September 7, 2022

Best Practice: Abuse Reporter Expectation Management

This best practice explores how registrars should manage the expectations of abuse reporters. It starts with general research on the psychology of waiting, considers current registrar practices and reporter expectations, and provides specific guidance for registrars on how to manage expectations. 


Psychology of waiting 

Waiting for things is often an inevitable part of life, but some waits are more frustrating than others. Academics, consultants, and service providers have thought carefully about the psychology of waiting. They’ve found that the experience of waiting matters: a wait feels longer if it is indeterminate, anxiety-inducing, lonely, uncertain, unexplained, or perceived as unfair. This knowledge has been used in various contexts to improve the overall experience through communication. For example, Disney overestimates waiting times (promising 60 minutes and delivering 45 minutes).


Abuse report responses 

When we set up NetBeacon, we tracked down abuse reporting emails for every ICANN accredited registrar. All registrars are required to publish an email address to receive abuse reports. Once we had cross-referenced various lists, sense-checked, and de-duplicated (related registrars often use the same abuse contact), we were left with over 556 unique emails.


We emailed all of them to introduce our new free service and encourage registrars to create an account so they could benefit from customization. We received no response (automated or otherwise) from 90% (503) of registrars. Almost 8% (43) confirmed the receipt with the creation of a ticket. The remaining 2% (10) were a mix, including redirections to a form, unclear responses, and instructions to create an account.


Reporter expectations 

Reporters and their expectations vary greatly. Some of these expectations are entirely reasonable; others can be problematic.


On the reasonable end of the spectrum, most reporters appreciate an acknowledgement of receipt. This helps them know if they have the correct information, and means they don’t need to duplicate the report. 


Some reporters may expect to be contacted for further information. In some cases, this may be appropriate. In others it may be unfeasible. Either way, clearly communicating a registrar’s standard practice is an easy way to manage expectations of future engagement. 


Expectations start to become more complex when reporters also want to know what the outcome of the decision was, and why it was made. The correct course of action depends on the circumstances: in some contexts it may be appropriate to update reporters on the outcome of the decision. It may also be sensible to simply have high-level generic information publicly available that outlines the way decisions are made without disclosing too many details. Generally, it is unnecessary and potentially irresponsible for a registrar to publicly disclose the inner decision-making of abuse determinations, as this can result in an instruction booklet on how to slip through the abuse system. This does not mean that individual registrars should not exchange information with specific reporters. It just means the information they routinely publish for public consumption should be discerning on details. A publicly available policy and high-level answers to frequently asked questions are great ways to provide this information.


There are some reporters who expect their reports to be actioned in a certain way—to have their determination and recommendation respected as a final decision on what should happen next. This is problematic for the registrars and for the wider system of internet governance. Registrars have developed policies and processes to make decisions based on evidence provided to them. They carry the customer relationship and potential legal liability for the result of that decision. It’s not appropriate for an external third party to appoint themselves to make such decisions. This expectation can create additional issues for registrars when they do engage with this type of reporter because it can result in an endless loop of back and forth communications, even escalating to threats of litigation. 


The question for registrars is how best to manage reasonable expectations without getting drawn into time-consuming correspondence that does not contribute to making the internet safer.


The reality of what registrars receive into their abuse inboxes is vast and varied, sometimes duplicative, automated, irrelevant, or unevidenced. Meeting every expectation of every reporter is not feasible or recommended. We’ve set out some guidance on how we think this can be managed. 


How to manage reporter expectations

Managing reporter expectations does not mean that a registrar is required to respond to and answer every question a reporter has. They don’t need to spend countless hours going back and forth in email chains. They are certainly not obliged to agree with the reporter’s determination of abuse, or to disclose the inside decision making of their abuse assessment. In most cases, it’s completely reasonable for a registrar not to respond at all beyond an initial acknowledgement of receipt. 


Based on our email experience, it seems the vast majority of registrars don’t currently provide an automated response. At the other end of expectation management, we know that at least one registrar goes as far as to provide a unique URL for the reporter to monitor the status of their report.


When it comes to reporter expectations, there are some relatively quick wins to reduce uncertainty, clarify the process, and hopefully improve the experience for everyone. 


  • Autoresponse: Set up an auto response on your abuse email. The wait for an initial acknowledgment of receipt is essentially instant.


  • Reduce uncertainty: Explain what happens next. If you’re not likely to respond beyond the initial autoreply, say so. If you don’t intend to tell the reporter the outcome, explain this too. If you do intend to respond or close cases within a particular time frame, say so and try to stick to it.


  • Share high level principles: Your auto response is a good opportunity to explain the “why.” For example, it can be useful to explain that it is not your standard practice to discuss the details of why a report is or is not determined to be abuse under your policy (e.g., because doing so could provide an instruction booklet for malicious actors to bypass your anti-abuse policies). We also recommend that you include a link to your public abuse policy. If you receive repeated questions, you could also compile a public Q&A on your website. 


We know that some registrars go above and beyond these three points, for example by including unique URLs. This is certainly helpful for managing expectations and providing updates. We haven’t included this as advice because we’re aiming to create a best practice that all registrars, large and small, can easily meet. If you use a ticketing system you can include this information in your response, but managing expectations doesn’t require new software or business processes. It can be as simple as communicating clearly about your existing policies and processes. To make this even easier, we’re providing a generic response template that you can use and adapt.


Generic response template 

“Thank you for contacting [registrar]. 


We have received your report and will investigate whether the domain name is in breach of our policies. If we find abuse, we will take action in line with our policies and processes. 


You can read our abuse policy here: [website]


If we need more information we may reach out to you. Due to the volume of reports we receive, we don’t routinely respond to reporters beyond this initial email confirming receipt. 


Please be aware that we do not share details of our investigation with external parties; this is to prevent malicious actors finding ways to exploit our policies and processes.


Thank you for contacting us.”