[NCUC-DISCUSS] Draft comments on Misuse of Whois Study - timely

Sat Jan 18 16:08:17 CET 2014

http://www.icann.org/en/news/public-comment/whois-misuse-27nov13-en.htm

Linked from there I hope

Adam

On Saturday, January 18, 2014, Avri Doria <avri at acm.org> wrote:

> Hi,
>
> Just read Kathy's note.
>
> The comments seem good, and in principle it seems worth endorsing.   But
> one would need to have read the report to know for sure, and the report is
> not attached (or at least I can't find it)
>
> Was the idea to provide the report to the comments?  Woudl seem like a
> good thing to do.
>
> Too bad it wasn't sent to the NCSG -discuss and -PC early enough as it
> could have gone it as a NCSG statement.
>
> avri
>
>
> On 18-Jan-14 08:57, William Drake wrote:
>
>> Hi Folks
>>
>> As Kathy has indicated, the timeline on this is rather short, 11:59pm
>> UTC today, and she’s asking that it be approved as a NCUC statement in
>> the (probably likely) event it can’t be at the NCSG level in time.  The
>> challenge here is that, per previous, we have not for some time had the
>> NCUC policy committee called for in our dated bylaws to approve
>> constituency-level statements. So the way we’ve done such things in
>> recent years is pretty much rough consensus after hearing from as many
>> folks as possible in the time frame—certainly elected (EC) or appointed
>> (NCSG PC) representatives, and regular members as well.  Admittedly,
>> this is not quite a satisfactory approach given that NCUC is now much
>> bigger and more diverse when that model set it, but in lieu of a formal
>> PC a broader and virtual PC is what we have to work with at the moment.
>>
>> So, it’d be really helpful if we could hear back either way from
>> whoever’s online and can get their head around this in the next few hours.
>>
>> Thanks
>>
>> Bill
>>
>>
>> On Jan 16, 2014, at 11:52 PM, Kathy Kleiman <Kathy at kathykleiman.com
>> <mailto:Kathy at kathykleiman.com>> wrote:
>>
>>  Hi All,
>>> I need your help. There is an amazing study done by two researchers (a
>>> PhD and an almost-PhD) at Carnegie Melon University.  They tested the
>>> hypothesis of whether "public access to WHOIS data leads to a
>>> measurable degree of misuse of certain kinds of gTLD domain name
>>> Registrant identity and contact information."  They did both a
>>> descriptive study (surveys of law enforcement and privacy people,
>>> registrants and registrars) and an experimental study (registering
>>> domain names with no other traceable source and seeing how much spam,
>>> and unsolicited phone calls and emails they received).
>>>
>>> They found what we have been telling ICANN for years: "there is a
>>> statistically significant occurrence of WHOIS misue affecting
>>> Registrants' email addresses, postal addresses, and phone numbers,
>>> published in Whois."
>>>
>>> Great and let's tell them so! I've drafted some comments that not only
>>> support the findings (and review the great effort dedicated to the
>>> study), but also draw on abuse cases we have discussed and shared from
>>> the NCUC over many years, including political persecution, chilling
>>> effects, anti-competitive activity, and stalking.
>>>
>>> Since these are Reply Comments, it is traditional to not only share
>>> your own views, but comment on those of others.  Our views are, in
>>> many way, close to those of ALAC on this issue. ALAC's comments note
>>> that the Study's results "align with individual experience of At-Large
>>> constituents" and also research ALAC has done.  So the noncommercial
>>> and individual registrant groups are aligned on this issue - and that
>>> is key.
>>>
>>> Below and attached please find the draft comments. Please feel free to
>>> send me edits with Track Changes (if you use the attached file). To
>>> avoid a flood on the list, feel free to share small edits with me
>>> privately.  Big edits and changes are probably up for discussion.
>>> DEADLINE: SATURDAY (but I am judging my son's debate team, so tomorrow
>>> if possible).
>>>
>>> Best and tx,
>>> Kathy
>>>
>>> *[DRAFT] Comments of the Noncommercial Users Constituency of ICANN*
>>> *Study on Whois Misuse*
>>> *Due: January 18, 2014*
>>>
>>> The Noncommercial Users Constituency of ICANN submits this document in
>>> response to the call for public comments on the*/Study on Whois
>>> Misuse/*posted on the ICANN website. We respectfully submit that this
>>> Study is a very important one for ICANN and for the GNSO policy work
>>> ahead.
>>>
>>> We note that the study seems thorough and professionally done. Its
>>> named researchers were Dr. Nicolas Christin and Nektarios Leontiadis.
>>> Dr. Christin received his PhD in Computer Science from the University
>>> of Virginia, and is an Assistant Research Professor of Electrical and
>>> Computer Engineering at Carnegie Mellon University.Nektarios
>>> Leontiadis is a PhD candidate at Carnegie Mellon University, in the
>>> department of Engineering and Public Policy, with research focused on
>>> the economic modeling of online crime. Both are affiliated with
>>> CMU’s/CyLab/security lab.
>>>
>>> This study stayed close and tight to the Terms of Reference set out
>>> for it --terms set and designed by members of the GNSO and approved by
>>> the GNSO Council.
>>>
>>> The key question of the study was:/Does public access to
>>> WHOIS-published data lead to a measurable degree of misuse?/The answer
>>> was an unequivocal yes:
>>>
>>> The main finding of the descriptive study is that there is
>>> a*statistically significant occurrence of WHOIS misuse affecting
>>> Registrants’ email addresses, postal addresses, and phone numbers,
>>> published in WHOIS*when registering domains in these gTLDs.*Overall,
>>> we find that 44% of Registrants experience one or more of these types
>>> of WHOIS misuse.*[Emphasis added, WHOIS Misuse Study, p. 6]
>>>
>>> We appreciate the extensive efforts the CMU team undertook to test the
>>> hypothesis it was given by ICANN and the GNSO.First, it conducted a
