[NCUC-DISCUSS] Draft comments on Misuse of Whois Study - timely
Alex Gakuru
gakuru at gmail.com
Sat Jan 18 19:17:34 CET 2014
Echo Adam and support the statement.
Thank you Kathy.
Alex
On Sat, Jan 18, 2014 at 5:31 PM, Adam Peake <ajp at glocom.ac.jp> wrote:
> FWIW: I've not read the study, and no time now. But trusting Kathy, and
> seeing the ALAC comments align, I support the statement.
>
> Adam
>
> Adam Peake GLOCOM
>
>
> On Jan 18, 2014, at 10:57 PM, William Drake wrote:
>
> > Hi Folks
> >
> > As Kathy has indicated, the timeline on this is rather short, 11:59pm
> UTC today, and she’s asking that it be approved as a NCUC statement in the
> (probably likely) event it can’t be at the NCSG level in time. The
> challenge here is that, per previous, we have not for some time had the
> NCUC policy committee called for in our dated bylaws to approve
> constituency-level statements. So the way we’ve done such things in recent
> years is pretty much rough consensus after hearing from as many folks as
> possible in the time frame—certainly elected (EC) or appointed (NCSG PC)
> representatives, and regular members as well. Admittedly, this is not
> quite a satisfactory approach given that NCUC is now much bigger and more
> diverse than when that model set in, but in lieu of a formal PC a broader and
> virtual PC is what we have to work with at the moment.
> >
> > So, it’d be really helpful if we could hear back either way from
> whoever’s online and can get their head around this in the next few hours.
> >
> > Thanks
> >
> > Bill
> >
> >
> > On Jan 16, 2014, at 11:52 PM, Kathy Kleiman <Kathy at kathykleiman.com>
> wrote:
> >
> >> Hi All,
> >> I need your help. There is an amazing study done by two researchers (a
> PhD and an almost-PhD) at Carnegie Mellon University. They tested the
> hypothesis of whether "public access to WHOIS data leads to a measurable
> degree of misuse of certain kinds of gTLD domain name Registrant identity
> and contact information." They did both a descriptive study (surveys of
> law enforcement and privacy people, registrants and registrars) and an
> experimental study (registering domain names with no other traceable source
> and seeing how much spam, and unsolicited phone calls and emails they
> received).
> >>
> >> They found what we have been telling ICANN for years: "there is a
> statistically significant occurrence of WHOIS misuse affecting Registrants'
> email addresses, postal addresses, and phone numbers, published in Whois."
> >>
> >> Great and let's tell them so! I've drafted some comments that not only
> support the findings (and review the great effort dedicated to the study),
> but also draw on abuse cases we have discussed and shared from the NCUC
> over many years, including political persecution, chilling effects,
> anti-competitive activity, and stalking.
> >>
> >> Since these are Reply Comments, it is traditional to not only share
> your own views, but comment on those of others. Our views are, in many
> ways, close to those of ALAC on this issue. ALAC's comments note that the
> Study's results "align with individual experience of At-Large constituents"
> and also research ALAC has done. So the noncommercial and individual
> registrant groups are aligned on this issue - and that is key.
> >>
> >> Below and attached please find the draft comments. Please feel free to
> send me edits with Track Changes (if you use the attached file). To avoid a
> flood on the list, feel free to share small edits with me privately. Big
> edits and changes are probably up for discussion. DEADLINE: SATURDAY (but
> I am judging my son's debate team, so tomorrow if possible).
> >>
> >> Best and tx,
> >> Kathy
> >>
> >> [DRAFT] Comments of the Noncommercial Users Constituency of ICANN
> >> Study on Whois Misuse
> >> Due: January 18, 2014
> >>
> >> The Noncommercial Users Constituency of ICANN submits this document in
> response to the call for public comments on the Study on Whois Misuse
> posted on the ICANN website. We respectfully submit that this Study is a
> very important one for ICANN and for the GNSO policy work ahead.
> >>
> >> We note that the study seems thorough and professionally done. Its
> named researchers were Dr. Nicolas Christin and Nektarios Leontiadis. Dr.
> Christin received his PhD in Computer Science from the University of
> Virginia, and is an Assistant Research Professor of Electrical and Computer
> Engineering at Carnegie Mellon University. Nektarios Leontiadis is a PhD
> candidate at Carnegie Mellon University, in the department of Engineering
> and Public Policy, with research focused on the economic modeling of online
> crime. Both are affiliated with CMU’s CyLab security lab.
> >>
> >> This study stayed close and tight to the Terms of Reference set out for
> it -- terms set and designed by members of the GNSO and approved by the
> GNSO Council.
> >>
> >> The key question of the study was: Does public access to
> WHOIS-published data lead to a measurable degree of misuse? The answer was
> an unequivocal yes:
> >>
> >> The main finding of the descriptive study is that there is a
> statistically significant occurrence of WHOIS misuse affecting Registrants’
> email addresses, postal addresses, and phone numbers, published in WHOIS
> when registering domains in these gTLDs. Overall, we find that 44% of
> Registrants experience one or more of these types of WHOIS misuse.
