[NCUC-DISCUSS] Draft comments on Misuse of Whois Study - timely

avri doria avri at ella.com
Sat Jan 18 16:27:29 CET 2014


Ah indeed it is.  For some reason, I misunderstood the report being referred to.

No objection on my part.

avri

Sent from a T-Mobile 4G LTE Device

-------- Original message --------
From: Adam Peake <ajp at glocom.ac.jp> 
Date:01/18/2014  10:08  (GMT-05:00) 
To: Avri Doria <avri at acm.org> 
Cc: ncuc-discuss at lists.ncuc.org 
Subject: Re: [NCUC-DISCUSS] Draft comments on Misuse of Whois Study - timely 

http://www.icann.org/en/news/public-comment/whois-misuse-27nov13-en.htm

Linked from there I hope

Adam



On Saturday, January 18, 2014, Avri Doria <avri at acm.org> wrote:
Hi,

Just read Kathy's note.

The comments seem good, and in principle it seems worth endorsing.   But one would need to have read the report to know for sure, and the report is not attached (or at least I can't find it)

Was the idea to provide the report to the comments?  Woudl seem like a good thing to do.

Too bad it wasn't sent to the NCSG -discuss and -PC early enough as it could have gone it as a NCSG statement.

avri


On 18-Jan-14 08:57, William Drake wrote:
Hi Folks

As Kathy has indicated, the timeline on this is rather short, 11:59pm
UTC today, and she’s asking that it be approved as a NCUC statement in
the (probably likely) event it can’t be at the NCSG level in time.  The
challenge here is that, per previous, we have not for some time had the
NCUC policy committee called for in our dated bylaws to approve
constituency-level statements. So the way we’ve done such things in
recent years is pretty much rough consensus after hearing from as many
folks as possible in the time frame—certainly elected (EC) or appointed
(NCSG PC) representatives, and regular members as well.  Admittedly,
this is not quite a satisfactory approach given that NCUC is now much
bigger and more diverse when that model set it, but in lieu of a formal
PC a broader and virtual PC is what we have to work with at the moment.

So, it’d be really helpful if we could hear back either way from
whoever’s online and can get their head around this in the next few hours.

Thanks

Bill


On Jan 16, 2014, at 11:52 PM, Kathy Kleiman <Kathy at kathykleiman.com
<mailto:Kathy at kathykleiman.com>> wrote:

Hi All,
I need your help. There is an amazing study done by two researchers (a
PhD and an almost-PhD) at Carnegie Melon University.  They tested the
hypothesis of whether "public access to WHOIS data leads to a
measurable degree of misuse of certain kinds of gTLD domain name
Registrant identity and contact information."  They did both a
descriptive study (surveys of law enforcement and privacy people,
registrants and registrars) and an experimental study (registering
domain names with no other traceable source and seeing how much spam,
and unsolicited phone calls and emails they received).

They found what we have been telling ICANN for years: "there is a
statistically significant occurrence of WHOIS misue affecting
Registrants' email addresses, postal addresses, and phone numbers,
published in Whois."

Great and let's tell them so! I've drafted some comments that not only
support the findings (and review the great effort dedicated to the
study), but also draw on abuse cases we have discussed and shared from
the NCUC over many years, including political persecution, chilling
effects, anti-competitive activity, and stalking.

Since these are Reply Comments, it is traditional to not only share
your own views, but comment on those of others.  Our views are, in
many way, close to those of ALAC on this issue. ALAC's comments note
that the Study's results "align with individual experience of At-Large
constituents" and also research ALAC has done.  So the noncommercial
and individual registrant groups are aligned on this issue - and that
is key.

Below and attached please find the draft comments. Please feel free to
send me edits with Track Changes (if you use the attached file). To
avoid a flood on the list, feel free to share small edits with me
privately.  Big edits and changes are probably up for discussion.
DEADLINE: SATURDAY (but I am judging my son's debate team, so tomorrow
if possible).

Best and tx,
Kathy

*[DRAFT] Comments of the Noncommercial Users Constituency of ICANN*
*Study on Whois Misuse*
*Due: January 18, 2014*

The Noncommercial Users Constituency of ICANN submits this document in
response to the call for public comments on the*/Study on Whois
Misuse/*posted on the ICANN website. We respectfully submit that this
Study is a very important one for ICANN and for the GNSO policy work
ahead.

We note that the study seems thorough and professionally done. Its
named researchers were Dr. Nicolas Christin and Nektarios Leontiadis.
Dr. Christin received his PhD in Computer Science from the University
of Virginia, and is an Assistant Research Professor of Electrical and
Computer Engineering at Carnegie Mellon University.Nektarios
Leontiadis is a PhD candidate at Carnegie Mellon University, in the
department of Engineering and Public Policy, with research focused on
the economic modeling of online crime. Both are affiliated with
CMU’s/CyLab/security lab.

This study stayed close and tight to the Terms of Reference set out
for it --terms set and designed by members of the GNSO and approved by
the GNSO Council.

