<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Bill,<br>
Thanks so much for the shout-out to NCUC and the go-ahead to
submit.<br>
<br>
Hi All,<br>
Thanks all for taking the time to review and respond to this
comment on such short notice. It is now going in...<br>
<br>
Best and have a great weekend,<br>
Kathy<br>
<br>
</div>
<blockquote
cite="mid:7E402E11-32DB-4742-A286-F6510886E9C0@gmail.com"
type="cite">
Hi Kathy
<div><br>
</div>
<div>We have like a dozen expressions of support, no voiced
opposition, and less than two hours until the submission
deadline, so under these circumstances yes let’s call it an NCUC
endorsement. Thanks for writing it and please submit it on our
behalf.</div>
<div><br>
</div>
<div>I’m heading offline for the evening.</div>
<div><br>
</div>
<div>Cheers,</div>
<div><br>
</div>
<div>Bill</div>
<div><br>
<div>
<div>On Jan 16, 2014, at 11:52 PM, Kathy Kleiman &lt;<a
moz-do-not-send="true"
href="mailto:Kathy@kathykleiman.com">Kathy@kathykleiman.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000" style="font-family:
Verdana; font-size: 18px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: auto; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;">Hi All,<br>
I need your help. There is an amazing study done by two
researchers (a PhD and an almost-PhD) at Carnegie Mellon
University. They tested the hypothesis of whether "public
access to WHOIS data leads to a measurable degree of
misuse of certain kinds of gTLD domain name Registrant
identity and contact information." They did both a
descriptive study (surveys of law enforcement and privacy
people, registrants and registrars) and an experimental
study (registering domain names with no other traceable
source and seeing how much spam, and unsolicited phone
calls and emails they received). <span
class="Apple-converted-space"> </span><br>
<br>
They found what we have been telling ICANN for years:
"there is a statistically significant occurrence of WHOIS
misuse affecting Registrants' email addresses, postal
addresses, and phone numbers, published in Whois."<span
class="Apple-converted-space"> </span><br>
<br>
Great and let's tell them so! I've drafted some comments
that not only support the findings (and review the great
effort dedicated to the study), but also draw on abuse
cases we have discussed and shared from the NCUC over many
years, including political persecution, chilling effects,
anti-competitive activity, and stalking.<br>
<br>
Since these are Reply Comments, it is traditional to not
only share your own views, but comment on those of
others. Our views are, in many ways, close to those of
ALAC on this issue. ALAC's comments note that the Study's
results "align with individual experience of At-Large
constituents" and also research ALAC has done. So the
noncommercial and individual registrant groups are aligned
on this issue - and that is key.<br>
<br>
Below and attached please find the draft comments. Please
feel free to send me edits with Track Changes (if you use
the attached file). To avoid a flood on the list, feel
free to share small edits with me privately. Big edits
and changes are probably up for discussion. DEADLINE:
SATURDAY (but I am judging my son's debate team, so
tomorrow if possible).<br>
<br>
Best and tx,<br>
Kathy<br>
<br>
<div style="margin: 0in 0in 0.0001pt; line-height: 17px;
font-size: 11pt; font-family: Calibri, sans-serif;
text-align: center;"><b>[DRAFT] Comments of the
Noncommercial Users Constituency of ICANN<o:p></o:p></b></div>
<div style="margin: 0in 0in 0.0001pt; line-height: 17px;
font-size: 11pt; font-family: Calibri, sans-serif;
text-align: center;"><b>Study on Whois Misuse<o:p></o:p></b></div>
<div style="margin: 0in 0in 0.0001pt; line-height: 17px;
font-size: 11pt; font-family: Calibri, sans-serif;
text-align: center;"><b>Due: January 18, 2014<o:p></o:p></b></div>
<div style="margin: 0in 0in 0.0001pt; line-height: 17px;
font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">The Noncommercial Users
Constituency of ICANN submits this document in response
to the call for public comments on the<span
class="Apple-converted-space"> </span><b><i>Study on
Whois Misuse</i></b><span
class="Apple-converted-space"> </span>posted on the
ICANN website. We respectfully submit that this Study is
a very important one for ICANN and for the GNSO policy
work ahead.</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">We note that the study seems
thorough and professionally done. Its named researchers
were Dr. Nicolas Christin and Nektarios Leontiadis. Dr.
