Hi Ching, I do not think that is feasible. As registrars, we cannot be put in a position of having to assess "severity". That is not our expertise or our responsibility. We need clear cut rules of what we have to act upon. Example: Test 1: Does the evidence provided clearly demonstrate an obvious case of DNS abuse? Test 2: If yes, it is clearly and obviously a malicious registration as opposed to a compromised site or service? Test 3: If yes again, are we in the best position to address this specific harm? Test 4: What is the best way to address this harm (notify/suspend/delete)? Test 5: Is there a likely negative impact from the action chosen? (Example: Is shutting down Facebook.com for accepting billions in malicious ads ok?) Sincerely, Volker Greimann General Counsel & Head of Policy and Compliance - Online Division volker.greimann@centralnic.com Office: +49-172-6367025 Web: www.teaminternet.com Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR. Team Internet is a company registered in England and Wales with the company number 8576358. ________________________________ From: Ching Chiao <ching.chiao@whoisxmlapi.com> Sent: 08 April 2026 3:41 AM To: trachtenbergm@gtlaw.com <trachtenbergm@gtlaw.com> Cc: parpis3@gmail.com <parpis3@gmail.com>; gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>; farzaneh.badii@gmail.com <farzaneh.badii@gmail.com>; Volker Greimann <volker.greimann@centralnic.com>; steve.chan@icann.org <steve.chan@icann.org> Subject: Re: [Gnso-dnsabuse-pdp] Re: Threshold - one domain vs a tiered approach Building on Marc's notes, I would like to offer two examples that illustrate the difficulty of using "severity" as a trigger: - The single hobby site case: If a network administrator for a public water utility visits a compromised hobby site and their credentials are stolen, the initial report might suggest low personal harm. However, the potential long-term impact on the local community is enormous. - The wallet-address-as-subdomain example: As I shared during today's call, the true severity of such harm is often only understood after a comprehensive investigation. This frequently involves multi-registrar scenarios, which fall outside this Working Group's scope. Requiring a registrar to reasonably determine mitigation steps is like requiring them to maintain a functional first-aid kit or Swiss army knife. The policy sets the requirement, but the registrar decides which specific tools to include based on their unique operational needs. I hope this provides helpful context. Best, Ching On Wed, Apr 8, 2026 at 6:55 AM <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>> wrote: In most cases there is no way that a registrar will be able to effectively gauge the severity of the DNS abuse or impact. The DNS Abuse is being reported by one person but it is never clear how many people have been or may be affected of it is not stopped. The single hobby site infected with malware could spread it to a few people who spread it to millions. The phishing targeting a small blog could affect hundreds while the one targeting the major bank may be less well done and may affect dozens. And on and on. It is not reasonable to expect the registrar to make this determination there is no way that they effectively can. This is why while severity may seem on the surface t make sense it is not a practical and reasonable to use it as a trigger for ADC. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/> | View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Pope 1 <parpis3@gmail.com<mailto:parpis3@gmail.com>> Sent: Tuesday, April 7, 2026 6:38 PM To: gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> Cc: Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>>; farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>>; `volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>` <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>>; `steve.chan@icann.org<mailto:steve.chan@icann.org>` <steve.chan@icann.org<mailto:steve.chan@icann.org>>; `ching.chiao@whoisxmlapi.com<mailto:ching.chiao@whoisxmlapi.com>` <ching.chiao@whoisxmlapi.com<mailto:ching.chiao@whoisxmlapi.com>> Subject: Re: [Gnso-dnsabuse-pdp] Re: Threshold - one domain vs a tiered approach I hear the concern about subjectivity, but I think severity of harm really matters when we are talking about DNS abuse. Not all abuse is equal and treating everything the same risks wasting time on small nuisances while the big threats slip through. Think through with me on the following real life scenarios/issues/examples Eg1. When phishing targets a local