, management and a potential change in ownership, by NDC’s Chief Financial Officer.^[3] Concerned about the transparency of the auction process, Ruby Glen requested ICANN to postpone the auction on June 22, in order to investigate the discrepancies between NDC’s official application and its representation to Ruby Glen.^[4] The Vice President of ICANN’s gTLD Operations and the independent ICANN Ombudsman led separate investigations, both of which were limited to few e-mails seeking NDC’s confirmation of status quo. On the basis of NDC’s denial of any material changes, ICANN announced that the auction would proceed as planned, as no grounds had been found for its postponement.^[5]

On July 27, NDC’s winning bid – USD 135 million – beat the previous record by $90 million, doubling ICANN’s total net proceeds from the past fifteen auctions it had conducted.^[6] Soon after NDC’s win, Verisign, Inc., the market giant that owns the .com and .net domain names, issued a public statement that it had used NDC as a front for the auction, and that it had been involved in its funding from the very beginning. Verisign agreed to transfer USD 130 million to NDC, allowing the latter to retain a $5 million stake in .WEB.^[7]

Ruby Glen LLC filed for an injunction against the transfer of .WEB rights to NDC, and sought expedited discovery^[8] against ICANN and NDC in order to gather evidentiary support for the temporary restraining order.^[9] Donuts Inc., the parent company of Ruby Glen, simultaneously filed for recovery of economic loss due to negligence, fraud and breach of bylaws among other grounds, and Affilias, the second highest bidder, demanded that the .WEB rights be handed over by ICANN.^[10] Furthermore, at ICANN57, Affilias publicly brought up the issue in front of ICANN’s Board, and Verisign followed with a rebuttal. However, ICANN’s Board refused to comment on the issue at that point as the matter was still engaged in ongoing litigation.^[11]

Issues Regarding ICANN’s Assurance of Accountability

The Post-Transition IANA promised enhanced transparency and accountability to the global multistakeholder community. The series of events surrounding the .WEB auction has stirred up issues relating to the lack of transparency and accountability of ICANN. ICANN’s arbitrary enforcement of policies that should have been mandatory, with regard to internal accountability mechanisms, fiduciary responsibilities and the promotion of competition, has violated Bylaws that obligate it to operate ‘consistently, neutrally, objectively, and fairly, without singling out any particular party for discriminatory treatment’.^[12]

Though the US court ruled in favour of ICANN, the discrepancies that were made visible with regard to ICANN’s differing emphasis on procedural and substantive compliance with its rules and regulations, have forced the community to acknowledge that corporate strategies, latent interests and financial advantages undermine ICANN’s commitment to accountability. The approval of NDC’s ridiculously high bid with minimal investigation or hesitation, even after Verisign’s takeover, signifies pressing concerns that stand in the way of a convincing commitment to accountability, such as:

The Lack of Substantive Fairness and Accountability at ICANN (A Superficial Investigation)
ICANN’s Sketchy Tryst with Legal Conformity
The Financial Accountability of ICANN’s Auction Proceeds

The Lack of Substantive Fairness and Accountability in its Screening Processes:

Ruby Glen’s claim that ICANN conducted a cursory investigation of NDC’s misleading and unethical behaviour brought to light the ease and arbitrariness with which applications are deemed valid and eligible.

Disclosure of Significant Details Unique to Applicant Profiles: In the initial stage, applications for the gTLD auctions require disclosure of background information such as proof of legal establishment, financial statements, primary and secondary contacts to represent the company, officers, directors, partners, major shareholders, etc. At this stage, TAS User Registration IDs, which require VAT/tax/business IDs, principal business address, phone, fax, etc. of the applicants, are created to build unique profiles for different parties in an auction.^[13] Any important change in an applicant’s details would thus significantly alter the unique profile, leading to uncertainty regarding the parties involved and the validity of transactions undertaken. NDC’s application clearly didn’t meet the requirements here, as its financial statements, secondary contact, board members and ownership all changed at some point before the auction took place (either prior to or post submission of the application).^[14]

Mandatory Declaration of Third Party Funding: Applications presupposing a future joint venture or any organisational unpredictability are not deemed eligible by ICANN, and if any third party is involved in the funding of the applicant, the latter is to provide evidence of such commitment to funding at the time of submission of its financial documents.^[15] Verisign’s public announcement that it was involved in NDC’s funding from the very beginning (well before the auction) and its management later, proves that NDC’s failure to notify ICANN made its application ineligible, or irregular at the very least.^[16]

Vague Consequences of Failure to Notify ICANN of Changes: If in any situation, certain material changes occur in the composition of the management, ownership or financial position of the applicant, ICANN is liable to be notified of the changes by the submission of updated documents. Here, however, the applicant may be subjected to re-evaluation if a material change is concerned, at ICANN’s will (there is no mention of what a material change might be). In the event of failure to notify ICANN of changes that would lead the previous information submitted to be false or misleading, ICANN may reject or deny the application concerned.^[17] NDC’s absolute and repeated denial of any changes, during the extremely brief e-mail ‘investigation’ conducted by ICANN and the Ombudsman, show that at no point was NDC planning on revealing its intimacy with Verisign. No extended evaluation was conducted by ICANN at any point.^[18] Note: The arbitrary power allowed here and the vague use of the term ‘material’ obstruct any real accountability on ICANN’s part to ensure that checks are carried out to discourage dishonest behaviour, at all stages.

Arbitrary Enforcement of Background Checks: In order to confirm the eligibility of all applicants, ICANN conducts background screening during its initial evaluation process to verify the information disclosed, at the individual and entity levels.^[19] The applicants may be asked to produce any and all documents/evidence to help ICANN complete this successfully, and any relevant information received from ‘any source’ may be taken into account here. However, this screening is conducted only with regard to two criteria: general business diligence and criminal history, and any record of cybersquatting behaviour.^[20] In this case, ICANN’s background screening was clearly not thorough, in light of Verisign’s confirmed involvement since the beginning, and at no point was NDC asked to submit any extra documents (apart from the exchange of e-mails between NDC and ICANN and its Ombudsman) to enable ICANN’s inquiry into its business diligence.^[21] Further, ICANN also said that it was not required to conduct background checks or a screening process, as the provisions only mention that ICANN is allowed to do so, when it feels the need.^[22] This ludicrous loophole hinders transparency efforts by giving ICANN the authority to ignore any questionable details in applications it desires to deem eligible, based on its own strategic leanings, advantageous circumstances or any other beneficial interests.

ICANN’s deliberate avoidance of discussing or investigating the ‘allegations’ against NDC (that were eventually proved true), as well as a visible compromise in fairness and equity of the application process point to the conclusion it desired.

ICANN’s Sketchy Tryst with Legal Conformity:

ICANN’s lack of substantive compliance, with California’s laws and its own rules and regulations, leave us with the realisation that efforts towards transparency, enforcement and compliance (even with emphasis on the IANA Stewardship and Accountability Process) barely meet the procedural minimum.

Rejection of Request for Postponement of Auction: ICANN’s intent to ‘initiate the Auction process once the composition of the set is stabilised’ implies that there must be no pending accountability mechanisms with regard to any applicant.^[23] When ICANN itself determines the opening and closing of investigations or reviews concerning applicants, arbitrariness on ICANN’s part in deciding on which date the mechanisms are to be deemed as pending, may affect an applicant’s claim about procedural irregularity. In this case, ICANN had already scheduled the auction for July 27, 2016, before Ruby Glen sent in a request for postponement of the auction and inquiry into NDC’s eligibility on June 22, 2016.^[24] Even though the ongoing accountability mechanisms had begun after initiation of the auction process, ICANN confirmed the continuance of the process without assurance about the stability of the contention set as required by procedure. Ruby Glen’s claim about this violation in auction rules was dismissed by ICANN on the basis that there must be no pending accountability mechanisms at the time of scheduling of the auction.^[25] This means that if any objection is raised or any dispute resolution or accountability mechanism is initiated with regard to an applicant, at any point after fixing the date of the auction, the auction process continues even though the contention set may not be stabilised. This line of defence made by ICANN is not in conformity with the purpose behind the wording of its auction procedure as discussed above.