Christin received his PhD in Computer Science from the
University of Virginia, and is an Assistant Research
Professor of Electrical and Computer Engineering at
Carnegie Mellon University.<span
class="Apple-converted-space"> </span><span> </span>Nektarios
Leontiadis is a PhD candidate at Carnegie Mellon
University, in the department of Engineering and Public
Policy, with research focused on the economic modeling
of online crime. Both are affiliated with CMU’s<span
class="Apple-converted-space"> </span><i>CyLab</i><span
class="Apple-converted-space"> </span>security lab.<o:p></o:p></p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">This study stayed close and tight
to the Terms of Reference set out for it --<span
class="Apple-converted-space"> </span><span> </span>terms
set and designed by members of the GNSO and approved by
the GNSO Council.</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">The key question of the study was:<span
class="Apple-converted-space"> </span><i>Does public
access to WHOIS-published data lead to a measurable
degree of misuse?</i><span> <span
class="Apple-converted-space"> </span></span>The
answer was an unequivocal yes:</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt 0.5in;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">The main finding of the
descriptive study is that there is a<span
class="Apple-converted-space"> </span><b>statistically
significant occurrence of WHOIS misuse affecting
Registrants’ email addresses, postal addresses, and
phone numbers, published in WHOIS</b><span
class="Apple-converted-space"> </span>when registering
domains in these gTLDs.<span> <span
class="Apple-converted-space"> </span></span><b>Overall,
we find that 44% of Registrants experience one or more
of these types of WHOIS misuse.</b><span
class="Apple-converted-space"> </span><span> </span>[Emphasis
added, WHOIS Misuse Study, p. 6]</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">We appreciate the extensive
efforts the CMU team undertook to test the hypothesis it
was given by ICANN and the GNSO.<span> <span
class="Apple-converted-space"> </span></span>First,
it conducted a descriptive study reaching out to
Experts, Registrants and Registries/Registrars.
Specifically, the team surveyed a “diverse group of
experts in the fields of security and privacy affiliated
with research institutes, academia, law enforcement
agencies, Internet Service Providers (ISPs), and
national data protection commissioners.” [Study, p. 13]</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">The team surveyed Registrants for
a “better understanding of their direct experiences with
Whois misuse” and found that 43.9% reported “some kind
of misuse of their WHOIS information,” including<span
class="Apple-converted-space"> </span><i>postal
address misuse, email address misuse<span
class="Apple-converted-space"> </span></i>and <i>phone
number misuse</i><span class="Apple-converted-space"> </span>tied
to the Whois data, as well as<span
class="Apple-converted-space"> </span><i>Identity
theft, unauthorized intrusion to servers<span
class="Apple-converted-space"> </span></i>and<i><span
class="Apple-converted-space"> </span>blackmail<span
class="Apple-converted-space"> </span></i><span> </span>to
which publicly-published Whois data may have been a
contributing factor.<span> </span></p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">Then the team surveyed Registrars
and Registries about Whois harvesting attacks, and the
deployment and effectiveness of WHOIS anti-harvesting
techniques.</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">Second and perhaps most
interestingly, the CMU team conducted its own
experimental study in which they registered a set of
domain names in the top five gTLDs through a
representative set of Registrars, with unique Registrant
identities. Over the course of six months, they tracked
emails, voicemails and postal mail received by the
registrants of these experimental domain names. The
purpose of the study was to eliminate “any extraneous
variables,” e.g. the publication of a postal address in
both the Whois and an outside directory.</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">The conclusions of the study are
striking – and answer questions floating in the GNSO for
over a decade.<span> <span class="Apple-converted-space"> </span></span><i>Yes,
there is abuse of publicly-published Whois data. Yes,
that abuse is statistically significant.</i><span
class="Apple-converted-space"> </span>We share again
the main finding of the Study for additional review in
this comment period:</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt 0.5in;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">The main finding of the
descriptive study is that there is a statistically
significant occurrence of WHOIS misuse affecting
Registrants’ email addresses, postal addresses, and
phone numbers, published in WHOIS when registering
domains in these gTLDs.<span> <span
class="Apple-converted-space"> </span></span>Overall,
we find that 44% of Registrants experience one or more
of these types of WHOIS misuse.<span
class="Apple-converted-space"> </span><span> </span>[Emphasis
added, WHOIS Misuse Study, p. 6]</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">We thank CMU for the extensive
efforts it devoted to this study, and the extra efforts
made and extra time spent to expand studies to include
more experts from Latin America and overall go above and
beyond the requirements for a<span> <span
class="Apple-converted-space"> </span></span>rounded
