IFFOR response to queries following ICANN Public Comment Period

We have received a number of queries regarding IFFOR’s role as it relates to the .XXX registry, operated by ICM Registry. These queries stem from a public comment period opened by ICANN which runs from 18 March 2024 to 29 April 2024. 

The comment period asks for input from the internet community over ICM Registry’s proposal to renew the legacy .XXX Registry Agreement (RA) using the base gTLD Registry Agreement (Base RA), and to remove the .XXX sponsorship designation. 

IFFOR’s position regarding this transition has been made available by ICANN [pdf]. 

This post gives additional information and context regarding the role IFFOR has played as the sponsor of the .XXX TLD since its inception.

Q1. What is IFFOR’s position on ICM Registry’s policies?  

We feel that the Baseline Policies that were developed by IFFOR at the creation of the .XXX registry and which remain in force have been extremely effective.

Despite some very public concerns at its inception that the .XXX registry would become a source of damaging content, including child sexual abuse material, trademark infringement, and malware, the opposite has in fact been the case: .XXX has consistently had one of the lowest rates of abuse and infringement across the entire registry environment (including new gTLDs).

We know this, and ICANN knows this, because IFFOR produces an extensive annual report that reviews how many reports ICM Registry receives of any kind of abuse (see below for how we define that). We dig into each case, tabulate them, compare them to previous years, and also evaluate the systems that record and register those reports. 

Each year, through our IFFOR Ombudsman, we make recommendations where necessary and follow up on any previous recommendations. We initially ran this process quarterly but, per our agreements and obligations and in light of very low abuse rates, the audit was moved to annually with our most recent report produced at the end of 2023 and comprising 37 pages. 

Those reports are confidential. However, on this occasion we have published excerpts from the most recent report below to provide the internet community with a sense of why we are confident that IFFOR’s current role is no longer required for the effective management of the .XXX TLD.

Executive Summary of Findings and Conclusions

A. Overview of 2022-2023 Audit Review Results

The 2022-2023 review was based on audit metrics shared with the Registry near the beginning of this review period. Our review this year confirmed that the CRS is highly functional, fully operational, and effectively administered. We observed that the Registry owners have implemented continuing enhancements. We have verified that the fail-safes and automated verification loops, which were implemented during the last review cycle, are effective and functional. The automation and simple-yet-detailed case review process and

supporting procedures reduce issues related to staffing and incumbent competency. Our review of the system’s case documentation demonstrated solid, thorough documentation, with outstanding data integrity and system security features. 

B. Summary of Past Audit Reviews

Including this Report, this is the eighteenth report prepared by the IFFOR Ombuds Audit Team [IFFOR-OAT or OAT] since the launch CRS launch in 2011. The IFFOR-OAT maintains records of each annual or quarterly report that we have prepared for future reference. Since beginning our annual reviews, ownership of the Registry has changed hands three times, but each owner has demonstrated excellent cooperation through each Audit Review. 

C. Summary of the 2023 Audit Review Process

This year’s annual review was based on an updated, comprehensive twenty-eight (28) question Audit Review Instrument. This instrument reviews whether the CRS complies fully with Appendix C, CRS system “design specifications,” and IFFOR policy requirements, and verifies compliance with the audit metrics (which were provided to the Registry) as a basis for the review. On December 4, 2023, we held an Audit Review meeting. During this session we completed our Audit Review Instrument and reviewed the cases entered into the system. Because of the small number of cases, our case review was fairly deep and comprehensive. 

We break abuse down into seven categories: Trademark Infringement; Child Abuse Images; Phishing; Impersonation; Other; NAF-RES and NAF-CEDRP.

The two last categories refer to the National Arbitration Forum – [an ICANN-approved third party that ICM Registry uses] to run any domain disputes through.

In summary, as IFFOR stated in its letter published by ICANN as part of the .XXX comment period: “Those reviews have revealed how effective the policies have been, and continue to be, in preventing abuse within the .XXX namespace. We understand that ICM Registry plans to incorporate those policies within a revised .XXX Registry Agreement. The continued use of those policies and practices, we believe, will produce similar results going forward, and does not require IFFOR to serve as the Sponsoring Organization to ensure they are effective.”

