Re: [bc-gnso] Additional info for Whois Studies discussion at 1-AprGNSO Council Meeting

["Marilyn Cade " <marilynscade@xxxxxxxxxxx>]

While I support Steve's "thesis", I wouldn't refer to the GAC, who has worked 
productively with business and law enforcement as "giants", however. 

I do support that policy has to be supported by informed data /research and 
these studies should receive the funding needed. The amount proposed is indeed 
small compared to the overall budget and will jelp to inform policy making. 

I would have suggested a higher amount for the initial authorized budget-- but 
getting two studies authorized for this budget year is a start on the right 
direction. 

WHOIS is important to all Business users, and for more than trademark collision 
issues. 

The delay in undertaking the studies is already a serious challenge since 
further understanding of existing issues is important to also inform the new 
gTLD and IDN programs. 


Sent via BlackBerry by AT&T

-----Original Message-----
From: Steve DelBianco <sdelbianco@xxxxxxxxxxxxx>
Date: Thu, 1 Apr 2010 13:13:10 
To: <zahid@xxxxxxxxxxxxxxxxx>; <icann@xxxxxxxxxxxxxx>
Cc: <bc-gnso@xxxxxxxxx>
Subject: [bc-gnso] Additional info for Whois Studies discussion at 1-Apr
 GNSO Council Meeting

Mike and Zahid -- I predict you will encounter resistance today to the Study on 
Whois Misuse ($150K).  If I were there, I would offer this:
 
 Milton Mueller, Robin Gross and the NCUC had for years claimed that people 
suffered harm and harassment BECAUSE their data was displayed in Whois.   It 
was just an assertion with no data support, but it was their main argument 
against Whois.
 
 That's why I suggested study #1 and Claudio of INTA suggested studies 14 and 
15.   We wanted some data to know if significant harm comes from Whois.  It's 
probable that a few harassment cases came from Whois but I am confident it 
won't be material or significant, and we can show that there are other sources 
where email addresses could be obtained.   (See below for what Liz Gasster and 
Lorrie Cranor had to say about the misuse studies)
 
 I've already mentioned the AoC review of Whois that's coming next year.   And 
then there's the GAC.  In their Whois letter 
(http://www.icann.org/correspondence/karlins-to-thrush-16apr08.pdf)  the GAC 
explicitly calls for misuse data:
 
 The goal should be to initially compile data that provides a documented 
evidence base regarding: ...  the types and extent of misuses of WHOIS data and 
what harm is caused by each type of misuse, including economic, use of WHOIS 
data in SPAM generation, abuse of personal data, loss of reputation or identity 
theft, security costs and loss of data.
 
 There's a lesson I learned during the Microsoft case:  "Don't moon the giant." 
  This study is $150K out of a $70M annual budget and that's a small price to 
pay to avoid mooning the giants of GAC and USG.
 
 Just my two cents.
 --Steve
 
 
 Below is the early analysis from the esteemed Lorrie Cranor of ATT and W3C. 
 Lorrie concluded it might be helpful though she thought it would be 
inexpensive.
 
 WHOIS misuse studies
 Four proposals (suggestions #1, #14, #15 and #21) suggest that ICANN study 
misuse of WHOIS data to determine the connection, if any, between WHOIS and 
illegal activities. These studies will help establish the extent and nature of 
problems caused by unprotected WHOIS data.
 Study Suggestion Number 1: (DelBianco)  1) Gather data on WHOIS misuse from 
consumer protection bureaus and other entities who maintain data on misuse 
incidents reported by registrants and 2) survey a random sample of registrants 
in each gTLD and selected ccTLDs.
 Study Suggestion Number 14: (INTA)  Create a set of new email addresses, use 
half of them to register domain names, and monitor all for spam for 90 days to 
determine how much WHOIS information contributes to spam.
 Study Suggestion Number 15: (INTA) Create a set of new email addresses, use 
them to register new domain names at registrars that allow and disallow port 43 
WHOIS queries, and monitor all for spam to determine the extent to which port 
43 WHOIS queries contribute to spam.
 Study Suggestion Number 21: (Kleiman) Survey registrars and human rights 
organizations to determine how WHOIS is being used in ways that seem to have no 
bearing on the security and stability of the DNS.
 
 1 and 21 propose to survey registrars and other parties who may keep records 
of misuse incidents. 1 also proposes a survey of registrants. These proposed 
studies may shed some light on the extent and type of misuse of WHOIS data. 
However, it will be difficult to gather representative data as not all cases of 
abuse are reported. In addition, it is not always possible to confirm that 
misused data was obtained from WHOIS, as this information may be available form 
other sources. A registrant survey is likely to receive disproportionate 
responses from registrants who believe their WHOIS information has been abused. 
Nonetheless, the above studies may result in useful qualitative data about the 
nature of misuse and provide a rough quantitative estimate of the extent of 
misuse. Surveying those who already keep track of abuse incidents is likely to 
be a relatively low- cost approach. The registrant study is likely to be more 
expensive if done on a large scale, and seems less likely to result in useful 
data.
 
