Study Suggestion Number 1
Submitted By: [Redacted for privacy reasons]

Topic: Documented misuse of Whois data

Hypothesis: Public access to Whois data is responsible for a material number of cases of misuse that have caused harm to natural persons whose websites do not have a commercial purpose.

How the hypothesis could be falsified: This hypothesis could be falsified if the data do not document a material number of cases of harm to individuals arising from public access to their Whois data.

Utility: If a significant number of misuse cases involve receipt of unwanted email (spam), ICANN could modify its policies to reduce automated harvesting of email addresses from Whois. For instance, ICANN could require that registrars use data protection measures (e.g. captcha) on all Whois inquiry services. ICANN might also modify policies governing entities and processes for bulk retrieval of Whois data.

Type of Study Needed: ICANN's Security and Stability Advisory Committee (SSAC) has already studied email spam arising from Whois data, including an analysis of data protection measures used by ICANN-accredited registrars. See "Is the WHOIS service a source for email addresses for spammers?" at http://gnso.icann.org/correspondence/ssac-whois-study-27oct07.pdf

Some consumer protection bureaus and other entities may maintain data on misuse incidents reported by registrants. While this won't indicate the proportion of registrants who have had incidents, it might give us other useful insights about whether public access to Whois data has been a cause of individual harm.

Most likely, we will need to conduct a survey of registrants to learn about specific incidents of misuse. Data should be gathered for relevant samples of registrants in each gTLD and in selected ccTLDs. While the survey should not be open to the public, responses might be solicited via emails to registrants, who could update a web-based survey form.
Survey questions should be carefully phrased to avoid a biased response, since those who feel their data has been misused are more likely to respond than those who have no incidents to report.

Data that needs to be collected: The list of data elements below presumes that each record would document an actual instance of Whois data misuse. To the extent that a survey of registrants is used for data collection, we should also collect and compile records for registrants that reported no misuse of their Whois data.

Data element / Suggested source / Anticipated challenges
Purpose of Website (personal, commercial, etc.) / Survey of registrants
Is your information publicly available in places other than Whois? / Survey of registrants
Type of misuse (e.g., spam; unwanted phone contact, harassment) / Consumer protection agencies; survey of registrants
Date of incident / Consumer protection agencies; survey of registrants
Description of incident / Consumer protection agencies; survey of registrants
Domain name / Consumer protection agencies; survey of registrants
Whois data elements (at time of misuse incident) / Consumer protection agencies; survey of registrants
Type of registrant (legal person or natural person) / Consumer protection agencies; survey of registrants
Does the registrant's website have a commercial purpose? / Consumer protection agencies; survey of registrants
Registrar (at time of misuse incident) / Consumer protection agencies; survey of registrants
Type of entity that misused the Whois data / Consumer protection agencies; survey of registrants
Name of entity that misused the Whois data / Consumer protection agencies; survey of registrants
National law or regulation that was violated by misuse incident / Consumer protection agencies; survey of registrants
Adverse consequences to registrant arising from the misuse incident / Consumer protection agencies; survey of registrants

Population to be surveyed: Survey of registrants in each of the gTLDs and in selected ccTLDs.
Sample Size: For a 95% confidence level and a 5% margin of error, you would need a sample size of around 400 randomly selected respondents in the major gTLDs. Sample sizes would be reduced for smaller gTLDs and ccTLDs.

Type of Analysis: It would be important to analyze not only the frequency of abuse but also the type and severity of that misuse of Whois data. With an understanding of the characteristics of the abusers, the type of abuse and the most likely targets for abuse, effective policy recommendations may become evident. In any analysis of misuse, it is critical to determine whether the data was, or could easily have been, obtained from a source other than Whois.