Consideration of Reconsideration Request 18-3: Astutium Ltd.

Brief Summary and Recommendation
The full factual background is set forth in the BAMC Recommendation, which the Board has reviewed and considered, and which is incorporated here.

On 5 June 2018, the BAMC recommended that Request 18-3 be denied because the Requestor has not demonstrated sufficient basis for reconsideration for the reasons set forth in the BAMC Recommendation, which are incorporated here. (See BAMC Recommendation.)

On 20 June 2018, the Requestor submitted a rebuttal to the BAMC's Recommendation (Rebuttal), pursuant to Article 4, Section 4.2(q) of ICANN's Bylaws, which the Board has also carefully reviewed and considered. (See Rebuttal.) In the Rebuttal, the Requestor suggests that: (1) Contractual Compliance failed to communicate with the Requestor during the informal and formal resolution process; (2) the Complaint contained inaccuracies that were not vetted by ICANN org; (3) the Requestor corrected the inaccuracies in the Complaint; (4) ICANN org misunderstood the Requestor's process to validate the information; (5) the Requestor responded to the Notice of Breach; (6) the Requestor was prevented by EU privacy laws from disclosing information to ICANN org; (7) the Requestor complied with the Expired Registration Recovery Policy (ERRP) Section 4.1; and (8) the Requestor maintained a valid correspondence address on its website.96

The Board has carefully reviewed and considered The Board has carefully considered the BAMC's Recommendation and all relevant materials related to Request 18-3, including the Requestor's Rebuttal, and the Board agrees with the BAMC's Recommendation and concludes that the Rebuttal provides no additional argument or evidence to support reconsideration.

Issues
The issues for reconsideration are:

Whether ICANN org complied with applicable Commitments, Core Values, and established policies when it issued the Termination Notice;
Whether ICANN org relied on faulty data or misunderstandings when it issued the Termination Notice; and
Whether ICANN org published defamatory statements on its website, in violation of the applicable Commitments, Core Values, and established policies.
These issues are considered under the relevant standards for reconsideration requests and the contractual compliance process, which are set forth in the BAMC Recommendation.

Analysis and Rationale
Contractual Compliance Complied with Applicable Policies and Procedures.

The Requestor claims that Contractual Compliance's decision to issue the Termination Notice was based on an "overall failure of ICANN staff/policies/procedures."97 As discussed below and in further detail in the BAMC Recommendation, Contractual Compliance adhered to the applicable policies and procedures when addressing each of the six areas of noncompliance identified in the Termination Notice.

Contractual Compliance complied with applicable policies and procedures when it issued the Termination Notice for Requestor's failure to take reasonable steps to investigate and correct WHOIS inaccuracies.

The Requestor claims that the Complaint regarding the domain name contained inaccuracies that "were clearly and obviously faults in the ICANN reporting process;" that the Requestor nonetheless contacted the registrant and updated the inaccuracies; and that Contractual Compliance's "demands for copies of communications to 'demonstrate compliance' are both unreasonable and unnecessary."98 The Requestor also claims that Contractual Compliance did not manually review the Complaint and instead automatically forwarded it to the Requestor. The BAMC determined, and the Board agrees, that Requestor's claims are factually incorrect and do not support reconsideration.

First, Contractual Compliance follows a defined approach and process to ensure compliance with contractual obligations.99 The BAMC determined, and the Board agrees, that Contractual Compliance followed its process with respect to the handling of the Complaint. That is, upon receipt of the Complaint, Contractual Compliance evaluated and confirmed that the Complaint was within the scope of the relevant RAA and consensus policies. While some portions of the Complaint may have been inaccurate, the Complaint contained other portions that were within scope. Thus, Contractual Compliance initiated the "Informal Resolution Process" by sending the first compliance notice to the Requestor, attaching the entire Complaint.100 Contractual Compliance does not modify complaints, except to redact reporter-related data associated with requests for anonymity, even if it determines that portions of the complaint are inaccurate. Registrars are free to explain why portions of a complaint do not need to be addressed, but the fact that a portion of a complaint is inaccurate does not waive the need to address the accurate/in-scope portions of the complaint. (BAMC Recommendation, Pgs. 16-19.)