Lack of Adequate Participation in the Discovery Planning Process: In order to gather evidentiary support and start the discovery process for the passing of the injunction, ICANN was required to engage with Ruby Glen in a conference, under Federal law. However, due to a disagreement as to the extent of participation required from both parties involved in the process, ICANN recorded only a single appearance at court, after which it refused to engage with Ruby Glen.^[26] ICANN should have conducted a thorough investigation, based on both NDC’s and Verisign’s public statements, and engaged more cooperatively in the conference, to comply substantively with its internal procedure as well jurisdictional obligations. Under ICANN’s Bylaws, it is to ensure that an applicant does not assign its rights or obligations in connection with the application to another party, as NDC did, in order to promote a competitive market and ensure certainty in transactions.^[27] However, due to its lack of substantive compliance with due procedure, such bylaws have been rendered weak.

Demand to Dismiss Ruby Glen’s Complaint: ICANN demanded the dismissal of Ruby Glen’s complaint on the basis that the complaint was vague and unsubstantiated.^[28] After the auction, Ruby Glen’s allegations and suspicions about NDC’s dishonest behaviour were confirmed publicly by Verisign, making the above demand for dismissal of the complaint ridiculous.

Inapplicability of ICANN’s Bylaws to its Contractual Relationships: ICANN maintained that its bylaws are not part of application documents or contracts with applicants (as it is a not-for-profit public benefit corporation), and that ICANN’s liability, with respect to a breach of ICANN’s foundational documents, extends only to officers, directors, members, etc.^[29] In addition, it said that Ruby Glen had not included any facts that suggested a duty of care arose from the contractual relationship with Ruby Glen and Donuts Inc.^[30] Its dismissal of and considerable disregard for fiduciary obligations like duty of care and duty of inquiry in contractual relationships, prove the contravention of promised commitments and core values (integral to its entire accountability process), which are to ‘apply in the broadest possible range of circumstances’.^[31]

ICANN’s Legal Waiver and Public Policy: Ruby Glen had submitted that, under the California Civil Code 1668, a covenant not to sue was against policy, and that the legal waiver all applicants were made to sign in the application was unenforceable.^[32] This waiver releases ICANN from ‘any claims arising out of, or related to, any action or failure to act’, and the complaint claimed that such an agreement ‘not to challenge ICANN in court, irrevocably waiving the right to sue on basis of any legal claim’ was unconscionable.^[33] However, ICANN defended the enforceability of the legal waiver, saying that only a covenant not to sue that is specifically designed to avoid responsibility for own fraud or willful injury is invalidated under the provisions of the California Civil Code.^[34] A waiver, incorporating the availability of accountability mechanisms ‘within ICANN’s bylaws to challenge any final decision of ICANN’s with respect to an application’, was argued as completely valid under California’s laws. It must be kept in mind that challenges to ICANN’s final decisions can make headway only through its own accountability mechanisms (including the Reconsideration Requests Process, the Independent Review Panel and the Ombudsman), which are mostly conducted by, accountable to and applicable at the discretion of the Board.^[35] This means that the only recourse for dissatisfied applicants is through processes managed by ICANN, leaving no scope for independence and impartiality in the review or inquiry concerned, as the .WEB case has shown.

Note: ICANN has also previously argued that its waivers are not restricted by S. 1668 because the parties involved are sophisticated - without an element of oppression, and that these transactions don’t involve public interest as ICANN doesn’t provide necessary services such as health, transportation, etc.^[36] Such line of argument shows its continuous refusal to acknowledge responsibility for ensuring access to an essential good, in a diverse community, justifying concerns about ICANN’s commitment to accessibility and human rights.

Required to remain accountable to the stakeholders of the community through mechanisms listed in its Bylaws, ICANN’s repeated difficulty in ensuring these mechanisms adhere to the purpose behind jurisdictional regulations confirm hindrances to impartiality, independence and effectiveness.

The Financial Accountability of ICANN’s Auction Proceeds:

The use and distribution of significant auction proceeds accruing to ICANN have been identified by the internet community as issues central to financial transparency, especially in a future of increasing instances of contention sets.

Private Inurement Prohibition and Legal Requirements of Tax-Exempted Organisations: Subject to California’s state laws as well as federal laws, tax exemptions and tax-deductible charitable donations (available to not-for-profit public benefit corporations) are dependent on the fulfillment of jurisdictional obligations by ICANN, including avoiding contracts that may result in excessive economic benefit to a party involved, or lead to any deviation from purely charitable and scientific purposes.^[37] ICANN’s Articles require that it ‘shall pursue the charitable and public purposes of lessening the burdens of government and promoting the global public interest in the operational stability of the Internet’.^[38] Due to this, ICANN’s accumulation of around USD 60 million (the total net proceeds from over 14 contention sets) since 2014 has been treated with unease, making it impossible to ignore the exponential increase in the same after the .WEB controversy.^[39] With its dedication to a bottom-up, multi-stakeholder policy development process, the use of a single and ambiguous footnote, in ICANN’s Guidebook, to tackle the complications involving significant funds that accrue from last resort auctions (without even mentioning the arbiters of their ‘appropriate’ use) is grossly insufficient.^[40]

Need for Careful and Inclusive Deliberation Over the Use of Auction Proceeds: At the end of the fiscal year 2016, ICANN’s balance sheet showed a total of USD 399.6 million. However, the .WEB sale amount was not included in this figure, as the auction happened after the last date (June 30, 2016).^[41] Around seven times the average winning bid, a USD 135 million hike in ICANN’s accounts shows the need for greater scrutiny on ICANN’s process of allocation and distribution of these auction proceeds.^[42] While finding an ‘appropriate purpose’ for these funds, it is important that ICANN’s legal nature under US jurisdiction as well as its vision, mission and commitments be adhered to, in order to help increase public confidence and financial transparency.

The CCWG Charter on New gTLD Auction Proceeds: ICANN has always maintained that it recognised the concern of ‘significant funds accruing as a result of several auctions’ at the outset.^[43] In March 2015, the GNSO brought up issues relating to the distribution of auction proceeds at ICANN52, to address growing concerns of the community.^[44] A Charter was then drafted, proposing the formation of a Cross-Community Working Group on New gTLD Auction Proceeds, to help ICANN’s Board in allocating these funds.^[45] After being discussed in detail at ICANN56, the draft charter was forwarded to the various supporting organisations for comments.^[46] The Charter received no objections from 2 organisations and was adopted by the ALAC, ASO, ccNSO and GNSO, following which members and co-chairs were identified from the organisations to constitute the CCWG.^[47] It was decided that while ICANN’s Board will have final responsibility in disbursement of the proceeds, the CCWG will be responsible for the submission of proposals regarding the mechanism for the allocation of funds, keeping ICANN’s fiduciary and legal obligations in mind.^[48] While creating proposals, the CCWG must recommend how to avoid possible conflicts of interest, maintain ICANN’s tax-exempt status, and ensure diversity and inclusivity in the entire process.^[49] It is important to note that the CCWG cannot make recommendations ‘regarding which organisations are to be funded or not’, but is to merely submit a proposal for the process by which allocation is undertaken.^[50] ICANN’s Guidebook mentions possible uses for proceeds, such as ‘grants to support new gTLD applications or registry operators from communities’, the creation of a fund for ‘specific projects for the benefit of the Internet community’, the ‘establishment of a security fund to expand use of secure protocols’, among others, to be decided by the Board.^[51]

A Slow Process and the Need for More Official Updates: The lack of sufficient communication/updates about any allocation or the process behind such, in light of ICANN’s current total net auction proceeds of USD 233,455,563, speaks of an urgent need for a decision by the Board (based on a recommendation by CCWG), regarding a timeframe for the allocation of such proceeds.^[52] However, the entire process has been very slow, with the first CCWG meeting on auction proceeds scheduled for 26 January 2016, and the lists of members and observers being made public only recently.^[53] Here, even parties interested in applying for the same funds at a later stage are allowed to participate in meetings, as long as they include such information in a Statement of Interest and Declaration of Intention, to satisfy CCWG’s efforts towards transparency and accountability.^[54]

The worrying consequences of ICANN’s lack of financial as well as legal accountability (especially in light of its controversies), reminds us of the need for constant reassessment of its commitment to substantive transparency, enforcement and compliance with its rules and regulations. Its current obsessive courtship with only procedural regularity must not be mistaken for a greater commitment to accountability, as assured by the post-transition IANA.

