[PC-NCSG] [NCUC-DISCUSS] Draft comments on Misuse of Whois Study - timely

Avri Doria avri
Sat Jan 18 22:35:32 EET 2014 

Hi,

Yes Robin, i know I should have done this earlier.  But I didn't.

Now, it is a lot to expect people to react quickly on a Saturday.  I am 
still hoping, but my lack of getting the request out early, really does 
exonerate anyone from not reacting in time.

avri


On 18-Jan-14 15:22, Robin Gross wrote:
> Thanks for this.  Just a friendly reminder that it the affirmative
> responsibility of all the NCSG Policy Committee Representatives to read
> proposed policy statements and weigh in on them.  Let's work as a team
> and all do our part!
>
> Thanks,
> Robin
>
>
> On Jan 18, 2014, at 12:05 PM, avri doria wrote:
>
>> Hi
>>
>> Well if NCUC send this in, it will be safe to assume NCUC supports it.
>> But I still feel I need at least one of the npoc members to endorse
>> the ncsg-pc endorsement since we do not have enough time for the
>> 'speak now or we will assume support' consensus process.
>>
>> I haven't seen one yet unless I missed it.
>>
>> avri
>>
>> Sent from a T-Mobile 4G LTE Device
>>
>>
>> -------- Original message --------
>> From: William Drake
>> Date:01/18/2014 14:35 (GMT-05:00)
>> To: Avri Doria
>> Cc: NCSG-Policy Policy NCSG-Policy
>> Subject: Re: [PC-NCSG] [NCUC-DISCUSS] Draft comments on Misuse of
>> Whois Study - timely
>>
>> Hi Avri
>>
>> There?s been a lot of comm on this...NCUC has been working to get a
>> full slate of volunteers to fill all open slots.  We are almost there
>> and will then convene an EC meeting to approve them.  So until then
>> yes please you and Nuno are still the reps to NCSG PC.  By end of
>> month this should be fixed.
>>
>> Thanks
>>
>> Bill
>>
>> On Jan 18, 2014, at 5:11 PM, Avri Doria <avri at ACM.ORG
>> <mailto:avri at ACM.ORG>> wrote:
>>
>> > Hi,
>> >
>> > No, they haven't as far as i know.  I was one of the 2013 NCUC
>> appointees, and may still be until repaced. Nuno is listed as the
>> remaining NCUC, he replaced Mary when she went into the staff.  So it
>> would be good to hear from him
>> >
>> > For NPOC, it would be good to have Marie Laure or Rudy to agree.
>> Not enough time to do a timed call at this point.
>> >
>> > avri
>> >
>> >
>> > On 18-Jan-14 11:01, Amr Elsadr wrote:
>> >> Has the NCUC-EC made its final appointments to the NCSG-PC? In any
>> case,
>> >> I second Avri?s request for support of this statement by this
>> committee.
>> >> I apologise for the short notice, and I feel I have some responsibility
>> >> to bear on this. Until very recently, I was mistakenly under the
>> >> impression that we had another week to submit this statement.
>> >>
>> >> Thanks.
>> >>
>> >> Amr
>> >>
>> >>
>> >>
>> >>
>> >> On Jan 18, 2014, at 4:39 PM, Avri Doria <avri at acm.org
>> <mailto:avri at acm.org>
>> >> <mailto:avri at acm.org>> wrote:
>> >>
>> >>>
>> >>> Any chance we can endorse this as well in the few hours left?
>> >>>
>> >>> I would just send a last minute note endorsing the NCUC statement once
>> >>> it was made, assuming it is made.  i think i can still call myself
>> >>> alternate chair.  Or the NCSg chair can send the note.
>> >>>
>> >>> "The NCSG-PC endorse the reply statement submitted by the NCUC
>> url-here."
>> >>>
>> >>>
>> >>>
>> >>> At this point I would need to hear at least one voice from each of the
>> >>> constituencies with no objections to feel free to do this.
