18 April 2018

Reforming auDA and the dot au ccTLD

As a member of several auDA working parties in a past life I expressed concerns regarding regulatory capture. Those substantive nature of those concerns is evident in the Commonwealth government's Review of the .au Domain Administration report released today.

The report states
On 19 October 2017, the Minister for Communications, Senator the Hon Mitch Fifield, announced a review of Australia’s management of the .au domain (the Review). The not-for-profit .au Domain Administration (auDA) oversees the operation and management framework of the .au domain of the internet. auDA is endorsed by the Australian Government as the appropriate entity to administer Australia’s country code Top-Level Domain (ccTLD)—the .au domain—on behalf of Australian internet users.
The digital landscape has changed significantly since auDA was endorsed by the Australian Government in 2000. The internet has become all-pervasive and a critical enabler of the digital economy. The .au namespace plays an important role in supporting the digital economy, allowing entities and organisations to register domain names. As of late September 2017, over 3 million .au domain names had been registered in Australia.
While internet usage continues to grow, the overall communications environment is changing. Australians are accessing the internet in different ways and cyber security threats are increasingly prevalent. Future trends may have an impact on the domain space and it is important Australia has an effective .au administrator that is able to ensure the ongoing availability of .au domains while navigating future uncertainty.
auDA’s governance arrangements have not changed significantly since it was first established, with its structure and approach to governance set at a point in time when the internet and the domain industry was still in its infancy. The Review has found that reforms to auDA’s governance arrangements are necessary if the company is to perform effectively and meet the needs of Australia’s internet community.
In undertaking the Review, the Department has reflected on three principles:
• The Australian Government is committed to strengthening multi-stakeholder mechanisms for internet governance, noting the diversity of auDA’s stakeholders. 
• The .au namespace is a public asset given its increasing importance to the daily lives of Australians and should be governed with community interests in mind. 
• auDA has a monopoly position in administering the .au namespace and should be subject to stringent oversight requirements.
Importantly, the review acknowledges that auDA has overseen a significant ramp up in the number of domain names and has introduced many important policy and security initiatives. auDA has contributed to .au being seen globally as a secure and trusted namespace.
The government's Findings are -
The central finding of the Review is the current management and governance framework for auDA is no longer fit-for-purpose and that reform is necessary if the company is to perform effectively and meet the needs of Australia’s internet community.
In particular, the current membership model, and its relationship to corporate governance, is impeding auDA’s decision making and is contributing to ongoing organisational instability. The membership class structure is not reflective of Australia’s internet community nor auDA’s stakeholders. The current process where the majority of directors are appointed from the membership does not support effective governance outcomes.
Further, directors can be elected to the board with little regard to the skills required to effectively govern a modern domain administrator. Directors are also not required to meet probity, security or conflict of interest checks.
Ultimately, current governance and management framework arrangements are not satisfactory given the importance of the .au namespace to the Australian community. In considering stakeholder feedback and better practice guidelines, the Review identifies a range of reforms to improve stakeholder engagement, transparency and accountability, and mechanisms to promote trust and confidence in the .au domain name.
The Review considers that significant and urgent reforms are necessary to ensure that the .au namespace is administered in line with community and the Australian Government’s expectations.
To achieve this, the Review has made recommendations focusing on:
• clarifying the role of the .au domain administrator to ensure its activities are aligned with its responsibilities 
• reforming the management framework to support improved transparency, consultation and accountability by providing greater guidance on performance and reporting requirements 
• supporting effective stakeholder engagement and better representation of the Australian internet community, by acknowledging the .au DNS as a public asset and the multi-stakeholder approach to internet governance 
• outlining the role and expectations of the Australian Government 
• fostering greater trust and confidence in the .au namespace by enhancing security best practice and coordination of DNS administration.
... Reforming auDA will be a substantial process. Changes to its governance and membership arrangements involves significant constitutional reform, which requires the support of the membership base. The extent to which the membership supports reform is unclear.