^[1] DECLARATION OF CHRISTINE WILLETT IN SUPPORT OF ICANN’S OPPOSITION TO PLAINTIFF’S EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER, 2. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-declaration-willett-25jul16-en.p df)

^[2] 4.3, gTLD Applicant Guidebook ICANN, 4-19. (https://newgtlds.icann.org/en/applicants/agb)

^[3] NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER; MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 15. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[4] NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER; MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 15. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[5] DECLARATION OF CHRISTINE WILLETT IN SUPPORT OF ICANN’S OPPOSITION TO PLAINTIFF’S EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER, 4-7. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-declaration-willett-25jul16-en.pdf)

^[6] PLAINTIFF RUBY GLEN, LLC’S NOTICE OF MOTION AND MOTION FOR LEAVE TO TAKE THIRD PARTY DISCOVERY OR, IN THE ALTERNATIVE, MOTION FOR THE COURT TO ISSUE A SCHEDULING ORDER, 3.

(https://www.icann.org/en/system/files/files/litigation-ruby-glen-motion-court-issue-scheduling-order-26oct16-en.pdf)

^[7](https://www.verisign.com/en_US/internet-technology-news/verisign-press-releases/articles/index.xhtml?artLink=aHR0cDovL3ZlcmlzaWduLm5ld3NocS5idXNpbmVzc3dpcmUuY29tL3ByZXNzLXJlbGVhc2UvdmVyaXNpZ24tc3RhdGVtZW50LXJlZ2FyZGluZy13ZWItYXVjdGlvbi1yZXN1bHRz)

^[8] An expedited discovery request can provide the required evidentiary support needed to meet the Plaintiff’s burden to obtain a preliminary injunction or temporary restraining order. (http://apps.americanbar.org/litigation/committees/businesstorts/articles/winter2014-0227-using-expedited-discovery-with-preliminary-injunction-motions.html)

^[9] NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER; MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 2. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[10] (http://domainincite.com/20789-donuts-files-10-million-lawsuit-to-stop-web-auction); (https://www.thedomains.com/2016/08/15/afilias-asks-icann-to-disqualify-nu-dot-cos-135-million-winning-bid-for-web/)

^[11] (http://www.domainmondo.com/2016/11/news-review-icann57-hyderabad-india.html)

^[12] Art III, Bylaws of Public Technical Identifiers, ICANN. (https://pti.icann.org/bylaws)

^[13] 1.4.1.1, gTLD Applicant Guidebook ICANN, 1-39.(https://newgtlds.icann.org/en/applicants/agb)

^[14] NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER; MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 15. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[15] 1.2.1; 1.2.2, gTLD Applicant Guidebook ICANN, 1-21. (https://newgtlds.icann.org/en/applicants/agb)

^[16](https://www.verisign.com/en_US/internet-technology-news/verisign-press-releases/articles/index.xhtml?artLink=aHR0cDovL3ZlcmlzaWduLm5ld3NocS5idXNpbmVzc3dpcmUuY29tL3ByZXNzLXJlbGVhc2UvdmVyaXNpZ24tc3RhdGVtZW50LXJlZ2FyZGluZy13ZWItYXVjdGlvbi1yZXN1bHRz)

^[17] 1.2.7, gTLD Applicant Guidebook ICANN, 1-30. (https://newgtlds.icann.org/en/applicants/agb)

^[18] DECLARATION OF CHRISTINE WILLETT IN SUPPORT OF ICANN’S OPPOSITION TO PLAINTIFF’S EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER, 4. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-declaration-willett-25jul16-en.pdf)

^[19] 1.1.2.5, gTLD Applicant Guidebook ICANN, 1-8. (https://newgtlds.icann.org/en/applicants/agb)

^[20] 1.2.1, gTLD Applicant Guidebook ICANN, 1-21. (https://newgtlds.icann.org/en/applicants/agb)

^[21] DECLARATION OF CHRISTINE WILLETT IN SUPPORT OF ICANN’S OPPOSITION TO PLAINTIFF’S EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER, 7. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-declaration-willett-25jul16-en.pdf)

^[22] 6.8; 6.11, gTLD Applicant Guidebook ICANN, 6-5 (https://newgtlds.icann.org/en/applicants/agb);

DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF MOTION TO DISMISS FIRST AMENDED COMPLAINT, 10. (http://domainnamewire.com/wp-content/icann-donuts-motion.pdf)

^[23] 1.1.2.10, gTLD Applicant Guidebook ICANN. (https://newgtlds.icann.org/en/applicants/agb)

^[24] NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER; MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 15. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[25] DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF MOTION TO DISMISS FIRST AMENDED COMPLAINT, 8. (http://domainnamewire.com/wp-content/icann-donuts-motion.pdf)

^[26] 26(f); 65, Federal Rules of Civil Procedure (https://www.federalrulesofcivilprocedure.org/frcp/title-viii-provisional-and-final-remedies/rule-65-injunctions-and-restraining-orders/); (https://www.federalrulesofcivilprocedure.org/frcp/title-v-disclosures-and-discovery/rule-26-duty-to-disclose-general-provisions-governing-discovery/)

^[27] 6.10, gTLD Applicant Guidebook ICANN, 6-6. (https://newgtlds.icann.org/en/applicants/agb); (https://www.icann.org/resources/reviews/specific-reviews/cct)

^[28] 12(b)(6), Federal Rules of Civil Procedure; DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF MOTION TO DISMISS FIRST AMENDED COMPLAINT, 6. (http://domainnamewire.com/wp-content/icann-donuts-motion.pdf)

^[29] DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF MOTION TO DISMISS FIRST AMENDED COMPLAINT, 8. (http://domainnamewire.com/wp-content/icann-donuts-motion.pdf)

^[30] PLAINTIFF RUBY GLEN, LLC’S OPPOSITION TO DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MOTION TO DISMISS FIRST AMENDED COMPLAINT; MEMORANDUM OF POINTS AND AUTHORITIES, 12.

(https://www.icann.org/en/system/files/files/litigation-ruby-glen-opposition-motion-dismiss-first-amended-complaint-07nov16-en.pdf)

^[31] (https://archive.icann.org/en/accountability/frameworks-principles/legal-corporate.htm); Art. 1(c), Bylaws for ICANN. (https://www.icann.org/resources/pages/governance/bylaws-en)

^[32] (http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1668); NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER: MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 24. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[33] 6.6, gTLD Applicant Guidebook ICANN, 6-4. (https://newgtlds.icann.org/en/applicants/agb)

^[34] DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF MOTION TO DISMISS FIRST AMENDED COMPLAINT, 18. (http://domainnamewire.com/wp-content/icann-donuts-motion.pdf)

^[35] (https://www.icann.org/resources/pages/mechanisms-2014-03-20-en)

^[36] AMENDED REPLY MEMORANDUM IN SUPPORT OF ICANN’S MOTION TO DISMISS FIRST AMENDED COMPLAINT, 4. (https://www.icann.org/en/system/files/files/litigation-dca-reply-memo-support-icann-motion-dismiss-first-amended-complaint-14apr16-en.pdf)

^[37] 501(c)(3), Internal Revenue Code, USA. (https://www.irs.gov/charities-non-profits/charitable-organizations/exemption-requirements-section-501-c-3-organizations)

^[38] Art. II, Public Technical Identifiers, Articles of Incorporation, ICANN. (https://pti.icann.org/articles-of-incorporation)

^[39](https://community.icann.org/display/alacpolicydev/At-Large+New+gTLD+Auction+Proceeds+Discussion+Paper+Workspace)

^[40] (https://www.icann.org/policy); 4.3, gTLD Applicant Guidebook ICANN, 4-19. (https://newgtlds.icann.org/en/applicants/agb)

^[41]5, Internet Corporation for ASsigned Names and Numbers, Fiscal Statements As of and for the Years Ended June 30, 2016 and 2015. (https://www.icann.org/en/system/files/files/financial-report-fye-30jun16-en.pdf);

(http://domainincite.com/21204-icann-has-400m-in-the-bank?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+DomainIncite+%28DomainIncite.com%29)

