Centre for Internet and Society

DIDP Request #3: Cyber-attacks on ICANN

geetha — 2015-03-05T08:16:26Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of cyber-attacks on ICANN, and ICANN's internal and external responses to the same. CIS' request and ICANN's response are detailed below.

CIS Request

24 December 2014

To:

Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, CEO and President

Mr. Geoff Bickers, Team Lead, ICANN Computer Incident Response Team (CIRT) & Director of Security Operations

Mr. John Crain, Chief Security, Stability and Resiliency Officer

Members of the ICANN-CIRT & ICANN Security Team

Sub: Details of cyber-attacks on ICANN

We understand that ICANN recently suffered a spear-phishing attack that compromised contact details of several ICANN staff, including their email addresses; these credentials were used to gain access to ICANN’s Centralized Zone Data System (CZDS).[1] We are glad to note that ICANN’s critical functions and IANA-related systems were not affected.[2]

The incident has, however, raised concerns of the security of ICANN’s systems. In order to understand when, in the past, ICANN has suffered similar security breaches, we request details of all cyber-attacks suffered or thought/suspected to have been suffered by ICANN (and for which, therefore, investigation was carried out within and outside ICANN), from 1999 till date. This includes, naturally, the recent spear-phishing attack.

We request information regarding, inter alia,

(1) the date and nature of all attacks, as well as which ICANN systems were compromised,

(2) actions taken internally by ICANN upon being notified of the attacks,

(3) what departments or members of staff are responsible for security and their role in the event of cyber-attacks,

(4) the role and responsibility of the ICANN-CIRT in responding to cyber-attacks (and when policies or manuals exist for the same; if so, please share them),

(5) what entities external to ICANN are involved in the identification and investigation of cyber-attacks on ICANN (for instance, are the police in the jurisdiction notified and do they investigate? If so, we request copies of complaints or information reports),

(6) whether and when culprits behind the ICANN cyber-attacks were identified, and

(7) what actions were subsequently taken by ICANN (ex: liability of ICANN staff for security breaches should such a finding be made, lawsuits or complaints against perpetrators of attacks, etc.).

Finally, we also request information on the role of the ICANN Board and/or community in the event of such cyber-attacks on ICANN. Also, when was the ICANN-CIRT set up and how many incidents has it handled since its existence? Do there exist contingency procedures in the event of compromise of IANA systems (and if so, what)?

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN responded to our request by noting that it is vague and broad in both time and scope. In response, ICANN has provided information regarding certain cyber-incidents already in the public domain, while noting that the term "cyber-attack" is both wide and vague. While the information provided is undoubtedly useful, it is anecdotal at best, and does not provide a complete picture of ICANN's history of vulnerability to cyber-attacks or cyber-incidents, or the manner of its internal response to such incidents, or of the involvement of external law enforcement agencies or CIRTs in combating cyber-incidents on ICANN.

ICANN's response may be found here. A short summary our request and ICANN's response may be found in this table (Request S. no. 3).

[1] See ICANN targeted in spear-phishing attack, https://www.icann.org/news/announcement-2-2014-12-16-en.

[2] See IANA Systems not compromised, https://www.icann.org/news/announcement-2014-12-19-en.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-3-cyber-attacks-on-icann

DIDP Request #5: The Ombudsman and ICANN's Misleading Response to Our Request

geetha — 2015-03-06T11:11:31Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of the complaints received and resolved, parties involved and the nature of complaints under the Ombudsman process. CIS' request and ICANN's response are detailed below. ICANN's response is misleading in its insistence on confidentiality of all Ombudsman complaints and resolutions.

CIS Request

26 December 2014

To:
Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, CEO and President

Mr. Chris LaHatte, Ombudsman, ICANN

Sub: Details regarding complaints submitted to the ICANN Ombudsman

We are very pleased to note that ICANN’s transparency and accountability mechanisms include maintaining a free, fair and impartial ombudsman. It is our understanding that any person with a complaint against the ICANN Board, staff or organization, may do so to the designated ombudsman.[1] We also understand that there are cases that the ICANN ombudsman does not have the authority to address.

In order to properly assess and study the efficiency and effectiveness of the ombudsman system, we request you to provide us with the following information:

(i) A compilation of all the cases that have been decided by ICANN ombudsmen in the history of the organization.

(ii) The details of the parties that are involved in the cases that have been decided by the ombudsmen.

(iii)A description of the proceedings of the case, along with the party that won in each instance.

Further, we hope you could provide us with an answer as to why there have been no ombudsman reports since the year 2010, on the ICANN website.[2] Additionally, we would like to bring to your notice that the link that provides the ombudsman report for the year 2010 does not work.

In order to properly assess the mechanism that ICANN uses for grievance redressal, it would be necessary to examine the details of all the cases that ICANN ombudsmen have presided over in the past. In this regard, kindly provide us with the above information.

We do hope that you will be able to furnish this information to us within the stipulated time period of 30 days. Do not hesitate to contact us if you have any doubts regarding our queries. Thank you so much.

Yours sincerely,
Lakshmi Venkataraman
NALSAR University of Law, Hyderabad, for Centre for Internet & Society
W: http://cis-india.org

ICANN Response

In its response, ICANN declines our request on grounds of confidentiality. It refers to the ICANN Bylaws on the office of the Ombudsman to argue that all matters brought before the Ombudsman "shall be treated as confidential" and the Ombudsman shall "take all reasonable steps necessary to preserve the privacy of, and to avoid harm to, those parties not involved in the complaint being investigated by the Ombudsman". ICANN states that the Ombudsman publishes Annual Reports, in which he/she provides a "consolidated analysis of the year's complaints and resolutions", including "a description of any trends or common elements of complaints received". In sum, ICANN states that making Ombudsman Requests public would violate ICANN Bylaws, and topple the independence and integrity of the Ombudsman.

These are, perhaps, valid reasons to decline our DIDP request. But it is important to investigate ICANN's reasons. The ICANN Board appoints the Ombudsman for 2 year terms, under Article V of ICANN’s Bylaws. As we note in an earlier post, the Ombudsman’s principal function is to receive and dispose of complaints about unfair treatment by the ICANN Board, Staff or constituency. He/she reports to the ICANN Board alone. He/she also reports on the categories of complaints he receives, and statistics regarding decisions in his Annual Reports; no details are forthcoming for stated reasons of confidentiality and privacy. It is clear, therefore, that the Ombudsman receives and disposes of complaints under a procedure that is inadequately transparent.

ICANN argues, however, that for reasons of confidentiality and integrity of the Ombudsman office, ICANN is unable to disclose details regarding Ombudsman complaints, the complainants/respondents and a description of the proceedings (including the decision/resolution). Indeed, ICANN states its "Bylaws and the Ombudsman Framework obligates the Ombudsman to treat all matters brought before him as confidential and 'to take reasonable steps necessary to preserve the privacy of, and to avoid harm to, those parties not involved in the complaint being investigated by the Ombudsman'.” For this reason, ICANN considers that "Disclosing details about the parties involved and the nature of the cases that have been decided by the Ombudsmen would not only compromise the confidentiality of the Ombudsman process but would also violate the ICANN Bylaws and the Ombudsman Framework."

While the privacy of parties both involved and "not involved in the complaint" can be preserved (by redacting names, email addresses and other personal identification), how valid is ICANN's dogged insistence on confidentiality and non-disclosure? Let's look at Article V of ICANN's Bylaws and the Ombudsman Framework both.

Do ICANN Bylaws bind the Ombudsman to Confidentiality?

Under Article V, Section 1(2) of ICANN's Bylaws, the Ombudsman is appointed by the ICANN Board for a 2 year term (renewable). As noted earlier, the Ombudsman's principal function is to “provide an independent internal evaluation of complaints by members of the ICANN community who believe that the ICANN staff, Board or an ICANN constituent body has treated them unfairly” or inappropriately (Art. V, Section 2). The Ombudsman is not a judge; his conflict resolution tools are "negotiation, facilitation, and 'shuttle diplomacy'.

According to Art. V, Section 3(3), the Ombudsman has access to "all necessary information and records from staff and constituent bodies" to evaluate complaints in an informed manner. While the Ombudsman can access these records, he may not "publish if otherwise confidential". When are these records confidential, then? Section 3(3) supplies the answer. The confidentiality obligations are as "imposed by the complainant or any generally applicable confidentiality policies adopted by ICANN". For instance, the complainant can waive its confidentiality by publishing the text of its complaint and the Ombudsman's response to the same (such as the Internet Commerce Association's complaint regarding the Implementation Review Team under the new gTLD program), or a complaint may be publicly available on a listserv. In any event, there is no blanket confidentiality obligation placed on the Ombudsman under ICANN's Bylaws.