> [Emphasis added, WHOIS Misuse Study, p. 6]
> >>
> >> We appreciate the extensive efforts the CMU team undertook to test the
> hypothesis it was given by ICANN and the GNSO. First, it conducted a
> descriptive study reaching out to Experts, Registrants and
> Registries/Registrars. Specifically, the team surveyed a “diverse group of
> experts in the fields of security and privacy affiliated with research
> institutes, academia, law enforcement agencies, Internet Service Providers
> (ISPs), and national data protection commissioners.” [Study, p. 13]
> >>
> >> The team surveyed Registrants for a “better understanding of their
> direct experiences with Whois misuse” and found that 43.9% reported “some
> kind of misuse of their WHOIS information,” including postal address
> misuse, email address misuse and phone number misuse tied to the Whois data,
> as well as Identity theft, unauthorized intrusion to servers and blackmail
> to which publicly-published Whois data may have been a contributing factor.
> >>
> >> Then the team surveyed Registrars and Registries about Whois harvesting
> attacks, and the deployment and effectiveness of WHOIS anti-harvesting
> techniques.
> >>
> >> Second and perhaps most interestingly, the CMU team conducted its own
> experimental study in which they registered a set of domain names in the
> top five gTLDs through a representative set of Registrars, with unique
> Registrant identities. Over the course of six months, they tracked emails,
> voicemails and postal mail received by the registrants of these
> experimental domain names. The purpose of the study was to eliminate “any
> extraneous variables,” e.g. the publication of a postal address in both the
> Whois and an outside directory.
> >>
> >> The conclusions of the study are striking – and answer questions
> floating in the GNSO for over a decade. Yes, there is abuse of
> publicly-published Whois data. Yes, that abuse is statistically
> significant. We share again the main finding of the Study for additional
> review in this comment period:
> >>
> >> The main finding of the descriptive study is that there is a
> statistically significant occurrence of WHOIS misuse affecting Registrants’
> email addresses, postal addresses, and phone numbers, published in WHOIS
> when registering domains in these gTLDs. Overall, we find that 44% of
> Registrants experience one or more of these types of WHOIS misuse.
> [Emphasis added, WHOIS Misuse Study, p. 6]
> >>
> >> We thank CMU for the extensive efforts it devoted to this study, and
> the extra efforts made and extra time spent to expand studies to include
> more experts from Latin America and overall go above and beyond the
> requirements for a rounded and complete study.
> >>
> >> Reply to Other Commenters:
> >>
> >> ALAC Comments:
> >> ALAC published the following comment in their comments: “We note the
> study has returned findings that align with individual experience of
> At-Large constituents plus the evidence of widespread occurrence has
> validated similar research undertaken by At-Large connected researchers.”
> >>
> >> We note that NCUC, too, has directly experienced deeply concerning
> misuses of WHOIS data. In particular, attorneys in NCUC have directly
> experienced and directly worked with clients who have experienced:
> >>
> >> - Stalking, for which the Whois was the only published source
> for the location of an online, home-based business by which an ex-spouse
> found his wife and stalked her.
> >> - Political persecution, by which Whois data was used not only
> to track dissenters (some located in the US and protected by the First
> Amendment), but also their families located in the countries about whose
> corruption the websites were devoted (and who were not similarly protected);
> >> - Chilling effects, by which Whois data was used to track down
> and intimidate or silence those who have a different political, religious
> or moral view;
> >> - Anticompetitive activity – by which competitors used Whois
> data to track down entrepreneurs and small business owners and seek to
> intimidate them to set business plans and services aside.
> >>
> >> We further share with ALAC the deep concern that “WHOIS misuse is
> factual and widespread, as the evidence from 44% of sampled registrants
> across the several domains attest.” We further agree that this poses a
> “continued threat” to the “security and confidence in the use of the
> Internet, [and] the public interest demands measures to address and abate
> its impact.” ALAC Comments,
> http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html
> >>
> >> We have the evidence, and measures must now be taken to protect
> Registrants, and the speech, work, expression, hobbies, research, business,
> education and communication they conduct using their domain names.
> >>
> >> Respectfully submitted,
> >>
> >> [if approved]
> >>
> >> NONCOMMERCIAL USERS CONSTITUENCY
> >>
> >> <NCUC DRAFT Comments - Misuse of Whois Study.docx>
> >> _______________________________________________
> >> Ncuc-discuss mailing list
> >> Ncuc-discuss at lists.ncuc.org
> >> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
> >
> > ***********************************************
> > William J. Drake
> > International Fellow & Lecturer
> > Media Change & Innovation Division, IPMZ
> > University of Zurich, Switzerland
> > Chair, Noncommercial Users Constituency,
> > ICANN, www.ncuc.org
> > william.drake at uzh.ch (direct), wjdrake at gmail.com (lists),
> > www.williamdrake.org
> > ***********************************************
> >