^[42] (http://www.theregister.co.uk/2016/07/28/someone_paid_135m_for_dot_web)

^[43](https://community.icann.org/display/CWGONGAP/Cross-Community+Working+Group+on+new+gTLD+Auction+Proceeds+Home)

^[44] (https://www.icann.org/public-comments/new-gtld-auction-proceeds-2015-09-08-en)

^[45] (https://www.icann.org/news/announcement-2-2016-12-13-en)

^[46] (https://www.icann.org/news/announcement-2-2016-12-13-en)

^[47](https://www.icann.org/news/announcement-2-2016-12-13-en);

(https://community.icann.org/display/CWGONGAP/Cross-Community+Working+Group+on+new+gTLD+Auction+Proceeds+Home)

^[48] (https://ccnso.icann.org/workinggroups/ccwg-charter-07nov16-en.pdf); (https://www.icann.org/news/announcement-2-2016-12-13-en)

^[49] (https://www.icann.org/public-comments/new-gtld-auction-proceeds-2015-09-08-en)

^[50] (https://community.icann.org/display/CWGONGAP/CCWG+Charter)

^[51] 4.3, gTLD Applicant Guidebook ICANN, 4-19. (https://newgtlds.icann.org/en/applicants/agb)

^[52] (https://newgtlds.icann.org/en/applicants/auctions/proceeds)

^[53] (https://community.icann.org/pages/viewpage.action?pageId=63150102)

^[54] (https://www.icann.org/news/announcement-2-2016-12-13-en)

For more details visit https://cis-india.org/internet-governance/blog/icann2019s-problems-with-accountability-and-the-web-controversy

ICANN’s Documentary Information Disclosure Policy – I: DIDP Basics

Vinayak Mithal — 2014-07-01T13:01:34Z

In a series of blogposts, Vinayak Mithal analyses ICANN's reactive transparency mechanism, comparing it with freedom of information best practices. In this post, he describes the DIDP and its relevance for the Internet community.

The Internet Corporation for Assigned Names and Numbers (“ICANN”) is a non-profit corporation incorporated in the state of California and vested with the responsibility of managing the DNS root, generic and country-code Top Level Domain name system, allocation of IP addresses and assignment of protocol identifiers. As an internationally organized corporation with its own multi-stakeholder community of Advisory Groups and Supporting Organisations, ICANN is a large and intricately woven governance structure. Necessarily, ICANN undertakes through its Bye-laws that “in performing its functions ICANN shall remain accountable to the Internet community through mechanisms that enhance ICANN’s effectiveness”. While many of its documents, such as its Annual Reports, financial statements and minutes of Board meetings, are public, ICANN has instituted the Documentary Information Disclosure Policy (“DIDP”), which like the RTI in India, is a mechanism through which public is granted access to documents with ICANN which are not otherwise available publicly. It is this policy – the DIDP – that I propose to study.

In a series of blogposts, I propose to introduce the DIDP to unfamiliar ears, and to analyse it against certain freedom of information best practices. Further, I will analyse ICANN’s responsiveness to DIDP requests to test the effectiveness of the policy. However, before I undertake such analysis, it is first good to know what the DIDP is, and how it is crucial to ICANN’s present and future accountability.

What is the DIDP?

One of the core values of the organization as enshrined under Article I Section 4.10 of the Bye-laws note that “in performing its functions ICANN shall remain accountable to the Internet community through mechanisms that enhance ICANN’s effectiveness”. Further, Article III of the ICANN Bye-laws, which sets out the transparency standard required to be maintained by the organization in the preliminary, states - “ICANN and its constituent bodies shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness”.

Accordingly, ICANN is under an obligation to maintain a publicly accessible website with information relating to its Board meetings, pending policy matters, agendas, budget, annual audit report and other related matters. It is also required to maintain on its website, information about the availability of accountability mechanisms, including reconsideration, independent review, and Ombudsman activities, as well as information about the outcome of specific requests and complaints invoking these mechanisms.

Pursuant to Article III of the ICANN Bye-laws for Transparency, ICANN also adopted the DIDP for disclosure of publicly unavailable documents and publish them over the Internet. This becomes essential in order to safeguard the effectiveness of its international multi-stakeholder operating model and its accountability towards the Internet community. Thereby, upon request made by members of the public, ICANN undertakes to furnish documents that are in possession, custody or control of ICANN and which are not otherwise publicly available, provided it does not fall under any of the defined conditions for non-disclosure. Such information can be requested via an email to didp@icann.org.

Procedure

Upon the receipt of a DIDP request, it is reviewed by the ICANN staff.
Relevant documents are identified and interview of the appropriate staff members is conducted.
The documents so identified are then assessed whether they come under the ambit of the conditions for non-disclosure.
- Yes - A review is conducted as to whether, under the particular circumstances, the public interest in disclosing the documentary information outweighs the harm that may be caused by such disclosure.
- Documents which are considered as responsive and appropriate for public disclosure are posted on the ICANN website.
- In case of request of documents whose publication is appropriate but premature at the time of response then the same is indicated in the response and upon publication thereafter, is notified to the requester.

Time Period and Publication

The response to the DIDP request is prepared by the staff and is made available to the requestor within a period of 30 days of receipt of request via email. The Request and the Response is also posted on the DIDP page http://www.icann.org/en/about/transparency in accordance with the posting guidelines set forth at http://www.icann.org/en/about/transparency/didp.

Conditions for Non-Disclosure

There are certain circumstances under which ICANN may refuse to provide the documents requested by the public. The conditions so identified by ICANN have been categorized under 12 heads and includes internal information, third-party contracts, non-disclosure agreements, drafts of all reports, documents, etc., confidential business information, trade secrets, information protected under attorney-client privilege or any other such privilege, information which relates to the security and stability of the internet, etc.

Moreover, ICANN may refuse to provide information which is not designated under the specified conditions for non-disclosure if in its opinion the harm in disclosing the information outweighs the public interest in disclosing the information. Further, requests for information already available publicly and to create or compile summaries of any documented information may be declined by ICANN.

Grievance Redressal Mechanism

In certain circumstances the requestor might be aggrieved by the response received and so he has a right to appeal any decision of denial of information by ICANN through the Reconsideration Request procedure or the Independent Review procedure established under Section 2 and 3 of Article IV of the ICANN Bye-laws respectively. The application for review is made to the Board which has designated a Board Governance Committee for such reconsideration. The Independent Review is done by an independent third-party of Board actions, which are allegedly inconsistent with the Articles of Incorporation or Bye-laws of ICANN.

Why does the DIDP matter?

The breadth of ICANN’s work and its intimate relationship to the continued functioning of the Internet must be appreciated before our analysis of the DIDP can be of help. ICANN manages registration and operations of generic and country-code Top Level Domains (TLD) in the world. This is a TLD:

(Source: here)

Operation of many gTLDs, such as .com, .biz or .info, is under contract with ICANN and an entity to which such operation is delegated. For instance, Verisign operates the .com Registry. Any organization that wishes to allow others to register new domain names under a gTLD (sub-domains such as ‘benefithealth’ in the above example) must apply to ICANN to be an ICANN-accredited Registrar. GoDaddy, for instance, is one such ICANN-accredited Registrar. Someone like you or me, who wants to get our own website – say, vinayak.com – buys from GoDaddy, which has a contract with ICANN under which it pays periodic sums for registration and renewal of individual domain names. When I buy from an ICANN-accredited Registrar, the Registrar informs the Registry Operator (say, Verisign), who then adds the new domain name (vinayak.com) to its registry list, and then it can be accessed on the Internet.

ICANN’s reach doesn’t stop here, technically. To add a new gTLD, an entity has to apply to ICANN, after which the gTLD has to be added to the root file of the Internet. The root file, which has the list of all TLDs (or all ‘legitimate’ TLDs, some would say), is amended by Verisign under its tripartite contract with the US Government and ICANN, after which Verisign updates the file in its ‘A’ root server. The other 12 root servers use the same root file as the Verisign root server. Effectively, this means that only ICANN-approved TLDs (and all sub-domains such as ‘benefithealth’ or ‘vinayak’) are available across the Internet, on a global scale. Or at least, ICANN-approved TLDs have the most and widest reach. ICANN similarly manages country-code TLDs, such as .in for India, .pk for Pakistan or .uk for the United Kingdom.

