[NCUC-DISCUSS] Draft comments on Misuse of Whois Study - timely

[Kathy Kleiman]

Hi All,
I need your help. There is an amazing study done by two researchers (a 
PhD and an almost-PhD) at Carnegie Melon University.  They tested the 
hypothesis of whether "public access to WHOIS data leads to a measurable 
degree of misuse of certain kinds of gTLD domain name Registrant 
identity and contact information."  They did both a descriptive study 
(surveys of law enforcement and privacy people, registrants and 
registrars) and an experimental study (registering domain names with no 
other traceable source and seeing how much spam, and unsolicited phone 
calls and emails they received).

They found what we have been telling ICANN for years: "there is a 
statistically significant occurrence of WHOIS misue affecting 
Registrants' email addresses, postal addresses, and phone numbers, 
published in Whois."

Great and let's tell them so! I've drafted some comments that not only 
support the findings (and review the great effort dedicated to the 
study), but also draw on abuse cases we have discussed and shared from 
the NCUC over many years, including political persecution, chilling 
effects, anti-competitive activity, and stalking.

Since these are Reply Comments, it is traditional to not only share your 
own views, but comment on those of others.  Our views are, in many way, 
close to those of ALAC on this issue. ALAC's comments note that the 
Study's results "align with individual experience of At-Large 
constituents" and also research ALAC has done.  So the noncommercial and 
individual registrant groups are aligned on this issue - and that is key.

Below and attached please find the draft comments. Please feel free to 
send me edits with Track Changes (if you use the attached file). To 
avoid a flood on the list, feel free to share small edits with me 
privately.  Big edits and changes are probably up for discussion. 
DEADLINE: SATURDAY (but I am judging my son's debate team, so tomorrow 
if possible).

Best and tx,
Kathy

*[DRAFT] Comments of the Noncommercial Users Constituency of ICANN*

*Study on Whois Misuse*

*Due: January 18, 2014*

The Noncommercial Users Constituency of ICANN submits this document in 
response to the call for public comments on the */Study on Whois 
Misuse/* posted on the ICANN website. We respectfully submit that this 
Study is a very important one for ICANN and for the GNSO policy work ahead.

We note that the study seems thorough and professionally done. Its named 
researchers were Dr. Nicolas Christin and Nektarios Leontiadis. Dr. 
Christin received his PhD in Computer Science from the University of 
Virginia, and is an Assistant Research Professor of Electrical and 
Computer Engineering at Carnegie Mellon University. Nektarios Leontiadis 
is a PhD candidate at Carnegie Mellon University, in the department of 
Engineering and Public Policy, with research focused on the economic 
modeling of online crime. Both are affiliated with CMU's /CyLab/ 
security lab.

This study stayed close and tight to the Terms of Reference set out for 
it -- terms set and designed by members of the GNSO and approved by the 
GNSO Council.

The key question of the study was: /Does public access to 
WHOIS-published data lead to a measurable degree of misuse?/The answer 
was an unequivocal yes:

The main finding of the descriptive study is that there is a 
*statistically significant occurrence of WHOIS misuse affecting 
Registrants' email addresses, postal addresses, and phone numbers, 
published in WHOIS* when registering domains in these gTLDs.*Overall, we 
find that 44% of Registrants experience one or more of these types of 
WHOIS misuse.* [Emphasis added, WHOIS Misuse Study, p. 6]

We appreciate the extensive efforts the CMU team undertook to test the 
hypothesis it was given by ICANN and the GNSO.First, it conducted a 
descriptive study reaching out to Experts, Registrants and 
Registries/Registrars. Specifically, the team surveyed a "diverse group 
of experts in the fields of security and privacy affiliated with 
research institutes, academia, law enforcement agencies, Internet 
Service Providers (ISPs), and national data protection commissioners." 
[Study, p. 13]

The team surveyed Registrants for a "better understanding of their 
direct experiences with Whois misuse" and found that 43.9% reported 
"some kind of misuse of their WHOIS information," including /postal 
address misuse, email address misuse /and /phone number misuse/ tied to 
the Whois data, as well as /Identity theft, unauthorized intrusion to 
servers /and/blackmail /to which publicly-published Whois data may have 
been a contributing factor.

Then the team surveyed Registrars and Registries about Whois harvesting 
attacks, and the deployment and effectiveness of WHOIS anti-harvesting 
techniques.

Second and perhaps most interestingly, the CMU team conducted its own 
experimental study in which they registered a set of domain names in the 
top five gTLDs through a representative set of Registrars, with unique 
Registrant identities. Over the course of six months, they tracked 
emails, voicemails and postal mail received by the registrants of these 
experimental domain names. The purpose of the study was to eliminate 
"any extraneous variables," e.g. the publication of a postal address in 
both the Whois and an outside directory.

The conclusions of the study are Striking -- and answer questions 
floating in the GNSO for over a decade./Yes, there is abuse of 
publicly-published Whois data. Yes, that abuse is statistically 
significant./ We share again the main finding of the Study for 
additional review in this comment period:

The main finding of the descriptive study is that there is a 
statistically significant occurrence of WHOIS misuse affecting 
Registrants' email addresses, postal addresses, and phone numbers, 
published in WHOIS when registering domains in these gTLDs.Overall, we 
find that 44% of Registrants experience one or more of these types of 
WHOIS misuse. [Emphasis added, WHOIS Misuse Study, p. 6]

We thank CMU for the extensive efforts it devoted to this study, and the 
extra efforts made and extra time spent to expand studies to include 
more experts from Latin America and overall go above and beyond the 
requirements for arounded and complete study.

_Reply to Other Commenters:_

*ALAC Comments:*

ALAC published the following comment in their comments: "We note the 
study has returned findings that align with individual experience of 
At-Large constituents plus the evidence of widespread occurrence has 
validated similar research undertaken by At-Large connected researchers."

We note that NCUC, too, has directly experienced deeply concerning 
misuses of WHOIS data. In particular, attorneys in NCUC have directly 
experienced and directly worked with clients who have experienced:

-Stalking, for which the Whois was the only published source for the 
location of an online, home-based business by which an ex-spouse found 
his wife and stalked her.

-Political persecution, by which Whois data was used not only to track 
dissenters (some located in the US and protected by the First 
Amendment), but also their families located in the countries about whose 
corruption the websites were devoted (and who were not similarly 
protected);

-Chilling effects, by which Whois data was used to track down and 
intimidate or silence those who have a different political, religious or 
moral view;

-Anticompetitive activity -- by which competitors used Whois data to 
track down entrepreneurs and small businesses owners and seek to 
intimidate them to set businesses plans and services aside.

We further share with ALAC the deep concern that "WHOIS misuse is 
factual and widespread, as the evidence from 44% of sampled registrants 
across the several domains attest."We further agree that this poses a 
"continued threat" to the "security and confidence in the use of the 
Internet, [and] the public interest demands measures to address and 
abate its impact."ALAC Comments, 
http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html

We have the evidence, and measures must now be taken to protect 
Registrants, and the speech, work, expression, hobbies, research, 
business, education and communication they conduct using their domain 
names.

Respectfully submitted,

[if approved]

NONCOMMERCIAL USERS CONSTITUENCY

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20140116/5f7f85ae/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NCUC DRAFT Comments - Misuse of Whois Study.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 16547 bytes
Desc: not available
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20140116/5f7f85ae/attachment.docx>