Commissioner's speech to the Dotnz Registrar Conference 2018
Brent Carey, Domain Name Commissioner, delivered his first major speech as commissioner to the dot nz Registrar Conference 2018 held at the Copthorne Hotel in Wellington on 3 May 2018.
Introduction
For those of you expecting Debbie Monahan, I am obviously not her. I am the new second DNC
Thank you, Maddison, and thank you John Edwards Privacy Commissioner for spending time with us this morning.
It's great to see you all here for what promises to be our most successful Registrar Conference to date. There has been a significant amount of activity in the .nz domain name space this past 12 months. An activity I think we can all be proud of, as the .nz domain name market celebrated more than 700,000 active domain name registrations in 2017/18.
Many of the policy changes such as opening up domain names at the second level are maturing, and the market for .nz domain Market is getting stronger.
For me, as .nz's second domain name commissioner, the annual Registrar Conference is a great chance for all of us, as domain name industry professionals, to reflect on key issues that have arisen last year, and to make plans for the year ahead.
It's also a great opportunity to discuss what everyone in the .nz domain name space is doing, and for me to be able to draw on ideas so we can continuously improve in a changing industry.
Nearly 100 days into my appointment we're also part way through two significant reforms to the .nz domain name space. The introduction of an Individual Registrant Privacy Option and technical changes to the Port 43 protocol, where we reduced registrant information from a .nz query search.
As a new Domain Name Commissioner, along with my four capable staff, I have also been trying to get the message out about the differences in registration abuse, infrastructure abuse and content abuse. While abuse in any form can raise questions about how the .nz domain name space should be run, it's only in the areas of registration and infrastructure abuse that there is a role for a self-regulator.
At Christmas time I was interviewed by Radio New Zealand, where I was at pains to try and explain that my role was not a regulator of internet content, nor should the .nz terms and conditions or .nz policies be interpreted in such a way as to put us in that role.
However, it's a position that is hard to maintain if there are data quality issues in the results of a WHOIS search. Data quality of register records is a significant issue to the wider community and has emerged as a major challenge for all of us. As more and more people get themselves online with a trusted .nz domain, there is more registration data at risk of ageing or simply being wrong. Old or invalid registration data means there are more opportunities for the compromise of domain name registration records and domain name infrastructure.
At the same time, you as organisations such as yours are embracing new products and services and building good privacy and security practices, which for many of you are a market differentiator between good corporate citizen and bad.
Individual registrants too are increasingly becoming better informed about what it means to be a domain name holder, following up with the Domain Name Commissioner's office when they have a domain related enquiry or want to transfer their domain to someone else. In 2017/2018, my office received around 2000 domain related enquiries (an increase of about 15% from last year). Not surprisingly issues with UDAI generation was one of the top three reasons for enquiries against individual Registrars. Other common themes we see include difficulties with a change of registrant and problems with domain names registered in the reseller's name.
My staff and I have also been preparing for and implementing structural and personnel changes that have resulted from InternetNZ's organisational review. These changes saw the departure of Debbie Monahan and a transfer of the .nz policy-making function to InternetNZ.
But more than dealing with structural changes, my Office has been dealing with significant policy reforms, involving the registrations of domains at the second level, changes to the WHOIS Port 43 output, and the implementation of an Individual Registrant Privacy Option.
The introduction of second level registrations has produced a significant number of new registrations between 2015 and 2017 (over 134,781). Between October and December 2017 our Office, with the assistance of .nz registry services, managed the release to market of a number of previously conflicted domains that became available on a "first-come, first-served" basis. This was achieved through work the Office did with individual registrants to manage their domain name preferences.
Earlier this year we also conducted a public consultation on Port 43, and we received a number of submissions. The contributions made were valuable, and the Office's approach to Port 43 was guided by those submissions and the risks identified by the registry.
The restriction of information is intended to guard against the bulk harvesting of registrant's personal information and for the storage of that information in secondary databases to be used for purposes unrelated to domain name registration and management.
Since the Individual Registrant Privacy Option (IRPO) became mandatory for all .nz Registrars to offer, the holders of more than 7000 domain names have taken up the offer to withhold their phone and address details. I believe this has been a positive development. Consumers nowadays understand better the principles of only collecting and sharing the minimum amount of personal information required to get the best service, or where there are pressing public policy needs.
From 25 May this year, the privacy landscape will forever change again with the introduction of the GDPR. And the Domain Name Commission is committed to assisting registrars and itself to meet the requirements of the GDPR. We as the Commission are required to comply as a data manager. At the end of my speech, Josh will give some more information about what the Office intends to do to help Registrars with GDPR compliance.
There's also been much work behind the scenes too. Early in my tenure, I spoke with staff at the Office of the Privacy Commissioner. That office plays an important role in the domain name industry, and we need to work closely together on issues of online privacy. Next week, as part of Privacy Awareness week, our Office will also be issuing our first joint fact sheet aimed at informing .nz registrants about domain names and privacy.