All of this leads us to wonder whether the extent of ICANN’s voluntary and reactive transparency is sufficient for an organization of such scale and impact on the Internet, perhaps as much impact as the governments do. In the next post, I will analyse the DIDP’s conditions for non-disclosure of information with certain freedom of information best practices.

Vinayak Mithal is a final year student at the Rajiv Gandhi National University of Law, Punjab. His interests lie in Internet governance and other aspects of tech law, which he hopes to explore during his internship at CIS and beyond. He may be reached at vinayakmithal@gmail.com.

For more details visit https://cis-india.org/internet-governance/blog/icann2019s-documentary-information-disclosure-policy-2013-i-didp-basics

ICANN reveals hitherto undisclosed details of domain names revenues

geetha — 2014-12-12T05:08:02Z

Following requests from CIS, ICANN has shared a detailed list of its revenues from domain names for the fiscal year ending June 2014. Such level of detail has, until now, been unavailable. Historical data is still to be made available.

Five days ago, CIS received a detailed list of ICANN’s revenues from domain name sales and renewals for the fiscal year ending June 2014. The document, sent to us by ICANN’s India head Mr. Samiran Gupta, lists payments received by ICANN from registrars, registries, sponsors and other entities such as the NRO and Country Code TLD administrators. Such granular information is not available at the moment on ICANN’s website as part of its financial transparency disclosures. A summary has also been provided by ICANN.

This revenue disclosure from ICANN comes on the heels of public and email correspondence between CIS and ICANN staff. At the Asia Pacific Regional IGF (August 3-6, 2014), CIS’ Sunil Abraham sought granular data – both current and historical – on ICANN’s revenues from the domain name industry.

Again, at the ICANN Open Forum at IGF (4 September 2014), Sunil sought “details of a list of legal entities that give money to ICANN and how much money they give to ICANN every year”. In emails to Kuek Yu-Chuang (ICANN’s Asia Pacific head) and Xavier Calvez (ICANN CFO), CIS had asked for historical data as well.

The global domain name industry is a multi-billion dollar industry, and ICANN sits at the centre of the web. ICANN is responsible for the policy-making and introduction of new Top Level Domains (TLDs), and it also performs technical coordination and maintenance of the Internet’s unique identifiers (domain names and IP addresses). For each domain name that is registered or renewed, ICANN receives payment through a complex contractual network of registries and registrars. The domain name industry is ICANN’s single largest revenue source.

Given the impending IANA transition and accountability debates at ICANN, and the rapid growth of the global domain name industry, one would imagine that ICANN is held up to the same standard of accountability as laid down in the right to information mechanisms of many countries. At the ICANN Open Forum (IGF Istanbul), Sunil raised this very point. Had a Public Information Officer in India failed to respond to a request for information for a month (as ICANN had to CIS’ request for granular revenue data), the officer would have been fined and reprimanded. Since there are no sufficiently effective accountability or reactive transparency measures at ICANN, such penalties are not in place.

In any event, CIS received the list of ICANN’s current domain name revenues after continual email exchanges with ICANN staff. This is undoubtedly heartening, as ICANN has shown itself responsive to repeated requests for transparency. But it remains that ICANN has shared revenue data only for the fiscal year ending June 2014, and historical revenue data is still not publicly available. Neither is a detailed list (current and historical) of ICANN’s expenditures publicly available. Perhaps ICANN could provide the necessary information during its regular Quarterly Stakeholder Reports, as well as on its website. This would go a long way in ascertaining and improving ICANN’s accountability and transparency.

The documents:

For more details visit https://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014

DIDP Request #8: ICANN Organogram

geetha — 2015-03-17T11:39:16Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of its oragnisational structure and headcount of all staff. CIS' request and ICANN's response are detailed below.

CIS Request

13 January 2015

To:

Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, President and CEO

Mr. Samiran Gupta, ICANN India

Sub: ICANN organogram

In order to understand ICANN’s organizational structure, decision-making and day-to-day functioning, may we request an organogram of ICANN. We request that the organogram include ICANN’s reporting hierarchy, mentioning positions held in all departments. Wherever possible (such as middle and senior management), we request names of the ICANN staff holding the positions as well. Along with this, could you also provide a count per department of the number of ICANN staff employed in all departments as of this date?

We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN does not provide all the information we requested, but it responded with the following:

First, ICANN has responded that its current staff headcount is approx. 310. ICANN states that it already makes publicly available an organisational chart. This is immensely useful, for it sets out the reporting hierarchies at senior and mid-managerial levels. However, it doesn't tell us the organisational structure categorised by all departments and staff in the said departments. The webpages of some of ICANN's departments list out some of its staff; for instance, Contractual Compliance, Global Stakeholder Engagement and Policy Development (scroll down).

What you will notice is that ICANN provides us a list of staff, but we cannot be sure whether the team includes more persons than those mentioned. Second, a quick glance at the Policy Development staff makes clear that ICANN selects from outside this pool to coordinate the policy development. For instance, the IANA Stewardship Transition (the CWG-IANA) is supported by Ms. Grace Abuhamad, who is not a member of the policy support staff, but coordinates the IANA mailing list and F2F meetings anyway. What this means is that we're no longer certain who within ICANN is involved in policy development and support, whom they report to, and where the Chinese walls lie. This is why an organogram is necessary: the policy-making and implementation functions in ICANN may be closely linked because of staff interaction, and effective Chinese walls would benefit from public scrutiny.

Now, ICANN says that one may explore staff profiles on the Staff page. While short biographies/profiles are available for most staff on the Staff page, it's unclear what departments they work in, how many staff members work each in department, whom they report to, and what the broad range of their responsibilities include.

Privacy concerns do not preclude the disclosure of such information for two reasons. First, staff profiles imply a consent to making staff information public (at least their place in the organisational structure, if not their salaries, addresses, phone extension numbers, etc.). Second, such information is necessary and helpful to scrutinise the effectiveness of ICANN's functioning. Like the example of the policy-making process mentioned above, greater transparency in internal functioning will itself serve as a check against hazards like partisanism, public comment aggregation, drafting of charters for policy-making and determining scope, etc. While the functioning itself may or need not change, scrutiny can ensure responsibility from ICANN and its staff.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 8).

For more details visit https://cis-india.org/internet-governance/blog/didp-request-8-organogram

DIDP Request #7: Globalisation Advisory Groups

geetha — 2015-03-17T10:07:26Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking information regarding the creation and dissolution of the President's Globalisation Advisory Groups. The GAGs were created to advise the ICANN Board on its globalisation efforts, and to address questions on Affirmation of Commitments (AOC), policy structures, legal structure, root server system, the IANA multistakeholder accountability, and Internet governance. CIS' request and ICANN's response are detailed below.

CIS Request

12 January 2015

To:
Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Ms. Theresa Swineheart, Senior Advisor to the President on Strategy

Mr. Samiran Gupta, ICANN India

Sub: Creation and dissolution of the President’s Globalisation Advisory Groups

On 17 February 2014, at a Special Meeting of the ICANN Board, the Board passed a resolution creating the President’s Globalisation Advisory Groups.1 Six Globalisation Advisory Groups were created, including on IANA globalization, legal structures, Internet governance, the Affirmation of Commitments, policy structures and the root server system.2 According to the minutes of the meeting, the Advisory Groups were to meet with the community at ICANN49 (Singapore, March 2014), make recommendations to the Board, and the Board would present their reports at ICANN50 (London, June 2014).3 Mr. Chehade was vested with the authority to change the Advisory Groups and their composition without the need for a further resolution, but the manner of dissolution was not laid out.

ICANN lists the Advisory Groups on its “Past Groups” page, with no further information.4 Presumably, the Groups remained in existence for at most one month. No explanation is provided for the reasons regarding the dissolution of all the Advisory Groups. There are no reports or transcripts of meetings with the community at ICANN49 or recommendations to Mr. Chehade or the Board.