Moreover, the Ombudsman also publishes Annual Reports, in which he/she provides a "consolidated analysis of the year's complaints and resolutions", including "a description of any trends or common elements of complaints received". That is, the Ombudsman's Annual Report showcases a graph comparing the increase in the number of complaints, categories of complaints (i.e., whether the complaints fall within or outside of the Ombudsman's jurisdiction), and a brief description of the Ombudsman's scope of resolution and response. The Annual Reports indicate that the mandate of the Ombudsman's office is extremely narrow. In 2014, for instance, 75 out of 467 complaints were within Mr. LaHatte's jurisdiction (page 5), but he notes that his ability to intervene is limited to "failures in procedure". As an input to the ATRT2 Report noted, the Office of the Ombudsman “appears so restrained and contained” (page 53). As the ATRT2 noted, "ICANN needs to reconsider the Ombudsman’s charter and the Office’s role as a symbol of good governance to be further incorporated in transparency processes"; the Office's transparency leaves much to be desired.

But I digress.

The Ombudsman is authorised to make reports on any complaint and its resolution (or lack thereof) to the ICANN Board, and unless the Ombudsman says so in his sole discretion, his reports are to be posted on the website (Art. V, Section 4(4)). The Ombudsman can also report on individual requests, such as Mr. LaHatte's response to a complaint regarding a DIDP denial (cached). Some reports are actually available on the Ombudsman page; the last published report dates back to 2012, though in 2013 and 2014, the Ombudsman dealt with more complaints within his jurisdiction than in 2012 or prior. So ICANN's argument that disclosing the information we ask for in our DIDP Request would violate ICANN Bylaws and the confidentiality of the Ombudsman is misleading.

Does the Ombudsman Framework Prohibit Public Reporting?

So if ICANN Bylaws do not ipso facto bind the Ombudsman's complaint and conflict resolution process to confidentiality, does the Ombudsman Framework do so?

The Ombudsman does indeed have confidentiality obligations under the Ombudsman Framework (page 4). All matters brought before the Ombudsman shall be treated as confidential, and the identities of parties not involved in the complaint are required to be protected. The Ombudsman may reveal the identity of the complainant to the ICANN Board or Staff only to further the resolution of a complaint (which seems fairly obvious); this obligation is extended to ICANN Board and Staff as well.

As the Framework makes crystal clear, the identity of complainants are to be kept confidential. Nothing whatsoever binds the Ombudsman from revealing the stakeholder group or affiliation of the complainants - and these are possibly of more importance. What stakeholders most often receive unfair or inappropriate treatment from ICANN Board, Staff or constituent bodies? Does business suffer more, or do non-commercial users, or indeed, governments? It is good to know what countries the complaints come from (page 4-5), but given ICANN's insistence on its multi-stakeholder model as a gold standard, it is important to know what stakeholders suffer the most in the ICANN system.

In fact, in the first page, the Ombudsman Framework says this: "The Ombudsman may post complaints and resolutions to a dedicated portion of the ICANN website (http://www.icann.org/ombudsman/): (i) in order to promote an understanding of the issues in the ICANN community; (ii) to raise awareness of administrative fairness; and (iii) to allow the community to see the results of similar previous cases. These postings will be done in a generic manner to protect the confidentiality and privilege of communicating with the Office of Ombudsman." But the ICANN website does not, in fact, host records of any Ombudsman complaints or resolutions; it links you only to the Annual Reports and Publications.

As I've written before, the Annual Reports provide no details regarding the nature of each complaint, their origins or resolution, and are useful if the only information we need is bare statistics of the number of complaints received. That is useful, but it's not enough. Given that the Ombudsman Framework does allow complaint/resolution reporting, it is baffling that ICANN's response to our DIDP request chooses to emphasise only the confidentiality obligations, while conveniently leaving out the parts enabling and encouring reporting.

Should ICANN Report the Ombudsman Complaints?

Of course it should. The Ombudsman is aimed at filling an integral gap in the ICANN system - he/she listens to complaints about treatment by the ICANN Board, Staff or constituent bodies. As the discussions surrounding the appeal procedures in the CWG-Names show, and as the ATRT2 recommendations on Reconsideration and Independent Review show, conflict resolution mechanisms are crucial in any environment, not least a multi-stakeholder one. And in an organisation that leaves much desired by way of accountability and transparency, not reporting on complaints against the Board, staff or constituencies seems a tad irresponsible.

If there are privacy concerns regarding the identities of complainants, their personal identifying information can be redacted. Actually, in the complaint form, adding a waiver-of-confidentiality tick-box would solve the problem, allowing the complainant to choose whether to keep his/her complaint unreportable. But the details of the respondents ought to be reported; as the entity responsible and accountable, ICANN should disclose whom complaints have been made against.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 5).

[1] See What the Ombudsman can do for you, https://www.icann.org/resources/pages/contact- 2012-02-25-en.

[2] See Annual Reports & Publications, https://www.icann.org/resources/pages/reports-96-2012- 02-25-en.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-5-the-ombudsman-and-icanns-misleading-response-to-our-request-1

DIDP Request #7: Globalisation Advisory Groups

geetha — 2015-03-17T10:07:26Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking information regarding the creation and dissolution of the President's Globalisation Advisory Groups. The GAGs were created to advise the ICANN Board on its globalisation efforts, and to address questions on Affirmation of Commitments (AOC), policy structures, legal structure, root server system, the IANA multistakeholder accountability, and Internet governance. CIS' request and ICANN's response are detailed below.

CIS Request

12 January 2015

To:
Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Ms. Theresa Swineheart, Senior Advisor to the President on Strategy

Mr. Samiran Gupta, ICANN India

Sub: Creation and dissolution of the President’s Globalisation Advisory Groups

On 17 February 2014, at a Special Meeting of the ICANN Board, the Board passed a resolution creating the President’s Globalisation Advisory Groups.1 Six Globalisation Advisory Groups were created, including on IANA globalization, legal structures, Internet governance, the Affirmation of Commitments, policy structures and the root server system.2 According to the minutes of the meeting, the Advisory Groups were to meet with the community at ICANN49 (Singapore, March 2014), make recommendations to the Board, and the Board would present their reports at ICANN50 (London, June 2014).3 Mr. Chehade was vested with the authority to change the Advisory Groups and their composition without the need for a further resolution, but the manner of dissolution was not laid out.

ICANN lists the Advisory Groups on its “Past Groups” page, with no further information.4 Presumably, the Groups remained in existence for at most one month. No explanation is provided for the reasons regarding the dissolution of all the Advisory Groups. There are no reports or transcripts of meetings with the community at ICANN49 or recommendations to Mr. Chehade or the Board.

The Globalisation Advisory Groups covered issues crucial for ICANN and the global Internet governance community, including its seat (“Legal Structures”), the Affirmation of Commitments (considered critical for ICANN’s accountability), the IANA stewardship transition, and ICANN’s (increasing) involvement in Internet governance. Given this, we request the following information:

Of the six Globalisation Advisory Groups created, is any Group active as of today (12 January 2015)?
When and how many times did any of the Groups meet?
On what date were the Groups dissolved? Were all Groups dissolved on the same date?
By what mechanism did the dissolution take place (oral statement, email)? If the dissolution occurred by way of email or statement, please provide a copy of the same.
Did any of the six Globalisation Advisory Groups present any report, advice, or recommendations to Mr. Chehade or any member(s) of the Board, prior to their dissolution? If yes, please provide the report/recommendations (if available) and/or information regarding the same.
Why were the Advisory Groups dissolved? Has any reason been recorded, and if not, please provide an explanation.

We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.

Thank you very much.

Warm regards,
Geetha Hariharan
Centre for Internet & Society

ICANN Response

ICANN's response to this request is positive. ICANN states that the Board did indeed set up the six Globalisation Advisory Groups (GAGs) on 17 February 2014 to tackle issues surrounding ICANN's globalisation efforts. The Affirmation of Commitments (AOC), policy structures, legal structure, root server system, the IANA multistakeholder accountability, and Internet governance were issues taken up by the GAGs. However, after the NTIA made its announcement regarding the IANA transition in March 2014, the GAGs were disbanded so as to avoid duplication of work on issues that "had a home in the global multistakeholder discussions". As a result, by a Board resolution dated 27 March 2014, the GAGs were dissolved.

This is an example of a good response to an information request. Some documentation regarding the creation and dissolution of the GAGs existed, such as the Board resolutions. The response points us to these documents, and summarises the reasons for the GAGs' creation and dissolution.

It is possible that this response is clear/comprehensive because the GAGs no longer exist, and in any event, did not perform any work worth writing about. Queries about ICANN's involvement in Internet governance (NETmundial, the NETmundial Initiative, etc.) garner responses that are, to say it informally, cage-y and surrounded by legalese.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 7).

[1] See Approved Board Resolutions | Special Meeting of the Board, https://www.icann.org/resources/board-material/resolutions-2014-02-17-en.

[2] See President’s Globalisation Advisory Groups, https://www.icann.org/en/system/files/files/globalization-19feb14-en.pdf.