>> >>>
>> >>> avri
>> >>>
>> >>>
>> >>> -------- Original Message --------
>> >>> Subject:Re: [NCUC-DISCUSS] Draft comments on Misuse of Whois Study -
>> >>> timely
>> >>> Date:Sat, 18 Jan 2014 16:31:38 +0100
>> >>> From:Amr Elsadr <aelsadr at egyptig.org <mailto:aelsadr at egyptig.org>
>> <mailto:aelsadr at egyptig.org>>
>> >>> To:William Drake <wjdrake at gmail.com <mailto:wjdrake at gmail.com>
>> <mailto:wjdrake at gmail.com>>
>> >>> CC:NCUC EC <ncuc-ec at lists.ncuc.org <mailto:ncuc-ec at lists.ncuc.org>
>> <mailto:ncuc-ec at lists.ncuc.org>>,
>> >>> "ncuc-discuss at lists.ncuc.org <mailto:ncuc-discuss at lists.ncuc.org>
>> <mailto:ncuc-discuss at lists.ncuc.org>"
>> >>> <ncuc-discuss at lists.ncuc.org <mailto:ncuc-discuss at lists.ncuc.org>
>> <mailto:ncuc-discuss at lists.ncuc.org>>
>> >>>
>> >>>
>> >>>
>> >>> Hi Bill and all,
>> >>>
>> >>> I have gone through the study as well as attended the webinar with the
>> >>> researchers who performed it and find that Kathy?s comments are
>> spot on.
>> >>> The statistical significance she (and the report) mention were
>> found to
>> >>> be with a 95% confidence rate, which is the standard accepted
>> confidence
>> >>> of an accurate study based on quantitative analysis.
>> >>>
>> >>> I am happy to endorse this statement and am grateful to Kathy for
>> taking
>> >>> the time to draft it.
>> >>>
>> >>> Thanks Kathy.
>> >>>
>> >>> Amr
>> >>>
>> >>> On Jan 18, 2014, at 2:57 PM, William Drake <wjdrake at gmail.com
>> <mailto:wjdrake at gmail.com>
>> >>> <mailto:wjdrake at gmail.com>
>> >>> <mailto:wjdrake at gmail.com>> wrote:
>> >>>
>> >>>> Hi Folks
>> >>>>
>> >>>> As Kathy has indicated, the timeline on this is rather short, 11:59pm
>> >>>> UTC today, and she?s asking that it be approved as a NCUC
>> statement in
>> >>>> the (probably likely) event it can?t be at the NCSG level in time.
>> >>>> The challenge here is that, per previous, we have not for some time
>> >>>> had the NCUC policy committee called for in our dated bylaws to
>> >>>> approve constituency-level statements. So the way we?ve done such
>> >>>> things in recent years is pretty much rough consensus after hearing
>> >>>> from as many folks as possible in the time frame?certainly elected
>> >>>> (EC) or appointed (NCSG PC) representatives, and regular members as
>> >>>> well.  Admittedly, this is not quite a satisfactory approach given
>> >>>> that NCUC is now much bigger and more diverse when that model set it,
>> >>>> but in lieu of a formal PC a broader and virtual PC is what we
>> have to
>> >>>> work with at the moment.
>> >>>>
>> >>>> So, it?d be really helpful if we could hear back either way from
>> >>>> whoever?s online and can get their head around this in the next few
>> >>>> hours.
>> >>>>
>> >>>> Thanks
>> >>>>
>> >>>> Bill
>> >>>>
>> >>>>
>> >>>> On Jan 16, 2014, at 11:52 PM, Kathy Kleiman
>> <Kathy at kathykleiman.com <mailto:Kathy at kathykleiman.com>
>> >>>> <mailto:Kathy at kathykleiman.com>
>> >>>> <mailto:Kathy at kathykleiman.com>> wrote:
>> >>>>
>> >>>>> Hi All,
>> >>>>> I need your help. There is an amazing study done by two researchers
>> >>>>> (a PhD and an almost-PhD) at Carnegie Melon University.  They tested
>> >>>>> the hypothesis of whether "public access to WHOIS data leads to a
>> >>>>> measurable degree of misuse of certain kinds of gTLD domain name
>> >>>>> Registrant identity and contact information."  They did both a
>> >>>>> descriptive study (surveys of law enforcement and privacy people,
>> >>>>> registrants and registrars) and an experimental study (registering
>> >>>>> domain names with no other traceable source and seeing how much
>> spam,
>> >>>>> and unsolicited phone calls and emails they received).