Q2. What role did IFFOR play in negotiations between ICM Registry and ICANN regarding this proposed amendment?

IFFOR played no role in the negotiations, nor did we feel it would be appropriate to do so.  We were aware negotiations have been occurring for some time and provided ICM Registry with a letter of our position on the possible transition, upon ICM Registry’s request.

Q3. What role did IFFOR assume over the review and/or approval of policies and practices implemented by ICM Registry?

IFFOR and its Policy Council established and approved the Baseline Policies used by ICM Registry upon launch of the .XXX TLD in 2011 and ICM Registry has included those policies into each registrant agreement since its launch. 

IFFOR has not revised its policies since inception because IFFOR felt it was unnecessary to do so.  IFFOR has reviewed the impact of the Baseline Policies implemented by ICM Registry in an annual audit report (as described above); summaries of which are provided to ICANN annually and in full upon ICANN’s request.

Early on there may have been some initial confusion among members of the internet community regarding ICM Registry’s ability to develop and implement policies on .XXX; however, ICM Registry’s Agreement with ICANN clearly states that ICM Registry, and not IFFOR, is responsible for policies on .XXX as well as implementing those policies via restrictions on registration and other related matters.  

Appendix S of the existing .XXX Agreement with ICANN, states: 

“Registry Operator shall have delegated authority to develop policy for the sTLD, consistent with its obligations to delegate certain policy development authority to IFFOR as set forth in the Sponsoring Organization Agreement between IFFOR and ICM…

[ICM Registry] shall have the delegated authority to develop policy regarding]:

“Restrictions on Registration and Policies for Use of Domain Names

  1. Reservation of names to be withheld from reservation in the sTLD (in addition to those names reserved by ICANN and set forth in a schedule by ICANN).
  2. Policies regarding eligibility to register a domain name in the sTLD, which need not be uniform for all names within the sTLD.
  3. Restrictions and policies on how registered names may be used, which need not be uniform for all names within the sTLD, and which may vary, for example, by type, name, or registrant category.
  4. Establishment of policies applicable to registrants and/or registrars related to information, products, services, end-user addressing, operations, eligibility verification, and registration procedures within the domain, consistent with industry and technology standards and practices.”

It is worth noting that IFFOR’s Baseline policies came into effect in 2011, before the domain name industry caught up via the 2012 new gTLD program.  As such, a number of IFFOR’s Baseline Policies, as well as ICM Registry’s own policies and implementation, created industry standards and best practices that effectively became universal for all new gTLDs.  For example, rapid domain name dispute resolution procedures (e.g., in new gTLD program it is the URS), registrant verification (e.g., in new gTLD program registrars are required to verifiy registrant email addresses), CSAM abuse reporting (e.g., .XXX was the first TLD to collaborate with global CSAM reporting organizations to ensure maximum protection for minors; many registries and registrars now do the same as a best practice).  

Given the clear delineation in ICM Registry’s Agreement with ICANN and in light of industry standards within the domain name industry, in combination with IFFOR’s ongoing focus on ensuring its original Baseline Policies and the .XXX complaint reporting system maintains effectiveness, IFFOR has consistently observed that the policies in place are effective and as such, no additional policies have been required. 

The practices IFFOR does continue to review annually, as mentioned above, are with respect to the abuse reporting system.  IFFOR has provided recommendations to ICM Registry on several occasions since 2011 which have resulted in improvements or enhancements of the system, but those were internal improvements and not changes to the Baseline Policies.

Q4. Why was the funding arrangement changed between IFFOR and ICM Registry in 2013?

ICM Registry’s obligation was to fund IFFOR at an amount of $10.00 USD per resolving domain, per year.  However, IFFOR’s start-up, development and operational costs were significantly higher than the money available through those terms.  ICM effectively advanced IFFOR over $2 million dollars in its first few years of launch and operation.  

When IFFOR was fully established and operational, the parties agreed on a more reasonable financial arrangement in recognition of the pre-funded amounts.  