[3] See Minutes | Special Meeting of the Board, https://www.icann.org/resources/board- material/minutes-2014-02-17-en.

[4] See Past Committees, Task Forces, and Other Groups, https://www.icann.org/resources/pages/past-2012-02-25-en.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-7-globalisation-advisory-groups

DIDP Request #8: ICANN Organogram

geetha — 2015-03-17T11:39:16Z

CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of its oragnisational structure and headcount of all staff. CIS' request and ICANN's response are detailed below.

CIS Request

13 January 2015

To:

Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, President and CEO

Mr. Samiran Gupta, ICANN India

Sub: ICANN organogram

In order to understand ICANN’s organizational structure, decision-making and day-to-day functioning, may we request an organogram of ICANN. We request that the organogram include ICANN’s reporting hierarchy, mentioning positions held in all departments. Wherever possible (such as middle and senior management), we request names of the ICANN staff holding the positions as well. Along with this, could you also provide a count per department of the number of ICANN staff employed in all departments as of this date?

We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN does not provide all the information we requested, but it responded with the following:

First, ICANN has responded that its current staff headcount is approx. 310. ICANN states that it already makes publicly available an organisational chart. This is immensely useful, for it sets out the reporting hierarchies at senior and mid-managerial levels. However, it doesn't tell us the organisational structure categorised by all departments and staff in the said departments. The webpages of some of ICANN's departments list out some of its staff; for instance, Contractual Compliance, Global Stakeholder Engagement and Policy Development (scroll down).

What you will notice is that ICANN provides us a list of staff, but we cannot be sure whether the team includes more persons than those mentioned. Second, a quick glance at the Policy Development staff makes clear that ICANN selects from outside this pool to coordinate the policy development. For instance, the IANA Stewardship Transition (the CWG-IANA) is supported by Ms. Grace Abuhamad, who is not a member of the policy support staff, but coordinates the IANA mailing list and F2F meetings anyway. What this means is that we're no longer certain who within ICANN is involved in policy development and support, whom they report to, and where the Chinese walls lie. This is why an organogram is necessary: the policy-making and implementation functions in ICANN may be closely linked because of staff interaction, and effective Chinese walls would benefit from public scrutiny.

Now, ICANN says that one may explore staff profiles on the Staff page. While short biographies/profiles are available for most staff on the Staff page, it's unclear what departments they work in, how many staff members work each in department, whom they report to, and what the broad range of their responsibilities include.

Privacy concerns do not preclude the disclosure of such information for two reasons. First, staff profiles imply a consent to making staff information public (at least their place in the organisational structure, if not their salaries, addresses, phone extension numbers, etc.). Second, such information is necessary and helpful to scrutinise the effectiveness of ICANN's functioning. Like the example of the policy-making process mentioned above, greater transparency in internal functioning will itself serve as a check against hazards like partisanism, public comment aggregation, drafting of charters for policy-making and determining scope, etc. While the functioning itself may or need not change, scrutiny can ensure responsibility from ICANN and its staff.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 8).

For more details visit https://cis-india.org/internet-governance/blog/didp-request-8-organogram

Navigating the 'Reconsideration' Quagmire (A Personal Journey of Acute Confusion)

Padmini Baruah and Geetha Hariharan — 2016-11-30T13:48:41Z

An earlier analysis of ICANN’s Documentary Information Disclosure Policy already brought to light our concerns about the lack of transparency in ICANN’s internal mechanisms. Carrying my research forward, I sought to arrive at an understanding of the mechanisms used to appeal a denial of DIDP requests. In this post, I aim to provide a brief account of my experiences with the Reconsideration Request process that ICANN provides for as a tool for appeal.

Backdrop: What is the Reconsideration Request Process?

The Reconsideration Request process has been laid down in Article IV, Section 2 of the

ICANN Bylaws. Some of the key aspects of this provision have been outlined below^{^[1]},

ICANN is obligated to institute a process by which a person materially affected by ICANN action/inaction can request review or reconsideration.

To file this request, one must have been adversely affected by actions of the staff or the board that contradict ICANN’s policies, or actions of the Board taken up without the Board considering material information, or actions of the Board taken up by relying on false information.
A separate Board Governance Committee was created with the specific mandate of reviewing Reconsideration requests, and conducting all the tasks related to the same.
The Reconsideration Request must be made within 15 days of:
- FOR CHALLENGES TO BOARD ACTION: the date on which information about the challenged Board action is first published in a resolution, unless the posting of the resolution is not accompanied by a rationale, in which case the request must be submitted within 15 days from the initial posting of the rationale;
- FOR CHALLENGES TO STAFF ACTION: the date on which the party submitting the request became aware of, or reasonably should have become aware of, the challenged staff action, and
- FOR CHALLENGES TO BOARD OR STAFF INACTION: the date on which the affected person reasonably concluded, or reasonably should have concluded, that action would not be taken in a timely manner

.The Board Governance Committee is given the power to summarily dismiss a reconsideration request if:
- the requestor fails to meet the requirements for bringing a Reconsideration Request;
- it is frivolous, querulous or vexatious; or
- the requestor had notice and opportunity to, but did not, participate in the public comment period relating to the contested action, if applicable

If not summarily dismissed, the Board Governance Committee proceeds to review and reconsider.
A requester may ask for an opportunity to be heard, and the decision of the Board Governance Committee in this regard is final.

The basis of the Board Governance Committee’s action is public written record information submitted by the requester, by third parties, and so on.
The Board Governance Committee is to take a decision on the matter and make a final determination or recommendation to the Board within 30 days of the receipt of the Reconsideration request, unless it is impractical to do so, and it is accountable to the Board to make an explanation of the circumstances that caused the delay.
The determination is to be made public and posted on the ICANN website.

ICANN has provided a neat infographic to explain this process in a simple fashion, and I am reproducing it here:

(Image taken from https://www.icann.org/resources/pages/accountability/reconsiderationen)

Our Tryst with the Reconsideration Process

The Grievance
Our engagement with the Reconsideration process began with the rejection of two of our requests (made on September 1, 2015) under ICANN’s Documentary Information Disclosure Policy. The requests sought information about the registry and registrar compliance audit process that ICANN maintains, and asked for various documents pertaining to the same^{^[2]}:

Copies of the registry/registrar contractual compliance audit reports for all the audits carried out as well as external audit reports from the last year (20142015).
A generic template of the notice served by ICANN before conducting such an audit.
A list of the registrars/registries to whom such notices were served in the last year.
An account of the expenditure incurred by ICANN in carrying out the audit process.
A list of the registrars/registries that did not respond to the notice within a reasonable period of time.
Reports of the site visits conducted by ICANN to ascertain compliance.
Documents which identify the registries/registrars who had committed material discrepancies in the terms of the contract.
Documents pertaining to the actions taken in the event that there was found to be some form of contractual noncompliance.
A copy of the registrar selfassessment form which is to be submitted to ICANN.

ICANN integrated both the requests and addressed them via one response on 1 October, 2015 (which can be found here). In their response, ICANN inundated us with already available links on their website explaining the compliance audit process, and the processes ancillary to it, as well as the broad goals of the programme none of which was sought for by us in our request. ICANN then went on to provide us with information on their ThreeYear Audit programme, and gave us access to some of the documents that we had sought, such as the preaudit notification template, list of registries/registrars that received an audit notification, the expenditure incurred to some extent, and so on .

Individual contracted party reports were denied to us on the basis of their grounds for nondisclosure. Further, and more disturbingly, ICANN refused to provide us with the names of the contracted parties who had been found under the audit process to have committed discrepancies. Therefore, a large part of our understanding of the way in which the compliance audit process works remains unfinished.

What we did

Dissatisfied with this response, I went on to file a Reconsideration request (number 1522) as per their standard format on November 2, 2015. (The request filed can be accessed here).As grounds for reconsideration, I stated that “As a part of my research I was tracking the ICANN compliance audit process, and therefore required access to audit reports in cases where discrepancies where formally found in their actions. This is in the public interest and therefore requires to be disclosed...While providing us with an array of detailed links explaining the compliance audit process, the ICANN staff has not been able to satisfy our actual requests with respect to gaining an understanding of how the compliance audits help in regulating actions of the registrars, and how they are effective in preventing breaches and discrepancies.” Therefore, I requested them to make the records in question publicly available “We request ICANN to make the records in question, namely the audit reports for individual contracted parties that reflect discrepancies in contractual compliance, which have been formally recognised as a part of your enforcement process. We further request access to all documents that relate to the expenditure incurred by ICANN in the process, as we believe financial transparency is absolutely integral to the values that ICANN stands by.”

The Board Governance Committee’s response³

The determination of the Board Governance Committee was that our claims did not merit reconsideration, as I was unable to identify any “misapplication of policy or procedure by the ICANN Staff”, and my only issue was with the substance of the DIDP Response itself, and substantial disagreements with a DIDP response are not proper bases for reconsideration

(emphasis supplied).

