RE: [bc-gnso] Additional info for Whois Studies discussion at 1-AprGNSO Council Meeting

[Marilyn Cade <marilynscade@xxxxxxxxxxx>]

excellent additional background to why WHOIS is so important to business users.





> Subject: Re: [bc-gnso] Additional info for Whois Studies discussion at 
> 1-AprGNSO Council Meeting
> Date: Thu, 1 Apr 2010 08:56:29 -0600
> From: randerson@xxxxxxxxxxxxxxxx
> To: marilynscade@xxxxxxxxxxx; sdelbianco@xxxxxxxxxxxxx; 
> zahid@xxxxxxxxxxxxxxxxx; icann@xxxxxxxxxxxxxx
> CC: bc-gnso@xxxxxxxxx
> 
> 
> An accurate and readily accessible WHOIS is certainly important to more than 
> only businesses regarding trademark infringement.
> 
> An accurate and accessible WHOIS is important to consumers with respect to 
> protection. And recourse from online fraud and theft.
> 
> An accurate and accessible WHOIS is important to individuals and business 
> with respect to protection from defamation.
> 
> An accurate and accessible WHOIS is important to parents and children with 
> respect to transparency and the ability to see who's what with regard to the 
> websites children use.
> 
> An accurate and accessible WHOIS is important to civil society with respect 
> to the transparency of published news and views.
> 
> I always find it puzzling that a small number of people preoccupied with 
> privacy over all else are able to convince the wider community that to forego 
> the virtues of transparency and accountability. There are better ways to 
> fight spam than by hiding or misrepresenting the identity of web publishers. 
> And if you desire anonymity, don't publish a website.
> 
> Two of my children have been ripped off by online vendors hiding being fake 
> data. Our firm has been defamed by a website whose publisher hides being 
> privacy and fake WHOIS data. ICANN should not be tolerating this dysfunction.
> 
> 
> 
> 
> cheers/Rick
> 
> Rick Anderson
> EVP, InterBorder Holdings Ltd
> randerson@xxxxxxxxxxxxxx
> cell (403) 830-1798
>  
> 
> ----- Original Message -----
> From: owner-bc-gnso@xxxxxxxxx <owner-bc-gnso@xxxxxxxxx>
> To: Steve Delbianco  <sdelbianco@xxxxxxxxxxxxx>; Zahid Jamil  
> <zahid@xxxxxxxxxxxxxxxxx>; Mike Rodenbaugh  <icann@xxxxxxxxxxxxxx>
> Cc: Bc GNSO list  <bc-gnso@xxxxxxxxx>
> Sent: Thu Apr 01 08:14:05 2010
> Subject: Re: [bc-gnso] Additional info for Whois Studies discussion at 
> 1-AprGNSO Council Meeting
> 
> 
> While I support Steve's "thesis", I wouldn't refer to the GAC, who has worked 
> productively with business and law enforcement as "giants", however. 
> 
> I do support that policy has to be supported by informed data /research and 
> these studies should receive the funding needed. The amount proposed is 
> indeed small compared to the overall budget and will jelp to inform policy 
> making. 
> 
> I would have suggested a higher amount for the initial authorized budget-- 
> but getting two studies authorized for this budget year is a start on the 
> right direction. 
> 
> WHOIS is important to all Business users, and for more than trademark 
> collision issues. 
> 
> The delay in undertaking the studies is already a serious challenge since 
> further understanding of existing issues is important to also inform the new 
> gTLD and IDN programs. 
> 
> 
> Sent via BlackBerry by AT&T
> 
> -----Original Message-----
> From: Steve DelBianco <sdelbianco@xxxxxxxxxxxxx>
> Date: Thu, 1 Apr 2010 13:13:10 
> To: <zahid@xxxxxxxxxxxxxxxxx>; <icann@xxxxxxxxxxxxxx>
> Cc: <bc-gnso@xxxxxxxxx>
> Subject: [bc-gnso] Additional info for Whois Studies discussion at 1-Apr
>  GNSO Council Meeting
> 
> Mike and Zahid -- I predict you will encounter resistance today to the Study 
> on Whois Misuse ($150K).  If I were there, I would offer this:
>  
>  Milton Mueller, Robin Gross and the NCUC had for years claimed that people 
> suffered harm and harassment BECAUSE their data was displayed in Whois.   It 
> was just an assertion with no data support, but it was their main argument 
> against Whois.
>  
>  That's why I suggested study #1 and Claudio of INTA suggested studies 14 and 
> 15.   We wanted some data to know if significant harm comes from Whois.  It's 
> probable that a few harassment cases came from Whois but I am confident it 
> won't be material or significant, and we can show that there are other 
> sources where email addresses could be obtained.   (See below for what Liz 
> Gasster and Lorrie Cranor had to say about the misuse studies)
>  
>  I've already mentioned the AoC review of Whois that's coming next year.   