The key question of the study was:/Does public access to
WHOIS-published data lead to a measurable degree of misuse?/The answer
was an unequivocal yes:

The main finding of the descriptive study is that there is
a*statistically significant occurrence of WHOIS misuse affecting
Registrants’ email addresses, postal addresses, and phone numbers,
published in WHOIS*when registering domains in these gTLDs.*Overall,
we find that 44% of Registrants experience one or more of these types
of WHOIS misuse.*[Emphasis added, WHOIS Misuse Study, p. 6]

We appreciate the extensive efforts the CMU team undertook to test the
hypothesis it was given by ICANN and the GNSO.First, it conducted a
descriptive study reaching out to Experts, Registrants and
Registries/Registrars. Specifically, the team surveyed a “diverse
group of experts in the fields of security and privacy affiliated with
research institutes, academia, law enforcement agencies, Internet
Service Providers (ISPs), and national data protection commissioners.”
[Study, p. 13]

The team surveyed Registrants for a “better understanding of their
direct experiences with Whois misuse” and found that 43.9% reported
“some kind of misuse of their WHOIS information,” including/postal
address misuse, email address misuse/and/phone number misuse/tied to
the Whois data, as well as/Identity theft, unauthorized intrusion to
servers/and/blackmail/to which publicly-published Whois data may have
been a contributing factor.

Then the team surveyed Registrars and Registries about Whois
harvesting attacks, and the deployment and effectiveness of WHOIS
anti-harvesting techniques.

Second and perhaps most interestingly, the CMU team conducted its own
experimental study in which they registered a set of domain names in
the top five gTLDs through a representative set of Registrars, with
unique Registrant identities. Over the course of six months, they
tracked emails, voicemails and postal mail received by the registrants
of these experimental domain names. The purpose of the study was to
eliminate “any extraneous variables,” e.g. the publication of a postal
address in both the Whois and an outside directory.

The conclusions of the study are Striking – and answer questions
floating in the GNSO for over a decade./Yes, there is abuse of
publicly-published Whois data. Yes, that abuse is statistically
significant./We share again the main finding of the Study for
additional review in this comment period:

The main finding of the descriptive study is that there is a
statistically significant occurrence of WHOIS misuse affecting
Registrants’ email addresses, postal addresses, and phone numbers,
published in WHOIS when registering domains in these gTLDs.Overall, we
find that 44% of Registrants experience one or more of these types of
WHOIS misuse.[Emphasis added, WHOIS Misuse Study, p. 6]

We thank CMU for the extensive efforts it devoted to this study, and
the extra efforts made and extra time spent to expand studies to
include more experts from Latin America and overall go above and
beyond the requirements for arounded and complete study.

_Reply to Other Commenters:_

*ALAC Comments:*
ALAC published the following comment in their comments: “We note the
study has returned findings that align with individual experience of
At-Large constituents plus the evidence of widespread occurrence has
validated similar research undertaken by At-Large connected researchers.”

We note that NCUC, too, has directly experienced deeply concerning
misuses of WHOIS data. In particular, attorneys in NCUC have directly
experienced and directly worked with clients who have experienced:

-Stalking, for which the Whois was the only published source for the
location of an online, home-based business by which an ex-spouse found
his wife and stalked her.
-Political persecution, by which Whois data was used not only to track
dissenters (some located in the US and protected by the First
Amendment), but also their families located in the countries about
whose corruption the websites were devoted (and who were not similarly
protected);
-Chilling effects, by which Whois data was used to track down and
intimidate or silence those who have a different political, religious
or moral view;

-Anticompetitive activity – by which competitors used Whois data to
track down entrepreneurs and small businesses owners and seek to
intimidate them to set businesses plans and services aside.

We further share with ALAC the deep concern that “WHOIS misuse is
factual and widespread, as the evidence from 44% of sampled
registrants across the several domains attest.”We further agree that
thisposes a “continued threat” to the “security and confidence in the
use of the Internet, [and] the public interest demands measures to
address and abate its impact.”ALAC
Comments,http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html

We have the evidence, and measures must now be taken to protect
Registrants, and the speech, work, expression, hobbies, research,
business, education and communication they conduct using their domain
names.

Respectfully submitted,

[if approved]

NONCOMMERCIAL USERS CONSTITUENCY

<NCUC DRAFT Comments - Misuse of Whois
Study.docx>_______________________________________________
Ncuc-discuss mailing list
Ncuc-discuss at lists.ncuc.org <mailto:Ncuc-discuss at lists.ncuc.org>
http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss

***********************************************
William J. Drake
International Fellow & Lecturer
   Media Change & Innovation Division, IPMZ
   University of Zurich, Switzerland
Chair, Noncommercial Users Constituency,
   ICANN, www.ncuc.org <http://www.ncuc.org>
william.drake at uzh.ch <mailto:william.drake at uzh.ch> (direct),
wjdrake at gmail.com <mailto:wjdrake at gmail.com> (lists),
www.williamdrake.org <http://www.williamdrake.org>
***********************************************



_______________________________________________
Ncuc-discuss mailing list
Ncuc-discuss at lists.ncuc.org
http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss

_______________________________________________
Ncuc-discuss mailing list
Ncuc-discuss at lists.ncuc.org
http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20140118/d38b9295/attachment-0002.html>


More information about the Ncuc-discuss mailing list