>> >>>>>
>> >>>>> They found what we have been telling ICANN for years: "there is a
>> >>>>> statistically significant occurrence of WHOIS misue affecting
>> >>>>> Registrants' email addresses, postal addresses, and phone numbers,
>> >>>>> published in Whois."
>> >>>>>
>> >>>>> Great and let's tell them so! I've drafted some comments that not
>> >>>>> only support the findings (and review the great effort dedicated to
>> >>>>> the study), but also draw on abuse cases we have discussed and
>> shared
>> >>>>> from the NCUC over many years, including political persecution,
>> >>>>> chilling effects, anti-competitive activity, and stalking.
>> >>>>>
>> >>>>> Since these are Reply Comments, it is traditional to not only share
>> >>>>> your own views, but comment on those of others.  Our views are, in
>> >>>>> many way, close to those of ALAC on this issue. ALAC's comments note
>> >>>>> that the Study's results "align with individual experience of
>> >>>>> At-Large constituents" and also research ALAC has done.  So the
>> >>>>> noncommercial and individual registrant groups are aligned on this
>> >>>>> issue - and that is key.
>> >>>>>
>> >>>>> Below and attached please find the draft comments. Please feel free
>> >>>>> to send me edits with Track Changes (if you use the attached file).
>> >>>>> To avoid a flood on the list, feel free to share small edits with me
>> >>>>> privately.  Big edits and changes are probably up for discussion.
>> >>>>> DEADLINE: SATURDAY (but I am judging my son's debate team, so
>> >>>>> tomorrow if possible).
>> >>>>>
>> >>>>> Best and tx,
>> >>>>> Kathy
>> >>>>>
>> >>>>> *[DRAFT] Comments of the Noncommercial Users Constituency of ICANN*
>> >>>>> *Study on Whois Misuse*
>> >>>>> *Due: January 18, 2014*
>> >>>>>
>> >>>>> The Noncommercial Users Constituency of ICANN submits this document
>> >>>>> in response to the call for public comments on the*/Study on Whois
>> >>>>> Misuse/*posted on the ICANN website. We respectfully submit that
>> this
>> >>>>> Study is a very important one for ICANN and for the GNSO policy work
>> >>>>> ahead.
>> >>>>>
>> >>>>> We note that the study seems thorough and professionally done. Its
>> >>>>> named researchers were Dr. Nicolas Christin and Nektarios
>> Leontiadis.
>> >>>>> Dr. Christin received his PhD in Computer Science from the
>> University
>> >>>>> of Virginia, and is an Assistant Research Professor of
>> Electrical and
>> >>>>> Computer Engineering at Carnegie Mellon University.Nektarios
>> >>>>> Leontiadis is a PhD candidate at Carnegie Mellon University, in the
>> >>>>> department of Engineering and Public Policy, with research
>> focused on
>> >>>>> the economic modeling of online crime. Both are affiliated with
>> >>>>> CMU?s/CyLab/security lab.
>> >>>>>
>> >>>>> This study stayed close and tight to the Terms of Reference set out
>> >>>>> for it --terms set and designed by members of the GNSO and approved
>> >>>>> by the GNSO Council.
>> >>>>>
>> >>>>> The key question of the study was:/Does public access to
>> >>>>> WHOIS-published data lead to a measurable degree of misuse?/The
>> >>>>> answer was an unequivocal yes:
>> >>>>>
>> >>>>> The main finding of the descriptive study is that there is
>> >>>>> a*statistically significant occurrence of WHOIS misuse affecting
>> >>>>> Registrants? email addresses, postal addresses, and phone numbers,
>> >>>>> published in WHOIS*when registering domains in these gTLDs.*Overall,
>> >>>>> we find that 44% of Registrants experience one or more of these
>> types
>> >>>>> of WHOIS misuse.*[Emphasis added, WHOIS Misuse Study, p. 6]
>> >>>>>
>> >>>>> We appreciate the extensive efforts the CMU team undertook to test
>> >>>>> the hypothesis it was given by ICANN and the GNSO.First, it
>> conducted
>> >>>>> a descriptive study reaching out to Experts, Registrants and
>> >>>>> Registries/Registrars. Specifically, the team surveyed a ?diverse
>> >>>>> group of experts in the fields of security and privacy affiliated
>> >>>>> with research institutes, academia, law enforcement agencies,
>> >>>>> Internet Service Providers (ISPs), and national data protection
>> >>>>> commissioners.? [Study, p. 13]
>> >>>>>
>> >>>>> The team surveyed Registrants for a ?better understanding of their
>> >>>>> direct experiences with Whois misuse? and found that 43.9% reported
>> >>>>> ?some kind of misuse of their WHOIS information,? including/postal
>> >>>>> address misuse, email address misuse/and/phone number misuse/tied to
>> >>>>> the Whois data, as well as/Identity theft, unauthorized intrusion to
>> >>>>> servers/and/blackmail/to which publicly-published Whois data may
>> have
>> >>>>> been a contributing factor.