blog, a handful of people might be inconvenienced, but when phishing hits a major bank, thousands of customers can lose money and confidence in the system. Eg2. A single hobby site infected with malware might cause minor disruption. Compare that to the WannaCry ransomware attack, which spread through networks worldwide and shut down hospitals in the UK, that is a completely different level of harm. Eg3. DNS hijacking on a small server might redirect a few users, but the 2018 MyEtherWallet DNS hijack redirected thousands of people and led to millions in stolen cryptocurrency. These cases show why severity matters. It is not just about whether abuse exists, but about how much damage it can cause to people, businesses, and even public safety. A tiered approach helps registrars focus their energy where it is most needed, while still keeping the door open to act on smaller cases when necessary. In short, severity of harm is not about slowing things down, it is about making sure we respond proportionately and effectively, so the worst threats don’t get a head start.” Edmund Brahene Cybersecurity- Internal Controls -Compliance On Tue, 7 Apr 2026, 11:07 Nitin Walia via Gnso-dnsabuse-pdp, <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> wrote: Hi A purely discretionary approach risks inconsistency and missed abuse patterns, while a blanket ADC requirement is not operationally efficient. Neither extreme will serve the objective. We should instead align on a clear, risk-based framework: Mandatory ADC for confirmed high-severity abuse cases, Targeted ADC where evidence and patterns justify it and Limited discretion, with accountability. Importantly, ADC should be understood as a structured check using available data within policy and legal boundaries, not an intrusive or disproportionate action. If we are serious about reducing DNS Abuse, we must ensure that once malicious intent is established, bad actors are not allowed to continue operating across multiple domains due to lack of consistent checks. The focus now should be on defining objective triggers and thresholds that are effective, scalable, and consistently applied. Warm Regards Nitin Walia Director Data Ingenious Global nitin@data.in<mailto:nitin@data.in> | नितिन@डाटा.भारत<mailto:नितिन@डाटा.भारत> www.data.in <https://urldefense.com/v3/__http:/www.data.in__;!!DUT_TFPxUQ!ERHyPyzcwAgOc5MMgDp_ej-zkfWLqbkXgO3jlgTIkiiSYhcNUq9lLRV1DXQbhK8BPfojlv8R7EgjXHNIuw$>-------------------------------------------------------------- The content of this email is confidential and intended only for the recipient specified. If you received this message in error, please delete it and inform the sender. ________________________________ From: Naoum MENGOUDIS via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> MailId : [154111867] To: "trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>" <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>>,farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>> Cc: "volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>" <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>>,"steve.chan@icann.org<mailto:steve.chan@icann.org>" <steve.chan@icann.org<mailto:steve.chan@icann.org>>,"ching.chiao@whoisxmlapi.com<mailto:ching.chiao@whoisxmlapi.com>" <ching.chiao@whoisxmlapi.com<mailto:ching.chiao@whoisxmlapi.com>>,"gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>" <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Subject: [Gnso-dnsabuse-pdp] Re: Threshold - one domain vs a tiered approach Date: 07 Apr 2026 04:05:31 PM Just to set the record straight, doing ADC does not mean that anyone`s privacy or other human rights are violated. The Registrar just checks business data he already has available, plus some public open source data (like the contents of a domain, if there is an active website there). That`s it. What happens next is well prescribed by Policy and applicable Law. And, of course, we would not barge into anyone`s home because he stole a pen from a store, but we would definitely keep tabs on him to see how many other pens he steals from other stores. Naoum. ΜΕΓΓΟΥΔΗΣ Ναούμ Αστυνόμος Α` Διεύθυνση Δίωξης Κυβερνοεγκλήματος Τμήμα Διαδικτυακής Προστασίας Ανηλίκων Λ. Αλεξάνδρας 173, 115 22, Αθήνα<https://urldefense.com/v3/__https:/www.google.com/maps/place/**_**K/@37.9879...> MENGOUDIS Naoum Police Major Cyber Crime Directorate Online Child Protection Department Alexandras Avenue 173, 115 22, Athens<https://urldefense.com/v3/__https:/www.google.com/maps/place/**_**K/@37.9879...