Second, the BAMC concluded, and the Board agrees, that the Requestor's claims that Contractual Compliance's "demands for copies of communications to 'demonstrate compliance are unreasonable and unnecessary'"101 do not support reconsideration. The RAA requires the Requestor to "comply with the obligations specified in the Whois Accuracy Program Specification" (WAPS) to maintain and confirm accurate contact information for its Registered Name Holder (RNH). (BAMC Recommendation, Pg. 3.) The Requestor also is required to maintain "all written communications constituting registration applications, confirmations, modifications, or terminations and related correspondence with Registered Name Holders," and must make such data available to ICANN org upon reasonable notice.102 (BAMC Recommendation, Pg. 4.) The Requestor's refusal to provide or make such data available to Contractual Compliance is a breach of its RAA. (BAMC Recommendation, Pgs. 17-18.)

As discussed in detail in the BAMC Recommendation, the Requestor did not remedy all the WHOIS inaccuracies at issue during the Informal Resolution Process. For example, information in the Administrative and Technical fields (such as street names) appeared to belong to the Requestor rather than the registrant.103 Additionally, the Requestor had not validated the postal address under WAPS to ensure it was in a proper format for the applicable country as defined in the UPU Postal addressing format templates.104

The Board notes that Contractual Compliance attempted numerous times to resolve the deficiencies with the Requestor through the three separate compliance notices during the Informal Resolution Process before escalating the matter to the Formal Resolution Process by the issuance of the Breach Notice on 27 February 2018.105 (BAMC Recommendation, Pg. 18.)

The Requestor never responded to the Breach Notice, despite outreach effort from Contractual Compliance.106 As a result, Contractual Compliance escalated the matter to termination in accordance with its process and Section 5.5.4 of the RAA. Accordingly, the BAMC concluded, and the Board agrees, that Contractual Compliance followed applicable policies and procedures throughout this process and therefore, the Requestor's claims do not support reconsideration.

Contractual Compliance complied with applicable policies and procedures when it issued the Termination Notice for Requestor's failure to validate and verify WHOIS contact information, as required by WAPS.

The BAMC determined, and the Board agrees, that Contractual Compliance complied with established procedures when it issued the Termination Notice based on the Requestor's failure to validate and verify WHOIS contact information as required by WAPS. The Requestor claims that Contractual Compliance "misunderstand[s] … the technologies involved," that "[v]alidation of client submitted data is done prior to acceptance of that data, and [that] manual 'eyeballing' of the data is not a general requirement."107 The Requestor explained that "[i]n the event of certain specific data being updated (and subject to it not already having been verified on other domains) automated processes are then invoked as needed in accordance with [WAPS] 1.f."108

The Requestor's claim is factually incorrect. WAPS Section 1 requires the Requestor, upon "any change in the [RNH] with respect to any Registered Name sponsored by" the Requestor, to "[v]alidate the presence of data for all fields required under Subsection 3.3.1 of the Agreement in a proper format," and validate that other contact information is in the proper format.109 It also requires the Requestor to verify "the email address of the [RNH] … by sending an email requiring an affirmative response through a tool-based authentication method…."110 Within 15 days of receiving "any changes to contact information in Whois …, [the Requestor] will validate and, to the extent required by Section 1, verify the changed fields in the manner specified in Section 1 above. If [the Requestor] does not receive an affirmative response from the [RNH] providing the required verification, [the Requestor] shall either verify the applicable contact information manually or suspend the registration…."111 WAPS Section 4 requires that if the Requestor "has any information suggesting that the contact information … is incorrect[,] … [it] must verify or re-verify as applicable…." If the Requestor does not receive an affirmative response, it "shall either verify the applicable contact information manually or suspend the registration."112

Contractual Compliance requested this information from the Requestor throughout the Informal Resolution and Formal Resolution Processes. However, to date, Contractual Compliance has not received evidence of verification or validation, as required under WAPS Sections 1, 4, and 5.113 Accordingly, the Requestor's claims do not support reconsideration. (BAMC Recommendation, Pgs. 19-20.)

