In spite of the material we were presented with in Durban, something has gone very wrong inside of ICANN Compliance. KnujOn has published a report which demonstrates that ICANN Compliance appears to have completely collapsed between September 2012 and December 2012. Following December 2012, ICANN seems to have stopped responding to or processing any complaints. It is around this time that certain compliance employees started disappearing. This was not limited to the Sydney office as some would have us believe, all while we have been given assurances the compliance team was being ramped up, not down. The accepted budget has 20 Compliance staffers listed but in reality there are only 14 employees with another ubiquitous staff member vanished from the roster. Six phantom employees is a lot.
We can see the impact of this within the report as 8000 plus complaints were not processed effectively or simply did not get processed at all. This report was very much a follow-up to a previous report which shows the lack of enforcement in detail. The report speaks for itself in its multiple examples. However, let us focus on one, which given the history and details is completely unacceptable.
The Rape Tube
While the registrar BizCn has been cited as a comfortable home to drug-dealing sites as well as trademark infringement, one of the most outrageous domains existing in perpetual violation, but with the silent approval of ICANN, is The Rape Tube. A play on YouTube, rapetube[DOT]org offers the most heinous and sick material, which is beyond any other Internet trash (I can't even re-print the site's own description here). But this is not just about the garbage content, it is about ineffective ICANN policy and process. You see, the Rape Tube is hiding behind a completely invalid WHOIS record which had been documented and reported to ICANN Compliance multiple times since 2011. The Rape Tube has the same WHOIS record as approvedonlinepharmacy[DOT]net and at least 1000 other illicit sites sponsored by BizCn and is accused of being part of a network run by a criminal organization. None of this is a problem apparently. Not only did the registrar fail to correct the issue or suspend the domains in question but ICANN did not issue a breach notice when alerted. When asked why, ICANN insisted that answering such questions would jeopardize ICANN's relationship with BizCn. Placing the importance of a relationship with a contracted party in clear violation of the RAA over that of the ICANN commitment to the public seems a serious transgression of public trust. But, according to our research the relationship with BizCn trumps everything, calling the sincerity of ICANN pledges into question.
And this is not even the first time. In 2010 a BizCn-sponsored domain with false WHOIS was part of a massive malware attack. Complaints were filed, the registrar did not act, ICANN was notified and no breach notice was issued. Additionally, according to a recent report BizCn has not been providing Port 43 WHOIS access which is a condition of the contract. So what is going on here?
Analyzing the Analysis
Putting some perspective on the issue, the drive for new Compliance metrics started several years ago when the previous head of ICANN Compliance called for more resources and publicly accessible statistics. He was silently removed from his post shortly after. Now, we have a new push, but is it real?
Compliance has started publishing more information, but the way they put data out is frustrating. There is little context for their numbers. Look at this chart. Does it make sense? Does the Processed value include the Closed count? Add up the various closed counts and they do not equal the total closed count. Since the Processed value far exceeds the Received value we must assume that some portion of the 5043 processed complaints are from previous months. How many? How old? Are the closed complaints from this month or a previous month? Compare this chart to the chart below. The Received complaints in chart one for February is 2423. The second chart has 2409. If you assume they are adding the 14 breach and termination notices, the number works out, but breaches and terminations are not complaints. Look at the detailed list of actions and it becomes even more confusing. The charts list 6 Breach notices in February, but the detail shows 1 breach notice and the rest are updates of previous actions. The enforcements against Bargin Register, Inc and Power Brand Center Corp. are counted TWICE in different sections.
I put forth a different metric: Does what Compliance produces actually have any effect or benefit for the Internet? The simple answer is no. Cybercrime is barreling ahead and ICANN appears powerless to slow access to domain names for illicit use. But why would it? ICANN's various moves always seem geared towards limiting the scope of Internet consumer complaints, favoring the desires of commercial stakeholders. To ICANN, the ordinary Internet user is not important. What is important is keeping the domain industry happy, so all areas of ICANN are engaged in this effort. Thus the language used to respond to complaints reflects this bias. Policy discussion occurs in public, but important decisions are still happening secretly. Most people do not own a domain name, but are impacted by their use. Even those who own domain names typically do not own very many. However, the spammers profiled in our report own thousands. The abusers of the system who purchase and dump domain names are contributing far more to ICANN's growth than the average netizen could ever dream of. Spammers may be their best repeat customers and as such may receive better treatment than ordinary Internet users. The abusers put money and energy into the cycle. We're counting on ICANN to protect the DNS but the watchman has been asleep too long and the thieves slip in with impunity.
The Invisible Money Line
Regardless of the flurry of compliance notices in 2013 the department remains a primary bill collector. The most recent notice is about a $6,834.56 deficit. But this is not simply about the money, it is about how much money. To say that only registrars who owe money get terminated is just the beginning of the story. Is Compliance a tool for shaking out registrars who are not "bringing home the bacon"? The registrars actually terminated in the last three years had fewer than 4,000 total combined .COM domains. This represents a rounding error decimal point in ICANN's budget. 67% of the breach notices in the last 2 years were to registrars with fewer than 10k names. 85% have fewer than 20k names. Only 34% are for non-financial reasons — none ever reached enforcement level. 8 of them came up because of the new audit process so are not really complaint-based; without those, 76% of all enforcement is to collect fees. However, within the counts there are two anomalies: Tucows and XinNet. XinNet has over one million domains. However, ICANN stated this was "due to an error" and the breach was withdrawn. As for Tucows, they received multiple extensions and the issue was eventually dropped by ICANN. Would a registrar with a small number of domains who owed fees be given such reprieve?
What Happened?
There seems to have been a purge of critical compliance staff at the end of 2012 which coincides with the general decline of performance. Meanwhile, a minority of players are using the DNS as a weapon against consumers all under ICANN's watchful eye. There cannot be consumer trust in an environment of skullduggery. It is part of the reason why sites like the Rape Tube are allowed to endure.
We started off with such high hopes from the new CEO but it appears he has come to a locked door which is beyond even the CEO's ability to open. Additionally, even more doors were closed. What the CEO set out to accomplish cannot be completed. The special relationship with BizCn places real limits on what the CEO can deliver to the rest of the community. It seems he needs more support from the ICANN community to keep the organization on track; if he fails, we all fail. Anyone who wants to discuss this issue and find out how to move forward can contact me directly.
Written by Garth Bruen, Internet Fraud Analyst and Policy Developer