[NCUC-DISCUSS] Draft comments on Misuse of Whois Study - timely

Kathy Kleiman kathy at kathykleiman.com
Sat Jan 18 21:32:59 CET 2014 

Hi Bill,
Thanks so much for the shout-out to NCUC and the go-ahead to submit.

Hi All,
Thanks all for taking the time to review and respond to this comment on 
such short notice. It is now going in...

Best and have a great weekend,
Kathy

:
> Hi Kathy
>
> We have like a dozen expressions of support, no voiced opposition, and 
> less than two hours until the submission deadline, so under these 
> circumstances yes let’s call it an NCUC endorsement.  Thanks for 
> writing it and please submit it on our behalf.
>
> I’m heading offline for the evening.
>
> Cheers,
>
> Bill
>
> On Jan 16, 2014, at 11:52 PM, Kathy Kleiman <Kathy at kathykleiman.com 
> <mailto:Kathy at kathykleiman.com>> wrote:
>
>> Hi All,
>> I need your help. There is an amazing study done by two researchers 
>> (a PhD and an almost-PhD) at Carnegie Melon University.  They tested 
>> the hypothesis of whether "public access to WHOIS data leads to a 
>> measurable degree of misuse of certain kinds of gTLD domain name 
>> Registrant identity and contact information."  They did both a 
>> descriptive study (surveys of law enforcement and privacy people, 
>> registrants and registrars) and an experimental study (registering 
>> domain names with no other traceable source and seeing how much spam, 
>> and unsolicited phone calls and emails they received).
>>
>> They found what we have been telling ICANN for years: "there is a 
>> statistically significant occurrence of WHOIS misue affecting 
>> Registrants' email addresses, postal addresses, and phone numbers, 
>> published in Whois."
>>
>> Great and let's tell them so! I've drafted some comments that not 
>> only support the findings (and review the great effort dedicated to 
>> the study), but also draw on abuse cases we have discussed and shared 
>> from the NCUC over many years, including political persecution, 
>> chilling effects, anti-competitive activity, and stalking.
>>
>> Since these are Reply Comments, it is traditional to not only share 
>> your own views, but comment on those of others.  Our views are, in 
>> many way, close to those of ALAC on this issue. ALAC's comments note 
>> that the Study's results "align with individual experience of 
>> At-Large constituents" and also research ALAC has done.  So the 
>> noncommercial and individual registrant groups are aligned on this 
>> issue - and that is key.
>>
>> Below and attached please find the draft comments. Please feel free 
>> to send me edits with Track Changes (if you use the attached file). 
>> To avoid a flood on the list, feel free to share small edits with me 
>> privately.  Big edits and changes are probably up for discussion.  
>> DEADLINE: SATURDAY (but I am judging my son's debate team, so 
>> tomorrow if possible).
>>
>> Best and tx,
>> Kathy
>>
>> *[DRAFT] Comments of the Noncommercial Users Constituency of ICANN*
>> *Study on Whois Misuse*
>> *Due: January 18, 2014*
>>
>> The Noncommercial Users Constituency of ICANN submits this document 
>> in response to the call for public comments on the*/Study on Whois 
>> Misuse/*posted on the ICANN website. We respectfully submit that this 
>> Study is a very important one for ICANN and for the GNSO policy work 
>> ahead.
>>
>> We note that the study seems thorough and professionally done. Its 
>> named researchers were Dr. Nicolas Christin and Nektarios Leontiadis. 
>> Dr. Christin received his PhD in Computer Science from the University 
>> of Virginia, and is an Assistant Research Professor of Electrical and 
>> Computer Engineering at Carnegie Mellon University.Nektarios 
>> Leontiadis is a PhD candidate at Carnegie Mellon University, in the 
>> department of Engineering and Public Policy, with research focused on 
>> the economic modeling of online crime. Both are affiliated with 
>> CMU’s/CyLab/security lab.
>>
>> This study stayed close and tight to the Terms of Reference set out 
>> for it --terms set and designed by members of the GNSO and approved 
>> by the GNSO Council.
>>
>> The key question of the study was:/Does public access to 
>> WHOIS-published data lead to a measurable degree of misuse?/The 
>> answer was an unequivocal yes:
>>
>> The main finding of the descriptive study is that there is 
>> a*statistically significant occurrence of WHOIS misuse affecting 
>> Registrants’ email addresses, postal addresses, and phone numbers, 
>> published in WHOIS*when registering domains in these gTLDs.*Overall, 
>> we find that 44% of Registrants experience one or more of these types 
>> of WHOIS misuse.*[Emphasis added, WHOIS Misuse Study, p. 6]
>>
>> We appreciate the extensive efforts the CMU team undertook to test 
>> the hypothesis it was given by ICANN and the GNSO.First, it conducted 
>> a descriptive study reaching out to Experts, Registrants and 
>> Registries/Registrars. Specifically, the team surveyed a “diverse 
>> group of experts in the fields of security and privacy affiliated 
>> with research institutes, academia, law enforcement agencies, 
>> Internet Service Providers (ISPs), and national data protection 
>> commissioners.” [Study, p. 13]
>>
>> The team surveyed Registrants for a “better understanding of their 