The Globalisation Advisory Groups covered issues crucial for ICANN and the global Internet governance community, including its seat (“Legal Structures”), the Affirmation of Commitments (considered critical for ICANN’s accountability), the IANA stewardship transition, and ICANN’s (increasing) involvement in Internet governance. Given this, we request the following information:

Of the six Globalisation Advisory Groups created, is any Group active as of today (12 January 2015)?
When and how many times did any of the Groups meet?
On what date were the Groups dissolved? Were all Groups dissolved on the same date?
By what mechanism did the dissolution take place (oral statement, email)? If the dissolution occurred by way of email or statement, please provide a copy of the same.
Did any of the six Globalisation Advisory Groups present any report, advice, or recommendations to Mr. Chehade or any member(s) of the Board, prior to their dissolution? If yes, please provide the report/recommendations (if available) and/or information regarding the same.
Why were the Advisory Groups dissolved? Has any reason been recorded, and if not, please provide an explanation.

We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.

Thank you very much.

Warm regards,
Geetha Hariharan
Centre for Internet & Society

ICANN Response

ICANN's response to this request is positive. ICANN states that the Board did indeed set up the six Globalisation Advisory Groups (GAGs) on 17 February 2014 to tackle issues surrounding ICANN's globalisation efforts. The Affirmation of Commitments (AOC), policy structures, legal structure, root server system, the IANA multistakeholder accountability, and Internet governance were issues taken up by the GAGs. However, after the NTIA made its announcement regarding the IANA transition in March 2014, the GAGs were disbanded so as to avoid duplication of work on issues that "had a home in the global multistakeholder discussions". As a result, by a Board resolution dated 27 March 2014, the GAGs were dissolved.

This is an example of a good response to an information request. Some documentation regarding the creation and dissolution of the GAGs existed, such as the Board resolutions. The response points us to these documents, and summarises the reasons for the GAGs' creation and dissolution.

It is possible that this response is clear/comprehensive because the GAGs no longer exist, and in any event, did not perform any work worth writing about. Queries about ICANN's involvement in Internet governance (NETmundial, the NETmundial Initiative, etc.) garner responses that are, to say it informally, cage-y and surrounded by legalese.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 7).

[1] See Approved Board Resolutions | Special Meeting of the Board, https://www.icann.org/resources/board-material/resolutions-2014-02-17-en.

[2] See President’s Globalisation Advisory Groups, https://www.icann.org/en/system/files/files/globalization-19feb14-en.pdf.

[3] See Minutes | Special Meeting of the Board, https://www.icann.org/resources/board- material/minutes-2014-02-17-en.

[4] See Past Committees, Task Forces, and Other Groups, https://www.icann.org/resources/pages/past-2012-02-25-en.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-7-globalisation-advisory-groups

DIDP Request #6: Revenues from gTLD auctions

geetha — 2015-03-10T10:59:37Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking information regarding revenues received from gTLD auctions. CIS' request and ICANN's response are detailed below.

CIS Request

12 January 2015

To:

Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Sub: Revenues from gTLD auctions

It is our understanding that an auction for a Generic Top Level Domain (gTLD) is used as a last-resort mechanism in order to resolve string contention, i.e., when there are groups of applications for same or confusingly similar new gTLDs. As of now, the ICANN website only furnishes information of the winning applicant and the winning price, as regards each new gTLD auction.[1] We have observed that information regarding the bids from all other applicants is not available. The revenue information provided to us[2] does not include revenues from new gTLDs.

In this regard, we request you to provide us with the following information:

(i) How many gTLDs have been sold via the auction process, since its inception?

(ii) What were the starting and winning bids in the ICANN auctions conducted?

(iii) What revenue has ICANN received from the gTLD auctions, since the first ICANN auction was conducted? Please also provide information about the winner (name, corporate information provided to/ available with ICANN).

(iv) How are proceeds from the gTLD auction process utilized?

We believe that this information will give us a framework for understanding the gTLD auction process within ICANN. Furthermore, it will assist us in understanding the manner and purpose for which the proceeds from the auctioning process are utilized, in the broader structure of ICANN transparency and accountability.

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Warm regards,

Lakshmi Venkataraman,

IV Year, NALSAR University of Law, Hyderabad,

for Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN's response to the above query is positive. ICANN states that all information surrounding the auctions is available on the New gTLDs microsite, and on the Auctions page: http://newgtlds.icann.org/en/applicants/auctions. The current status of auction proceeds and costs are available at http://newgtlds.icann.org/en/applicants/auctions/proceeds, and auction results are at https://gtldresult.icann.org/application-result/applicationstatus/auctionresults. The utilization of proceeds from the auctions is yet to be decided by the ICANN Board: “[auction] proceeds will be reserved and earmarked until the Board determines a plan for the appropriate use of the funds through consultation with the community. Auction proceeds are net of any Auction costs. Auction costs may include initial set-up costs, auction management fees, and escrow fees.”

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 6).

[1] See Auction Results, https://gtldresult.icann.org/application-result/applicationstatus/auctionresults.

[2] See ICANN reveals hitherto undisclosed details of domain names revenues, http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-6-revenues-from-gtld-auctions

DIDP Request #5: The Ombudsman and ICANN's Misleading Response to Our Request

geetha — 2015-03-06T11:11:31Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of the complaints received and resolved, parties involved and the nature of complaints under the Ombudsman process. CIS' request and ICANN's response are detailed below. ICANN's response is misleading in its insistence on confidentiality of all Ombudsman complaints and resolutions.

CIS Request

26 December 2014

To:
Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, CEO and President

Mr. Chris LaHatte, Ombudsman, ICANN

Sub: Details regarding complaints submitted to the ICANN Ombudsman

We are very pleased to note that ICANN’s transparency and accountability mechanisms include maintaining a free, fair and impartial ombudsman. It is our understanding that any person with a complaint against the ICANN Board, staff or organization, may do so to the designated ombudsman.[1] We also understand that there are cases that the ICANN ombudsman does not have the authority to address.

In order to properly assess and study the efficiency and effectiveness of the ombudsman system, we request you to provide us with the following information:

(i) A compilation of all the cases that have been decided by ICANN ombudsmen in the history of the organization.

(ii) The details of the parties that are involved in the cases that have been decided by the ombudsmen.

(iii)A description of the proceedings of the case, along with the party that won in each instance.

Further, we hope you could provide us with an answer as to why there have been no ombudsman reports since the year 2010, on the ICANN website.[2] Additionally, we would like to bring to your notice that the link that provides the ombudsman report for the year 2010 does not work.

In order to properly assess the mechanism that ICANN uses for grievance redressal, it would be necessary to examine the details of all the cases that ICANN ombudsmen have presided over in the past. In this regard, kindly provide us with the above information.

We do hope that you will be able to furnish this information to us within the stipulated time period of 30 days. Do not hesitate to contact us if you have any doubts regarding our queries. Thank you so much.

Yours sincerely,
Lakshmi Venkataraman
NALSAR University of Law, Hyderabad, for Centre for Internet & Society
W: http://cis-india.org

ICANN Response

In its response, ICANN declines our request on grounds of confidentiality. It refers to the ICANN Bylaws on the office of the Ombudsman to argue that all matters brought before the Ombudsman "shall be treated as confidential" and the Ombudsman shall "take all reasonable steps necessary to preserve the privacy of, and to avoid harm to, those parties not involved in the complaint being investigated by the Ombudsman". ICANN states that the Ombudsman publishes Annual Reports, in which he/she provides a "consolidated analysis of the year's complaints and resolutions", including "a description of any trends or common elements of complaints received". In sum, ICANN states that making Ombudsman Requests public would violate ICANN Bylaws, and topple the independence and integrity of the Ombudsman.

These are, perhaps, valid reasons to decline our DIDP request. But it is important to investigate ICANN's reasons. The ICANN Board appoints the Ombudsman for 2 year terms, under Article V of ICANN’s Bylaws. As we note in an earlier post, the Ombudsman’s principal function is to receive and dispose of complaints about unfair treatment by the ICANN Board, Staff or constituency. He/she reports to the ICANN Board alone. He/she also reports on the categories of complaints he receives, and statistics regarding decisions in his Annual Reports; no details are forthcoming for stated reasons of confidentiality and privacy. It is clear, therefore, that the Ombudsman receives and disposes of complaints under a procedure that is inadequately transparent.