Contractual Compliance complied with applicable policies and procedures when it issued the Termination Notice for Requestor's failure to maintain and make available to ICANN registration data and records relating to the Requestor's communications with the RNH of the domain name .

The BAMC determined, and the Board agrees, that Contractual Compliance complied with established procedures when it issued the Termination Notice based on the Requestor's failure to maintain and make available to ICANN org registration data and records of the Requestor's communications with the RNH of the domain name . Sections 3.4.2 and 3.4.3 of the RAA require the Requestor to maintain records "relating to its dealings with Registry Operator(s) and [RNHs]," including correspondence, and to make those available for inspection and copying to ICANN upon reasonable notice.114 If the Requestor "believes that the provision of any such data, information or records to ICANN would violate applicable law or any legal proceedings, ICANN and [the Requestor] agree to discuss in good faith whether appropriate limitations, protections or alternative solutions can be identified to allow the production of such data."115

In Request 18-3, Requestor claims for the first time that it is prohibited from providing ICANN org the requested data because EU privacy laws limit the types of data that can be exported to the United States.116 Yet, during Informal and Formal Resolution Processes, the Requestor never raised EU privacy law as a basis for withholding the requested information.117 Rather, the Requestor simply refused to comply with Sections 3.4.2 and 3.4.3, stating "we don't provide details of private communications to 3rd parties," but did not provide a reason for withholding such communications.118

The BAMC noted that Contractual Compliance nevertheless offered to work with the Requestor on how such records could be provided to demonstrate compliance but that such efforts were met with the following response from the Requestor: "There is no requirement in WAPS to provide you with anything at all."119 Accordingly, the BAMC concluded, and the Board agrees, that the Requestor's claims do not support reconsideration. (BAMC Recommendation, Pgs. 20-22.)

Contractual Compliance complied with applicable policies and procedures when it issued the Termination Notice for Requestor's failure to provide domain name data in the specified response format, as required by the RAA.

The BAMC determined, and the Board agrees, that Contractual Compliance complied with established procedures when it issued the Termination Notice based on the Requestor's failure to provide domain name data in the format required by the RAA. (BAMC Recommendation, Pgs. 22-23.) In accordance with its process when a complaint reaches the third compliance notice phase,120 Contractual Compliance conducted a full compliance check to identify whether there were any additional areas of non-compliance by Astutium Ltd., and confirmed that there were three additional areas of non-compliance as identified in the Breach Notice.121 Contrary to the Requestor's assertion, Contractual Compliance did not create additional "backdoor" requirements, but rather complied with its process when identifying other areas of noncompliance.

Contractual Compliance complied with applicable policies and procedures when it issued the Termination Notice for Requestor's failure to include a link in its registration agreement to its renewal fees and post-expiration renewal fees.

The BAMC determined, and the Board agrees, that Contractual Compliance complied with established procedures when it issued the Termination Notice based on the Requestor's failure to include a link to its renewal fees and post-expiration renewal fees in its registration agreement as required by Section 4.1 of the Expired Registration Recovery Policy (ERRP).122 The Requestor claims that it complied with Section 4.1 of the ERRP because its fees are displayed on every page of its website.123 However, a link to the Requestor's renewal fees and post-expiration renewal fees on its website was not included in the Requestor's registration agreement as required by Section 4.1 of the ERRP.124

Accordingly, because Contractual Compliance adhered to applicable policies and procedures, the BAMC concluded, and the Board agrees, that reconsideration is not warranted. (BAMC Recommendation, Pgs. 23-24.)

