On "Preserve DNS security and stability" and non-technical barriers to data collection

[Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>]

Teresa,

I would like to draw attention to the two relatively recent, and 
generally accessible documents, produced by kc claffey. "Ten things 
{the FCC, Lawyers} should know about the Internet", at [1] and [2], below.
In these Dr. Claffey makes the case that policy can be informed by 
research, and that research must be informed by data.
The trajectory of our industry, from the origins of the ARPANet 
project, have been policy made by belief -- a network could be funded, 
it could be operated by BBN and SRI, it could be institutionally 
transferred from ARPA to NSF to the DOC, the BBN function could be 
defunded and replaced by the CIX, the SRI function could be defunded 
and replaced by NetSol, and finally, monopoly replaced by competition.
Through out, with the exception of MILNet, an equivalent technology, 
connected to the ARPANet (in my offices at SRI, and at six other 
points), little "critical infrastructure" was implemented as an 
overlay network, or as dependent name space. That situation is no 
longer present.
I suggest that a strategic goal of ICANN for 2010 is to determine how 
the changes Dr. Claffey points out, changes in economics, ownership, 
and trust, can be made in the ICANN contractual, and non-contractual 
collection of operating procedures, so that researchers have greater 
access to data, and eventually, perhaps as early as 2011, the policy 
development processes within, and around ICANN, have the opportunity, 
now absent, of substituting private belief, some of which is very well 
informed where profit and loss issues are concerned, for public 
knowledge based upon real research based in turn upon real, and 
relevant, data.
Perhaps you could invite Dr. Claffey to address ICANN, perhaps at 
Bruxelles, and speak to the barriers economics, ownership and trust 
place to data collection, and the data that is needed to support 
research into policy questions about the operational behavior, and 
therefore the security and stability, not as belief systems, but as 
objects of scientific study.
As ICANN has grown, it may have lost some internal coherency. The 
phrase "security and stability" are used in the context of a market 
for "slots" by the EOI model authors, in the context of individual 
ASCII strings which might become TLDs by the gTLD process authors, in 
the context of individual IDN strings, which might also become TLDs by 
the IDN processes, by the authors of anti-phishing and anti-flux 
policy development processes, and so on.
Each of these uses appears to be data invariant, that is, while each 
has some supporting numbers, which may, or may not be actual data, 
none appear to motivate the users of the label "security and 
stability", on staff, or externally, to seek the general increase in 
data available from which to analyse policy outcomes or policy 
alternative claims. Moreover, it is possible that none of these uses 
of "security and stability" are correct.
In a nutshell, for all the "policy people" drawing a handsome salary 
at ICANN and in the institutional entities and corporate advocacy 
groups that enable or target policy formation by ICANN, and the public 
policy bodies informed by ICANN, no one appears to need any numbers.
As a strategic goal, moving from religion towards science, from 
unsupported beliefs to supported beliefs, seems a reasonable thing to 
attempt.
The old and new registrar accreditation agreements do not contain 
provisions for data collection, yet interesting data exists, 
particularly where the associated registry model is thick, at the 
registrar.
The existing and unfortunate draft registry agreements similarly do 
not contain provisions for data collection, yet interesting data 
exists, at the registries.
Similarly, there are potential sources of data from ASN and CIDR 
allocatees, as Dr. Claffey notes, and there are potential sources of 
data from DNS implementers, from search engine operators and 
implementers, and others, all of whom are dependent upon the long-term 
"security and stability" of the DNS, where that function has a 
technical meaning.
Examination of the existing items in the slide deck under the 
"security and stability" heading finds plenty of assertions, more 
"9's", more "secure", more "resilience", but no more data.
Lets make it a goal to assert less and observe more.

Cheers,
Eric



[1] Ten Things the FCC Should Know about the Internet - This slideset 
was presented to the Federal Communications Commission in Washington 
D.C. on May 29, 2009
kc claffy
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center,
University of California, San Diego
http://www.caida.org/publications/presentations/2009/top_ten_fcc/top_ten_fcc.pdf

[2] 
http://www.caida.org/publications/papers/2008/lawyers_top_ten/lawyers_top_ten.pdf 
- top ten things lawyers should know about the Internet
kc claffy
written as a series of blog entries, at 
http://blog.caida.org/best_available_data/2008/04/16/top-ten-things-lawyers-should-know-about-internet-research-1/, 
et seq. April, 2008.