> And then there's the GAC.  In their Whois letter 
> (http://www.icann.org/correspondence/karlins-to-thrush-16apr08.pdf)  the GAC 
> explicitly calls for misuse data:
>  
>  The goal should be to initially compile data that provides a documented 
> evidence base regarding: ...  the types and extent of misuses of WHOIS data 
> and what harm is caused by each type of misuse, including economic, use of 
> WHOIS data in SPAM generation, abuse of personal data, loss of reputation or 
> identity theft, security costs and loss of data.
>  
>  There's a lesson I learned during the Microsoft case:  "Don't moon the 
> giant."   This study is $150K out of a $70M annual budget and that's a small 
> price to pay to avoid mooning the giants of GAC and USG.
>  
>  Just my two cents.
>  --Steve
>  
>  
>  Below is the early analysis from the esteemed Lorrie Cranor of ATT and W3C.  
> Lorrie concluded it might be helpful though she thought it would be 
> inexpensive.
>  
>  WHOIS misuse studies
>  Four proposals (suggestions #1, #14, #15 and #21) suggest that ICANN study 
> misuse of WHOIS data to determine the connection, if any, between WHOIS and 
> illegal activities. These studies will help establish the extent and nature 
> of problems caused by unprotected WHOIS data.
>  Study Suggestion Number 1: (DelBianco)  1) Gather data on WHOIS misuse from 
> consumer protection bureaus and other entities who maintain data on misuse 
> incidents reported by registrants and 2) survey a random sample of 
> registrants in each gTLD and selected ccTLDs.
>  Study Suggestion Number 14: (INTA)  Create a set of new email addresses, use 
> half of them to register domain names, and monitor all for spam for 90 days 
> to determine how much WHOIS information contributes to spam.
>  Study Suggestion Number 15: (INTA) Create a set of new email addresses, use 
> them to register new domain names at registrars that allow and disallow port 
> 43 WHOIS queries, and monitor all for spam to determine the extent to which 
> port 43 WHOIS queries contribute to spam.
>  Study Suggestion Number 21: (Kleiman) Survey registrars and human rights 
> organizations to determine how WHOIS is being used in ways that seem to have 
> no bearing on the security and stability of the DNS.
>  
>  1 and 21 propose to survey registrars and other parties who may keep records 
> of misuse incidents. 1 also proposes a survey of registrants. These proposed 
> studies may shed some light on the extent and type of misuse of WHOIS data. 
> However, it will be difficult to gather representative data as not all cases 
> of abuse are reported. In addition, it is not always possible to confirm that 
> misused data was obtained from WHOIS, as this information may be available 
> form other sources. A registrant survey is likely to receive disproportionate 
> responses from registrants who believe their WHOIS information has been 
> abused. Nonetheless, the above studies may result in useful qualitative data 
> about the nature of misuse and provide a rough quantitative estimate of the 
> extent of misuse. Surveying those who already keep track of abuse incidents 
> is likely to be a relatively low- cost approach. The registrant study is 
> likely to be more expensive if done on a large scale, and seems less likely 
> to result in useful data.
>  
>  14 and 15 focus specifically on spam and propose studies in which new email 
> addresses are created and used to register domains to determine how much 
> WHOIS information contributes to spam. 15 compares the amount of spam 
> received as a result of registering a domain at registrars that allow and 
> prohibit port 43 WHOIS queries. These studies should results in fairly 
> accurate quantitative data. However, 14 is quite similar to the October 2007 
> SSAC study "Is the WHOIS service a source for email addresses for spammers?" 
> and would not likely contribute new information. If port 43 queries are of 
> interest from a policy perspective, study 15 should provide reliable data to 
> inform that discussion.
>  
>  
>  
>  On 3/31/10 5:43 PM, "Steve DelBianco" <sdelbianco@xxxxxxxxxxxxx> wrote:
>  
>  Mike & Zahid -- 
>  
>  You asked for some BC membership views on the Whois studies that will be 
> discussed at your Council meeting tomorrow (1-Apr).  See below and 
> attachment.   Hope this helps.
>  
>  Your agenda shows potential actions on Whois studies:
>  3.4.1 Review and assess cost and feasibility estimates for the studies
>  3.4.2 Decide whether to pursue any of the studies and, if so, which ones
>  3.4.3 Provide input into the FY11 budget process
>  3.5 How should we accomplish the above?
>  .    Should we form a drafting team to develop recommendations for 
> consideration in our next meeting?
>  .    Note that a final budget has to be finished by 17 May and there are 
> currently no funds budgeted for Whois Studies
>  
>  My recommendations:
>  
>  Let's proceed with the Misuse and Registrant Identification studies.  