The response of the Board Governance Committee was educative of the ways in which they determine Reconsideration Requests. Analysing the DIDP process, it held that ICANN was well within its powers to deny information under its defined Conditions for NonDisclosure, and denial of substantive information did not amount to a procedural violation. Therefore, since the staff adhered to established procedure under the DIDP, there was no basis for our grievance, and our request was dismissed..

Furthermore, as a postscript, it is interesting to note that the Board Governance Committee delayed its response time by over a month, by its own admission “In terms of the timing of the BGC’s recommendation, it notes that Section 2.16 of Article IV of the Bylaws provides that the BGC shall make a final determination or recommendation with respect to a reconsideration request within thirty days, unless impractical. To satisfy the thirtyday deadline, the BGC would have to have acted by 2 December 2015. However, due to the timing of the BGC’s meetings in November and December, the first practical opportunity for the BGC to consider Request 1522 was 13 January 2016.”⁴

Whither do I wander now?

To me, this entire process reflected the absurdity of the Reconsideration request structure as an appeal mechanism under the Documentary Information Disclosure Policy. As our experience indicated, there does not seem to be any way out if there is an issue with the substance of ICANN’s response. ICANN, commendably, is particular about following procedure with respect to the DIDP. However, what is the way forward for a party aggrieved by the flaws in the existing policy? As I had analysed earlier, the grounds for ICANN to not disclose information are vast, and used to deny a large chunk of the information requests that they receive. How is the hapless requester to file a meaningful appeal against the outcome of a bad policy, if the only ground for appeal is noncompliance with the procedure of said bad policy? This is a serious challenge to transparency as there is no other way for a requester to acquire information that ICANN may choose to withold under one of its myriad clauses. It cannot be denied that a good information disclosure law ought to balance the free disclosure of information with the holding back of information that truly needs to be kept private.^{^[3]}^{^[4]} However, it is this writer’s firm opinion that even instances where information is witheld, there has to be a stronger explanation for the same, and moreover, an appeals process that does not take into account substantive issues which might adversely affect the appellant falls short of the desirable levels of transparency. Global standards dictate that grounds for appeal need to be broad, so that all failures to apply the information disclosure law/policy may be remedied.⁶ Various laws across the world relating to information disclosure often have the following as grounds for appeal: an inability to lodge a request, failure to respond to a request within the set time frame, a refusal to disclose information, in whole or in part, excessive fees and not providing information in the form sought, as well as a catchall clause for other failures.⁷

Furthermore, independent oversight is the heart of a proper appeal mechanism in such situations^{^[5]}; the power to decide the appeal must not rest with those who also have the discretion to disclose the information, as is clearly the case with ICANN, where the Board Governance Committee is constituted and appointed by the ICANN Board itself [one of the bodies against whom a grievance may be raised].

Suggestions

We believe ICANN, in keeping with its global, multistakeholder, accountable spirit, should adopt these standards as well, especially now that the transition looms around the corner. Only then will the standards of open, transparent and accountable governance of the Internet upheld by ICANN itself as the ideal be truly, meaningfully realised. Accordingly, the following standards ought to be met with:

Establishment of an independent appeals authority for information disclosure cases
Broader grounds for appeal of DIDP requests
Inclusion of disagreement with the substantive content of a DIDP response as a ground for appeal.
Provision of proper reasoning for any justification of the witholding of information that is necessary in the public interest.

[1] Article IV, Section 2, ICANN Bylaws, 2014 available at https://www.icann.org/resources/pages/governance/bylawsen/#IV

[2] Copies of the request can be found here and here.

[3] Katherine Chekouras, Balancing National Security with a Community's RighttoKnow: Maintaining

Public Access to Environmental Information Through EPCRA 's NonPreemption Clause, 34 B.C. Envtl. Aff. L. Rev 107, (2007).

[4] Toby Mendel, Freedom of Information: A Comparative Legal Study 151 (2nd edn, 2008).

Id, at 152

³4 Available here. https://www.icann.org/en/system/files/files/reconsideration1522cisfinaldetermination13jan16en.pdf

[5] Mendel, supra note 6.

For more details visit https://cis-india.org/internet-governance/blog/navigating-reconsideration-quagmire-a-personal-journey-of-acute-confusion

CIS Response to ICANN's proposed renewal of .org Registry

akriti — 2019-04-28T02:16:40Z

We thank ICANN for the opportunity to comment on this issue of its proposed renewal of the .org Registry Agreement with the operator, Public Interest Registry (PIR). Supporting much of the community , we too find severe issues with the proposed agreement. These centre around the removal of price caps and imposing obligations being currently deliberated in an ongoing Policy Development Process (PDP).

Presumption of Renewal

CIS has, in the past, questioned the need for a presumption of renewal in registry contracts and it is important to emphasize this within the context of this comment as well. We had, also, asked ICANN for their rationale on having such a practice with reference to their contract with Verisign to which they responded saying:

“Absent countervailing reasons, there is little public benefit, and some significant potential for disruption, in regular changes of a registry operator. In addition, a significant chance of losing the right to operate the registry after a short period creates adverse incentives to favor short term gain over long term investment.”

This logic can presumably be applied to the .org registry, as well, yet a re-auction of ,even, legacy top-level domains can only serve to further a fair market, promote competition and ensure that existing registries do not become complacent.

These views were supported in the course of the PDP on Contractual Conditions - Existing Registries in 2006 wherein competition was seen useful for better pricing, operational performance and contributions to registry infrastructure. It was also noted that most service industries incorporate a presumption of competition as opposed to one of renewal.

Download the file to access our full response.

For more details visit https://cis-india.org/internet-governance/blog/akriti-bopanna-april-28-2019-cis-response-to-icanns-proposed-renewal-of-org-registry

DIDP Request #10 - ICANN does not know how much each RIR contributes to its Budget

asvatha — 2016-07-27T14:57:00Z

In an effort to understand the relationship between the Regional Internet Registries (RIRs) and ICANN, we requested current and historical information on the contract fees paid by the five RIRs (AfriNIC, ARIN, APNIC, LACNIC and RIPE NCC) to ICANN annually.

We acknowledged that the independently audited financial reports on ICANN’s website list the total amount from all RIRs as a lump sum.[1] However, we specifically sought a breakdown of these fees detailing contributions made by each RIR from 1999 to 2014. Not only will this information help understand the RIR-ICANN relationship, it will also be relevant to the IANA transition.

The request filed by Protyush Choudhury can be found here.

What ICANN said

According to ICANN’s response to our request, the five RIRs (AfriNIC, ARIN, APNIC, LACNIC and RIPE NCC) make a voluntary annual contribution to ICANN’s budget through the Number Resource Organization (NRO). [2] Since Financial Year 2000, this contribution has been made to ICANN as an aggregate amount without the kind of breakdown requested by us with the exception of FY03, FY04 and FY05. The breakdown of the contribution for those years is as below:

FY03: APNIC - $129,400; ARIN - $159,345; RIPE - $206,255
FY04: APNIC - $160,500; ARIN - $144,450; RIPE - $224,700; LACNIC - $5,350
FY05: APNIC - $220,976; ARIN - $218,507; RIPE - $358,086; LACNIC - $25,431

The response links back to the independent financial reports mentioned by us in the request. These reports can be found on the ICANN website here.

On closer examination of the audit reports of FY03, 04 and 05, it is clear that the information provided in their response is either incomplete or incorrect. According to KPMG’s audit report of FY03, the total contribution from Address Registries is US$535,000. The breakdown in the response adds up only to $494,600. The response does not account for the extra $40,400. If only APNIC, ARIN and RIPE contributed to ICANN in 2003, where did the other $40,400 come from? Moreover, why is it listed as an Address Registry Fee in the audit report if it was a voluntary contribution?[3]

The “Address Registry Fees” in the audit reports for FY04 and FY05 match the amounts in the response: $535,000 and $823,00 respectively. ICANN's response to our DIDP request may be found here.

For the reader’s reference, the audit reports for FY00 - FY14 are linked below:

[1] See audited financial reports: https://www.icann.org/resources/pages/governance/current-en

[2] See letter from NRO to ICANN: https://www.icann.org/en/system/files/files/akplogan-to-twomey-23mar09-en.pdf

[3]. See report for FY03 (pg 4): https://www.icann.org/en/system/files/files/financial-report-fye-30jun03-en.pdf

For more details visit https://cis-india.org/internet-governance/blog/didp-request-10-icann-does-not-know-how-much-each-rir-contributes-to-its-budget

DIDP Request #9 - Exactly how involved is ICANN in the NETmundial Initiative?

asvatha — 2016-07-27T15:53:22Z

The importance and relevance of knowing ICANN’s involvement in the NETmundial Initiative cannot be overstated.