Contractual Compliance complied with applicable policies and procedures when it issued the Termination Notice for Requestor's failure to publish a correspondence address on Requestor's website.

The BAMC determined, and the Board agrees, that Contractual Compliance complied with established procedures when it issued the Termination Notice based on the Requestor's failure to publish a correspondence address on its website. The Requestor claims that "[n]o breach has occurred" because the Requestor's website "has a 'Contact' link at the top of every page, has telephone numbers on every page, contains multiple methods of communication (email, telephone, ticket, fax post) listed and clearly shows [its] address at the bottom of every page."125 However, the Requestor's correspondence address on its website must be the same as the address provided in its Registrar Information Specification (RIS).126 Contractual Compliance was unable to locate the correspondence address provided in the Requestor's RIS on the Requestor's website.127 Accordingly, consistent with the RAA and Contractual Compliance's process, Contractual Compliance issued the Termination Notice. (BAMC Recommendation, Pgs. 24-25.)

The Requestor Has Not Demonstrated That Contractual Compliance Relied on False or Inaccurate Information When It Issued the Termination Notice.

The BAMC concluded, and the Board agrees, that the Requestor has not identified any false or inaccurate information that Contractual Compliance purportedly relied upon when it decided to issue the Termination Notice. The only apparent reference to purported reliance on false or misleading information is the Requestor's claim that ICANN org "misunderstands … the technologies involved" in the Requestor's automated validation process of registrant contact information.128 That is not a basis for reconsideration. (BAMC Recommendation, Pgs. 25-26.)

The Requestor Has Not Demonstrated That ICANN Org Published Defamatory Statements on Its Website or Violated Its Commitments by Publishing the Notices on Its Website.

The BAMC concluded, and the Board agrees, that Contractual Compliance did not violate any established process or procedures when it published the Breach and Termination Notices on the Notices webpage. Notices sent during the Formal Resolution process are published on https://www.icann.org/compliance/notices, and ICANN updates the progress of each enforcement action.129 (BAMC Recommendation, Pgs. 26-27.)

To the extent that the Requestor is suggesting that the publicly available Breach and Termination Notices contain libelous statements, the BAMC determined and the Board agrees that this is unconvincing. ICANN org takes defamation claims seriously. Accordingly, in the evaluation of Request 18-3, ICANN org reviewed the Breach and Termination Notices and confirmed that there neither the breaches identified nor any statements contained in the Notices are false or defamatory. Moreover, the Requestor has failed to show how any statements in the Notices are defamatory. Accordingly, the Requestor has not identified any element of ICANN's Mission, Commitments, Core Values, or established ICANN policy(ies) violated by ICANN organization, and reconsideration is not warranted on this ground.

The Requestor's Rebuttal Does Not Raise Arguments or Facts That Support Reconsideration.

The Board has considered the Requestor's Rebuttal and finds that the Requestor has not provided any additional arguments or facts supporting reconsideration.

The Rebuttal states that: (1) Contractual Compliance failed to communicate with the Requestor during the Informal and Formal Resolution Processes; (2) the Complaint contained inaccuracies that were not vetted by ICANN org; (3) the Requestor corrected the inaccuracies in the Complaint; (4) ICANN org staff misunderstands the process the Requestor used to validate the information; (5) the Requestor responded to the Notice of Breach; (6) the Requestor was prevented by EU privacy laws from disclosing information to ICANN org; (7) the Requestor complied with ERRP Section 4.1; and (8) the Requestor maintained a valid correspondence address on its website.

With respect to the first claim, the Board finds that this argument is not supported. Rather, the chronologies attached to the Breach and Termination Notices, as well as the detailed written correspondence between Contractual Compliance and the Requestor130 demonstrate that Contractual Compliance repeatedly contacted the Requestor via email, facsimile, courier mail, and telephone to resolve the breaches at issue.