 14 and 15 focus specifically on spam and propose studies in which new email 
addresses are created and used to register domains to determine how much WHOIS 
information contributes to spam. 15 compares the amount of spam received as a 
result of registering a domain at registrars that allow and prohibit port 43 
WHOIS queries. These studies should results in fairly accurate quantitative 
data. However, 14 is quite similar to the October 2007 SSAC study "Is the WHOIS 
service a source for email addresses for spammers?" and would not likely 
contribute new information. If port 43 queries are of interest from a policy 
perspective, study 15 should provide reliable data to inform that discussion.
 
 
 
 On 3/31/10 5:43 PM, "Steve DelBianco" <sdelbianco@xxxxxxxxxxxxx> wrote:
 
 Mike & Zahid -- 
 
 You asked for some BC membership views on the Whois studies that will be 
discussed at your Council meeting tomorrow (1-Apr).  See below and attachment. 
  Hope this helps.
 
 Your agenda shows potential actions on Whois studies:
 3.4.1 Review and assess cost and feasibility estimates for the studies
 3.4.2 Decide whether to pursue any of the studies and, if so, which ones
 3.4.3 Provide input into the FY11 budget process
 3.5 How should we accomplish the above?
 .    Should we form a drafting team to develop recommendations for 
consideration in our next meeting?
 .    Note that a final budget has to be finished by 17 May and there are 
currently no funds budgeted for Whois Studies
 
 My recommendations:
 
 Let's proceed with the Misuse and Registrant Identification studies.  
 
 The Misuse and Registrant ID studies are likely to generate data that would 
affect policy decisions and compliance work.  These 2 studies are not going to 
stop the long-standing disagreements between passionate parties on either side, 
but that's not the point of doing studies.   Remember the debate over domain 
tasting?  Fact-based data on the number of deletes with the AGP were 
astounding, and helped us enact a policy change.  The data did not make 
everyone agree on whether domain tasting was harmful.  But facts showed a 
hugely prevalent use of AGP that was outside its original purpose, and that 
moved us to a new consensus policy.
 
 We'll certainly use study data when setting policy and compliance standards, 
especially with so many new TLD operators coming online next year.  
 
 Moreover, the Affirmation of Commitments (9.3.1) requires ICANN to "organize a 
review of WHOIS policy and its implementation to assess the extent to which 
WHOIS policy is effective and its implementation meets the legitimate needs of 
law enforcement and promotes consumer trust".  The Misuse and Registrant data 
studies will be essential for that review.
 
 We will also want to have these study results on hand so they can be compared 
with study results after new TLDs are operating for one year, as required by 
the Affirmation of Commitments item 9.3 
 
 
 Let's go right to the core issue of Money.  Consider this discussion that 
happened during Council meeting in Nairobi:
 Liz Gasster described some study proposals as "expensive" and then Stefane and 
Wolf commented on the costs and budget constraints.   
 
 I intervened to say that the lack of fact-based studies has itself been very 
expensive over several years of time & travel on the part of dozens of 
community members.   Those costs will continue unless/until we have facts at 
hand to make policy decisions.
 
 Marilyn made a similar point about need for fact-based analysis.    
 
 Bruce Tonkin recommended that Council budget a lump sum for studies, then 
decide how to spend it.  Don't budget each specific study, he said.
 
 I believe Bruce Tonkin is right.  Council should ask for a budget of $XXX,XXX 
in FY 2011 for a general category of Whois studies.   Since we need a budget 
number now, I'd say $360,000, to cover the misuse and registrant studies ($150K 
each) plus a 20% contingency.  
 
 Next steps: I would ask staff to begin negotiating with the two 'superior' 
bidders on detailed workplan for their studies.  Staff should start by asking 
bidders to review:
 
 The 4-Mar-2009 Council resolution on Whois studies, including the original 
rationale for each hypothesis, etc.   
 
 The Affirmation of Commitments, items 9.3 and 9.3.1
 
 Staff should also show the bidders any Whois-related items in the Draft 
Applicant Guidebook.
 
 Superior Bidders can then prepare detailed study workplans that policy staff 
can analyze and present to Council later this year. 
 
 
 Note:  The Staff report (page 7) mentions the Whois Accuracy report, and asks 
whether "barriers to accuracy" provide useful insights to policy.  
 
 I would answer, "Accuracy is something we aspire to; whereas inaccuracy is a 
contract compliance problem."    
 
 Let's set high aspirations to require accurate Whois data for registrants, 
even if we know that lots of data is inaccurate today. After all, registrars 
manage to gather credit card information that's sufficiently accurate to ensure 
they get paid.   Let's find ways to ensure they apply the same diligence in 
collecting and validating public Whois data.
 
 (Note: Susan Kawaguchi of Facebook volunteered to draft BC comments on Whois 
Accuracy report.  Those aren't due until 15-Apr)   
 
 Whois Studies Reports and resources: 
 https://st.icann.org/gnso-council/index.cgi?whois_discussion#
 http://gnso.icann.org/issues/whois/whois-studies-report-for-gnso-23mar10-en.pdf
 Presentation Slides: 
http://gnso.icann.org/correspondence/whois-studies-presentation-01apr10-en.pdf
 
 -- 
 Steve DelBianco
 Executive Director
 NetChoice
 http://www.NetChoice.org and http://blog.netchoice.org 
 +1.202.420.7482