ICANN argues, however, that for reasons of confidentiality and integrity of the Ombudsman office, ICANN is unable to disclose details regarding Ombudsman complaints, the complainants/respondents and a description of the proceedings (including the decision/resolution). Indeed, ICANN states its "Bylaws and the Ombudsman Framework obligates the Ombudsman to treat all matters brought before him as confidential and 'to take reasonable steps necessary to preserve the privacy of, and to avoid harm to, those parties not involved in the complaint being investigated by the Ombudsman'.” For this reason, ICANN considers that "Disclosing details about the parties involved and the nature of the cases that have been decided by the Ombudsmen would not only compromise the confidentiality of the Ombudsman process but would also violate the ICANN Bylaws and the Ombudsman Framework."

While the privacy of parties both involved and "not involved in the complaint" can be preserved (by redacting names, email addresses and other personal identification), how valid is ICANN's dogged insistence on confidentiality and non-disclosure? Let's look at Article V of ICANN's Bylaws and the Ombudsman Framework both.

Do ICANN Bylaws bind the Ombudsman to Confidentiality?

Under Article V, Section 1(2) of ICANN's Bylaws, the Ombudsman is appointed by the ICANN Board for a 2 year term (renewable). As noted earlier, the Ombudsman's principal function is to “provide an independent internal evaluation of complaints by members of the ICANN community who believe that the ICANN staff, Board or an ICANN constituent body has treated them unfairly” or inappropriately (Art. V, Section 2). The Ombudsman is not a judge; his conflict resolution tools are "negotiation, facilitation, and 'shuttle diplomacy'.

According to Art. V, Section 3(3), the Ombudsman has access to "all necessary information and records from staff and constituent bodies" to evaluate complaints in an informed manner. While the Ombudsman can access these records, he may not "publish if otherwise confidential". When are these records confidential, then? Section 3(3) supplies the answer. The confidentiality obligations are as "imposed by the complainant or any generally applicable confidentiality policies adopted by ICANN". For instance, the complainant can waive its confidentiality by publishing the text of its complaint and the Ombudsman's response to the same (such as the Internet Commerce Association's complaint regarding the Implementation Review Team under the new gTLD program), or a complaint may be publicly available on a listserv. In any event, there is no blanket confidentiality obligation placed on the Ombudsman under ICANN's Bylaws.

Moreover, the Ombudsman also publishes Annual Reports, in which he/she provides a "consolidated analysis of the year's complaints and resolutions", including "a description of any trends or common elements of complaints received". That is, the Ombudsman's Annual Report showcases a graph comparing the increase in the number of complaints, categories of complaints (i.e., whether the complaints fall within or outside of the Ombudsman's jurisdiction), and a brief description of the Ombudsman's scope of resolution and response. The Annual Reports indicate that the mandate of the Ombudsman's office is extremely narrow. In 2014, for instance, 75 out of 467 complaints were within Mr. LaHatte's jurisdiction (page 5), but he notes that his ability to intervene is limited to "failures in procedure". As an input to the ATRT2 Report noted, the Office of the Ombudsman “appears so restrained and contained” (page 53). As the ATRT2 noted, "ICANN needs to reconsider the Ombudsman’s charter and the Office’s role as a symbol of good governance to be further incorporated in transparency processes"; the Office's transparency leaves much to be desired.

But I digress.

The Ombudsman is authorised to make reports on any complaint and its resolution (or lack thereof) to the ICANN Board, and unless the Ombudsman says so in his sole discretion, his reports are to be posted on the website (Art. V, Section 4(4)). The Ombudsman can also report on individual requests, such as Mr. LaHatte's response to a complaint regarding a DIDP denial (cached). Some reports are actually available on the Ombudsman page; the last published report dates back to 2012, though in 2013 and 2014, the Ombudsman dealt with more complaints within his jurisdiction than in 2012 or prior. So ICANN's argument that disclosing the information we ask for in our DIDP Request would violate ICANN Bylaws and the confidentiality of the Ombudsman is misleading.

Does the Ombudsman Framework Prohibit Public Reporting?

So if ICANN Bylaws do not ipso facto bind the Ombudsman's complaint and conflict resolution process to confidentiality, does the Ombudsman Framework do so?

The Ombudsman does indeed have confidentiality obligations under the Ombudsman Framework (page 4). All matters brought before the Ombudsman shall be treated as confidential, and the identities of parties not involved in the complaint are required to be protected. The Ombudsman may reveal the identity of the complainant to the ICANN Board or Staff only to further the resolution of a complaint (which seems fairly obvious); this obligation is extended to ICANN Board and Staff as well.

As the Framework makes crystal clear, the identity of complainants are to be kept confidential. Nothing whatsoever binds the Ombudsman from revealing the stakeholder group or affiliation of the complainants - and these are possibly of more importance. What stakeholders most often receive unfair or inappropriate treatment from ICANN Board, Staff or constituent bodies? Does business suffer more, or do non-commercial users, or indeed, governments? It is good to know what countries the complaints come from (page 4-5), but given ICANN's insistence on its multi-stakeholder model as a gold standard, it is important to know what stakeholders suffer the most in the ICANN system.

In fact, in the first page, the Ombudsman Framework says this: "The Ombudsman may post complaints and resolutions to a dedicated portion of the ICANN website (http://www.icann.org/ombudsman/): (i) in order to promote an understanding of the issues in the ICANN community; (ii) to raise awareness of administrative fairness; and (iii) to allow the community to see the results of similar previous cases. These postings will be done in a generic manner to protect the confidentiality and privilege of communicating with the Office of Ombudsman." But the ICANN website does not, in fact, host records of any Ombudsman complaints or resolutions; it links you only to the Annual Reports and Publications.

As I've written before, the Annual Reports provide no details regarding the nature of each complaint, their origins or resolution, and are useful if the only information we need is bare statistics of the number of complaints received. That is useful, but it's not enough. Given that the Ombudsman Framework does allow complaint/resolution reporting, it is baffling that ICANN's response to our DIDP request chooses to emphasise only the confidentiality obligations, while conveniently leaving out the parts enabling and encouring reporting.

Should ICANN Report the Ombudsman Complaints?

Of course it should. The Ombudsman is aimed at filling an integral gap in the ICANN system - he/she listens to complaints about treatment by the ICANN Board, Staff or constituent bodies. As the discussions surrounding the appeal procedures in the CWG-Names show, and as the ATRT2 recommendations on Reconsideration and Independent Review show, conflict resolution mechanisms are crucial in any environment, not least a multi-stakeholder one. And in an organisation that leaves much desired by way of accountability and transparency, not reporting on complaints against the Board, staff or constituencies seems a tad irresponsible.

If there are privacy concerns regarding the identities of complainants, their personal identifying information can be redacted. Actually, in the complaint form, adding a waiver-of-confidentiality tick-box would solve the problem, allowing the complainant to choose whether to keep his/her complaint unreportable. But the details of the respondents ought to be reported; as the entity responsible and accountable, ICANN should disclose whom complaints have been made against.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 5).

[1] See What the Ombudsman can do for you, https://www.icann.org/resources/pages/contact- 2012-02-25-en.

[2] See Annual Reports & Publications, https://www.icann.org/resources/pages/reports-96-2012- 02-25-en.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-5-the-ombudsman-and-icanns-misleading-response-to-our-request-1

DIDP Request #4: ICANN and the NETmundial Principles

geetha — 2015-03-05T08:28:44Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of ICANN's implementation of the NETmundial Principles that it has endorsed widely and publicly. CIS' request and ICANN's response are detailed below.

CIS Request

27 December 2014

To:

Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Sub: Details of implementation by and within ICANN of the NETmundial Outcome Document (April ‘14)

We express our appreciation at ICANN’s prompt acknowledgement of our previous DIDP request, and await the information. We would, in the meanwhile, request information regarding ICANN’s internal measures to implement the NETmundial Outcome Document.[1]

In a post titled Turning Talk Into Action After NETmundial,[2] Mr. Chehade emphasized the imperative to carry forward the NETmundial principles to fruition. In nearly every public statement, Mr. Chehade and other ICANN representatives have spoken in praise and support of NETmundial and its Outcome Document.