>>> descriptive study reaching out to Experts, Registrants and
>>> Registries/Registrars. Specifically, the team surveyed a “diverse
>>> group of experts in the fields of security and privacy affiliated with
>>> research institutes, academia, law enforcement agencies, Internet
>>> Service Providers (ISPs), and national data protection commissioners.”
>>> [Study, p. 13]
>>>
>>> The team surveyed Registrants for a “better understanding of their
>>> direct experiences with Whois misuse” and found that 43.9% reported
>>> “some kind of misuse of their WHOIS information,” including/postal
>>> address misuse, email address misuse/and/phone number misuse/tied to
>>> the Whois data, as well as/Identity theft, unauthorized intrusion to
>>> servers/and/blackmail/to which publicly-published Whois data may have
>>> been a contributing factor.
>>>
>>> Then the team surveyed Registrars and Registries about Whois
>>> harvesting attacks, and the deployment and effectiveness of WHOIS
>>> anti-harvesting techniques.
>>>
>>> Second and perhaps most interestingly, the CMU team conducted its own
>>> experimental study in which they registered a set of domain names in
>>> the top five gTLDs through a representative set of Registrars, with
>>> unique Registrant identities. Over the course of six months, they
>>> tracked emails, voicemails and postal mail received by the registrants
>>> of these experimental domain names. The purpose of the study was to
>>> eliminate “any extraneous variables,” e.g. the publication of a postal
>>> address in both the Whois and an outside directory.
>>>
>>> The conclusions of the study are Striking – and answer questions
>>> floating in the GNSO for over a decade./Yes, there is abuse of
>>> publicly-published Whois data. Yes, that abuse is statistically
>>> significant./We share again the main finding of the Study for
>>> additional review in this comment period:
>>>
>>> The main finding of the descriptive study is that there is a
>>> statistically significant occurrence of WHOIS misuse affecting
>>> Registrants’ email addresses, postal addresses, and phone numbers,
>>> published in WHOIS when registering domains in these gTLDs.Overall, we
>>> find that 44% of Registrants experience one or more of these types of
>>> WHOIS misuse.[Emphasis added, WHOIS Misuse Study, p. 6]
>>>
>>> We thank CMU for the extensive efforts it devoted to this study, and
>>> the extra efforts made and extra time spent to expand studies to
>>> include more experts from Latin America and overall go above and
>>> beyond the requirements for arounded and complete study.
>>>
>>> _Reply to Other Commenters:_
>>>
>>> *ALAC Comments:*
>>> ALAC published the following comment in their comments: “We note the
>>> study has returned findings that align with individual experience of
>>> At-Large constituents plus the evidence of widespread occurrence has
>>> validated similar research undertaken by At-Large connected researchers.”
>>>
>>> We note that NCUC, too, has directly experienced deeply concerning
>>> misuses of WHOIS data. In particular, attorneys in NCUC have directly
>>> experienced and directly worked with clients who have experienced:
>>>
>>> -Stalking, for which the Whois was the only published source for the
>>> location of an online, home-based business by which an ex-spouse found
>>> his wife and stalked her.
>>> -Political persecution, by which Whois data was used not only to track
>>> dissenters (some located in the US and protected by the First
>>> Amendment), but also their families located in the countries about
>>> whose corruption the websites were devoted (and who were not similarly
>>> protected);
>>> -Chilling effects, by which Whois data was used to track down and
>>> intimidate or silence those who have a different political, religious
>>> or moral view;
>>>
>>> -Anticompetitive activity – by which competitors used Whois data to
>>> track down entrepreneurs and small businesses owners and seek to
>>> intimidate them to set businesses plans and services aside.
>>>
>>> We further share with ALAC the deep concern that “WHOIS misuse is
>>> factual and widespread, as the evidence from 44% of sampled
>>> registrants across the several domains attest.”We further agree that
>>> thisposes a “continued threat” to the “security and confidence in the
>>> use of the Internet, [and] the public interest demands measures to
>>> address and abate its impact.”ALAC
>>> Comments,http://forum.icann.org/lists/comments-whois-
>>> misuse-27nov13/msg00006.html
>>>
>>> We have the evidence, and measures must now be taken to protect
>>> Registrants, and the speech, work, expression, hobbies, research,
>>> business, education and communication they conduct using their domain
>>> names.
>>>
>>> Respectfully submitted,
>>>
>>> [if approved]
>>>
>>> NONCOMMERCIAL USERS CONSTITUENCY
>>>
>>> <NCUC DRAFT Comments - Misuse of Whois
>>> Study.docx>_______________________________________________
>>> Ncuc-discuss mailing list
>>> Ncuc-discuss at lists.ncuc.org <mailto:Ncuc-discuss at lists.ncuc.org>
>>> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>>>
>>
>> ***********************************************
>> William J. Drake
>> International Fellow & Lecturer
>>    Media Change & Innovation Division, IPMZ
>>    University of Zurich, Switzerland
>> Chair, Noncommercial Users Constituency,
>>    ICANN, www.ncuc.org <http://www.ncuc.org>
>> william.drake at uzh.ch <mailto:william.drake at uzh.ch> (direct),
>> wjdrake at gmail.com <mailto:wjdrake at gmail.com> (lists),
>> www.williamdrake.org <http://www.williamdrake.org>
>> ***********************************************
>>
>>
>>
>> _______________________________________________
>> Ncuc-discuss mailing list
>> Ncuc-discuss at lists.ncuc.org
>> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>>
>>  _______________________________________________
> Ncuc-discuss mailing list
> Ncuc-discuss at lists.ncuc.org
> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20140119/0f5ebea2/attachment-0002.html>