>> >>>>>
>> >>>>> Then the team surveyed Registrars and Registries about Whois
>> >>>>> harvesting attacks, and the deployment and effectiveness of WHOIS
>> >>>>> anti-harvesting techniques.
>> >>>>>
>> >>>>> Second and perhaps most interestingly, the CMU team conducted
>> its own
>> >>>>> experimental study in which they registered a set of domain names in
>> >>>>> the top five gTLDs through a representative set of Registrars, with
>> >>>>> unique Registrant identities. Over the course of six months, they
>> >>>>> tracked emails, voicemails and postal mail received by the
>> >>>>> registrants of these experimental domain names. The purpose of the
>> >>>>> study was to eliminate ?any extraneous variables,? e.g. the
>> >>>>> publication of a postal address in both the Whois and an outside
>> >>>>> directory.
>> >>>>>
>> >>>>> The conclusions of the study are Striking ? and answer questions
>> >>>>> floating in the GNSO for over a decade./Yes, there is abuse of
>> >>>>> publicly-published Whois data. Yes, that abuse is statistically
>> >>>>> significant./We share again the main finding of the Study for
>> >>>>> additional review in this comment period:
>> >>>>>
>> >>>>> The main finding of the descriptive study is that there is a
>> >>>>> statistically significant occurrence of WHOIS misuse affecting
>> >>>>> Registrants? email addresses, postal addresses, and phone numbers,
>> >>>>> published in WHOIS when registering domains in these gTLDs.Overall,
>> >>>>> we find that 44% of Registrants experience one or more of these
>> types
>> >>>>> of WHOIS misuse.[Emphasis added, WHOIS Misuse Study, p. 6]
>> >>>>>
>> >>>>> We thank CMU for the extensive efforts it devoted to this study, and
>> >>>>> the extra efforts made and extra time spent to expand studies to
>> >>>>> include more experts from Latin America and overall go above and
>> >>>>> beyond the requirements for arounded and complete study.
>> >>>>>
>> >>>>> _Reply to Other Commenters:_
>> >>>>>
>> >>>>> *ALAC Comments:*
>> >>>>> ALAC published the following comment in their comments: ?We note the
>> >>>>> study has returned findings that align with individual experience of
>> >>>>> At-Large constituents plus the evidence of widespread occurrence has
>> >>>>> validated similar research undertaken by At-Large connected
>> >>>>> researchers.?
>> >>>>>
>> >>>>> We note that NCUC, too, has directly experienced deeply concerning
>> >>>>> misuses of WHOIS data. In particular, attorneys in NCUC have
>> directly
>> >>>>> experienced and directly worked with clients who have experienced:
>> >>>>>
>> >>>>> -Stalking, for which the Whois was the only published source for the
>> >>>>> location of an online, home-based business by which an ex-spouse
>> >>>>> found his wife and stalked her.
>> >>>>> -Political persecution, by which Whois data was used not only to
>> >>>>> track dissenters (some located in the US and protected by the First
>> >>>>> Amendment), but also their families located in the countries about
>> >>>>> whose corruption the websites were devoted (and who were not
>> >>>>> similarly protected);
>> >>>>> -Chilling effects, by which Whois data was used to track down and
>> >>>>> intimidate or silence those who have a different political,
>> religious
>> >>>>> or moral view;
>> >>>>>
>> >>>>> -Anticompetitive activity ? by which competitors used Whois data to
>> >>>>> track down entrepreneurs and small businesses owners and seek to
>> >>>>> intimidate them to set businesses plans and services aside.
