<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">I like Kathy's comment. <br><br>+1<br></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><font color="#006600"><br>
Poomjit Sirawongprasert (Moui)<br>ภูมิจิต ศิระวงศ์ประเสริฐ (หมวย)<br>twitter: <a href="http://twitter.com/moui" target="_blank">@Moui</a><br>facebook: <a href="http://facebook.com/PoomjitS" target="_blank">PoomjitS</a><br>
</font></div><br></div>
<br><br><div class="gmail_quote">On Fri, Jan 17, 2014 at 5:52 AM, Kathy Kleiman <span dir="ltr"><<a href="mailto:kathy@kathykleiman.com" target="_blank">kathy@kathykleiman.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi All,<br>
I need your help. There is an amazing study done by two researchers
(a PhD and an almost-PhD) at Carnegie Melon University. They tested
the hypothesis of whether "public access to WHOIS data leads to a
measurable degree of misuse of certain kinds of gTLD domain name
Registrant identity and contact information." They did both a
descriptive study (surveys of law enforcement and privacy people,
registrants and registrars) and an experimental study (registering
domain names with no other traceable source and seeing how much
spam, and unsolicited phone calls and emails they received). <br>
<br>
They found what we have been telling ICANN for years: "there is a
statistically significant occurrence of WHOIS misue affecting
Registrants' email addresses, postal addresses, and phone numbers,
published in Whois." <br>
<br>
Great and let's tell them so! I've drafted some comments that not
only support the findings (and review the great effort dedicated to
the study), but also draw on abuse cases we have discussed and
shared from the NCUC over many years, including political
persecution, chilling effects, anti-competitive activity, and
stalking.<br>
<br>
Since these are Reply Comments, it is traditional to not only share
your own views, but comment on those of others. Our views are, in
many way, close to those of ALAC on this issue. ALAC's comments note
that the Study's results "align with individual experience of
At-Large constituents" and also research ALAC has done. So the
noncommercial and individual registrant groups are aligned on this
issue - and that is key.<br>
<br>
Below and attached please find the draft comments. Please feel free
to send me edits with Track Changes (if you use the attached file).
To avoid a flood on the list, feel free to share small edits with me
privately. Big edits and changes are probably up for discussion.
DEADLINE: SATURDAY (but I am judging my son's debate team, so
tomorrow if possible).<br>
<br>
Best and tx,<br>
Kathy<br>
<br>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;text-align:center" align="center"><b>[DRAFT] Comments of
the Noncommercial Users Constituency of ICANN<u></u><u></u></b></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;text-align:center" align="center"><b>Study on Whois Misuse<u></u><u></u></b></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;text-align:center" align="center"><b>Due: January 18, 2014<u></u><u></u></b></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt"><u></u> <u></u></p>
<p class="MsoNormal">The Noncommercial Users Constituency of ICANN
submits this
document in response to the call for public comments on the <b><i>Study
on Whois Misuse</i></b> posted on the ICANN website. We
respectfully submit
that this Study is a very important one for ICANN and for the GNSO
policy work
ahead. </p>
<p class="MsoNormal">We note that the study seems thorough and
professionally
done. Its named researchers were Dr. Nicolas Christin and
Nektarios Leontiadis.
Dr. Christin received his PhD in Computer Science from the
University of
Virginia, and is an Assistant Research Professor of Electrical and
Computer
Engineering at Carnegie Mellon University. <span> </span>Nektarios Leontiadis is a PhD
candidate at Carnegie
Mellon University, in the department of Engineering and Public
Policy, with
research focused on the economic modeling of online crime. Both
are affiliated
with CMU’s <i>CyLab</i>
security lab. <u></u><u></u></p>
<p class="MsoNormal">This study stayed close and tight to the Terms
of Reference
set out for it -- <span> </span>terms
set and designed
by members of the GNSO and approved by the GNSO Council. </p>
<p class="MsoNormal">The key question of the study was: <i>Does public access to WHOIS-published data lead to a
measurable degree
of misuse?</i><span> </span>The
answer was an
unequivocal yes: </p>
<p class="MsoNormal" style="margin-left:.5in">The main finding of
the descriptive
study is that there is a <b>statistically
significant
occurrence of WHOIS misuse affecting Registrants’ email
addresses,
postal addresses, and phone numbers, published in WHOIS</b> when
registering
domains in these gTLDs.<span> </span><b>Overall, we find that 44% of
Registrants
experience one or more of these types of WHOIS misuse.</b> <span> </span>[Emphasis added, WHOIS Misuse
Study, p. 6]</p>
<p class="MsoNormal">We appreciate the extensive efforts the CMU
team undertook
to test the hypothesis it was given by ICANN and the GNSO.<span> </span>First, it conducted a
descriptive study
reaching out to Experts, Registrants and Registries/Registrars.
Specifically, the
team surveyed a “diverse group of experts in the fields of
security and privacy
affiliated with research institutes, academia, law enforcement
agencies,
Internet Service Providers (ISPs), and national data protection
commissioners.”
