RE: [jig] Friendly reminder: comments from WG members on Draft Summary and Analysis public comments Universal Acceptnace

["Dillon, Chris" <c.dillon@xxxxxxxxx>]

Dear colleagues,

This is just to follow up the ideas about security and universal acceptance we 
were speaking about during the last JIG call. I apologize for the poor timing 
and am not expecting these comments to affect the current version.

I suspect that fears about security in several senses may hinder universal 
acceptance and so it may be worth adding more references to it in the report.

Security fears could be due to actual issues we are already familiar with such 
as:
- there being more potential for confusion with a character set which is far 
larger than ASCII or
- with actual security holes in software.
It may be possible to offset such fears by articulating the issue, for example, 
creating lists of characters which are similar to each other. This was the 
approach taken by several of the VIP Case Studies which have tables of such 
characters at the end.

Analysis of user behaviour may also be a rewarding way forwards. For example, 
when a user searches in Google what strategies does he/she take? For example, a 
user may type "cafe" wanting "café" and Google knows this and will find it. It 
is actually possible to know what was intended in such a situation, as the last 
link clicked on in the search is usually what the user was looking for. This is 
another way of discovering what is similar to what.

Other security fears could be based on user errors of judgement. As the 
existing number of IDNs is small there is little dedicated research. However, 
there is interesting general research, for example:
The psychology of scams: provoking and committing errors of judgement. - 
Prepared for the Office of Fair Trading by the University of Exeter School of 
Psychology. - www.oft.gov.uk/shared_oft/reports/consumer_protection/oft1070.pdf 

What measures could be taken to reduce these risks? As I mentioned during the 
call, we need to know how scammers try to provoke errors and could recommend 
simple end-user-targetted advice such as "Don't click a link if it is in a 
language that you don't understand". Perhaps application providers could use 
code point ranges to set up browsers with a setting only to visit links in 
certain languages.

As regards organisations with which ICANN should work, there would be a case 
for including such organisations as the UK's Serious Organised Crime Agency. 
They announced WEIRDS in Costa Rica, a matrix which will provide a simple 
indicator of how trustworthy a site is likely to be: 
http://news.dot-nxt.com/2012/03/12/five-cs-whois-validation-model 
This is the sort of work we may want to support. Anything which demonstrates 
that the new gTLDs are safe is to be encouraged and is likely to make users and 
application providers more confident.

Regards,

Chris.
==
Research Associate in Linguistic Computing, Dept of Information Studies, UCL, 
Gower St, London WC1E 6BT Tel +44 20 7679 1599 (int 31599) 
www.ucl.ac.uk/dis/people/chrisdillon