[NCUC-DISCUSS] Draft comments on Misuse of Whois Study - timely

Nicolas Adam nickolas.adam at gmail.com
Sat Jan 18 20:54:00 CET 2014


I support the statement.

Nicolas

On 2014-01-18 8:57 AM, William Drake wrote:
> Hi Folks
>
> As Kathy has indicated, the timeline on this is rather short, 11:59pm 
> UTC today, and she's asking that it be approved as a NCUC statement in 
> the (probably likely) event it can't be at the NCSG level in time. 
>  The challenge here is that, per previous, we have not for some time 
> had the NCUC policy committee called for in our dated bylaws to 
> approve constituency-level statements. So the way we've done such 
> things in recent years is pretty much rough consensus after hearing 
> from as many folks as possible in the time frame---certainly elected 
> (EC) or appointed (NCSG PC) representatives, and regular members as 
> well.  Admittedly, this is not quite a satisfactory approach given 
> that NCUC is now much bigger and more diverse than when that model set in, 
> but in lieu of a formal PC a broader and virtual PC is what we have to 
> work with at the moment.
>
> So, it'd be really helpful if we could hear back either way from 
> whoever's online and can get their head around this in the next few hours.
>
> Thanks
>
> Bill
>
>
> On Jan 16, 2014, at 11:52 PM, Kathy Kleiman <Kathy at kathykleiman.com> wrote:
>
>> Hi All,
>> I need your help. There is an amazing study done by two researchers 
>> (a PhD and an almost-PhD) at Carnegie Mellon University.  They tested 
>> the hypothesis of whether "public access to WHOIS data leads to a 
>> measurable degree of misuse of certain kinds of gTLD domain name 
>> Registrant identity and contact information."  They did both a 
>> descriptive study (surveys of law enforcement and privacy people, 
>> registrants and registrars) and an experimental study (registering 
>> domain names with no other traceable source and seeing how much spam, 
>> and unsolicited phone calls and emails they received).
>>
>> They found what we have been telling ICANN for years: "there is a 
>> statistically significant occurrence of WHOIS misuse affecting 
>> Registrants' email addresses, postal addresses, and phone numbers, 
>> published in Whois."
>>
>> Great and let's tell them so! I've drafted some comments that not 
>> only support the findings (and review the great effort dedicated to 
>> the study), but also draw on abuse cases we have discussed and shared 
>> from the NCUC over many years, including political persecution, 
>> chilling effects, anti-competitive activity, and stalking.
>>
>> Since these are Reply Comments, it is traditional to not only share 
>> your own views, but comment on those of others.  Our views are, in 
>> many ways, close to those of ALAC on this issue. ALAC's comments note 
>> that the Study's results "align with individual experience of 
>> At-Large constituents" and also research ALAC has done.  So the 
>> noncommercial and individual registrant groups are aligned on this 
>> issue - and that is key.
>>
>> Below and attached please find the draft comments. Please feel free 
>> to send me edits with Track Changes (if you use the attached file). 
>> To avoid a flood on the list, feel free to share small edits with me 
>> privately.  Big edits and changes are probably up for discussion.  
>> DEADLINE: SATURDAY (but I am judging my son's debate team, so 
>> tomorrow if possible).
>>
>> Best and tx,
>> Kathy
>>
>> *[DRAFT] Comments of the Noncommercial Users Constituency of ICANN*
>> *Study on Whois Misuse*
>> *Due: January 18, 2014*
>>
>> The Noncommercial Users Constituency of ICANN submits this document 
>> in response to the call for public comments on the */Study on Whois 
>> Misuse/* posted on the ICANN website. We respectfully submit that this 
>> Study is a very important one for ICANN and for the GNSO policy work 
>> ahead.
>>
>> We note that the study seems thorough and professionally done. Its 
>> named researchers were Dr. Nicolas Christin and Nektarios Leontiadis. 
>> Dr. Christin received his PhD in Computer Science from the University 
>> of Virginia, and is an Assistant Research Professor of Electrical and 
>> Computer Engineering at Carnegie Mellon University. Nektarios 
>> Leontiadis is a PhD candidate at Carnegie Mellon University, in the 
>> department of Engineering and Public Policy, with research focused on 
>> the economic modeling of online crime. Both are affiliated with 
>> CMU's /CyLab/ security lab.
>>
>> This study stayed close and tight to the Terms of Reference set out 
>> for it --terms set and designed by members of the GNSO and approved 
>> by the GNSO Council.
>>
>> The key question of the study was: /Does public access to 
>> WHOIS-published data lead to a measurable degree of misuse?/ The 
>> answer was an unequivocal yes:
>>
>> The main finding of the descriptive study is that there is 
>> a *statistically significant occurrence of WHOIS misuse affecting 
>> Registrants' email addresses, postal addresses, and phone numbers, 
>> published in WHOIS* when registering domains in these gTLDs. *Overall, 
>> we find that 44% of Registrants experience one or more of these types 
>> of WHOIS misuse.* [Emphasis added, WHOIS Misuse Study, p. 6]
>>
>> We appreciate the extensive efforts the CMU team undertook to test 
>> the hypothesis it was given by ICANN and the GNSO. First, it conducted 