The Review proposes two options to implement recommendations. The first option would see the Minister for Communications issuing revised terms of endorsement to auDA supported by an implementation plan with clearly identified milestones for reform. This plan would see a clear pathway for reform in place by three months, significant progress by 12 months, and the full reform package implemented within 24 months.
Alternatively, the Government could consider issuing an expression of interest to assess whether an alternative provider is able to perform the .au domain administration function in line with the revised terms of endorsement. This option may identify a viable alternative provider for the administration of the .au namespace mitigating the risk that constitutional reform of auDA cannot be achieved.
The stability, resilience and security of the .au namespace is paramount to the Government. The review recommends that auDA be given the opportunity to conduct the necessary reforms. However, the Government is committed to implementation of timely reform and will take action to ensure that Australia’s domain name is administered effectively and in the interest of all Australians. This includes transitioning the delegation for management of .au to another provider if auDA is unable to achieve necessary outcomes.
On that basis the report features the following recommendations
Purpose of the .au domain administrator
1. While auDA has an ongoing role in the security and stability of the .au space including as part of the critical infrastructure sector, this should not in the foreseeable future alter auDA’s role and purpose. 
2. That auDA continue to operate as a not-for-profit entity and does not seek to maximise profit. 
3. Consideration of commercial strategies relevant to the sustainability of the domain administrator should not detract from the domain administrator’s core function as described in the terms of endorsement and core purpose.
Management framework
4. That auDA provide an annual Strategic Plan covering at least a four-year-period and with the Strategic Plan reflecting company purpose and terms of endorsement. The auDA Board and management should present progress against the organisation’s purpose and its strategic objectives at auDA’s Annual General Meeting and in its Annual Report. 
5. That auDA develop a KPI framework to: a. measure its performance against its stated objectives in its terms of endorsement b. report against in its Annual Report and at its Annual General Meeting. 
6. As part of its Strategic Plan, that auDA outline how it intends to discharge its functions as a not-for-profit company and report on its effectiveness in its Annual Report and at its Annual General Meeting.
Transparency and consultation
7. That auDA reform its governance arrangements to ensure: 
a. that the nomination of all Board positions is undertaken by a Nomination Committee comprised of representatives from industry, the business sector, consumers, an auDA member representative, and the Commonwealth, represented by the Department
i. in establishing the Nomination Committee, the auDA Board will undertake a consultative merit-based process to identify members, with a Department representative as a panellist, and the Department to select the committee members from this process 
ii. the Nomination Committee will undertake probity and disclosure assessments and develop a skills matrix to ensure new directors have an appropriate mix of technical and corporate skills and industry experience 
iii. the Nomination Committee will shortlist: member candidates to stand for election by members; and independent candidates to stand for election by the Board 
iv. however, the first Board, following the reform of auDA’s governance arrangements will be selected according to the skills mix identified by the Nomination Committee with shortlisted nominees agreed with the Department 
b. length of terms directors can serve is capped at three years with directors appointed for no more than two consecutive terms 
c. the Board is structured so that the majority of the Board is independent of auDA’s membership 
d. that within 12 months the Board is reconstituted to ensure all appointments meet this criteria.
8. That auDA establish a Board Charter:
a. to set out the respective roles and responsibilities of the Board, Chair and CEO 
b. to set out the basis for appointment of the Chair 
c. that requires the Board to report on an annual basis to stakeholders publicly on its performance against this charter. 
9. That auDA:
a. formalise its transparency and accountability framework, consistent with recommendations in the Westlake review 
b. report annually on its performance against the framework in its Annual Report and at its Annual General Meeting.
Membership
10. That auDA reforms its existing membership model by creating a single member class or a functional constituency model and that membership reform is non-discriminatory and supported with transparent membership guidelines. 
11. That auDA diversify its member base in the short-term with a focus on extending membership to stakeholders that are underrepresented. 