> T: (+30) 2106476475 E: n.mengoudis@cybercrimeunit.gov.gr<mailto:n.mengoudis@cybercrimeunit.gr> ------------------- Email Disclaimer This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. <https://urldefense.com/v3/__https:/www.google.com/maps/search/.**D173,*115*2...> If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. Think green before printing ________________________________ From: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: Monday, April 6, 2026 17:18 To: trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com> <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>> Cc: volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>>; steve.chan@icann.org<mailto:steve.chan@icann.org> <steve.chan@icann.org<mailto:steve.chan@icann.org>>; ching.chiao@whoisxmlapi.com<mailto:ching.chiao@whoisxmlapi.com> <ching.chiao@whoisxmlapi.com<mailto:ching.chiao@whoisxmlapi.com>>; gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Subject: [Gnso-dnsabuse-pdp] Threshold - one domain vs a tiered approach Hi At NCSG we don’t think one abusive domain should automatically trigger ADC for every domain name that is in the account or the portfolio. We want to think about other ways that can be proportional and rights respecting. The below is a draft tier based approach that considers “severity of harm” and might not be too resource intensive (thats to be seen) . Within ICANN’s defined DNS abuse scope malware, phishing, botnets, pharming, and spam where used as a delivery mechanism we can consider four tiers : • Critical (e.g. botnet C2, ransomware delivery, large-scale DNS cache poisoning or ISP-level resolver hijacking): assess report; mandatory ADC • High (e.g. phishing with active evasion, sophisticated malware, targeted router or home resolver hijacking): assess the severity ADC might be required • Medium (e.g. generic malware, low-sophistication phishing): assess, ADC recommended where a pattern is suspected. • Low (e.g. spam with no malware payload, dormant or historical abuse, resolved pharming): monitoring only; ADC at discretion where serial abuse is suspected. Investigation should also be proportionate. If somebody steals a pen from a store we won’t search their whole house. Farzaneh On Thu, Apr 2, 2026 at 6:24 PM trachtenbergm--- via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> wrote: Volker, What I am not understanding is how exactly registrars will know which domain names which they have actionable evidence are being used for DNS Abuse are likely to have high yield or low yield of associated domains being used for DNS Abuse simply by looking at the abusive domain and without conducting the Associated Domain Check. Even for the sake of argument if your personal experience in reviewing abuse complaints would give you a better idea about which domain names being used for abuse are likely to have associated domains also being used for abuse just by looking at the single domain without conducting the ADC (which is doubtful), you would not be right every time and a significant number of associated domains that are being used for DNS Abuse would be missed. But even if you were right every time, that is not scalable and most people reviewing abuse complaints do not have your experience. The policy can’t be designed for the most experienced reviewer of abuse complaints but rather has to account for that regular people reviewing abuse complaints which may not have your experience. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street<https://urldefense.com/v3/__https:/www.google.com/maps/search/411*E.*Main*St...> 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/> | View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Volker Greimann <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>> Sent: Thursday, April 2, 2026 2:51 PM To: Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>>; steve.chan@icann.org<mailto:steve.chan@icann.org>; ching.chiao@whoisxmlapi.com<mailto:ching.chiao@whoisxmlapi.com> Cc: gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> Subject: Re: [Gnso-dnsabuse-pdp] Re: Outcomes, Action Items, and Notes - 23 March 2026 - Meeting #6 Marc, I think you may be misunderstanding. Some will have low yield, some will have high yield. In many cases, those actioning the reports on a daily basis will have some experience in recognizing which is which. Why waste time on those with a high likelihood of low yield when we could spend that time by focussing on those with high yield? That is what I am looking for in our trigger: A clear guide that adds a new obligation there where it can do good, but doesn`t where it won`t. Criminals will always be a step ahead. Lets not make their "job" easier by burdening those that are tasked with mitigating their "work" with additional processes that will ultimately make them less effective when we could be focussing on enabling them to work better? Sincerely, Volker Greimann General Counsel & Head of Policy and Compliance - Online Division volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> Office: +49-172-6367025 Web: www.teaminternet.com<https://urldefense.com/v3/__http:/www.teaminternet.com__;!!DUT_TFPxUQ!CHs_FV...> Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR<https://urldefense.com/v3/__https:/www.google.com/maps/search/44*Gutter*Lane...>. Team Internet is a company registered in England and Wales with the company number 8576358. ________________________________ From: trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com> <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>> Sent: 02 April 2026 7:03 PM To: Volker Greimann <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>>; steve.chan@icann.org<mailto:steve.chan@icann.org> <steve.chan@icann.org<mailto:steve.chan@icann.org>>; ching.chiao@whoisxmlapi.com<mailto:ching.chiao@whoisxmlapi.com> <ching.chiao@whoisxmlapi.com<mailto:ching.chiao@whoisxmlapi.com>> Cc: gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Subject: RE: [Gnso-dnsabuse-pdp] Re: Outcomes, Action Items, and Notes - 23 March 2026 - Meeting #6 Volker, I would point out that you are making an assumption that running an ADC on actioned reports will have a low likelihood of yielding further results. It could yield significant actionable results that could have a meaningful impact on reducing DNS Abuse. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street<https://urldefense.com/v3/__https:/www.google.com/maps/search/411*E.*Main*St...> 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/> | View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Volker Greimann via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: Thursday, April 2, 2026 9:26 AM To: Steve Chan <steve.chan@icann.org<mailto:steve.chan@icann.org>>; Ching Chiao <ching.chiao@whoisxmlapi.com<mailto:ching.chiao@whoisxmlapi.com>> Cc: gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> Subject: [Gnso-dnsabuse-pdp] Re: Outcomes, Action Items, and Notes - 23 March 2026 - Meeting #6 *EXTERNAL TO GT* Thank you Ching, but I think it should be noted that that distinction does not make a practical difference. Reporters usually tend to report actual abusive registrations, so the number of additional steps to be taken for each such report will add up to a significant number of tickets that cannot be actioned in that time and will thus have to wait until later. Managing the abuse queues is at times like drinking from the firehose and to be able to keep on to of the inflow, the processes employed have to be perfectly tuned to make the most efficient use of the capacity available. Adding additional steps that lead nowhere is ultimately detrimental to our shared goals. On the other hand, adding additional steps where it makes sense and brings the added actual benefit of reducing the overall volume of abuse on our platforms is something all registrars should strive for. It is my firm belief that this WG should make sure that we find a way to find the right balance between not having to perform kabuki on actioned reports that have a low likelihood of yielding further results on the one hand and ensuring that there is an obligation to conduct such checks where there is potential value. Not doing that is taking the easy way out and just dumping the responsibility on our feet. Lets aim for a constructive approach instead. I also must note that I am a little disappointed by the lack of any response from any group besides the registrars with regard to my suggestion to put forward ideas what your own groups could contribute. Sincerely, Volker Greimann General Counsel & Head of Policy and Compliance - Online Division volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> Office: +49-172-6367025 Web: www.teaminternet.com<https://urldefense.com/v3/__http:/www.teaminternet.com__;!!DUT_TFPxUQ!EMcb8s...> Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR<https://urldefense.com/v3/__https:/www.google.com/maps/search/44*Gutter*Lane...