The reconciled financial arrangement between ICM Registry and IFFOR resulted in significant reductions within IFFOR; as such, many individuals, service providers and vendors were replaced by more affordable resources – in some cases, individuals and organizations provided services to IFFOR for greatly reduced, or no, compensation because they believed in the work being done.  

The other impact of the reconciled financial arrangement was that less funds were available for grants and as such, the IFFOR Policy Council devised a grants program consistent with its Policy Goals that provided value and impact within its more limited budget.  

Q5. What is the IFFOR grants program, how is it run, and how many recipients have there been?

IFFOR has awarded grants to global organisations on topics that align with our policy goals. As explained on our website: “The Grants program may fund research, technological development, advocacy, child protection, and legal challenge that fits firmly within IFFOR’s policy goals and on the dot-xxx top-level domains.”

IFFOR’s Policy Council devised the system for creating and approving grants and we have given over 100 grants to individuals, schools, and organizations since inception.  Each grant season we opened up grants for a key period of time, advertised them at various conferences, online and in direct communication with educators and educational institutions, and then assessed applicants according to the criteria established by our Policy Council, and awarded grants to successful applicants.

Our grant recipients have all been in the area of child protection, since we believe this is the most important aim and use of IFFOR’s funds. Our earlier grant recipients included research looking at industry standards and solutions regarding age verification, as well as research on how child sexual abuse material (CSAM) is disseminated online in an effort to enable organizations and internet providers to provide solutions to mitigate, divert and prevent online harm to minors.

In recent years, our child protection grants have focused on  dissemination of AtFirstSite, our expert created, policy-led educational resource for 11-14 year olds that gives caregivers, educators and parents tools to educate youth on protecting themselves online.  Through our grants program we made the course available for free, and for some recipients also provided a trained facilitator of the course, to schools and youth-based organizations who applied for it and met the criteria.

In light of our awareness that the ICM-IFFOR arrangement could be terminated due to revisions in the ICANN-ICM Agreement, IFFOR wanted to maximize the chances of providing useful, timely and expertly created educational tools to as many organziations as possible.  As such, we updated our AtFirstSite course to ensure its relevance and in 2023 made the updated AtFirstCourse available as our grant award on an ongoing and rolling basis – effectively making the course available for free to any organization requesting it, without limitations on grant application windows or delivery times.

As a timely opportunity and with the hopes of providing a needed resource, IFFOR made, and is still making, the grant available to everyone who applies for it while also dedicating outreach efforts in response to UK legislation that made it compulsory for all UK schools to run Personal, Social, Health and Economic Education (PSHE) courses.  For its current grant, IFFOR contacted every school in the UK with children aged 11-14 (the target age group) to bring awareness of the ongoing grant award that allows them to satisfy their PSHE requirements for free.  We hope to provide a significant value to an underfunded area via our ongoing grant opportunity and want our industry leading educational resource to have the maximum impact possible, to protect minors and youth online.  This felt like the most meaningful and important grant we could give at this time.  

Q6. What recent policy work has IFFOR undertaken?

During the COVID-19 pandemic, in order to contribute positively during the explosion in teaching-from-home and consistent with our Policy Goals of protecting youth online, IFFOR funded and organized an extensive piece of research and analysis on online learning and parental controls.  

While this work did not translate, nor was it required to translate, into any recommendations or changes within the .XXX TLD, it is policy work aimed at providing tools and information to the internet community generally and organizations, parents and caregivers specifically, in our ongoing commitment to protecting youth online. 

We have also contributed to policy work through the information, philosophies, tools and policies expressed in our AtFirstSite educational course and have spoken extensively at international conferences regarding online content and the protection of minors.

Q7. What does IFFOR intend to do if the new agreement is approved by ICANN?

If the proposed .XXX registry agreement is approved, IFFOR will wind down its operations.  As our final contribution, we will make our AtFirstSite course available to the internet and educational communities in our ongoing hope that this work can make the world, both online and offline, a safer place for parents, caregivers, minors and youth.