But in the absence of binding value to them, self-regulation and organizational initiatives pave the way to adopt them. There must be concrete action to implement the Principles. In this regard, we request information about mechanisms or any other changes afoot within ICANN, implemented internally in recognition of the NETmundial Principles.

At the IGF in Istanbul, when CIS’ Sunil Abraham raised this query,[3] Mr. Chehade responded that mechanisms ought to and will be undertaken jointly and in collaboration with other organisations. However, institutional improvements are intra-organisational as well, and require changes within ICANN. An example would be the suggestions to strengthen the IGF, increase its term, and provide financial support (some of which are being achieved, though ICANN’s financial contribution to IGFSA is incongruous in comparison to its financial involvement in the NETmundial Initiative).

From ICANN, we have seen consistent championing of the controversial NETmundial Initiative,[4] and contribution to the IGF Support Association.[5] There are also mechanisms instituted for IANA Stewardship Transition and Enhancing ICANN Accountability,[6] as responses to the NTIA’s announcement to not renew the IANA functions contract and related concerns of accountability.

In addition to the above, we would like to know what ICANN has done to implement the NETmundial Principles, internally and proactively.

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN's response to the above request disappointingly linked to the very same blogpost we note in our request, Turning Talk Into Action After NETmundial. Following this, ICANN points us to their involvement in the NETmundial Initiative. On the question of internal implementation, ICANN's response is defensive, to say the least. "ICANN is not the home for the implementation of the NETmundial Principles", they say. In any event, ICANN defends that it already implements the NETmundial Principles in its functioning, a response that comes as a surprise to us. "Many of the NETmundial Principles are high-level statements that permeate through the work of any entity – particularly a multistakeholder entity like ICANN – that is interested in the upholding of the inclusive, multistakeholder process within the Internet governance framework", notes ICANN's response. Needless to say, ICANN's response falls short of responding to our queries.

Finally, ICANN notes that our request is beyond the scope of the DIDP, as it does not relate to ICANN's operational activities. Notwithstanding that our query does in fact seek ICANN's operationalisation of the NETmundial Principles, we are now confused as to where to go to seek this information from ICANN. If the DIDP is not the effective transparency tool it is aimed to be, who in ICANN can provide answers to these questions?

ICANN's response may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 4).

[1] See NETmundial Multi-stakeholder Statement, http://netmundial.br/wp-content/uploads/2014/04/NETmundial-Multistakeholder-Document.pdf.

[2] See Chehade, Turning Talk Into Action After NETmundial, http://blog.icann.org/2014/05/turning-talk-into-action-after-netmundial/.

[3] See ICANN Open Forum, 9^th IGF 2014 (Istanbul, Turkey), https://www.youtube.com/watch?v=Cio31nsqK_A.

[4] See McCarthy, I’m Begging You To Join, The Register (12 December 2014), http://www.theregister.co.uk/2014/12/12/im_begging_you_to_join_netmundial_initiative_gets_desperate/.

[5] See ICANN Donates $50k to Internet Governance Forum Support Association, https://www.icann.org/resources/press-material/release-2014-12-18-en.

[6] See NTIA IANA Functions’ Stewardship Transition & Enhancing ICANN Accountability Processes, https://www.icann.org/stewardship-accountability.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-4-icann-and-the-netmundial-principles

DIDP Request #3: Cyber-attacks on ICANN

geetha — 2015-03-05T08:16:26Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of cyber-attacks on ICANN, and ICANN's internal and external responses to the same. CIS' request and ICANN's response are detailed below.

CIS Request

24 December 2014

To:

Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, CEO and President

Mr. Geoff Bickers, Team Lead, ICANN Computer Incident Response Team (CIRT) & Director of Security Operations

Mr. John Crain, Chief Security, Stability and Resiliency Officer

Members of the ICANN-CIRT & ICANN Security Team

Sub: Details of cyber-attacks on ICANN

We understand that ICANN recently suffered a spear-phishing attack that compromised contact details of several ICANN staff, including their email addresses; these credentials were used to gain access to ICANN’s Centralized Zone Data System (CZDS).[1] We are glad to note that ICANN’s critical functions and IANA-related systems were not affected.[2]

The incident has, however, raised concerns of the security of ICANN’s systems. In order to understand when, in the past, ICANN has suffered similar security breaches, we request details of all cyber-attacks suffered or thought/suspected to have been suffered by ICANN (and for which, therefore, investigation was carried out within and outside ICANN), from 1999 till date. This includes, naturally, the recent spear-phishing attack.

We request information regarding, inter alia,

(1) the date and nature of all attacks, as well as which ICANN systems were compromised,

(2) actions taken internally by ICANN upon being notified of the attacks,

(3) what departments or members of staff are responsible for security and their role in the event of cyber-attacks,

(4) the role and responsibility of the ICANN-CIRT in responding to cyber-attacks (and when policies or manuals exist for the same; if so, please share them),

(5) what entities external to ICANN are involved in the identification and investigation of cyber-attacks on ICANN (for instance, are the police in the jurisdiction notified and do they investigate? If so, we request copies of complaints or information reports),

(6) whether and when culprits behind the ICANN cyber-attacks were identified, and

(7) what actions were subsequently taken by ICANN (ex: liability of ICANN staff for security breaches should such a finding be made, lawsuits or complaints against perpetrators of attacks, etc.).

Finally, we also request information on the role of the ICANN Board and/or community in the event of such cyber-attacks on ICANN. Also, when was the ICANN-CIRT set up and how many incidents has it handled since its existence? Do there exist contingency procedures in the event of compromise of IANA systems (and if so, what)?

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN responded to our request by noting that it is vague and broad in both time and scope. In response, ICANN has provided information regarding certain cyber-incidents already in the public domain, while noting that the term "cyber-attack" is both wide and vague. While the information provided is undoubtedly useful, it is anecdotal at best, and does not provide a complete picture of ICANN's history of vulnerability to cyber-attacks or cyber-incidents, or the manner of its internal response to such incidents, or of the involvement of external law enforcement agencies or CIRTs in combating cyber-incidents on ICANN.

ICANN's response may be found here. A short summary our request and ICANN's response may be found in this table (Request S. no. 3).

[1] See ICANN targeted in spear-phishing attack, https://www.icann.org/news/announcement-2-2014-12-16-en.

[2] See IANA Systems not compromised, https://www.icann.org/news/announcement-2014-12-19-en.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-3-cyber-attacks-on-icann

DIDP Request #2: Granular Revenue/Income Statements from ICANN

geetha — 2015-03-05T08:07:02Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking current and historical details of ICANN's income/revenue from its various sources. CIS' request and ICANN's response are detailed below.

CIS Request

22 December 2014

To:

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Mr. Samiran Gupta, ICANN India

All other members of Staff involved in accounting and financial tasks

Sub: Request for granular income/revenue statements of ICANN from 1999-2014

Earlier this month, on 3 December 2014, Mr. Samiran Gupta presented CIS with detailed and granular information regarding ICANN’s domain names income and revenues for the fiscal year ended June 30, 2014. This was in response to several requests made over a few months. The information we received is available on our website.[1]

The information mentioned above was, inter alia, extremely helpful in triangulating ICANN’s reported revenues, despite and in addition to certain inconsistencies between the Annual Report (FY14) and the information provided to us.

We recognize that ICANN makes public its current and historical financial information to a certain extent. Specifically, its Operating Plan and Budget, Audited Financial Statements, Annual Reports, Federal and State Tax Filings, Board Compensation Report and ccTLD Contributions Report are available on the website.[2]

However, a detailed report of ICANN’s income or revenue statement, listing all vendors and customers, is not available on ICANN’s website. Our research on accountability and transparency mechanisms in Internet governance, specifically of ICANN, requires information in such granularity. We request, therefore, historical data re: income and revenue from domain names (1999-2014), in a manner as detailed and granular as the information referenced in FN[1]. We would appreciate if such a report lists all legal entities and individuals who contribute to ICANN’s domain names income/ revenue.

We look forward to the receipt of this information within the stipulated period of 30 days. Please feel free to contact us in the event of any doubts regarding our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN's response to CIS's request can be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 2).

[1] See ICANN reveals hitherto undisclosed details of domain names revenues, http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014.

[2] See Historical Financial Information for ICANN, https://www.icann.org/resources/pages/historical-2012-02-25-en.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-2