It was reported recently that ICANN contributed US$200,000 to the Initiative.[1] Following this report, we requested the details of all expenses incurred by ICANN for NMI till date. This includes formal contributions to NMI as well as costs incurred towards travel and accommodation of ICANN board and staff to meetings relevant to the NMI discussion.

Apart from these financial details, we also requested information regarding the number of staff working on NMI from ICANN and the hours clocked by them for the same. We further specified that we would like this information to gauge ICANN’s involvement beyond its technical mandate. The request filed by Geetha Hariharan can be found here.

What ICANN said

In its response, ICANN separated the questions in the request into two categories: a) Expenses incurred by ICANN towards the NETmundial Initiative and b) Other resources (personnel and hours) allocated to the Initiative by ICANN. The first category in the request includes: formal contribution to the NETmundial Initiative; travel costs of ICANN board and staff; and costs of maintenance of other sponsored parties. The second includes the number of staff involved in the NETmundial Initiative from ICANN and the number of hours spent working on it.

To answer both, the response directs us to the Memorandum of Collaboration (MOC)[2]signed by the Brazilian Internet Steering Committee (CGI.br), ICANN and the World Economic Forum (WEF) to set up the NETmundial Initiative according to the outcome document from the initial NETmundial meeting in Sao Paulo, Brazil.

Some of the important takeaways from the MOC that are relevant to our request are the following:

Each party to the MOC agrees to pay $201,667 towards operational expenses on signature of the agreement.
Total anticipated cost of the NETmundial Initiative is $605,000 (also mentioned in the response).
Each party will assign 1 staff member to the NETmundial Initiative secretariat during the inaugural period to smoothen the process. This staff member will commit at least 50% of their time towards Secretariat work.

This information is important but it does not provide a comprehensive answer to our query. It does not, for example, answer if ICANN contributed anything more than the $201,667 the MOC specifies. It also does not tell us if ICANN allotted any staff apart from the designated secretariat member to work on NETmundial Initiative.

Further, the response states that ICANN does not keep track of costs according to the number of hours or the topic but rather according to strategic objectives. Since ICANN is not required to create a document that does not already exist to answer a DIDP enquiry,[3] we have no way of knowing the specific amount of time or money spent on the NETmundial Initiative by ICANN. The response instead directs us to the financial presentation at ICANN50 where the costs of attending the NETmundial Meeting at Sao Paulo is detailed. While this is interesting (ICANN spent $1.5 million)[4] it is not a satisfactory answer to our question.

ICANN justifies its lack of direct answers by expressing that not only is the request “overbroad", it is also “subject to the following DIDP Condition of Nondisclosure: Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; and (iii) complying with which is not feasible.”[5]

ICANN's response to our DIDP request may be found here.

[1] See McCarthy, ‘I’m Begging You To Join’ – ICANN’s NETmundial Initiative gets desperate, THE REGISTER (12 December 2014), http://www.theregister.co.uk/2014/12/12/im begging you to join netmundial initiative gets d esperate/

[2] See MOC: https://www.netmundial.org/sites/default/files/MOC-%20CGI.br,%20ICANN%20&%20WEF.pdf

[3] See Disclosure Policy: https://www.icann.org/resources/pages/didp-2012-02-25-en

[4] See ICANN50 Finance Presentation (Pg 4): https://london50.icann.org/en/schedule/thu-finance/presentation-finance-26jun14-en

[5] See ICANN conditions for non-disclosure: https://www.icann.org/resources/pages/didp-2012-02-25-en

For more details visit https://cis-india.org/internet-governance/blog/didp-request-9-exactly-how-involved-is-icann-in-the-netmundial-initiative

CIS representation at ICANN 58

praskrishna — 2017-03-28T14:22:22Z

The Internet Corporation for Assigned Names and Numbers (ICANN) organized ICANN 58 at Copenhagen from March 9 to March 16, 2017. On behalf of the Centre for Internet & Society (CIS), Vidushi Marda participated in the event and made a presentation.

CIS' focus at ICANN can broadly be divided into four heads: human rights, jurisdiction, transparency and accountability. Since March last year, we have also been pushing for changes in ICANN's expected standards of behavior, along with adoption of an anti harassment policy. After the IANA transition in September last year, the community is now divided into sub groups (SGs) that look into different issues for ICANN post transition, including the 4 that CIS works on. More information on ICANN 58 can be accessed here.

For more details visit https://cis-india.org/internet-governance/news/cis-representation-at-icann-58

NTIA to give up control of the Internet's root

pranesh — 2014-03-18T18:21:40Z

On Friday evening the U.S. government's National Telecommunications and Information Administration (NTIA) announced that it was setting into motion a transition to give up a few powers that it holds over some core Internet functions, and that this would happen by September 2015. Pranesh Prakash provides a brief response to that announcement.

As it noted in the NTIA's press release:

NTIA’s responsibility includes the procedural role of administering changes to the authoritative root zone file – the database containing the lists of names and addresses of all top-level domains – as well as serving as the historic steward of the [Domain Name System (DNS)]. NTIA currently contracts with [the Internet Corporation for Assigned Names and Numbers, ICANN] to carry out the Internet Assigned Numbers Authority (IANA) functions and has a Cooperative Agreement with Verisign under which it performs related root zone management functions. Transitioning NTIA out of its role marks the final phase of the privatization of the DNS as outlined by the U.S. Government in 1997.

This move was welcomed by "Internet technical leaders".

While this announcement cannot be said to be unexpected, it is nonetheless an important one and is also a welcome one. The NTIA seems to have foreclosed any option of the US government's role being performed by any government-led organization by noting in their press release, "NTIA will not accept a proposal that replaces the NTIA role with a government-led or an inter-governmental organization solution," once again reaffirming their belief in American exceptionalism: the NTIA could fulfil its role despite being a government, but now even a body involving multiple stakeholders can't replace the NTIA's role if it is going to be government-led.

Unfortunately, this announcement to relax American "stewardship" or "oversight" over some aspects of the Internet's technical functioning cannot restore the trust that has been lost due to actions taken by the US government and US companies. This new announcement won't change the US government's ability to 'tap' the Internet, nor will it affect their ability to unilaterally seize .com/.net/.name/.org/.edu/.tv/.cc/.us and other US-based domain names. Nor will a shift away from NTIA oversight lead to any of the chilling visions that some believe might lie in our future: the fears of the Association of National Advertisers and of some politicians and members of the US Congress is based on ignorance of what NTIA's role is.

The European Commission in a communiqué last month noted: "recent revelations of large-scale surveillance have called into question the stewardship of the U.S. when it comes to Internet governance". Unfortunately, the U.S. giving up that stewardship role will not prevent the continuation of their large-scale surveillance, just as the lack of such a stewardship role has not prevented other governments — U.K., India, Canada, Sweden, France, etc. — from engaging in large-scale surveillance.

There are three main benefits from the U.S. giving up this role.

First, it will put an end to the political illegitimacy of the U.S. government having a core authority in a global system, somehow making it first among equals;
Second, will focus light on ICANN, which under US oversight performs the IANA functions, and might, one hopes, lead to needed reform in ICANN's other functions;
Third, it will allow us to collectively move on from this dreaded political issue at the heart of Internet governance, which nevertheless is of little practical consequence if ICANN's accountability mechanisms are strengthened. As difficult as it may be, ICANN has to be accountable not just to one government or another but to the world, and ensuring that accountability to all doesn't become accountability to none, as NetChoice's Steve DelBianco put it, is the formidable task ahead of us.

Yet, all the ICANN reform in the world will still not lead to a less spied-upon, more open, and more equitable Internet.

For more details visit https://cis-india.org/internet-governance/blog/ntia-to-give-up-control-of-internets-root

NETmundial and Suggestions for IANA Administration

smarika — 2014-04-23T04:00:49Z

Following NTIA's announcement to give up control over critical Internet functions, the discussion on how that role should be filled has gathered steam across the Internet governance space.

This post maps the discussion across the NETmundial submissions and presents six emerging evolution scenarios related to the IANA functions:

Separation of IANA from policy/ICANN, control of IANA to a multilateral body
Separation of IANA from policy/ICANN, control of IANA to a non-multilateral body
No separation of IANA from policy/ICANN, control of IANA to a multilateral body
No separation of IANA from policy/ICANN, control of IANA to a non-multilateral body
Multiplication of TLD registries and root servers
Maintenance of status quo

I. Separation of IANA from policy/ICANN, control of IANA to a multilateral body

The proposal under this category demands for the separation of IANA function from technical policy making, and suggests that the IANA function be transferred to an intergovernmental body.