>  
>  The Misuse and Registrant ID studies are likely to generate data that would 
> affect policy decisions and compliance work.  These 2 studies are not going 
> to stop the long-standing disagreements between passionate parties on either 
> side, but that's not the point of doing studies.   Remember the debate over 
> domain tasting?  Fact-based data on the number of deletes with the AGP were 
> astounding, and helped us enact a policy change.  The data did not make 
> everyone agree on whether domain tasting was harmful.  But facts showed a 
> hugely prevalent use of AGP that was outside its original purpose, and that 
> moved us to a new consensus policy.
>  
>  We'll certainly use study data when setting policy and compliance standards, 
> especially with so many new TLD operators coming online next year.  
>  
>  Moreover, the Affirmation of Commitments (9.3.1) requires ICANN to "organize 
> a review of WHOIS policy and its implementation to assess the extent to which 
> WHOIS policy is effective and its implementation meets the legitimate needs 
> of law enforcement and promotes consumer trust".  The Misuse and Registrant 
> data studies will be essential for that review.
>  
>  We will also want to have these study results on hand so they can be 
> compared with study results after new TLDs are operating for one year, as 
> required by the Affirmation of Commitments item 9.3 
>  
>  
>  Let's go right to the core issue of Money.  Consider this discussion that 
> happened during Council meeting in Nairobi:
>  Liz Gasster described some study proposals as "expensive" and then Stefane 
> and Wolf commented on the costs and budget constraints.   
>  
>  I intervened to say that the lack of fact-based studies has itself been very 
> expensive over several years of time & travel on the part of dozens of 
> community members.   Those costs will continue unless/until we have facts at 
> hand to make policy decisions.
>  
>  Marilyn made a similar point about need for fact-based analysis.    
>  
>  Bruce Tonkin recommended that Council budget a lump sum for studies, then 
> decide how to spend it.  Don't budget each specific study, he said.
>  
>  I believe Bruce Tonkin is right.  Council should ask for a budget of 
> $XXX,XXX in FY 2011 for a general category of Whois studies.   Since we need 
> a budget number now, I'd say $360,000, to cover the misuse and registrant 
> studies ($150K each) plus a 20% contingency.  
>  
>  Next steps: I would ask staff to begin negotiating with the two 'superior' 
> bidders on detailed workplan for their studies.  Staff should start by asking 
> bidders to review:
>  
>  The 4-Mar-2009 Council resolution on Whois studies, including the original 
> rationale for each hypothesis, etc.   
>  
>  The Affirmation of Commitments, items 9.3 and 9.3.1
>  
>  Staff should also show the bidders any Whois-related items in the Draft 
> Applicant Guidebook.
>  
>  Superior Bidders can then prepare detailed study workplans that policy staff 
> can analyze and present to Council later this year. 
>  
>  
>  Note:  The Staff report (page 7) mentions the Whois Accuracy report, and 
> asks whether "barriers to accuracy" provide useful insights to policy.  
>  
>  I would answer, "Accuracy is something we aspire to; whereas inaccuracy is a 
> contract compliance problem."    
>  
>  Let's set high aspirations to require accurate Whois data for registrants, 
> even if we know that lots of data is inaccurate today. After all, registrars 
> manage to gather credit card information that's sufficiently accurate to 
> ensure they get paid.   Let's find ways to ensure they apply the same 
> diligence in collecting and validating public Whois data.
>  
>  (Note: Susan Kawaguchi of Facebook volunteered to draft BC comments on Whois 
> Accuracy report.  Those aren't due until 15-Apr)   
>  
>  Whois Studies Reports and resources: 
>  https://st.icann.org/gnso-council/index.cgi?whois_discussion#
>  
> http://gnso.icann.org/issues/whois/whois-studies-report-for-gnso-23mar10-en.pdf
>  Presentation Slides: 
> http://gnso.icann.org/correspondence/whois-studies-presentation-01apr10-en.pdf
>  
>  -- 
>  Steve DelBianco
>  Executive Director
>  NetChoice
>  http://www.NetChoice.org and http://blog.netchoice.org 
>  +1.202.420.7482
> 
> 
>  
>  
> This e-mail message and any attachments may contain confidential and/or 
> privileged information intended only for the addressee. In the event this 
> e-mail is sent to you in error, sender and sender’s company do not waive 
> confidentiality or privilege, and waiver may not be assumed. Any 
> dissemination, distribution or copying of, or action taken in reliance on, 
> the contents of this e-mail by anyone other than the intended recipient is 
> prohibited. If you have been sent this e-mail in error, please destroy all 
> copies and notify sender at the above e-mail address.
>  
> Computer viruses can be transmitted by e-mail. You should check this e-mail 
> message and any attachments for viruses. Sender and sender’s company accept 
> no liability for any damage caused by any virus transmitted by this e-mail. 
> Like other forms of communication, e-mail communications may be vulnerable to 
> interception by unauthorized parties. If you do not wish to communicate by 
> e-mail, please notify sender. In the absence of such notification, your 
> consent is assumed. Sender will not take any additional security measures 
> (such as encryption) unless specifically requested.