and complete study.</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;"><u>Reply to Other Commenters:<o:p></o:p></u></p>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt;
font-family: Calibri, sans-serif;"><b>ALAC Comments:<span> </span><o:p></o:p></b></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt;
font-family: Calibri, sans-serif;"><span
style="font-size: 11pt; color: rgb(37, 37, 37);">ALAC
published the following comment in their comments: “We
note the study has returned findings that align with
individual experience of At-Large constituents plus
the evidence of widespread occurrence has validated
similar research undertaken by At-Large connected
researchers.”<o:p></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt;
font-family: Calibri, sans-serif;"><span
style="font-size: 11pt; color: rgb(37, 37, 37);"> </span></div>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">We note that NCUC, too, has
directly experienced deeply concerning misuses of WHOIS
data. In particular, attorneys in NCUC have directly
experienced and directly worked with clients who have
experienced:</p>
<div style="margin: 0in 0in 0.0001pt 0.75in; line-height:
17px; font-size: 11pt; font-family: Calibri, sans-serif;
text-indent: -0.25in;"><span><span>-<span> <span
class="Apple-converted-space"> </span></span></span></span>Stalking,
for which the Whois was the only published source for
the location of an online, home-based business by which
an ex-spouse found his wife and stalked her.</div>
<div style="margin: 0in 0in 0.0001pt 0.75in; line-height:
17px; font-size: 11pt; font-family: Calibri, sans-serif;
text-indent: -0.25in;"><span><span>-<span> <span
class="Apple-converted-space"> </span></span></span></span>Political
persecution, by which Whois data was used not only to
track dissenters (some located in the US and protected
by the First Amendment), but also their families located
in the countries about whose corruption the websites
were devoted (and who were not similarly protected);</div>
<div style="margin: 0in 0in 0.0001pt 0.75in; line-height:
17px; font-size: 11pt; font-family: Calibri, sans-serif;
text-indent: -0.25in;"><span><span>-<span> <span
class="Apple-converted-space"> </span></span></span></span>Chilling
effects, by which Whois data was used to track down and
intimidate or silence those who have a different
political, religious or moral view;</div>
<p class="MsoListParagraphCxSpLast" style="margin: 0in 0in
10pt 0.75in; line-height: 17px; font-size: 11pt;
font-family: Calibri, sans-serif; text-indent: -0.25in;"><span><span>-<span> <span
class="Apple-converted-space"> </span></span></span></span>Anticompetitive
activity – by which competitors used Whois data to track
down entrepreneurs and small business owners and seek
to intimidate them to set business plans and services
aside.<span class="Apple-converted-space"> </span><span> </span></p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;"><span style="color: rgb(37, 37,
37);">We further share with ALAC the deep concern that
“WHOIS misuse is factual and widespread, as the
evidence from 44% of sampled registrants across the
several domains attest.”<span> <span
class="Apple-converted-space"> </span></span>We
further agree that this<span
class="Apple-converted-space"> </span><span> </span>poses
a “continued threat” to the “security and confidence
in the use of the Internet, [and] the public interest
demands measures to address and abate its impact.”<span> <span
class="Apple-converted-space"> </span></span>ALAC
Comments,<span class="Apple-converted-space"> </span><a
moz-do-not-send="true"
href="http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html"
style="color: purple; text-decoration: underline;">http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html</a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">We have the evidence, and measures
must now be taken to protect Registrants, and the
speech, work, expression, hobbies, research, business,
education and communication they conduct using their
domain names.</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">Respectfully submitted,</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">[if approved]</p>
<p class="MsoNormal" style="margin: 0in 0in 10pt;
line-height: 17px; font-size: 11pt; font-family:
Calibri, sans-serif;">NONCOMMERCIAL USERS CONSTITUENCY</p>
<span class="Apple-converted-space"> </span><span>&lt;NCUC
DRAFT Comments - Misuse of Whois Study.docx&gt;</span>_______________________________________________<br>
Ncuc-discuss mailing list<br>
<a moz-do-not-send="true"
href="mailto:Ncuc-discuss@lists.ncuc.org">Ncuc-discuss@lists.ncuc.org</a><br>
<a moz-do-not-send="true"
href="http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss"
style="color: purple; text-decoration: underline;">http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss</a><br>
</div>
</blockquote>
</div>
<br>
<div apple-content-edited="true">
***********************************************<br>
William J. Drake<br>
International Fellow &amp; Lecturer<br>
Media Change &amp; Innovation Division, IPMZ<br>
University of Zurich, Switzerland<br>
Chair, Noncommercial Users Constituency, <br>
ICANN, <a moz-do-not-send="true" href="http://www.ncuc.org">www.ncuc.org</a><br>
<a moz-do-not-send="true" href="mailto:william.drake@uzh.ch">william.drake@uzh.ch</a> (direct), <a
moz-do-not-send="true" href="mailto:wjdrake@gmail.com">wjdrake@gmail.com</a>
(lists),<br>
<a moz-do-not-send="true"
href="http://www.williamdrake.org">www.williamdrake.org</a><br>
***********************************************
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>