Such proposal is listed below:

Sl.No.	Proposal No.	Name of Proposal	Organization	Sector	Region	Link
1	186	The Next Best Stage for the Future of Internet Governance is Democracy	Global Geneva	Civil Society	Geneva, Switzerland	http://content.netmundial.br/contribution/the-next-best-stage-for-the-future-of-internet-governance-is-democracy/305

This proposal by Global Geneva seeks the establishment of an intergovernmental organisation called World Internet Organisation (WIO), under which IANA (which is understood to be essentially technical and concerning safety and security of the Internet would be located. WIO would additionally have a special link/status/contract with IANA to avoid unwanted interference from governments. A 75% majority at WIO would be requested to act/modify/contest an IANA decision, making it difficult for governments to go beyond reasonable and consensual demands. WIO would act in concert with World Internet Forum, under which ICANN would be located, whereby it would make policy decisions regarding gTLDs apart from its other present functions.

II. Separation of IANA from policy/ICANN, control of IANA to a non-multilateral body

There are certain proposals whereby it is proposed that IANA function should be separated from technical policy making, or ICANN, and IANA function, which is perceived to be a purely administrative one in such submissions, should be handed over to some sort of non-multilateral organisation, which take different forms in each proposal.

Most such submissions have emerged from the civil society or the technical community.

The Internet Governance Project submission envisions the creation of a DNS Authority under whose umbrella IANA would function. The DNS Authority would be separate from ICANN. This proposal has been endorsed by the submissions of InternetNZ as well as Article 19 and Best Bits. Avri Doria’s submission, along with the submission of APC, envisions the establishment of an independent IANA, separate from the technical policy function. Such independence is sought to be preceded by a transition period by a body called IANA Stewardship Group which would be constituted mostly by members from the technical community. IANA is sought to be governed via MoUs with all stakeholders, on the same lines as the MoU between ICANN and the IETF, as described in RFC2860, RFC6220. The focus of these MoUs would not be policy but will be on performance and adherence to service level agreements.

These submissions are listed below:

Sl. No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	19	Roadmap for Globalising IANA: Four Principles and a Proposal for Reform	Internet Governance Project	Civil Society	North America	http://content.netmundial.br/contribution/roadmap-for-globalizing-iana-four-principles-and-a-proposal-for-reform-a-submission-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/96
2	26	Roadmap for the Further Evolution of the Internet Governance Ecosystem- ICANN	Article 19 and Best Bits	Civil Society	Global	http://content.netmundial.br/contribution/roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem-icann/109
3	42	Content Contribution to NetMundial on the Roadmap for the Futher Evolution of the IG Ecosystem regarding the Internationalisation of the IANA Function	InternetNZ	Technical Community	New Zealand	http://content.netmundial.br/contribution/content-contribution-to-netmundial-on-the-roadmap-for-the-futher-evolution-of-the-ig-ecosystem-regarding-the-internationalisation-of-the-iana-function/130
4	60	One Possible Roadmap for IANA Evolution	Avri Doria, Independent Researcher	Other	USA	http://content.netmundial.br/contribution/one-possible-roadmap-for-iana-evolution/153
5	162	APC Proposals for the Further Evolution of the Internet Governance Ecosystem	Association for Progressive Communications (APC)	Civil Society	APC is an international organisation with its executive director's office in South Africa	http://content.netmundial.br/contribution/apc-proposals-for-the-further-evolution-of-the-internet-governance-ecosystem/280

III. No separation of IANA from policy/ICANN, control of IANA to a multilateral body

These submissions propose that the IANA function should come under a multilateral body. However they do not suggest the separation of IANA function from policymaking, or from ICANN; or they are at least silent on this latter issue. 2 such proposals come from the civil society and 2 from the government.

A list of these submissions is provided below:

Sl. No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	8	Roadmaps for Further Evolution of Internet Governance	Association for Proper Internet Governance	Civil Society	Switzerland	http://content.netmundial.br/contribution/roadmaps-for-further-evolution-of-internet-governance/65
2	45	Russian Parliament Submission to NET mundial	State Duma of the Russian Federation (Parliament of the Russia)	Government	Russian Federation	http://content.netmundial.br/contribution/themes/133
3	121	Contribution from the Islamic Republic of Iran to the Global Multiskaeholder (sic) Meeting for the Future of the Internet, 23-24 April 2014 Sao Paulo, Brazil	Cyber Space National Center, Iran	Government	Islamic Republic of Iran	http://content.netmundial.br/contribution/contribution-from-the-islamic-republic-of-iran-to-the-global-multiskaeholder-meeting-for-the-future-of-the-internet-23-24-april-2014-sao-paolo-brazil/236
4	125	Towards Reform of Global Internet Governance	The Society for Knowledge Commons	Civil Society	India and Brazil	http://content.netmundial.br/contribution/towards-reform-of-global-internet-governance/240

IV. No separation of IANA from policy/ICANN, control of IANA to a non-multilateral body

These submissions do not consider the issue of separation of IANA function from policymaking, or ICANN, or at least do not state an opinion on the separation of IANA function from ICANN. However, they do suggest that the control of IANA should be held by a non-multilateral body, and not the US Government.

Many of these submissions also suggest that the oversight of ICANN should be done by a non-multilateral body, therefore it makes sense that the IANA function is administered by a non-multilateral body, without its removal from the ICANN umbrella.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	46	Norwegian Contribution to the Sao Paulo Meeting	Norwegian government	Government	Norway, Europe	http://content.netmundial.br/contribution/norwegian-government/137
2	50	Contribution from the GSM Association to the Global Multistakeholder Meeting on the Future of Internet Governance	GSMA	Private Sector	Global	http://content.netmundial.br/contribution/contribution-from-the-gsm-association-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/141
3	51	Contribution of Telefonica to NETmundial	Telefonica, S.A.	Private Sector	Spain	http://content.netmundial.br/contribution/contribution-of-telefonica-to-netmundial/143
4	56	ETNO Contribution to NETmundial	ETNO [European Telecommunications Network Operators' Association]	Private Sector	Belgium	http://content.netmundial.br/contribution/etno-contribution-to-netmundial/148
5	61	French Government Submission to NETmundial	French Ministry of Foreign Affairs	Government	France	http://content.netmundial.br/contribution/french-government-submission-to-netmundial/154
6	63	Nominet Submission on Internet Governance Principles and the Roadmap	Nominet	Private Sector	UK	http://content.netmundial.br/contribution/nominet-submission-on-internet-governance-principles-and-the-roadmap/156
7	64	Submission by AHCIET to the Global Multistakeholder Meeting on the Future of Internet Governance. NETmundial	AHCIET	Private Sector	Latin America	http://content.netmundial.br/contribution/submission-by-ahciet-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance-netmundial/157
8	70	Spanish Government Contribution to the Global Multi-stakeholder Meeting on the Future of Internet Governance	Ministry of Industry, Energy and Tourism, Spain	Government	Spain	http://content.netmundial.br/contribution/multistakeholder-human-rights-stability-gac/165
9	80	Roadmap for the Further Evolution of the Internet Governance Ecosystem	European Commission	Government	Europe	http://content.netmundial.br/contribution/roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/177
10	94	Roadmap for the Future Development of the Internet Governance Ecosystem	Ministry of Foreign Affairs of Argentina	Government	Argentina	http://content.netmundial.br/contribution/roadmap-for-the-future-development-of-the-internet-governance-ecosystem/196
11	97	Orange Contribution for NETmundial	Orange Group	Private Sector	Deputy to the Chief Regulatory Officer Orange Group	http://content.netmundial.br/contribution/orange/199
12	106	Submission on Internet Governance Principles and Roadmap for the Further Evolution of the Internet Governance Ecosystem	Kuwait Information Technology Society	Civil Society	Kuwait	http://content.netmundial.br/contribution/kuwait-information-technology-society-kits-submission-on-internet-governance-principles-and-roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/214
13	111	Content Submission by the Federal Government of Mexico	Secretara de Comunicaciones y Transportes, Mexico	Government	Mexico	http://content.netmundial.br/contribution/content-submission-by-the-federal-government-of-mexico/219
14	114	Better Understanding and Co-operation for Internet Governance Principles and Its Roadmap	Japan Internet Service Providers Association	Private Sector	Japan	http://content.netmundial.br/contribution/better-understanding-cooperation-for-internet-governance-principles-its-roadmap/222
15	116	Deutsche Telekom’s Contribution for to the Global Multistakeholder Meeting on the Future of Internet Governance	Deutsche Telekom AG	Private Sector	Germany / Europe	http://content.netmundial.br/contribution/deutsche-telekom-s-contribution-for-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/225
16	148	NRO Contribution to NETmundial	NRO (for AFRINIC, APNIC, ARIN, LACNIC, RIPE-NCC)	Technical Community	Mauritius	http://content.netmundial.br/contribution/nro-contribution-to-netmundial/259
17	146	Evolution and Internationalisation of ICANN	CGI.br- Brazilian Internet Steering Committee	Other	Brazil	http://content.netmundial.br/contribution/evolution-and-internationalization-of-icann/263
18	176	Addressing Three Prominent “How To” Questions on the Internet Governance Ecosystem Future	Luis Magalhes, Professor at IST of University of Lisbon, Portugal; Panelist of ICANN’s Strategy Panel on the Role in the Internet Governance System	Academia	Portugal	http://content.netmundial.br/contribution/addressing-three-prominent-how-to-questions-on-the-internet-governance-ecosystem-future/294
19	183	NETmundial Content Submission- endorsed by NIC Mexico	NIC Mexico	Technical Community	Mexico	http://content.netmundial.br/contribution/netmundial-content-submission-endorsed-by-nic-mexico/302