And I am in the final stages of negotiating the Office's first Memorandum of Understanding with the CERT, as a priority for data sharing in the area of domain name registration abuse. I hope too to be able to issue our second joint fact sheet with CERT on domain names and security later in the year.
But more than this, since taking up my appointment in January 2018 our Office has spent much of the year so far engaging with business, Government, individuals, and working closely with people that encounter the domain name industry from multiple angles.
In my first 100 days of my appointment I've also spent time and energy trying to get across the message that, far from over, the role in tackling all forms of abuse online in the domain name space is increasing, becoming more complex, and more intertwined in the decisions we make, and all business, government and law enforcement processes. When meeting with stakeholders, I am gauging interest in having a multi-stakeholder summit at the end of the year to continue the conversation on how best to tackle these issues for the .nz domain name space.
Every day my Office continues to do business as usual work to strengthen the integrity of the .nz domain name space in the area of registration abuse and the use of invalid registration details. The validation of registration details falls under our mandate and is an important part of how we work towards a trusted .nz domain name space.
The process is underpinned, first and foremost, by the principles of natural justice and procedural fairness. This does, however, make the process very labour intensive, as it involves phone and email contact with the Registrant in question, as well as the sending of a physical letter.
We follow up domain names we are made aware of by CERT NZ or other trusted notifiers, and those brought to our attention by members of the public. Of those domain names we are made aware of, over 99% end up being cancelled due to non-compliance with .nz policies which require valid contact details. Over the last year, we have seen a strong upward trend in cancellations of non-compliant domain names for having invalid contact details, and as we solidify our thinking of processes when it comes to bad registration details, this number will only increase.
At this stage, I am still developing my thinking when it comes to our invalid registration process, and how we tackle bad `data in the registry on a broader scale. I think that the message is starting to be heard, and with the community's increasing participation in the digital economy, these types of issues won't stop coming, and this is something we all have a role to play in reducing risks of registrants registering domains using invalid details.
I also attended the Internet and Jurisdiction Conference in Ottawa recently, and the focus of the conference was on cross-border responses to domain name abuse and coming up with some guiding principles to enable greater cooperation amongst the players.
On a separate note, there is a particular area in the compliance space where I need your help. That area is in the reseller network. The Office has not yet formulated a plan on how best to reach out to resellers, and obviously, we don't want to duplicate the work being done by Registrars. However, more needs to be done in this part of the market to inform and educate resellers of their .nz obligations.
I see some compliance value we can deliver by providing .nz Registrars with a reseller tool kit which explains resellers obligations in the .nz domain name space as well as provide a model reseller agreement. I hope you agree with me too. I'm aiming to publish something this year about .nz and resellers. Josh will also speak in a little more detail about this.
As well as guidance for resellers we're also committed to working with Registrars when we receive intelligence of trends in the reseller network involving incorrect and invalid registrant details.
I'm pleased that as a result of our regulatory enforcement action with one Registrar we were able to uncover some bad practices of a particular reseller of .nz domain names overseas. Once this had been brought to the attention of the Registrar, they decided not to wear the compliance risk of their reseller's actions and cancelled their agreement with the reseller.
What are we doing next?
As ever, everything will be published on the Domain Name Commission website, and we'll flag updates on our social media channels, Facebook and LinkedIn and through our e-newsletter.
So, it is with this in mind that over the next 12 months, we will be working to refine all of the information materials we produce and to build our compliance program.
The established but growing popularity and effectiveness of our enquiry management system for .nz registrants has also necessitated me to better resource our first contact enquiries. I am putting resourcing in two part-time Enquiries Officer roles and a review this year of our .nz Dispute Resolution Service. So, there will be some new faces joining the Domain Name Commission in the coming months.
From my time working in legal compliance and as the lead privacy auditor for the Victorian Privacy Commissioner, I will also be spending some time developing our agreement and policy compliance program in partnership with the Registrar Advisory Group. I want to develop some balance scorecard reports to identify risks to security and trust and areas of non-compliance and make recommendations to help organisations reduce risks or address non-compliance.
All participants in the .nz market have worked hard to make .nz a trusted online experience governed by a solid .nz policy framework, so we'll be testing some key principles under those policies to make sure safeguards are in place.
We've also started our journey of telling our story better with a brand refresh to signify my commitment to raising awareness and doing more outreach work with stakeholders and participants in the .nz market. We will continue to evolve, to simplify, be meaningful, and deliver value in what we do.
The departure of one Commissioner and the arrival of another is also a platform to grow and develop the Office.
I want our Office to help as much as possible to make .nz trusted and to deal with issues collaboratively when they arise.
Thanks for your attention this afternoon.