With respect to the Requestor's claim that there were inaccuracies in the Complaint sent to the Requestor, as detailed above in Section 3.A.1, the Board finds that this argument has been sufficiently addressed by the BAMC. The Requestor has not set forth any new evidence in its Rebuttal supporting reconsideration.

Similarly, the Board finds that the third and fourth claims in the Rebuttal have been sufficiently addressed by the BAMC for the reasons discussed above and in the BAMC Recommendation. The Requestor has not set forth any new evidence in its Rebuttal supporting reconsideration.

With respect to the Requestor's rebuttal that it responded to the Breach Notice by contacting Mukesh Chulani, the Registrar Services & Engagement Senior Manager, the Board finds that this claim does not support reconsideration. The Requestor does not provide – nor is ICANN org aware of – anything to show that the Requestor cured the breaches identified in the Breach Notice during the communication with Mr. Chulani. Moreover, Mr. Chulani engaged with the Requestor to encourage the Requestor to cure the breaches with Contractual Compliance before the matter escalated to termination. (See Attachment H to Reference Materials.)

With respect to the Requestor's rebuttal that it was prevented by EU privacy laws from disclosing information to ICANN org, the Board finds that this claim has been sufficiently addressed by the BAMC for the reasons discussed above and in the BAMC Recommendation. The Requestor acknowledges that it never raised these concerns with Contractual Compliance during the Informal and Formal Resolution Processes. Further, as the BAMC noted, even though the Requestor did not identify privacy regulations as the basis for withholding from ICANN the requested information, Contractual Compliance nevertheless offered to work with the Requestor on how such records could be provided to demonstrate compliance, but the Requestor rejected Contractual Compliance's offer. (Attachment 1 to BAMC Recommendation on Request 18-3, Pgs. 9-10.) The BAMC concluded, and the Board agrees, that the Requestor's response to Contractual Compliance on this matter demonstrates that the Requestor's concerns about this breach item is not the inability to comply due to privacy regulations, but rather that the Requestor believes that "[t]here is no requirement in WAPS to provide [Contractual Compliance] with anything at all." (Id. at Pg. 10.)

With respect to the Requestor's rebuttal that it complied with ERRP Section 4.1 because it displays its renewal fees and post-expiration renewal fees on its website, the Board finds that this argument has been sufficiently addressed by the BAMC. (See infra at Section 3.A.5.) The Requestor has not provided anything new to show that its Domain Registration Agreement contains a link to the renewal fees as required by the ERRP Section 4.1. Accordingly, reconsideration is not warranted.

Finally, with respect to the Requestor's claims that the RIS form that ICANN org has on file "is not the current RIS form" and that ICANN has "failed to update/store/file the correct and updated information,"131 the Board finds that the Requestor has not provided anything to support these claims. While the Requestor claims that it updated its RIS through the ICANN Registrar Database RADAR,132 RADAR does not, in fact, contain any RIS information because it does not have the functionality for RIS forms to be submitted on its platform. As specified in the Registrar Contacts Update webpage at https://www.icann.org/resources/pages/registrar-contact-updates-2015-09-..., RIS updates should be emailed to [email protected].133 The Requestor has not provided any evidence demonstrating that it submitted a revised RIS form pursuant to applicable procedures. The only RIS form that ICANN org has received from the Requestor is the RIS form that Contractual Compliance sent the Requestor on 13 March 2018, and that form reflects an address that is different from the address listed on the Requestor's website.

Accordingly, the Board concludes that nothing in the Requestor's rebuttal warrants reconsideration.

This action is within ICANN's Mission and is in the public interest as it is important to ensure that, in carrying out its Mission, ICANN is accountable to the community for operating within the Articles of Incorporation, Bylaws, and other established procedures, by having a process in place by which a person or entity materially affected by an action of the ICANN Board or Staff may request reconsideration of that action or inaction by the Board. Adopting the BAMC's Recommendation has no financial impact on ICANN and will not negatively impact the security, stability and resiliency of the domain name system.

This is an Organizational Administrative Function that does not require public comment.