V. Multiplication of TLD registries and Root Servers

These submissions are based on the assumption that reform in the current ICANN/IANA administrative structure is impossible as the US government is unlikely to give up its oversight role over both. Instead, these submissions suggest that multiple TLD registries and root servers should be created as alternatives to today’s IANA/ICANN so that a healthy market competition can be fostered in this area, rather than fostering monopoly of IANA.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	41	Internet Governance: What Next?	EUROLINC	Civil Society	France, Europe	http://content.netmundial.br/contribution/internet-governance-what-next/129
2	175	The Intergovernance of the InterPLUS	INTLNET	Civil Society	France	http://content.netmundial.br/contribution/the-intergovernance-of-the-interplus/293

VI. Maintenance of status quo

These submissions are based on the “if it ain’t broke, don’t fix it” principle, and are of the opinion that there is no need to change the administration of IANA function as it functions efficiently in the current system.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	12	United Kingdom Government Submission	Department For Culture Media and Sport, United Kingdom Government	Government	Government	http://content.netmundial.br/contribution/united-kingdom-government-submission/79
2	133	Perspectives from the Domain Name Association	Domain Name Association	Private Sector	Private Sector	http://content.netmundial.br/contribution/perspectives-from-the-domain-name-association/249

Read more on ICANN/IANA: Role and Structural Considerations (PDF Document, 1215 Kb)

For more details visit https://cis-india.org/internet-governance/blog/net-mundial-and-suggestions-for-iana-administration

Brazil passes Marco Civil; the US-FCC Alters its Stance on Net Neutrality

geetha — 2014-04-24T10:05:32Z

Hopes for the Internet rise and fall rapidly. Yesterday, on April 23, 2014, Marco Civil da Internet, the Brazilian Bill of Internet rights, was passed by the Brazilian Senate into law.

Marco Civil, on which we blogged previously, includes provisions for the protection of privacy and freedom of expression of all users, rules mandating net neutrality, etc. Brazil celebrated the beginning of NETmundial, a momentous first day about which Achal Prabhala blogs, with President Rousseff’s approval of the Marco Civil.

At about the same time, news broke that the US Federal Communications Commission is set to propose new net neutrality rules. In the wake of the Verizon net neutrality decision in January, the proposed new rules will prohibit Internet service providers such as Comcast from slowing down or blocking traffic to certain websites, but permit fast lane traffic for content providers who are willing to pay for it. This fast lane would prioritise traffic from content providers like Netflix and Youtube on commercially reasonable terms, and result in availability of video and other content at higher speeds or quality. An interesting turn-around, as Marco Civil expressly mandates net neutrality for all traffic.

For more details visit https://cis-india.org/internet-governance/blog/brazil-passes-marco-civil-us-fcc-alters-stance-on-net-neutrality

CIS Comments: Enhancing ICANN Accountability

geetha — 2014-06-10T13:03:57Z

On May 6, 2014, ICANN published a call for public comments on "Enhancing ICANN Accountability". This comes in the wake of the IANA stewardship transition spearheaded by ICANN and related concerns of ICANN's external and internal accountability mechanisms. Centre for Internet and Society contributed to the call for comments.

Introduction:

On March 14, 2014, the US National Telecommunications and Information Administration announced its intent to transition key Internet domain name functions to the global multi-stakeholder Internet governance community. ICANN was tasked with the development of a proposal for transition of IANA stewardship, for which ICANN subsequently called for public comments. At NETmundial, ICANN President and CEO Fadi Chehadé acknowledged that the IANA stewardship transition and improved ICANN accountability were inter-related issues, and announced the impending launch of a process to strengthen and enhance ICANN accountability in the absence of US government oversight. The subsequent call for public comments on “Enhancing ICANN Accountability” may be found here.

Suggestions for improved accountability:

In the event, Centre for Internet and Society (“CIS”) wishes to limit its suggestions for improved ICANN accountability to matters of reactive or responsive transparency on the part of ICANN to the global multi-stakeholder community. We propose the creation and implementation of a robust “freedom or right to information” process from ICANN, accompanied by an independent review mechanism.

Article III of ICANN Bye-laws note that “ICANN and its constituent bodies shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness”. As part of this, Article III(2) note that ICANN shall make publicly available information on, inter alia, ICANN’s budget, annual audit, financial contributors and the amount of their contributions, as well as information on accountability mechanisms and the outcome of specific requests and complaints regarding the same. Such accountability mechanisms include reconsideration (Article IV(2)), independent review of Board actions (Article IV(3)), periodic reviews (Article IV(4)) and the Ombudsman (Article V).

Further, ICANN’s Documentary Information Disclosure Policy (“DIDP”) sets forth a process by which members of the public may request information “not already publicly available”. ICANN may respond (either affirmatively or in denial) to such requests within 30 days. Appeals to denials under the DIDP are available under the reconsideration or independent review procedures, to the extent applicable.

While ICANN has historically been prompt in its response to DIDP Requests, CIS is of the view that absent the commitments in the AoC following IANA stewardship transition, it would be desirable to amend and strengthen Response and Appeal procedures for DIDP and other, broader disclosures. Our concerns stem from the fact that, first, the substantive scope of appeal under the DIDP, on the basis of documents requested, is unclear (say, contracts or financial documents regarding payments to Registries or Registrars, or a detailed, granular break-up of ICANN’s revenue and expenditures); and second, that grievances with decisions of the Board Governance Committee or the Independent Review Panel cannot be appealed.

Therefore, CIS proposes a mechanism based on “right to information” best practices, which results in transparent and accountable governance at governmental levels.

First, we propose that designated members of ICANN staff shoulder responsibility to respond to information requests. The identity of such members (information officers, say) ought to be made public, including in the response document.

Second, an independent, third party body should be constituted to sit in appeal over information officers’ decisions to provide or decline to provide information. Such body may be composed of nominated members from the global multi-stakeholder community, with adequate stakeholder-, regional- and gender-representation. However, such members should not have held prior positions in ICANN or its related organizations. During the appointed term of the body, the terms and conditions of service ought to remain beyond the purview of ICANN, similar to globally accepted principles of an independent judiciary. For instance, the Constitution of India forbids any disadvantageous alteration of privileges and allowances of judges of the Supreme Court and High Courts during tenure.

Third, and importantly, punitive measures ought to follow unreasonable, unexplained or illegitimate denials of requests by ICANN information officers. In order to ensure compliance, penalties should be made continuing (a certain prescribed fine for each day of information-denial) on concerned officers. Such punitive measures are accepted, for instance, in Section 20 of India’s Right to Information Act, 2005, where the review body may impose continuing penalties on any defaulting officer.

Finally, exceptions to disclosure should be finite and time-bound. Any and all information exempted from disclosure should be clearly set out (and not merely as categories of exempted information). Further, all exempted information should be made public after a prescribed period of time (say, 1 year), after which any member of the public may request for the same if it continues to be unavailable.

CIS hopes that ICANN shall deliver on its promise to ensure and enhance its accountability and transparency to the global multi-stakeholder community. To that end, we hope our suggestions may be positively considered.

Comment repository:

All comments received by ICANN during the comment period (May 6, 2014 to June 6, 2014) may be found at this link.

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-enhancing-icann-accountability

Do you agree with our fee hike? Press 1 to answer Yes; or 2 for Yes

praskrishna — 2015-10-01T15:28:37Z

It has long been a concern that domain-name overseer ICANN is largely funded by companies reliant on the organization to make money.

The article by Kieren McCarthy was published in the Register on September 29, 2015.

Every biz that wishes to sell domain names – called a registrar – has to pay the organization $4,000 a year, plus 18 cents on every domain they sell.

In addition, they have to pay a variable fee that comprises the money ICANN says it spends on registrar-related activities divided by the number of companies that are accredited. This year that cost was $3.8m and with roughly 1,150 companies, that's $3,300 a head.

The pricing structure provides California-based ICANN with just under $40m a year, more than a third of its total budget. But in order to make sure the non-profit organization doesn't abuse its market control to hike up its fees, each year the registrars have to formally approve the fee structure that the ICANN Board has adopted. And they do that through an online vote.

This year, some registrars are wondering whether the $3.8m spent by ICANN is a good deal for them.