>> a descriptive study reaching out to Experts, Registrants and 
>> Registries/Registrars. Specifically, the team surveyed a "diverse 
>> group of experts in the fields of security and privacy affiliated 
>> with research institutes, academia, law enforcement agencies, 
>> Internet Service Providers (ISPs), and national data protection 
>> commissioners." [Study, p. 13]
>>
>> The team surveyed Registrants for a "better understanding of their 
>> direct experiences with Whois misuse" and found that 43.9% reported 
>> "some kind of misuse of their WHOIS information," including /postal 
>> address misuse, email address misuse/ and /phone number misuse/ tied to 
>> the Whois data, as well as /Identity theft, unauthorized intrusion to 
>> servers/ and /blackmail/ to which publicly-published Whois data may have 
>> been a contributing factor.
>>
>> Then the team surveyed Registrars and Registries about Whois 
>> harvesting attacks, and the deployment and effectiveness of WHOIS 
>> anti-harvesting techniques.
>>
>> Second and perhaps most interestingly, the CMU team conducted its own 
>> experimental study in which they registered a set of domain names in 
>> the top five gTLDs through a representative set of Registrars, with 
>> unique Registrant identities. Over the course of six months, they 
>> tracked emails, voicemails and postal mail received by the 
>> registrants of these experimental domain names. The purpose of the 
>> study was to eliminate "any extraneous variables," e.g. the 
>> publication of a postal address in both the Whois and an outside 
>> directory.
>>
>> The conclusions of the study are striking -- and answer questions 
>> floating in the GNSO for over a decade. /Yes, there is abuse of 
>> publicly-published Whois data. Yes, that abuse is statistically 
>> significant./ We share again the main finding of the Study for 
>> additional review in this comment period:
>>
>> The main finding of the descriptive study is that there is a 
>> statistically significant occurrence of WHOIS misuse affecting 
>> Registrants' email addresses, postal addresses, and phone numbers, 
>> published in WHOIS when registering domains in these gTLDs. Overall, 
>> we find that 44% of Registrants experience one or more of these types 
>> of WHOIS misuse. [Emphasis added, WHOIS Misuse Study, p. 6]
>>
>> We thank CMU for the extensive efforts it devoted to this study, and 
>> the extra efforts made and extra time spent to expand studies to 
>> include more experts from Latin America and overall go above and 
>> beyond the requirements for a rounded and complete study.
>>
>> _Reply to Other Commenters:_
>>
>> *ALAC Comments:*
>> ALAC published the following comment in their comments: "We note the 
>> study has returned findings that align with individual experience of 
>> At-Large constituents plus the evidence of widespread occurrence has 
>> validated similar research undertaken by At-Large connected researchers."
>>
>> We note that NCUC, too, has directly experienced deeply concerning 
>> misuses of WHOIS data. In particular, attorneys in NCUC have directly 
>> experienced and directly worked with clients who have experienced:
>>
>> - Stalking, for which the Whois was the only published source for the 
>> location of an online, home-based business by which an ex-spouse 
>> found his wife and stalked her.
>> - Political persecution, by which Whois data was used not only to 
>> track dissenters (some located in the US and protected by the First 
>> Amendment), but also their families located in the countries about 
>> whose corruption the websites were devoted (and who were not 
>> similarly protected);
>> - Chilling effects, by which Whois data was used to track down and 
>> intimidate or silence those who have a different political, religious 
>> or moral view;
>> - Anticompetitive activity -- by which competitors used Whois data to 
>> track down entrepreneurs and small business owners and seek to 
>> intimidate them to set business plans and services aside.
>>
>> We further share with ALAC the deep concern that "WHOIS misuse is 
>> factual and widespread, as the evidence from 44% of sampled 
>> registrants across the several domains attest." We further agree that 
>> this poses a "continued threat" to the "security and confidence in the 
>> use of the Internet, [and] the public interest demands measures to 
>> address and abate its impact." ALAC Comments, 
>> http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html
>>
>> We have the evidence, and measures must now be taken to protect 
>> Registrants, and the speech, work, expression, hobbies, research, 
>> business, education and communication they conduct using their domain 
>> names.
>>
>> Respectfully submitted,
>>
>> [if approved]
>>
>> NONCOMMERCIAL USERS CONSTITUENCY
>>
>> <NCUC DRAFT Comments - Misuse of Whois Study.docx>
>> _______________________________________________
>> Ncuc-discuss mailing list
>> Ncuc-discuss at lists.ncuc.org
>> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>
> ***********************************************
> William J. Drake
> International Fellow & Lecturer
>   Media Change & Innovation Division, IPMZ
>   University of Zurich, Switzerland
> Chair, Noncommercial Users Constituency,
>   ICANN, www.ncuc.org
> william.drake at uzh.ch (direct), wjdrake at gmail.com (lists),
> www.williamdrake.org
> ***********************************************