12. That auDA report annually on its initiatives for growing its membership, and their effectiveness at diversifying the membership in its Annual Report and at its Annual General Meeting. 
13. That auDA review its assessment process for new members, in conjunction with the implementation of Recommendations 10, 11 and 12. 
Expectations and role of the Government 
14. That the Minister for Communications issue new terms of endorsement, setting out the Government’s expectations for .au domain administration and that auDA respond by publishing a statement on how it will deliver on these expectations. 
15. That the Government review these terms of endorsement within two years from when they are issued to ensure they remain fit-for-purpose, with reviews scheduled every three years going forward. 
16. That the Department of Communications and the Arts adopts a more formal oversight role of auDA, including that:
a. auDA report quarterly to the Department on its implementation of reforms, work agenda and key work priorities 
b. the Department conducts independent verification of some or all of auDA’s reporting provided through its Annual Report, including those requirements identified as part of the review 
c. a senior executive officer from the Department continue as a non-voting observer at auDA Board meetings and is present for all decisions taken by the Board. 
17. That the oversight role of the Department of Communications and the Arts is reviewed periodically by Government to ensure it is fit-for-purpose. 
Stakeholder engagement 
18. That auDA develops a public stakeholder engagement strategy and implementation plan to articulate how it will engage with stakeholders in all levels of operation and decision making. 
19. Through its Annual Report and at its Annual General Meeting, auDA should report on its performance against its stakeholder engagement strategy. 
20. That auDA publish conclusions from its review on its community activities and publish an implementation plan on future community activities. 
21. That auDA continue to engage with ICANN and other international bodies to represent Australian interests. 
22. That auDA’s stakeholder engagement strategy (Recommendation 18) include ICANN and other relevant international fora and bodies. 
23. As part of its Strategic Plan (Recommendation 4), auDA publishes a forward-looking international travel schedule and describes in its Annual Report the effectiveness of its international activity.
Trust and confidence in .au
24. As part of its international engagement (Recommendations 21, 22 and 23), auDA engage with key international security fora including ICANN’s Security and Stability Advisory Committee to ensure that it is kept updated on international security developments. 
25. That auDA develop and implements an enterprise security strategy based on domestic and international best practice in consultation with all relevant stakeholders. 
26. That auDA publishes a public facing version of its enterprise security strategy, having regard to relevant sensitivities. 
27. As part of its stakeholder engagement plan (Recommendation 18), that auDA maps its relationship with Australian Government security agencies and the internet industry and community on security of the .au namespace. 
28. That the Department of Communications and the Arts facilitate partnerships between auDA and relevant cyber security agencies. 
29. As part of its quarterly reports to Government (Recommendation 16) that auDA report on its security activities.
The report identifies  new terms of endorsement
Preamble
Australia’s country-code Top Level Domain (ccTLD) is an important resource, given the growing reliance of Australians on the .au namespace for economic and social activities. Noting there is a diversity of stakeholders in this namespace, the management of the .au domain must support multi-stakeholder engagement and be administered in the public interest. Responsibility for the administration of .au is ultimately derived from, and is subject to, the authority of the Commonwealth. The Australian Government can delegate the responsibility for managing the .au namespace to an appropriate entity or organisation. However, endorsement from Government is contingent on the entity satisfying a number of conditions. The Government provides the following terms of endorsement to auDA, as the .au domain administrator.
Core functions
The .au domain administrator will undertake the following core functions: • ensure stable, secure and reliable operation of the .au domain space • respond quickly to matters that compromise DNS security • promote principles of competition, fair trading and consumer protection • operate as a fully self-funding and not-for-profit organisation • actively participate in national and international technical and policy namespace fora to ensure that Australia’s interests are represented and to identify trends and developments relevant to the administration of the .au namespace • establish appropriate dispute resolution mechanisms.