>> direct experiences with Whois misuse” and found that 43.9% reported 
>> “some kind of misuse of their WHOIS information,” including/postal 
>> address misuse, email address misuse/and/phone number misuse/tied to 
>> the Whois data, as well as/Identity theft, unauthorized intrusion to 
>> servers/and/blackmail/to which publicly-published Whois data may have 
>> been a contributing factor.
>>
>> Then the team surveyed Registrars and Registries about Whois 
>> harvesting attacks, and the deployment and effectiveness of WHOIS 
>> anti-harvesting techniques.
>>
>> Second and perhaps most interestingly, the CMU team conducted its own 
>> experimental study in which they registered a set of domain names in 
>> the top five gTLDs through a representative set of Registrars, with 
>> unique Registrant identities. Over the course of six months, they 
>> tracked emails, voicemails and postal mail received by the 
>> registrants of these experimental domain names. The purpose of the 
>> study was to eliminate “any extraneous variables,” e.g. the 
>> publication of a postal address in both the Whois and an outside 
>> directory.
>>
>> The conclusions of the study are Striking – and answer questions 
>> floating in the GNSO for over a decade./Yes, there is abuse of 
>> publicly-published Whois data. Yes, that abuse is statistically 
>> significant./We share again the main finding of the Study for 
>> additional review in this comment period:
>>
>> The main finding of the descriptive study is that there is a 
>> statistically significant occurrence of WHOIS misuse affecting 
>> Registrants’ email addresses, postal addresses, and phone numbers, 
>> published in WHOIS when registering domains in these gTLDs.Overall, 
>> we find that 44% of Registrants experience one or more of these types 
>> of WHOIS misuse.[Emphasis added, WHOIS Misuse Study, p. 6]
>>
>> We thank CMU for the extensive efforts it devoted to this study, and 
>> the extra efforts made and extra time spent to expand studies to 
>> include more experts from Latin America and overall go above and 
>> beyond the requirements for arounded and complete study.
>>
>> _Reply to Other Commenters:_
>>
>> *ALAC Comments:*
>> ALAC published the following comment in their comments: “We note the 
>> study has returned findings that align with individual experience of 
>> At-Large constituents plus the evidence of widespread occurrence has 
>> validated similar research undertaken by At-Large connected researchers.”
>>
>> We note that NCUC, too, has directly experienced deeply concerning 
>> misuses of WHOIS data. In particular, attorneys in NCUC have directly 
>> experienced and directly worked with clients who have experienced:
>>
>> -Stalking, for which the Whois was the only published source for the 
>> location of an online, home-based business by which an ex-spouse 
>> found his wife and stalked her.
>> -Political persecution, by which Whois data was used not only to 
>> track dissenters (some located in the US and protected by the First 
>> Amendment), but also their families located in the countries about 
>> whose corruption the websites were devoted (and who were not 
>> similarly protected);
>> -Chilling effects, by which Whois data was used to track down and 
>> intimidate or silence those who have a different political, religious 
>> or moral view;
>>
>> -Anticompetitive activity – by which competitors used Whois data to 
>> track down entrepreneurs and small businesses owners and seek to 
>> intimidate them to set businesses plans and services aside.
>>
>> We further share with ALAC the deep concern that “WHOIS misuse is 
>> factual and widespread, as the evidence from 44% of sampled 
>> registrants across the several domains attest.”We further agree that 
>> thisposes a “continued threat” to the “security and confidence in the 
>> use of the Internet, [and] the public interest demands measures to 
>> address and abate its impact.”ALAC 
>> Comments,http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html
>>
>> We have the evidence, and measures must now be taken to protect 
>> Registrants, and the speech, work, expression, hobbies, research, 
>> business, education and communication they conduct using their domain 
>> names.
>>
>> Respectfully submitted,
>>
>> [if approved]
>>
>> NONCOMMERCIAL USERS CONSTITUENCY
>>
>> <NCUC DRAFT Comments - Misuse of Whois 
>> Study.docx>_______________________________________________
>> Ncuc-discuss mailing list
>> Ncuc-discuss at lists.ncuc.org <mailto:Ncuc-discuss at lists.ncuc.org>
>> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>
> ***********************************************
> William J. Drake
> International Fellow & Lecturer
>   Media Change & Innovation Division, IPMZ
>   University of Zurich, Switzerland
> Chair, Noncommercial Users Constituency,
>   ICANN, www.ncuc.org <http://www.ncuc.org>
> william.drake at uzh.ch <mailto:william.drake at uzh.ch> (direct), 
> wjdrake at gmail.com <mailto:wjdrake at gmail.com> (lists),
> www.williamdrake.org <http://www.williamdrake.org>
> ***********************************************
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20140118/10c234c3/attachment-0002.html>

More information about the Ncuc-discuss mailing list