Hi,

I think severity of harm is a red herring as this is impossible for us as registrars to determine. In many cases the harm of a phishing campaign is dependent on how heavily it is advertised on FB after all.

You also seem to be suggesting the monitoring of strings on registration. For most of us, a domain name is a more or less random string of numbers and letters. Any meaning is attached to it by the user. While there are tools like name spinners that provide name suggestions, these are very often third-party tools that we as registrars implement as a black box. 


Sincerely,

Volker Greimann
General Counsel & Head of Policy and Compliance - Online Division

volker.greimann@centralnic.com
Office: +49-172-6367025
Web: www.teaminternet.com


Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR. Team Internet is a company registered in England and Wales with the company number 8576358.



From: Ching Chiao via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: 15 April 2026 12:38 PM
To: Michaela Nakayama Shapiro <michaela.shapiro@article19.org>; Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request.
 
Dear Michaela,

Thank you for your thoughtful note. I would like to offer some additional perspectives. You mentioned that the goal is to ensure ADCs are conducted with "care" rather than on every instance of reported abuse. However, "care" can have various interpretations. For some registrars, conducting an ADC with care could involve preemptive risk-profiling for every newly registered domain to prevent cyberattacks, potentially relying on internal labeling or third-party sources. For instance, at the time of registration, attributes such as group number or group size could be added to the domain or registrant data to facilitate investigation in the future. 

In a scenario where a registrar identifies a domain like "xxbank-secure-logincom.[TLD]", and still suggests 10–20 other TLDs to that same customer, I strongly recommend recording this ADC group at the time of registration. This would be highly beneficial for any future investigations.

I still believe using "severity as a trigger" can be problematic. As previously shared, a large ADC group might contain only one phishing domain, yet that single domain could target a public water supply org. Given how rapidly the cyberattack landscape evolves, a tiered model is unlikely to capture these risks effectively and could complicate the workflow. 

Thanks! 

Best,

Ching

On Mon, Apr 13, 2026 at 7:04 PM Michaela Nakayama Shapiro via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote:

Dear all,

With apologies for the delayed response (catching up on the mailing list from the weekend), I want to thank @Brian F. Cimbolic for re-upping this section. Echoing @farzaneh badii, this language lays the groundwork for the tiered model of severity of harm that the NCSG is keen to see reflected in the outcome of this PDP. Particularly given that registrars will conduct ADCs differently, having this language is one clear means of accounting for the type and severity of harm to be addressed without preventing ADCs from taking place (as we are also keen to protect victims of spam, phishing, etc. from harm).

Building on the strawman proposal helpfully put forward by staff last week, I would like to suggest the following change:

When a registrar has actionable evidence that a Registered Name is being used for DNS Abuse and has taken appropriate mitigation action(s) under section 3.18.2 of the Registrar Accreditation Agreement (RAA), the registrar must perform an Associated Domain Check depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage

Respectfully, I disagree with Mark that "use of a severity as a trigger will make the end result of the PDP meaningless and will result in even more overhead for registrars." Registrars should already be accounting for severity of harm when taking 'appropriate action' on DNS abuse so this will simply be reiterating this obligation up-front. The aim is not to prevent ADCs from happening but rather ensuring that these are conducted with care (rather than on every and any instance of reported DNS abuse). Particularly as we have yet to define minimum procedural requirements for ADCs or to clarify obligations regarding evidence gathering, the NCSG wants to ensure that this balancing exercise is integrated both at the 'trigger' phase and during the ADC.

Looking forward to discussing this more — whether via the mailing list or on today's call (or both).

Best,

Michaela

Michaela Nakayama Shapiro (she/her/hers)
Programme Officer - Censorship

From: Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: 12 April 2026 15:55
To: Farzaneh Badii <farzaneh.badii@gmail.com>; Naoum MENGOUDIS <n.mengoudis@cybercrimeunit.gov.gr>
Cc: Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request.
 
Hi Farzaneh (and everyone else) - I wanted to note that Section 3.18.2 of the RAA has language that might account for these considerations in the language highlighted below: 

"When Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse. Action(s) may vary depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage."

Perhaps that language would be helpful in any ultimate Policy to take those concerns into consideration. 

Thanks,

Brian

Brian Cimbolic | Chief Legal and Policy Officer

brian@pir.org | www.thenew.org | Power your inspiration. Connect your world.

 


 

From: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Date: Sunday, April 12, 2026 at 10:31 AM
To: Naoum MENGOUDIS <n.mengoudis@cybercrimeunit.gov.gr>
Cc: Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request.

Hi Naoum,

You mentioned earlier that ADC would have no adverse effect on rights (I include access in it too). I did not respond at the time because I think that conclusion is premature and needs to be assessed in context.


First, when we talk about human rights in this setting, we are not only concerned with established violations but with risk, that is, the likelihood that certain practices could lead to disproportionate or unjustified impacts on registrants and end users.


In your example, you effectively illustrate how that risk can increase with an ADC check:

“PLUS, you can use heuristics, like, if you verify that 20 of the 100 domains of the customer are abusive, and using other available information and indicators (e.g. everything being registered via API and on the same day), you can just deactivate all 100 of the domains and nobody will complain about it (without even having to check further, saving lots and lots of resources)” 

This approach introduces a clear risk of overbroad action, where domains that have not been individually assessed are nevertheless subject to the same outcome. Even if some domains are abusive, extending action to the entire portfolio without further verification raises questions of proportionality, accuracy, and potential impact on legitimate uses.

Best regards 



Farzaneh 


On Sun, Apr 12, 2026 at 7:33 AM Naoum MENGOUDIS via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote:
Dear all,

Following the numbers being thrown around in the recent emails, it would be of interest to know the average number of domains an end customer holds. And maybe also the maximum number of domains an end customer holds, to have an idea of the extreme case scenario. This would give us a better estimate of the work needed to be done when doing ADC. [End customer means actual registrants, excluding Resellers and Privacy & Proxy Services]

Having 100.000 abusive reports in total says nothing about the overhead of a possible ADC. Maybe ADC would actually help because the reports would be handled in groups instead of one by one (because, as you know, when you are "in the zone" you get more work done compared to starting and stopping and constantly switching contexts).

For example, if the average ownership is 100 domains per end customer, you would have to check an additional 99 domains of that customer when one of his domains is reported. Better do it as a group, instead of waiting to do it 100 times in total at some point. PLUS, you can use heuristics, like, if you verify that 20 of the 100 domains of the customer are abusive, and using other available information and indicators (e.g. everything being registered via API and on the same day), you can just deactivate all 100 of the domains and nobody will complain about it (without even having to check further, saving lots and lots of resources). On the contrary, acting on each of the reports that will come in the future is way more resource intensive.

And can we have some examples of real scenarios when an ADC would be detrimental to the resource use of the Registrar? So we can validate or not this argument, or any other related argument, or plan appropriate safeguards, instead of dismissing a good practice (i.e. the ADC triggered every time).

Regards,
Naoum

ΜΕΓΓΟΥΔΗΣ Ναούμ
Αστυνόμος Α'
Διεύθυνση Δίωξης Κυβερνοεγκλήματος
Τμήμα  Διαδικτυακής  Προστασίας  Ανηλίκων 

MENGOUDIS Naoum
Police Major
Cyber  Crime  Directorate
Online Child Protection Department
T: (+30) 2106476475
E: n.mengoudis@cybercrimeunit.gov.gr

_______________________________________________
Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org
To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org