ICANN82 Recap: Progress and Challenges in DNS Abuse and Policy

Last week, the 82nd ICANN meeting took place in Seattle. This meeting was also the first one since Kurtis Lindqvist was nominated as ICANN CEO. As an engineer, Kurtis brings a practical mindset to the table, a breath of fresh air for many in the community.
This meeting continued the focus on DNS Abuse, but with a twist: we saw genuine dialogue instead of the usual back-and-forth. Several sessions stood out.
Talking to each other
The Commercial Stakeholder Group, which includes business and IP representatives, sat down with registries and registrars to discuss the challenges of handling DNS abuse reports.
They expressed their frustration at the lack of certainty about the outcome of their abuse reports.
For their part, the registrars presented cases that were reported to them and explained why they could not take action. They reminded the audience that most registrars don’t have in-house legal counsel and must be presented with indisputable, actionable reports.
Although it may run counter to their nature, lawyers must keep their DNS abuse reports concise and in plain language, and refrain from including as many attachments as their email client can bear.
To this end, the DNS Abuse Working Group has published a set of documents aimed at helping reporters draft effective reports.
According to the registrars (and our own experience), the recurring reasons for not taking action are that the reported abuse pertained to website content rather than the domain name itself, or that evidence was lacking.
Considering the vigour with which numerous attendees took notes during this session, the interactive format was well received and should be continued.
The Terminology Tangle
Another recurring theme surfaced in Seattle: the lack of a common definition for specific key terms.
One example is the word « bulk ».
For years, there have been unsubstantiated claims within the ICANN community that « bulk registrations » are a cause or a tool for DNS Abuse. However, no one can explain what bulk means. Is it the number of domain registrations by the same registrant? The number of simultaneous registrations by the same registrant or by the same registrar or registry? And what is the threshold to qualify as « bulk »?
From a macro perspective, it’s undoubtedly true that criminals are registering numerous domain names. However, they are regrettably not dull. They are not putting all their malicious registrations in one proverbial basket, and identifying them and their registrations is increasingly difficult.
Indeed, registrars, too, have a vested interest in preventing those registrations from happening. They are almost always made with a stolen means of payment, which results in a transaction cancellation and a chargeback fee. On top of that, handling abuse requires staff intervention and represents a high cost for registrars.
Another example is the word « accuracy ».
Despite the accuracy scoping team’s blatant failure to produce a meaningful report, developing a policy on « accuracy » is still actively considered. However, there is no consensus on what accuracy means regarding domain registration data.
For some, accuracy seems to be the public’s right to access every registrant’s identity on demand. For others, it’s limited to being able to reach the registrant when needed. In that view, the fact that a registrant’s email address is generic and the postal address they provided for their registration is not their place of residence does not make the data inaccurate.
Oddly enough, the proponents of the first conception are basing their definition on a twisted interpretation of data privacy laws. While it’s true that GDPR grants data subjects the right to keep their personal data accurate in the databases of service providers, and obliges the latter to accept updates from data subjects, this certainly does not create a right for third parties to access this data.
Goodbye WHOIS, Hello RDAP
As mentioned in our previous post, the new registration data policy that will replace the 7-year-old Temporary Specifications will enter into force in August 2025. Registries and registrars took advantage of this meeting to discuss the specifics of this critical transition.
Hopefully, this new policy will create more uniformity in the content of the domain registration database formerly known as WHOIS. See “ICANN Update: Launching RDAP; Sunsetting WHOIS”.
The transition from WHOIS to RDAP will also give registrars more flexibility regarding the information they publish about the domain names they manage.
The DNS Abuse Working Group is leveraging this new capacity. Together with members of the technical community, it is attempting to implement a specific flag that could be applied to domain names suspended by registrars. This flag would help the public know when a registrar has suspended a domain name.
Disclosing: a balancing act
The Standing Committee evaluating the RDRS is close to finalising its report. The RDRS tool allows legitimate access seekers to ask the registrar in charge to disclose redacted registrant data.
There is also a discrepancy between the expectations of access seekers, who believe they will automatically gain access to the redacted data, and registrars, who must conduct a balancing test between their clients’ right to privacy and the rights on which the disclosure request is based.
As mentioned, most registrars don’t have in-house lawyers, let alone privacy lawyers. Therefore, they must be very cautious when deciding on the validity of disclosure requests.
This matter is so sensitive that the Noncommercial Stakeholder Group (which represents registrants at ICANN) has enlisted Article 19 to draft guidelines for registrars to protect the registrants’ rights. Those guidelines won’t be compulsory, but they could greatly help registrars in this complex area.
The Zombie policy
The Seattle meeting also served as the occasion for the group to determine whether the policy developed on a Privacy Proxy Services Accreditation system is implementable. Although a policy dealing almost exclusively with privacy matters should logically be overhauled to consider GDPR’s consequences for the industry, the group is inconceivably trying to salvage this obsolete text.
Time to prepare if you want your internet extension
Last but not least, the next round of applications for new TLDs is still set for April 2026. The meeting was buzzing with registry operators promoting their platforms. If you're considering applying for a new extension, now's the time to start preparing.