>> >>>>>
>> >>>>> We further share with ALAC the deep concern that ?WHOIS misuse is
>> >>>>> factual and widespread, as the evidence from 44% of sampled
>> >>>>> registrants across the several domains attest.?We further agree that
>> >>>>> thisposes a ?continued threat? to the ?security and confidence
>> in the
>> >>>>> use of the Internet, [and] the public interest demands measures to
>> >>>>> address and abate its impact.?ALAC
>> >>>>>
>> Comments,http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html
>> >>>>>
>> >>>>> We have the evidence, and measures must now be taken to protect
>> >>>>> Registrants, and the speech, work, expression, hobbies, research,
>> >>>>> business, education and communication they conduct using their
>> domain
>> >>>>> names.
>> >>>>>
>> >>>>> Respectfully submitted,
>> >>>>>
>> >>>>> [if approved]
>> >>>>>
>> >>>>> NONCOMMERCIAL USERS CONSTITUENCY
>> >>>>>
>> >>>>> <NCUC DRAFT Comments - Misuse of Whois
>> >>>>> Study.docx>_______________________________________________
>> >>>>> Ncuc-discuss mailing list
>> >>>>> Ncuc-discuss at lists.ncuc.org <mailto:Ncuc-discuss at lists.ncuc.org>
>> >>>>>
>> <mailto:Ncuc-discuss at lists.ncuc.org><mailto:Ncuc-discuss at lists.ncuc.org>
>> >>>>> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>> >>>>
>> >>>> ***********************************************
>> >>>> William J. Drake
>> >>>> International Fellow & Lecturer
>> >>>> Media Change & Innovation Division, IPMZ
>> >>>> University of Zurich, Switzerland
>> >>>> Chair, Noncommercial Users Constituency,
>> >>>> ICANN,www.ncuc.org <http://www.ncuc.org>
>> <http://www.ncuc.org/><http://www.ncuc.org/>
>> >>>> william.drake at uzh.ch <mailto:william.drake at uzh.ch>
>> >>>> <mailto:william.drake at uzh.ch><mailto:william.drake at uzh.ch> (direct),
>> >>>> wjdrake at gmail.com <mailto:wjdrake at gmail.com>
>> >>>> <mailto:wjdrake at gmail.com><mailto:wjdrake at gmail.com> (lists),
>> >>>> www.williamdrake.org <http://www.williamdrake.org>
>> >>>> <http://www.williamdrake.org/><http://www.williamdrake.org/>
>> >>>> ***********************************************
>> >>>>
>> >>>> _______________________________________________
>> >>>> Ncuc-discuss mailing list
>> >>>> Ncuc-discuss at lists.ncuc.org <mailto:Ncuc-discuss at lists.ncuc.org>
>> >>>>
>> <mailto:Ncuc-discuss at lists.ncuc.org><mailto:Ncuc-discuss at lists.ncuc.org>
>> >>>> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>> >>>
>> >>>
>> >>>
>> >>> <Attached Message
>> Part.txt>_______________________________________________
>> >>> PC-NCSG mailing list
>> >>> PC-NCSG at ipjustice.org <mailto:PC-NCSG at ipjustice.org>
>> <mailto:PC-NCSG at ipjustice.org>
>> >>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>> >>
>> >
>> > _______________________________________________
>> > PC-NCSG mailing list
>> > PC-NCSG at ipjustice.org <mailto:PC-NCSG at ipjustice.org>
>> > http://mailman.ipjustice.org/listinfo/pc-ncsg
>>
>> ***********************************************
>> William J. Drake
>> International Fellow & Lecturer
>>   Media Change & Innovation Division, IPMZ
>>   University of Zurich, Switzerland
>> Chair, Noncommercial Users Constituency,
>>   ICANN, www.ncuc.org <http://www.ncuc.org>
>> william.drake at uzh.ch <mailto:william.drake at uzh.ch> (direct),
>> wjdrake at gmail.com <mailto:wjdrake at gmail.com> (lists),
>> www.williamdrake.org <http://www.williamdrake.org>
>> ***********************************************
>>
>>
>> _______________________________________________
>> PC-NCSG mailing list
>> PC-NCSG at ipjustice.org <mailto:PC-NCSG at ipjustice.org>
>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>
>
>
> _______________________________________________
> PC-NCSG mailing list
> PC-NCSG at ipjustice.org
> http://mailman.ipjustice.org/listinfo/pc-ncsg
>

More information about the NCSG-PC mailing list