Dear all,
With apologies for the delayed response (catching up on the mailing list from the weekend), I want to thank
@Brian F. Cimbolic for re-upping this section. Echoing
@farzaneh badii, this language lays the groundwork for the tiered model of severity of harm that the NCSG is keen to see reflected in the outcome of this PDP. Particularly given that registrars will conduct ADCs differently, having this language is one
clear means of accounting for the type and severity of harm to be addressed without preventing ADCs from taking place (as we are also keen to protect victims of spam, phishing, etc. from harm).
Building on the strawman proposal helpfully put forward by staff last week, I would like to suggest the following change:
When a registrar has actionable evidence that a Registered Name is being used for DNS Abuse and has taken appropriate mitigation action(s) under section 3.18.2 of the Registrar Accreditation Agreement (RAA), the registrar must
perform an Associated Domain Check depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage.
Respectfully, I disagree with Mark that "use of a severity as a trigger will make the end result of the PDP meaningless and will result in even more overhead for registrars." Registrars should already be accounting for severity of harm when taking 'appropriate
action' on DNS abuse so this will simply be reiterating this obligation up-front. The aim is not to prevent ADCs from happening but rather ensuring that these are conducted with care (rather than on every and any instance of reported DNS abuse). Particularly
as we have yet to define minimum procedural requirements for ADCs or to clarify obligations regarding evidence gathering, the NCSG wants to ensure that this balancing exercise is integrated both at the 'trigger' phase and during the ADC.
Looking forward to discussing this more — whether via the mailing list or on today's call (or both).
Best,
Michaela
| Michaela Nakayama Shapiro (she/her/hers) |
| Programme Officer - Censorship |
|
|
|
| Note: we work half day Fridays (AM) |
| Follow us |
|
|
 |
|
|
From: Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: 12 April 2026 15:55
To: Farzaneh Badii <farzaneh.badii@gmail.com>; Naoum MENGOUDIS <n.mengoudis@cybercrimeunit.gov.gr>
Cc: Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request.
Hi Farzaneh (and everyone else) - I wanted to note that Section 3.18.2 of the RAA has language that might account for these considerations in the language highlighted below:
"When
Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name
from being used for DNS Abuse. Action(s) may vary depending on the circumstances, taking into account the cause
and severity of the harm from the DNS Abuse and the possibility of associated collateral damage.”
Perhaps that language would be helpful in any ultimate Policy to take those concerns into consideration.
Thanks,
Brian
|
|
|
Brian Cimbolic | Chief
Legal and Policy Officer
|
|
brian@pir.org |
www.thenew.org |
Power your inspiration. Connect your world.
 
|
|
|
Confidentiality Note: Proprietary and confidential to Public Interest Registry. If received in error, please inform sender and then delete.
From: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Date: Sunday, April 12, 2026 at 10:31 AM
To: Naoum MENGOUDIS <n.mengoudis@cybercrimeunit.gov.gr>
Cc: Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request.
Hi Naoum,
You mentioned earlier that ADC would have no adverse effect on rights (I include access in it too). I did not respond at the time because I think that conclusion is premature and needs to be assessed in context.
First, when we talk about human rights in this setting, we are not only concerned with established violations but with risk, that is, the likelihood that certain practices could lead to disproportionate or unjustified impacts on registrants and end users.
In your example, you effectively illustrate how that risk can increase with ADC check:
“PLUS, you can use heuristics, like, if you verify that 20 of the 100 domains of the customer are abusive, and using other available information and indicators (e.g. everything being registered
via API and on the same day), you can just deactivate all 100 of the domains and nobody will complain about it (without even having to check further, saving lots and lots of resources)”
This approach introduces a clear risk of overbroad action, where domains that have not been individually assessed are nevertheless subject to the same outcome. Even if some domains are abusive, extending action to the entire portfolio without further verification
raises questions of proportionality, accuracy, and potential impact on legitimate uses.
Best regards
Farzaneh
Dear all,
Following the numbers being thrown around in the recent emails, It would be of interest to know the average number of domains an end customer holds. And maybe also the maximum number of domains an end customer holds, to have an idea of the extreme case scenario.
This would give us a better estimate of the work needed to be done when doing ADC. [End customer means actual registrants, excluding Resellers and Privacy & Proxy Services]
Having 100.000 abusive reports in total says nothing about the overhead of a possible ADC. Maybe ADC would actually help because the reports would be handled in groups instead of one by one (because, as you know, when you are "in the zone" you get more work
done compared to starting and stopping and constantly switching contexts).
For example, if the average ownership is 100 domains per end customer, you would have to check an additional 99 domains of that customer when one of his domains is reported. Better do it as a group, instead of waiting to do it 100 times in total at some point.
PLUS, you can use heuristics, like, if you verify that 20 of the 100 domains of the customer are abusive, and using other available information and indicators (e.g. everything being registered via API and on the same day), you can just deactivate all 100 of
the domains and nobody will complain about it (without even having to check further, saving lots and lots of resources). On the contrary, acting on each of the reports that will come in the future is way more resource intensive.
And can we have some examples of real scenarios when an ADC would be detrimental to the resource use of the Registrar? So we can validate or not this argument, or any other related argument, or plan appropriate safeguards, instead of dismissing a good practice
(i.e. the ADC triggered every time).
Regards,
Naoum
ΜΕΓΓΟΥΔΗΣ Ναούμ
Αστυνόμος Α'
Διεύθυνση Δίωξης Κυβερνοεγκλήματος
Τμήμα Διαδικτυακής Προστασίας Ανηλίκων
MENGOUDIS Naoum
Police Major
Cyber Crime Directorate
Online Child Protection Department
T: (+30) 2106476475
Email Disclaimer
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for
the individual named. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately
by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.If you are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
Think green before printing