>. Team Internet is a company registered in England and Wales with the company number 8576358. ________________________________ From: Ching Chiao via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: 02 April 2026 5:35 PM To: Steve Chan <steve.chan@icann.org<mailto:steve.chan@icann.org>> Cc: gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Subject: [Gnso-dnsabuse-pdp] Re: Outcomes, Action Items, and Notes - 23 March 2026 - Meeting #6 Hi Steve, all, Thanks very much for the meeting notes. BC has the opportunity to review them, and provide follow-up thoughts below : Re: Concern that if the trigger requires action every single time, it represents costs and efforts for the registrars, impacting the ability of registrars to effectively combat DNS Abuse. BC would like to emphasize that ADC is only required when the complaint of the initial domain is VALID (as defined in RAA) AND is found to be abusive / malicious. We don`t believe every complaint received by a registrar qualifies and hence won`t require an ADC. Meanwhile, performing ADC increases a registrar`s ability to cost effectively combat DNS abuse. Each ADC should take very little time (i.e. a few minutes) and often results in the suspension of multiple malicious domains / accounts. By suspending other (unreported) domains of known bad actors and their accounts, a registrar proactively prevents those domains and the account(s) from continuing to be used for DNS Abuse, thereby driving down the # of individual domain reports that will be received. The ADC proactive approach reduces the overall cost of mitigating abuse. It would be very helpful if the SMEs (such as NetBeason or NetCraft) & the Registrars could kindly share the following information (i.e. as required by by RAA<https://urldefense.com/v3/__https:/itp.cdn.icann.org/en/files/accredited-reg...> 3.18.4) which will help ascertain to the level of effort that will actually be needed to conduct ADC: o o o Number of complaints received in 2025 o o o o Number of complaints that were valid o o o o Number of complaints that were actioned o We understand that generally larger registrars receive more abuse reports, but they also have more staff to handle those reports and investigations. That said, we are aware that the additional ADC execution may potentially impact the workload / cost consequences for registrars with smaller DUMs. Best regards, Ching On Mon, Mar 30, 2026 at 11:13 AM Steve Chan via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> wrote: Dear DNSAM PDP 1, Please see the attached outcomes, action items, and notes from Meeting #6. Best, Steve [OUTCOMES] * Nick Wenban-Smith elected vice-chair [ACTION ITEMS] * Staff to post election results and onboard Nick to the leadership team. * Leadership and staff to provide a path forward for the WG meeting schedule, taking into account Monday holidays. * WG members to provide further input on the proposed updated work plan, no later than 3 April [updated work plan attached]. * Jennifer Chung, as Council liaison to the WG, to submit work plan to the Council no later than 6 April. [NOTES] 1. Welcome * None 2. Update on VC Chair Selection * Nick Wenban-Smith elected vice-chair Action Item: Staff to post election results and onboard Nick to the leadership team. 3. Meeting Cadence/Public Holidays * With so many meetings on Monday, leadership is proposing to move the meetings to the second most common acceptable day based on Doodle poll results. * Suggestion from many to leave on Monday and only move to Tuesday if there are “enough” WG members that cannot attend, but don’t cancel. Action Item: Leadership and staff to provide a path forward for the WG meeting schedule, taking into account Monday holidays. 4. Update on Workplan * Leaders and staff have taken into consideration input and has suggested changes to shorten the timeline. Key changes are initial deliberations and time between Initial and Final Report. Some appreciation, but also some discomfort for the shortened work plan. * The initial proposal for the work plan was potentially too conservative; the updated work plan is still designed to be achievable. * Next step is for the work plan to go to Council for acknowledgement via the Council liaison, Jennifer Chung. Action Item: WG members to provide further input on the proposed updated work plan, no later than 3 April [updated work plan attached]. Action Item: Jennifer Chung, as Council liaison to the WG, to submit work plan to the Council no later than 6 April. 