Earlier in the Registerfly controversy, ICANN Vice President Paul Levins posted to the ICANN Blog,
ICANN is not a regulator. We rely mainly on contract law. We do not condone in any way whatsoever RegisterFly’s business practice and behaviour.
This is disingenuous. ICANN is the central link in a web of contracts that regulate the business of domain name allocation. ICANN has committed, as a public benefit corporation, to enforcing those contracts in the public interest. Domain name registrants, among others, rely on those contracts to establish a secure, stable environment for domain name registration and through that for online content location.
A user registers a domain name by contracting with a registrar, such as Registerfly. The terms of that agreement are constrained by ICANN's accreditation contract with the registrar. French registrar Gandi explains this web with helpful diagrams in its registration agreement:
Gandi is a Registrar, accredited by both the Trustee Authority [ICANN] and registry of each TLD to assign and manage domain names according to their specific TLD. We must abide by the terms and conditions of Our accreditation contract. As a consequence, We must pass some of Our obligations on to Our customers.
As such, We commit Ourselves to providing you with the best possible service. This being said, due to Our contractual obligations with the Trustee Authorities and Registries, and which You must also abide by, Our services are limited in some of their technical, legal, regulatory and contractual aspects.
Now the ICANN contracts can both limit and help the end-user registrant. On the limit side, they restrict the registrant's ability to maintain anonymity or privacy by requiring the registrar to provide accurate identifying information to the WHOIS database, a duty the registrar fulfills by compelling provision of accurate information in its own contract with the registrant. This requirement benefits trademark holders, who have recently turned out to prophesy doom if data display is limited.
On the benefit side, the RAA-imposed duty of data escrow, requiring the registrar to maintain an escrowed copy of its registration database, provides evidence of a registrant's domain name holdings in the event of registrar failure. Registrants seeing this provision could believe that their domain names would be secure even if the registrar who had recorded them defaulted.
So they might have believed, but apparently ICANN has never enforced this provision of its contracts. Moreover, ICANN denies that the public is a third-party beneficiary entitled to demand enforcement.
The Registerfly debacle shows why this view is wrong as a matter of law and policy. ICANN was told more than a year ago of customer service problems at Registerfly, but did nothing to respond to those complaints, including escrowing data, leaving the company's 200,000 registrants at risk of losing domain names or the ability to update them when Registerfly's business troubles escalated early this year.
ICANN should recognize that the reason for its registrar contracts is precisely to benefit third parties: domain name registrants and those who rely on the domain name system. ICANN is not (or shouldn't be) accrediting registrars merely to have a larger pool of organizations paying fealty to it. Rather, it is imposing terms and conditions on registrars and, with an "ICANN accredited" seal, inviting the public to rely on those terms for a secure domain name registration.
In cases where ICANN fails to recognize a registrar's problems, concerned members of the public should be entitled to take action themselves. As well as enforcing public-benefit obligations on its own, ICANN should facilitate individual action by removing the "no third-party beneficiary" language from its contracts.