"What do your ICANN fees get you?" ICANN asks itself in an email sent to all registrars. "In addition to helping cover the expenses associated with ICANN meetings and ICANN's day-to-day operations, your fees have allowed us to conduct regular outreach with registrars through 'roadshow' type training seminars, webinars, in-person events, and site visits."

Don't ask, don't tell

It's not clear how that money is spent nor on what, since ICANN continues to provide only the vaguest details over its budget, providing annual sums for "travel" and for "meetings" across the entire organization.

ICANN is also actively refusing to hand that information over, telling one outfit that formally asked for additional financial data that for it to do so would be "extremely time consuming and overly burdensome." That organization – the Centre for Internet and Society – is appealing that decision [PDF] to ICANN's Board with a decision made two days ago but still unpublished.

ICANN expenditure is increasing: in 2014 alone, its "travel" costs jumped by 85 per cent to $17m; its meetings budget nearly doubled from an average of $3.2m per public meeting in 2013 to $6m in 2014. But there is almost no information on where this money has been spent, and so far no explanation for why it spent $113m in 2014 with an income of just $84m.

What else is ICANN spending registrars' fees on? "We've recruited Registrar Services staff dedicated to serving Europe, the Middle East/Africa, and Asia and have already begun a series of (low-cost) micro-regional events in China, Japan, Singapore, and South Korea, with plans taking shape for events in Europe, Africa, the Middle East, and the Americas in the near future," we're told.

But existing registrars are wondering whether all these new staff and events are needed. Are there hundreds of new registrars entering the market? Are they in Asia?

Unfortunately, ICANN has stopped providing that kind of information. In 2009, under pressure to be more open about what was going on, the organization made big play of the fact it was going to produce statistics showing how many registrars there were, how big they were, and where they were based in a new "dashboard."

But those stats stopped being produced two years ago and the most recent data provided is from 2012.

Software and security

Where else do the millions of dollars from the companies that support ICANN go? "We're building up the 'GDD Portal'," says a note from ICANN's staff, "which will become a one-stop destination for all registrar resources at ICANN, and transitioning our customer relationship management software from RADAR to salesforce.com."

This is the same GDD Portal that ICANN had to shut down earlier this year because of a security breach. It had misconfigured out-the-box software and exposed every user's information, including financial projections, launch plans, and confidential exchanges, to every other user. Having at first claimed there was "no indication" that confidential information was exposed, it later admitted that it had in fact happened 330 times.

As for RADAR, it was specifically named in a report by Verisign as a security risk; this is one of the things on a "growing list of examples where ICANN's operational track record leaves much to be desired."

We're listening...

Finally, in explaining why the registrar fees are a good deal for the companies, ICANN's staff note: "Most importantly, we're doing our best to listen to you to ensure that our work is of real value to you."

Unfortunately that listening does not extend to hearing any complaints about the fees, or what they are spent on.

All registrars receive an email during the annual approval of the fees levied against them with a link to an online survey. Incredibly enough, however, they are only allowed to agree to the fees – there is no option to disagree. Or in fact do anything other than sign up for another year.

And what is ICANN's explanation for why the companies that provide it with over a third of its budget are not allowed to express anything but approval of the fees ICANN sets? Problems with the voting software:

The system is only able to accept affirmative expressions of approval. (A technical limitation in the voting software prevents us from knowing when we've reached the level of approval required if we offer both a 'yes, I approve,' and a 'no, I don't approve' option.) But if you have reservations about approving the budget or concerns you'd like addressed first, please let me know and I'll be happy to try to address those directly with you.

So despite charging the companies $3,500 each a year to run the systems that they use, ICANN has been unable to find voting software that is capable of accepting more than one answer. Money well spent.

For more details visit https://cis-india.org/internet-governance/news/the-register-september-29-2015-kieren-mccurthy-do-you-agree-with-our-fee-hike

Peering behind the veil of ICANN's DIDP (II)

Padmini Baruah — 2015-10-15T03:14:18Z

In a previous blog post, I had introduced the concept of ICANN’s Documentary Information Disclosure Policy (“DIDP”) and their extremely vast grounds for non-disclosure. In this short post, I have made an analysis of every DIDP request that ICANN has ever responded to, to point out the flaws in their policy that need to be urgently remedied.

Read the previous blog post here. Every DIDP request that ICANN has ever responded to can be accessed here.

The table here is a comprehensive breakdown of all the different DIDP requests that ICANN has responded to. This table is to be read with this document, which has a numbered list of the different non-disclosure exceptions outlined in ICANN’s policy. What I sought to scrutinize was the number of times ICANN has provided satisfactory information, the number of times it has denied information, and the grounds for the same. What we found was alarming:

Of a total of 91 requests (as of 13/10/2015), ICANN has fully and positively responded to only 11.
It has responded partially to 47 of 91 requests, with some amount of information (usually that which is available as public records).
It has not responded at all to 33 of 91 requests.
The Non-Disclosure Clause (1)^{^[1]} has been invoked 17 times.
The Non-Disclosure Clause (2)^{^[2]} has been invoked 39 times.
The Non-Disclosure Clause (3)^{^[3]} has been invoked 31 times.
The Non-Disclosure Clause (4)^{^[4]} has been invoked 5 times.
The Non-Disclosure Clause (5)^{^[5]} has been invoked 34 times.
The Non-Disclosure Clause (6)^{^[6]} has been invoked 35 times.
The Non-Disclosure Clause (7)^{^[7]} has been invoked once.
The Non-Disclosure Clause (8)^{^[8]} has been invoked 22 times.
The Non-Disclosure Clause (9)^{^[9]} has been invoked 30 times.
The Non-Disclosure Clause (10)^{^[10]} has been invoked 10 times.
The Non-Disclosure Clause (11)^{^[11]} has been invoked 12 times.
The Non-Disclosure Clause (12)^{^[12]} has been invoked 18 times.

This data is disturbing because it reveals that ICANN has in practice been able to deflect most requests for information. It regularly utilised its internal processes and discussions with stakeholders clauses, as well as clauses on protecting financial interests of third parties (over 50% of the total non-disclosure clauses ever invoked - see chart below) to do away with having to provide information on pertinent matters such as its compliance audits and reports of abuse to registrars. We believe that even if ICANN is a private entity legally, and not at the same level as a state, it nonetheless plays the role of regulating an enormous public good, namely the Internet. Therefore, there is a great onus on ICANN to be far more open about the information that they provide.

Finally, it is extremely disturbing that they have extended full disclosure to only 12% of the requests that they receive. An astonishing 88% of the requests have been denied, partly or otherwise. Therefore, it is clear that there is a failure on part of ICANN to uphold the transparency it claims to stand for, and this needs to be remedied at the earliest.

^{^[1]} “Information provided by or to a government or international organization, or any form of recitation of such information, in the expectation that the information will be kept confidential and/or would or likely would materially prejudice ICANN's relationship with that party”

^{^[2]} “Internal information that, if disclosed, would or would be likely to compromise the integrity of ICANN's deliberative and decision-making process by inhibiting the candid exchange of ideas and communications, including internal documents, memoranda, and other similar communications to or from ICANN Directors, ICANN Directors' Advisors, ICANN staff, ICANN consultants, ICANN contractors, and ICANN agents”

^{^[3]} “Information exchanged, prepared for, or derived from the deliberative and decision-making process between ICANN, its constituents, and/or other entities with which ICANN cooperates that, if disclosed, would or would be likely to compromise the integrity of the deliberative and decision-making process between and among ICANN, its constituents, and/or other entities with which ICANN cooperates by inhibiting the candid exchange of ideas and communications”

^{^[4]} “Personnel, medical, contractual, remuneration, and similar records relating to an individual's personal information, when the disclosure of such information would or likely would constitute an invasion of personal privacy, as well as proceedings of internal appeal mechanisms and investigations”

^{^[5]} “Information provided to ICANN by a party that, if disclosed, would or would be likely to materially prejudice the commercial interests, financial interests, and/or competitive position of such party or was provided to ICANN pursuant to a nondisclosure agreement or nondisclosure provision within an agreement”

^{^[6]} “Confidential business information and/or internal policies and procedures”

^{^[7]} “Information that, if disclosed, would or would be likely to endanger the life, health, or safety of any individual or materially prejudice the administration of justice”

^{^[8]} “Information subject to the attorney– client, attorney work product privilege, or any other applicable privilege, or disclosure of which might prejudice any internal, governmental, or legal investigation”

^{^[9]} “Drafts of all correspondence, reports, documents, agreements, contracts, emails, or any other forms of communication”

^{^[10]} “Information that relates in any way to the security and stability of the Internet, including the operation of the L Root or any changes, modifications, or additions to the root zone”

^{^[11]} “Trade secrets and commercial and financial information not publicly disclosed by ICANN”

^{^[12]} “Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual”

For more details visit https://cis-india.org/internet-governance/blog/peering-behind-the-veil-of-icanns-didp-ii