Emerging domain issues such as commercial opportunities should not detract from the domain administrator performing its core functions.
Conditional requirements
In undertaking these functions, the .au domain administrator will uphold the following requirements and conditions: Effective governance arrangements for the .au namespace Good governance practices provide the foundation for the effective management of the .au ccTLD. The .au domain administrator must implement a governance structure that supports effective decision-making and represents the interests of stakeholders in a transparent and accountable manner.
Conditions:
That the .au domain administrator has:
• a governance structure which includes the following characteristics: 
• an independent process that can provide assurances of the suitability of candidates considered for board appointments, such as a Nomination Committee 
• a board that has the collective mix of technical and corporate skills, and industry experience, to effectively administer the .au namespace 
• a board that appoints a majority of directors who are independent of the organisation, including the Chair 
• appointment terms that support ongoing board renewal 
• a Board Charter that outlines the roles and responsibilities of the board, Chair and CEO and the basis for appointment of the Chair.
Facilitate effective stakeholder engagement
Noting that the .au namespace has a diversity of stakeholders, the .au domain administrator must engage and consult widely to ensure it can effectively represent the views of its stakeholders.
Conditions: 
That the .au domain administrator:
• consults with stakeholders on deliberations and decisions that will impact on the Australian internet community 
• develop a comprehensive stakeholder engagement plan, including how it will engage with key stakeholders such as industry, members of the community, Government and relevant international bodies and organisations  
• consistent with this stakeholder engagement plan, participate in international fora and relevant community activities 
• has a clearly defined membership structure that can represent the views of the Australian internet community 
• initiate activities that engage the internet community and support the diversification of its member base 
• establish an effective process for assessing and processing new members.
Support accountability and transparency
In managing a public asset, the .au domain administrator will be accountable to its stakeholders, including the Australian Government. Improved transparency and accountability is necessary to provide the assurance that the .au namespace is being managed consistent with Government and community expectations.
Conditions:
That the .au domain administrator has:
• an annual strategic plan that reflects these Terms of Endorsement and the company’s purpose with reference to how it will discharge its functions as a not-for-profit entity 
• a transparency and accountability framework 
• an effective reporting framework which would include reporting through its Annual Report and at its Annual General Meeting on performance against: 
• these terms of endorsement, supported by a key performance indicator framework • board performance against its charter 
• its strategic plan • the transparency and accountability framework 
• stakeholder engagement activities including international and community activities and initiatives that aim to expand the member base.
Engagement with the Australian Government
In providing its endorsement for an entity to administer what is a public asset, the Government has a strong interest in the management of Australia’s ccTLD. 
Conditions: 
That the .au domain administrator:
• provide quarterly updates on performance and work priorities to the Department 
• acknowledge that the Government reserves the right to independently review auDA’s reporting and reporting processes at any time 
• ensure that a senior officer from the Department is included in all relevant auDA governance processes, including, but not limited to, non-voting observer status at board meetings for all decisions 
• develop a strategy to enable an orderly transition to an alternative domain administrator in the event that endorsement is withdrawn by the Government.
Support trust and confidence in .au
Confidence in the .au namespace will be critical to the growth of Australia’s economy. In addition to the Department of Communications and the Arts, there are a number of other Australian Government agencies that have a role in supporting the security and stability of .au.
Conditions:
That the .au domain administrator:
• engage with key international security fora to ensure it is aware of international security developments and best practice 
• develop, maintain and, to the greatest extent possible, publish an enterprise security strategy which is informed by domestic and international best practice 
• work with the Department of Communications and the Arts to facilitate partnerships between auDA and relevant cyber security agencies
Commencement of these terms of endorsement
In agreeing to the terms of endorsement, the .au domain administrator is required to respond in writing within three months, providing an implementation plan on how it will meet these terms. The Australian Government will conduct a review within two years to assess the performance of the .au domain administrator and consider whether these terms of endorsement remain fit-for-purpose.