5. Continue Deliberation * Early input received from the BC, GAC, IPC, ISPCP, NCSG, RrSG – input is aggregated and stored on the Wiki. Each piece of input will be added into the collaboration tool, relative to the Charter question. * Reviewed Overarching Themes so far from WG discussions, both verbal and on email. Also included relevant sections from Early Input, though full comments should be reviewed on the Wiki: https://icann-community.atlassian.net/wiki/spaces/DAMP1/pages/983433230/Community+Input<https://urldefense.com/v3/__https:/icann-community.atlassian.net/wiki/spaces/DAMP1/pages/983433230/Community*Input__;Kw!!DUT_TFPxUQ!EMcb8s5tfH9v-QJgxhTLT7aDWFwZsaRzPGJayPWO_DZUtmdyqHY8XYi5vnZ3fN_l5l2jYbzNA7HEBqZd39y7gBxtub3tOA$> * Concern that if the trigger requires action every single time, it represents costs and efforts for the registrars, impacting the ability of registrars to effectively combat DNS Abuse. Noted that we still have a question to determine what the investigation will look like. * Suggestion/reminder to define a maliciously registered domain name based on RAA 3.18.2. * “When Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse.” * Reminder that we need to allow for some flexibility in the solutions as bad actors will change their methods. However, the requirements still ultimately need to be enforceable. * The GAC early input talks about how to perform the ADC, as in what represents association – this input connects to a later Charter question. We are blending the charter questions a bit. * If the trigger is not a single maliciously registered domain name based on RAA 3.18.2, what would be the alternative? * Caution from some to avoid listing all ways to identify associated domain names engaging in DNS Abuse as defined by 3.18.2. * Question about proportionality in respect of initial trigger versus ADC – answer from those that are particularly concerned about proportionality, is both. * Reminder from ISPCP early input that the ADC should also be based on the same standard as in 3.18.2. Are there any members suggesting to go beyond these limitations? Seems to be alignment to stick with the RAA definition. * A balance is needed to avoid listing every ADC action, but also not to leave so vague that bad actors can exploit the holes. * Several mentions of a “reasonableness” standard for the ADC, in terms of what needs to be looked at. Continued caution against creating a prescriptive matrix. * Suggestion to create an advisory to help guide what the ADC should include, which can be updated from time to time. Question about how advisories are updated – answer is that there are a multitude of ways to update advisories. * Several members reminded that proportionality is important. However, question about potential harms from investigating whether other DNS Abuse is occurring. * Noted that reasonableness is already a component of the RAA, including for RAA 3.18.2. There is a difference between “what” reasonableness represents for initial trigger versus the reasonableness of “how” the ADC is performed. The advisory notion is more relevant to the latter of “how”. * Some discussion about compromised domains, which are not within scope of this PDP. Question about whether a compromised domain should trigger investigation of the account. * We have not yet discussed what the ADC itself should involve, other than it should not be prescriptive. This aspect is when proportionality will be more relevant. * Reasonableness of the ADC will vary based on the circumstances. And question about how that should be passed on to the reseller. 6. AOB * Planning to have 4 sessions during the standard meetings days for ICANN86. Will try to avoid conflicts to the extent possible. * There will also be a prep-week webinar to provide an update on the progress of this PDP. * Will need to confirm work plan – get it to Council by the 6th. * Staff will continue to update the collaboration tool and the WG should continue to review and provide feedback. Steven Chan VP, Policy Development Support & GNSO Relations Internet Corporation for Assigned Names and Numbers (ICANN) 12025 Waterfront Drive, Suite 300<https://urldefense.com/v3/__https:/www.google.com/maps/search/12025*Waterfro...> Los Angeles, CA 90094-2536<https://urldefense.com/v3/__https:/www.google.com/maps/search/12025*Waterfro...> Email: steve.chan@icann.org<mailto:steve.chan@icann.org> Mobile: +1.310.339.4410 _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org> ________________________________ If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at postmaster@gtlaw.com<mailto:postmaster@gtlaw.com>, and do not use or disseminate the information. _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org> _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org> Do not Remove: [HID]20260407160531165[-HID] [XGENFOOTER] [-XGENFOOTER] _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org>