[Study, p. 13] </p>
<p class="MsoNormal">The team surveyed Registrants for a “better
understanding of
their direct experiences with Whois misuse” and found that 43.9%
reported “some
kind of misuse of their WHOIS information,” including <i>postal address misuse, email address misuse </i>and <i>phone number misuse</i> tied
to the Whois
data, as well as <i>Identity
theft,
unauthorized intrusion to servers </i>and<i>
blackmail </i><span> </span>to which
publicly-published
Whois data may have been a contributing factor.<span>
</span></p>
<p class="MsoNormal">Then the team surveyed Registrars and
Registries about Whois
harvesting attacks, and the deployment and effectiveness of WHOIS
anti-harvesting
techniques.</p>
<p class="MsoNormal">Second and perhaps most interestingly, the CMU
team
conducted its own experimental study in which they registered a
set of domain
names in the top five gTLDs through a representative set of
Registrars, with
unique Registrant identities. Over the course of six months, they
tracked emails,
voicemails and postal mail received by the registrants of these
experimental
domain names. The purpose of the study was to eliminate “any
extraneous variables,”
e.g. the publication of a postal address in both the Whois and an
outside
directory.</p>
<p class="MsoNormal">The conclusions of the study are Striking – and
answer
questions floating in the GNSO for over a decade.<span> </span><i>Yes,
there is abuse of publicly-published Whois data. Yes, that abuse
is
statistically significant.</i> We share again the main finding
of the Study for
additional review in this comment period: </p>
<p class="MsoNormal" style="margin-left:.5in">The main finding of
the descriptive
study is that there is a statistically significant occurrence of
WHOIS misuse
affecting Registrants’ email addresses, postal addresses, and
phone numbers,
published in WHOIS when registering domains in these gTLDs.<span> </span>Overall, we find that 44% of
Registrants
experience one or more of these types of WHOIS misuse. <span> </span>[Emphasis added, WHOIS Misuse
Study, p. 6]</p>
<p class="MsoNormal">We thank CMU for the extensive efforts it
devoted to this
study, and the extra efforts made and extra time spent to expand
studies to
include more experts from Latin America and overall go above and
beyond the
requirements for a<span> </span>rounded
and complete
study. </p>
<p class="MsoNormal"><u>Reply to Other Commenters:<u></u><u></u></u></p>
<p><b>ALAC
Comments:<span> </span><u></u><u></u></b></p>
<p><span style="font-size:11.0pt;color:#252525">ALAC
published the
following comment in their comments: “We note the study has
returned findings
that align with individual experience of At-Large constituents
plus the
evidence of widespread occurrence has validated similar research
undertaken by At-Large
connected researchers.”<u></u><u></u></span></p>
<p><span style="font-size:11.0pt;color:#252525"><u></u> <u></u></span></p>
<p class="MsoNormal">We note that NCUC, too, has directly
experienced deeply
concerning misuses of WHOIS data. In particular, attorneys in NCUC
have
directly experienced and directly worked with clients who have
experienced:</p>
<p style="margin-left:.75in"><span><span>-<span>
</span></span></span>Stalking, for which the
Whois was the only
published source for the location of an online, home-based
business by which an
ex-spouse found his wife and stalked her.</p>
<p><span><span>-<span>
</span></span></span>Political persecution, by
which Whois data was used
not only to track dissenters (some located in the US and protected
by the First
Amendment), but also their families located in the countries about
whose
corruption the websites were devoted (and who were not similarly
protected); </p>
<p><span><span>-<span>
</span></span></span>Chilling effects, by which
Whois data was used
to track down and intimidate or silence those who have a different
political, religious
or moral view; </p>
<p style="margin-left:.75in"><span><span>-<span>
</span></span></span>Anticompetitive activity –
by which competitors
used Whois data to track down entrepreneurs and small businesses
owners and
seek to intimidate them to set businesses plans and services
aside. <span> </span></p>
<p class="MsoNormal"><span style="color:#252525">We further share
with ALAC the
deep concern that “WHOIS misuse is factual and widespread, as
the evidence from
44% of sampled registrants across the several domains attest.”<span> </span>We further agree that this
<span> </span>poses a “continued
threat” to the “security
and confidence in the use of the Internet, [and] the public
interest demands
measures to address and abate its impact.”<span>
</span>ALAC Comments, <a href="http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html" target="_blank">http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html</a>
<u></u><u></u></span></p>
<p class="MsoNormal">We have the evidence, and measures must now be
taken to
protect Registrants, and the speech, work, expression, hobbies,
research,
business, education and communication they conduct using their
domain names. </p>
<p class="MsoNormal">Respectfully submitted,</p>
<p class="MsoNormal">[if approved]</p>
<p class="MsoNormal">NONCOMMERCIAL USERS CONSTITUENCY</p>
</div>
<br>_______________________________________________<br>
Ncuc-discuss mailing list<br>
<a href="mailto:Ncuc-discuss@lists.ncuc.org">Ncuc-discuss@lists.ncuc.org</a><br>
<a href="http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss" target="_blank">http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss</a><br>
<br></blockquote></div><br></div>