The WHOIS Review Team just issued a 92 page report “to review the extent to which ICANN’s WHOIS policy and to see whether ICANN’s implementation are effective, meet the legitimate needs of law enforcement and promote consumer trust.”
The answer was clear.
“Formed in October 2010, the WHOIS Review Team comprised representatives from across the ICANN constituencies, a representative of law enforcement and two independent experts.
“WHOIS as an issue encompasses:
- The WHOIS Protocol, including its continued fitness for purpose given that both the Internet and uses of WHOIS have expanded beyond what their original designers would have imagined possible;
- Internationalization of WHOIS Data, and the consistent handling of non-ASCII text in both the records and the display of the domain name itself
- Ongoing development of WHOIS policy within ICANN’s existing machinery, and the impact of other policy development on WHOIS;
- Maintaining some coordination role to ensure that so far as possible, policy development effort is not duplicated, relevant research is brought to the attention of relevant working groups or staff, and is followed up in a timely way; and
- That compliance with contractual obligations, and outreach to affected communities of users is managed effectively and that timely reporting be given to the Community.
“”The WHOIS Review Team finds that in all of the above points, ICANN the corporation has failed to meet expectations”
As for its recommendations the team recommended that
“WHOIS, in all its aspects, should be a strategic priority for ICANN the organization.”
“It should form the basis of staff incentivization and published organizational objectives.”
“To support WHOIS as a strategic priority, the ICANN board should create a committee that includes the CEO.
“Advancement of the WHOIS strategic priority objectives should be a major factor in staff incentivization programs for ICANN staff participating in the committee, including the CEO.”
“Regular (at least annual) updates on progress against targets should be given to the Community within ICANN’s regular reporting channels, and should cover all aspects of WHOIS including protocol, policy development, studies and their follow up.”
The committee went on to say:
One of our earliest “findings” was our inability to find a clear, concise, well- communicated WHOIS Policy. The Team was assured that one existed and that it had been in force for some time.”
“Several versions of Registrar and Registry contracts were reviewed as were compliance activities related to the policy. Throughout, we were unable to locate a document labeled WHOIS Policy as referenced by the ICANN- approved Affirmation of Commitments. “”
ICANN should act to ensure that its compliance function is managed in accordance with best practice principles, including that:
a. There should be full transparency regarding the resourcing and structure of its compliance function. To help achieve this ICANN should, at a minimum, publish annual reports that detail the following relevant to ICANN’s compliance activities: staffing levels; budgeted funds; actual expenditure; performance against published targets; and organizational structure (including the full lines of reporting and accountability).
b. There should be clear and appropriate lines of reporting and accountability, to allow compliance activities to be pursued pro-actively and independently of other interests. To help achieve this, ICANN should appoint a senior executive whose sole responsibility would be to oversee and manage ICANN’s compliance function. This senior executive should report directly and solely to a sub-committee of the ICANN Board. This sub-committee should include Board members with a range of relevant skills, and should include the CEO. The sub-committee should not include any representatives from the regulated industry, or any other Board members who could have conflicts of interest in this area.
c. ICANN should provide all necessary resources to ensure that the compliance team has the processes and technological tools it needs to efficiently and pro-actively manage and scale its compliance activities. The Review Team notes that this will be particularly important in light of the new gTLD program, and all relevant compliance processes and tools should be reviewed and improved, and new tools developed where necessary, in advance of any new gTLDs becoming operational.””
The Team was also quite frustrated with receiving funding from ICANN an organization with over $5o Million dollars in reserve as well as lack of transparency and getting the information they needed from ICANN:
“”Despite substantial efforts made, and dedicated staff, the Compliance function has suffered from lack of resources, and has struggled to maintain organizational priority.
Evidence of recent investment is welcome, but there remains much to do.
“We find that basic information, for example on staffing, budget vs. actual spend, and key performance metrics, remain difficult to obtain.”
Concerns have been expressed in public comment as to whether the current structure of the Compliance team (ie being a department within ICANN) is helping. We have an open mind about whether the Compliance function should be located within the organization or not. There is much to be said for structural independence. However, we note that the costs and upheaval associated with such a restructure (both human and financial) would be great. We believe that it should be possible to effect improvements through clearer lines of accountability particularly for Compliance’s leadership, and much greater transparency.
Finally, we note the sensitivity from some sections of the community about use of the term “regulator” to describe ICANN’s role within the industry. We have tried to avoid the term in our final recommendations. However, we do not fully understand the sensitivity: ICANN is part of a self-regulatory ecosystem. It accredits some actors (registries and registrars) and requires certain behaviors of them. It has an operational function to enforce contractual requirements. These activities can be properly described as regulation in the sense of private sector, self-regulation. If they were not done effectively, they would need to be done by someone – or something – else.””
The report is quite detailed and if you have an hour to kill its an interesting read.